From: James
To: gentoo-user@lists.gentoo.org
Subject: [gentoo-user] Re: Stealth Ethernet testing
Date: Sat, 22 Oct 2005 19:16:55 +0000 (UTC)
References: <20051022123941.737535a3.hilse@web.de>

Hans-Werner Hilse writes:

> Hi,
>
> On Fri, 21 Oct 2005 19:19:15 +0000 (UTC)
> James wrote:
>
> > Well, after much ado, it seems quite easy (trivial) to hide
> > an ethernet interface, while being able to collect reams
> > of local ethernet traffic based data, from both snort and ethereal.
>
> Yep, it's up and doesn't have an IP. If this is sufficient for you,
> fine then.

Well, let me see how much *quieter* I can make the interface. I do need
to make the ethernet interface 100% undetectable.

> > On any system, 'ping 0.0.0.0' receives responses from the local
> > interface.
>
> No, if you specify an interface for those packets, it most probably
> won't receive anything. But that's nitpicking here...

Hmm, you should try this and ping your local IP (before setting it to
0.0.0.0). It has to be the local host, as the latencies for any other
hosts on the switch/hub are almost an order of magnitude higher.
Furthermore, you can disconnect any system from its ethernet cable, and
'ping 0.0.0.0' is the same thing as 'ping localhost' and 'ping 127.0.0.1',
while the interface is disconnected. snort -dvi eth0 still runs great and
the eth seems undetectable.

> > What I need is for folks to test and verify that an ethernet
> > interface setup this way, is indeed invisible (undetectable)
> > by other systems.
>
> It surely isn't. It's up, listening at least to broadcasts and
> multicasts (well, it's written uppercase in the ipconfig output).

Hmm, none of the commands I tried with arp, arping or hping discovered
the passive ethernet interface configured to 0.0.0.0 on the same flat
hub.... However, there is one thing I should point out. NONE of the
systems have any entry in their hostname file except their own name, nor
is DNS running on this test network. Only IP addresses, ethernet with
MACs and no networked services, so the arp tables are empty until
explicit communications occur. No NFS, no samba; nada.

It's a test network for machines and everything is minimized. On the
gentoo systems there is no domain name; they only query DNS servers as
needed (if the machines only access another machine via IP, then DNS
resolution is not necessary, and network chatter has been minimized).
So if you have syntax that will discover any of the 'listen only
interfaces' please send me a specific example. Nothing I have tried with
ping, arping, arp, arpscan, arpwatch, or hping* discovers these ethernet
interfaces. I'm not saying they are 100% stealth, but I have not found a
method to discover the interfaces on this minimized network. Even the
gentoo system configured to 0.0.0.0 is not discoverable, as of yet.

> > If you find this is not true, please tell me what you did and
> > what tool/syntax you used to discover/detect a system with an
> > ethernet interface set up this way....
>
> emerge hping2, emerge arping. And then play a little bit. Note that
> ethernet frames don't rely on IPs to get to their targets. In the above
> described situation, I would try to send a bunch of different ethernet
> frames to that machine and see what happens. If I were you, I would
> dedicate another machine for the testing stage that sniffs if the
> machine answers anything. "ping" isn't really the tool of choice here.

Yes, as you have suggested, but the stealth systems (ifconfig eth0 inet
0.0.0.0) are still not discoverable. If you disagree (and hopefully you
do) please send me explicit syntax.

> If you really don't want to choose a hardware based solution and go the
> software way, you should carefully inspect /proc/sys/net/... and have a
> read in linux docs how to choose sysctls for not letting linux itself
> spit out packages.

OK, after I fully explore the possibilities with the aforementioned
tools, I'll look into this. A system's ability to resist responses
(icmp, mac scans, etc) is really quite fascinating and I'm sure also
related to kernel configuration and low level ethernet drivers.

> But using this way, it is scientifically impossible (well, nearly) to
> 100% negate the theory that a package might get through. I really
> recommend the already mentioned way, cutting the Tx wires. After all,
> this is simple and you can be sure that you didn't forget anything.

Agreed. However, before I build a custom piece of hardware/cable that
open-circuits the transmit line from the desired stealth interface, I
need to fully characterize things available in software, and from which
tools these software/config tricks hide interfaces. Open-circuiting the
stealth interface is not always an option, so fully characterizing the
efforts to minimize responses of the pseudo-stealth interface, via
configs, software, kernel and low level drivers, will go a long way to
approaching stealth behavior of an ethernet interface. If only a few
tools/hacks can discover the existence, then I can make preparations in
the firewall and other upstream routing/interfaces so as to prevent or
alert such machinations. Send me some explicit syntax scans with arping,
hping* or whatever if you can so I can verify that these specific
scans/searches/broadcasts successfully solicit a response from the
stealth interface.

Thanks,

James

-- 
gentoo-user@gentoo.org mailing list
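Added example, not part of the thread and not code by either poster: a small offline model in Python of the layer-2 point Hans-Werner makes above ("ethernet frames don't rely on IPs to get to their targets"). It hand-builds an Ethernet/ARP who-has frame, parses it back, and applies two rules. Delivery depends only on the destination MAC, so an interface with no IP still receives the broadcast, which is exactly what lets it sniff. An ARP reply is generated only when the target protocol address is one the host claims, so an interface at 0.0.0.0 answers nothing, which is why arping comes back empty. The reply rule, the treatment of 0.0.0.0 as "no address", and all MACs and addresses are assumptions constructed for the example; nothing is put on the wire.

```python
import struct
import ipaddress

ETHERTYPE_ARP = 0x0806
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
ARP_REQUEST = 1
ARP_REPLY = 2


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def build_arp_request(sender_mac: str, sender_ip: str, target_ip: str) -> bytes:
    """Ethernet II frame carrying an ARP who-has request (RFC 826 layout).
    Destination MAC is broadcast: every station on the segment receives it."""
    eth = mac_bytes(BROADCAST_MAC) + mac_bytes(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    # htype=1 (Ethernet), ptype=0x0800 (IPv4), hlen=6, plen=4, opcode
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REQUEST)
    arp += mac_bytes(sender_mac) + ipaddress.IPv4Address(sender_ip).packed
    arp += b"\x00" * 6 + ipaddress.IPv4Address(target_ip).packed   # target MAC unknown
    return eth + arp


def parse_frame(frame: bytes) -> dict:
    """Decode Ethernet header + ARP body; rejects anything that is not IPv4-over-Ethernet ARP."""
    if len(frame) < 14 + 28:
        raise ValueError("frame too short for Ethernet+ARP")
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_ARP:
        raise ValueError(f"not ARP: ethertype 0x{ethertype:04x}")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol types")
    body = frame[22:42]
    return {
        "eth_dst": mac_str(dst), "eth_src": mac_str(src), "op": op,
        "sender_mac": mac_str(body[0:6]),
        "sender_ip": str(ipaddress.IPv4Address(body[6:10])),
        "target_mac": mac_str(body[10:16]),
        "target_ip": str(ipaddress.IPv4Address(body[16:20])),
    }


def host_receives(info: dict, host_mac: str, promiscuous: bool = False) -> bool:
    """Layer-2 delivery rule: the NIC accepts frames addressed to it or to broadcast
    (or everything when promiscuous). No IP address is consulted at all."""
    return promiscuous or info["eth_dst"] in (BROADCAST_MAC, host_mac)


def host_answers_arp(info: dict, host_ipv4s) -> bool:
    """Model of the reply rule (assumption): a host answers a who-has only when the
    target protocol address is one of its own configured addresses. 0.0.0.0 is the
    unspecified address, so an interface 'configured' to it claims nothing."""
    if info["op"] != ARP_REQUEST:
        return False
    claimed = set(host_ipv4s) - {"0.0.0.0"}
    return info["target_ip"] in claimed


def simulate(host_mac: str, host_ipv4s, probe_target_ip: str) -> dict:
    """Constructed prober at 00:11:22:33:44:55 / 192.168.1.10 sends one who-has for
    probe_target_ip; report whether the modelled host sees it and whether it replies."""
    frame = build_arp_request("00:11:22:33:44:55", "192.168.1.10", probe_target_ip)
    info = parse_frame(frame)
    return {
        "received": host_receives(info, host_mac),
        "answered": host_answers_arp(info, host_ipv4s),
    }


if __name__ == "__main__":
    # A normally configured host answers a probe for its own address.
    print("configured host:", simulate("aa:bb:cc:dd:ee:ff", ["192.168.1.20"], "192.168.1.20"))
    # The passive interface from the thread: sees the broadcast, says nothing.
    print("0.0.0.0 host   :", simulate("aa:bb:cc:dd:ee:ff", ["0.0.0.0"], "192.168.1.20"))
```

The two booleans are the whole story of the thread's disagreement: "received" is always true for a broadcast, which is why the listener can feed snort, while "answered" is false for any target when the host claims no address. That is also the caveat for anyone relying on ARP silence as proof of stealth: this model only covers the ARP reply path; other protocols, the driver and kernel settings the thread mentions can still emit frames, which is why the hardware Tx cut is the only complete answer.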