Tuesday 6 August 2013

How to detect NIC working in Promiscuous mode?

Let’s start our discussion with how a NIC (Network Interface Card) or LAN card works. Every NIC is supposed to have a 6-byte hardware address, well known as the MAC address of the NIC. The manufacturer assigns this MAC address so that each address is unique in the whole world (as we all know, 3 bytes come from the IEEE and 3 bytes from the manufacturer), and NICs are supposed to accept and process packets based on this MAC address. For the processing of packets, all NICs use two kinds of filters, 1.) hardware filters and 2.) software filters, which are defined below:
1.)    Hardware Filters – such filters are set up and controlled by the NIC and its driver to receive different kinds of packets. We have the following filters in this list:
a.)    Unicast – receives all packets whose destination MAC is the hardware address of the NIC.
b.)    Broadcast – receives all packets whose destination MAC is FF:FF:FF:FF:FF:FF.
c.)    Multicast – receives all packets whose destination is a multicast group address already registered in the NIC’s multicast list.
d.)    All Multicast – receives all packets whose destination is any multicast address (any MAC with the group bit set to 1).
e.)    Promiscuous – receives all packets, ignoring the destination address.

2.)    Software Filters – software filters are used by the OS kernel to accept or reject packets. Such filters depend on the OS and are used to categorise packets by their destination address. Packet types differ between OSes, but commonly we have the following types:
a.)    Broadcast Packets – destination FF:FF:FF:FF:FF:FF
b.)    Multicast Packets – destination any MAC having the group bit set to 1, except broadcast
c.)    To Self Packets – destination the hardware address of the NIC
d.)    To Other Packets – destination a MAC other than the hardware address of the NIC
Whenever a packet arrives at the NIC it is checked against the hardware filter first; if it is acceptable it is forwarded to the software filter and categorised accordingly. If it falls in an acceptable category it is sent to the upper layers for processing, and a response, if any, is sent back to the source.

Difference between Normal Mode & Promiscuous Mode working of a NIC :-  In normal working mode a packet has to pass both filters, but in promiscuous mode the hardware filter accepts all packets and only the software filter applies. Sniffers and Intrusion Detection System (IDS) kinds of software enable promiscuous mode on the NIC, so if you want to detect a sniffer in your network you need to detect NICs working in promiscuous mode.

Now we come to the actual discussion: how to detect a NIC working in promiscuous mode?
From the above discussion it’s quite clear that if we want to check whether a NIC is working in promiscuous mode, we need to send it a crafted packet which is supposed to be rejected by the hardware filter but accepted by the software filter. If we get a response to such a packet, it shows that this NIC is working in promiscuous mode.

The following test methods can be used to detect a NIC working in promiscuous mode.
1.)    ICMP Test – we can send an ICMP echo request packet to a bogus destination MAC address but with the correct IP of the NIC; if we get a reply from the NIC, it’s working in promiscuous mode.

All broadcast and multicast packets are accepted by the software filter, but commonly the OS kernel doesn’t check all 48 bits to decide whether an address is broadcast or multicast. Based on this we can use any of the following addresses, or similar ones, as the bogus MAC address:
FF:FF:FF:FF:FF:FE – Fake broadcast address (47 bits)
FF:FF:0:0:0:0 – Fake broadcast address (16 bits)
FF:0:0:0:0:0 – Fake broadcast address (8 bits)
01:0:0:0:0:0 – MAC address with the group bit set to 1
01:00:5E:00:00:00 – Multicast 0 address
2.)    ARP Test – we use the same technique as the ICMP test but send an ARP request instead of an ICMP request.
3.)    DNS Test – inject crafted packets with non-existent IPs as source and destination and then start capturing network traffic. Some sniffers have an option to resolve IPs to host names by reverse query if it is configured in the network, so nodes which are sniffing traffic will start sending reverse queries for the non-existent IPs and can be easily detected in your capture.
4.)    Latency Test – flood your network with specially crafted packets which can only be captured by a NIC working in promiscuous mode and then check the responsiveness of the target NIC.
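To make the two-filter argument behind the ICMP and ARP tests concrete, here is an added example (my own illustrative model, not code from the original post) that simulates a simplified hardware filter and software filter and shows why the bogus MAC addresses listed above get no reply from a NIC in normal mode but do get one from a NIC in promiscuous mode. The broadcast_check_bits knob, the empty multicast list and the NIC address 00:11:22:33:44:55 are assumptions for the simulation; real drivers and kernels differ in detail.

```python
# Simplified model of the two-stage filtering described above (constructed for
# illustration; not a real driver or kernel implementation).
BROADCAST = bytes([0xFF] * 6)

def parse_mac(text):
    """Parse 'FF:FF:0:0:0:0' style notation (short octets allowed) into 6 bytes."""
    octets = [int(part, 16) for part in text.split(":")]
    if len(octets) != 6 or any(not 0 <= o <= 0xFF for o in octets):
        raise ValueError("bad MAC address: %s" % text)
    return bytes(octets)

def is_group(mac):
    """Group bit = least-significant bit of the first octet (set for multicast and broadcast)."""
    return bool(mac[0] & 0x01)

def hardware_filter_accepts(dst, own_mac, multicast_list, promiscuous):
    """Stage 1: the NIC hardware filter (unicast / broadcast / registered multicast / promiscuous)."""
    if promiscuous:
        return True                      # promiscuous: destination address is ignored
    if dst == own_mac or dst == BROADCAST:
        return True                      # unicast to self, or the exact 48-bit broadcast
    return is_group(dst) and dst in multicast_list   # only registered multicast groups

def software_category(dst, own_mac, broadcast_check_bits=48):
    """Stage 2: the OS software filter. broadcast_check_bits models a kernel that only
    compares the leading N bits against FF:FF:FF:FF:FF:FF (48 = strict check)."""
    if not 1 <= broadcast_check_bits <= 48:
        raise ValueError("broadcast_check_bits must be 1..48")
    mask = ((1 << broadcast_check_bits) - 1) << (48 - broadcast_check_bits)
    if (int.from_bytes(dst, "big") & mask) == mask:
        return "broadcast"
    if is_group(dst):
        return "multicast"
    if dst == own_mac:
        return "to_self"
    return "to_other"                    # the only category the software filter drops

def reaches_ip_stack(dst, own_mac, multicast_list=(), promiscuous=False, broadcast_check_bits=48):
    """A probe can only be answered if it passes both stages."""
    if not hardware_filter_accepts(dst, own_mac, multicast_list, promiscuous):
        return False
    return software_category(dst, own_mac, broadcast_check_bits) != "to_other"

def probe_outcome(bogus_mac, own_mac, broadcast_check_bits=48):
    """Return (reply in normal mode, reply in promiscuous mode) for an ICMP/ARP probe
    sent to the NIC's correct IP but with the given bogus destination MAC."""
    dst, own = parse_mac(bogus_mac), parse_mac(own_mac)
    return (reaches_ip_stack(dst, own, promiscuous=False, broadcast_check_bits=broadcast_check_bits),
            reaches_ip_stack(dst, own, promiscuous=True, broadcast_check_bits=broadcast_check_bits))

if __name__ == "__main__":
    for bogus in ("FF:FF:FF:FF:FF:FE", "FF:FF:0:0:0:0", "FF:0:0:0:0:0", "01:0:0:0:0:0", "01:00:5E:00:00:00"):
        print(bogus, probe_outcome(bogus, "00:11:22:33:44:55"))   # each prints (False, True)
```

A probe to an ordinary wrong unicast MAC (group bit clear) is dropped by the software filter in both modes, which is why the bogus address must look like broadcast or multicast for the test to tell the two modes apart.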

None of these techniques is a guaranteed method to detect a NIC working in promiscuous mode, but by using multiple different kinds of tests we can increase the reliability of our test results.

I hope it will help you detect sniffers or promiscuous-mode NICs in your network :-)