Let’s start our discussion with working of a NIC (Network
Interface Card) or LAN Card, All NIC’s are supposed to have a 6-byte hardware
address which is well known as MAC address of the NIC. The manufacturer of NIC
assigns this MAC address such that each address is unique in the whole world
(as we all know 3-bytes from IEEE and 3-bytes from manufacturer) and NIC’s are
supposed to accept and process packets based on these MAC address, for the
processing of packets all NIC’s are going to use two filters 1.) Hardware
Filters & 2.) Software Filters which are defined bellow
1.)
Hardware Filters – such filters can be setup and
controlled by NIC and it’s Driver to receive
different kind of packets, we have following filters in this list
a.)
Unicast- Receives all packets who have
destination MAC as hardware address of NIC.
b.)
Broadcast- Receives all packets who have
destination MAC as FF:FF:FF:FF:FF:FF
c.)
Multicast- Receives all packets who have
destination a multicast group address which is already registered in multicast
list can be received by the NIC
d.)
All Multicast- Receives all packets who have
destination a multicast address (all MAC who have group bit set to 1)
e.)
Promiscuous- Receives all packets or ignore destination
address
2.)
Software Filters – Software filters are used by
OS and it’s kernel to accept or reject packet such filters are depending on OS
and used to categorized packet as per their Destination Address packet types
are different in different OS but commonly we have following types
a.)
Broadcast Packets – Destination to FF:FF:FF:FF:FF:FF
b.)
Multicast Packets – Destination to any MAC having
group bit set to 1 except Broadcast
c.)
To Self Packets – Destination to Hardware
Address of NIC
d.)
To Other Packets – Destination to MAC other than
hardware address of NIC
Whenever a packet comes to NIC checked for hardware filter
first if it’s acceptable then forwarded to software filter and categorised according to it, if it’s in acceptable category
then it can be send to upper layers for processing and response if any can be
sent to source.
Difference between Normal Mode & Promiscuous Mode
working of NIC :- In normal working mode
packet has to processed by both filters but in promiscuous mode it accept all packet in
hardware filter and apply software filter only. Sniffers or Intrusion Detection
System (IDS) kind of software enable promiscuous mode on NIC so if you want to
detect sniffer in your network you need to detect NIC working in Promiscuous
mode.
Now we come to actual discussion that how to detect NIC
working in Promiscuous mode?
As per the above
discussion it’s quite clear that if we want to check that NIC is working in
promiscuous mode we need to send such crafted packet to NIC which is
supposed to be rejected by Hardware filter but accepted by Software filter and
if we are getting response for such packet then it shows that this NIC is
working in Promiscuous mode.
Following test method can be used
to detect NIC working in promiscuous mode.
1.)
ICMP Test – we can send an ICMP request packet destination
to bogus MAC address but correct IP of the NIC and if we are getting reply from
NIC it’s working in Promiscuous mode.
As all broadcast and multicast packets are accepted by
software filter but commonly OS kernel doesn’t check all 48 bit to decide
broadcast or multicast address. So based on this we can use any of the following following address
or similar one as bogus MAC address
FF:FF:FF:FF:FF:FE – Fake broadcast address 47 bit
FF:FF:0:0:0:0 – Fake broadcast address 16 bit
FF:0:0:0:0:0 – Fake broadcast address 8 bit
01:0:0:0:0:0 – Group bit set to 1 Mac address
01:00:5E:00:00:00 – Multicast 0 address
2.)
ARP Test – we use the same technique as ICMP
test but use ARP request instead of ICMP request
3.)
DNS Test – Inject crafted packet with
non-existing IP as a source and destination and then start capturing network
traffic, because some of the sniffers have option to resolve IP in to host name
by reverse query if it’s configured in network. nodes which are sniffing
traffic will start sending reverse query for non-existing IPs and can be easily
detected in your capture.
4.)
Latency Test – Flood your network with specially
crafted packets which can be only captured by NIC working in promiscuous mode and
then try to check responsiveness of that target NIC.
None of these techniques are guaranteed
method to detect NIC working in promiscuous mode but by using multiple and different
kind of test we can increase reliability of our test result.
I hope it will help you detect sniffers or promiscuous mode NIC's in your network :-)
good one, and answer my question
ReplyDeleteThanks :-)
ReplyDeleteInformative
ReplyDeleteThanks
ReplyDelete