
Do packet sniffers need to load at boot time?

Background:

The company I work for is considering purchasing a security product that attempts to prevent the workstation from running a packet sniffer. (It does a lot more than that, but I have questions about this function.) For Windows, it only detects whether a sniffer is running on the workstation at boot time. Supposedly it detects "unusual interactions" with the NIC / NDIS.

Question:

Is there anything inherent in Windows that would require a sniffer to load & interact with NDIS at boot time, or could a sniffer be loaded after boot time? My concern is that this product may be specifically targeting two sniffers that just happen to load at boot time; their literature specifically mentions WinDump and dsniff.

BTW, I realize this product does not prevent the "protected" workstation from being eavesdropped on by another "unprotected" machine sniffing on the network; it only prevents the "protected" machine from becoming an eavesdropper.


Thanks in advance,
parkerea
1 Solution
 
Rich RumbleSecurity SamuraiCommented:
Most would load after booting, as they would certainly rely on the OS for its functions. Ethereal and Tcpdump are more popular than dsniff. What they are detecting is if the NIC is in promiscuous mode
http://www.microsoft.com/downloads/details.aspx?familyid=1a10d27a-4aa5-4e96-9645-aa121053e083&displaylang=en
http://www.microsoft.com/downloads/details.aspx?familyid=4df8eb90-83be-45aa-bb7d-1327d06fe6f5&displaylang=en
http://ntsecurity.nu/toolbox/promiscdetect/
http://www.securityfriday.com/promiscuous_detection_01.pdf

It's simple to write a program or script that can detect the most popular "sniffing" programs... that's a no-brainer. There are techniques to detect NICs listening in promiscuous mode using ARP responses as outlined in the PDF above, and it's also easy to detect a NIC on the local machine in promisc mode.
http://packetstormsecurity.nl/sniffers/antisniff/
-rich
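The ARP-based remote check Rich points to, as an added example that is not from this thread or from any of the linked tools. It builds an ARP request whose Ethernet destination is deliberately neither the target's own MAC nor the real broadcast address. A NIC in normal mode drops such a frame in hardware; a host whose NIC is in promiscuous mode receives every frame, passes it to the IP stack, and, because the stack's own address check is looser than the hardware filter, may answer it. A reply to a probe the target should never have seen is the tell. The probe address set (modelled on the fake-broadcast and fake-multicast addresses in the securityfriday paper), the interface name and all IP/MAC values are assumptions; the sending routine uses Linux AF_PACKET sockets and needs raw-socket privileges (on Windows one would send through WinPcap/Npcap instead), while the frame builder and the reply check are pure Python and run anywhere.

```python
"""ARP probe for promiscuous-mode detection (added example, not from the thread).

Only the Ethernet destination address is faked; the ARP payload is a normal
"who has <target_ip>?" request.  A correctly filtering NIC never delivers the
frame, so a reply can only come from a host that is accepting frames not
addressed to it.
"""
import socket
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2

# Assumed probe set: addresses a normally filtering NIC drops, but that a
# looser software filter may still treat as broadcast/multicast.
PROBE_MACS = {
    "fake-broadcast-47bit": "ff:ff:ff:ff:ff:fe",
    "fake-broadcast-16bit": "ff:ff:00:00:00:00",
    "fake-broadcast-8bit": "ff:00:00:00:00:00",
    "fake-multicast-0": "01:00:5e:00:00:00",
    "multicast-all-hosts": "01:00:5e:00:00:01",
}


def mac_bytes(mac: str) -> bytes:
    """'00:11:22:33:44:55' -> b'\\x00\\x11\\x22\\x33\\x44\\x55'."""
    return bytes.fromhex(mac.replace(":", ""))


def build_arp_probe(dst_mac: str, src_mac: str, src_ip: str, target_ip: str) -> bytes:
    """Ethernet header (with the faked destination) + a standard ARP request."""
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REQUEST)   # Ethernet/IPv4
    arp += mac_bytes(src_mac) + socket.inet_aton(src_ip)        # sender
    arp += b"\x00" * 6 + socket.inet_aton(target_ip)            # target (MAC unknown)
    return eth + arp


def parse_arp(frame: bytes):
    """Return (opcode, sender_mac, sender_ip) for an Ethernet/IPv4 ARP frame, else None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sender_mac = ":".join(f"{b:02x}" for b in frame[22:28])
    sender_ip = socket.inet_ntoa(frame[28:32])
    return op, sender_mac, sender_ip


def reply_indicates_promisc(frame: bytes, target_ip: str) -> bool:
    """True if `frame` is an ARP reply from target_ip, i.e. the target answered
    a request that its NIC should have filtered out."""
    parsed = parse_arp(frame)
    return parsed is not None and parsed[0] == ARP_REPLY and parsed[2] == target_ip


def send_probes(iface: str, src_mac: str, src_ip: str, target_ip: str, timeout: float = 1.0):
    """Linux only (AF_PACKET, needs CAP_NET_RAW).  Sends every probe and returns
    the names of the probes that drew an ARP reply from the target."""
    hits = []
    with socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(ETH_P_ARP)) as s:
        s.bind((iface, 0))
        s.settimeout(timeout)
        for name, dst in PROBE_MACS.items():
            s.send(build_arp_probe(dst, src_mac, src_ip, target_ip))
            try:
                while True:   # drain until timeout; other ARP traffic is ignored
                    if reply_indicates_promisc(s.recv(65535), target_ip):
                        hits.append(name)
                        break
            except socket.timeout:
                pass
    return hits


if __name__ == "__main__":
    # Assumed values; replace with your interface, its MAC/IP and the host to test.
    print(send_probes("eth0", "00:11:22:33:44:55", "192.0.2.10", "192.0.2.20"))
```

Which fake addresses draw a reply depends on the target's OS and driver, which is exactly what the linked paper tabulates, so send the whole set and treat any hit as worth investigating. A reply from a probe is evidence, not proof: a driver with its own sloppy hardware filter can answer without any sniffer running, so confirm with a second run and, where you have access, a local check of the interface's mode.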
parkerea (Author) commented:
Thank you richrumble -- tremendous info. Since I am wondering if it is valid to only check for the existence of a sniffer at boot time, perhaps the root question should be something like "Can a NIC be changed to promiscuous mode after boot time, or after logging onto Windows XP?"


Thanks again,
parkerea
Rich Rumble (Security Samurai) commented:
I think that they are changed exclusively after boot time. Unless there is some sort of "root-kit" that may be in place doing this before the OS has fully loaded. The default for NICs is always in normal mode in M$. I'm not sure there is a registry entry or anything that can be set to make the NIC come up automatically in promisc mode.
Even the presence of M$ Network Monitor doesn't mean it's in promisc. I think it's actually kept in the NDIS driver
http://www.cswl.com/whiteppr/white/ethernet.html

-rich
parkerea (Author) commented:
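To put a concrete face on "changed after boot", an added example that is not from this thread: a Windows sniffer written entirely in user mode with Python's standard socket module. Run as administrator, it opens a raw IPv4 socket, binds it to a local interface address and switches it to SIO_RCVALL, which Microsoft documents as delivering every IPv4 packet passing through that interface; it reads a handful of packets and switches back. No driver is loaded at boot and nothing is touched until the script runs, which is what makes a boot-time-only check incomplete. The bind address is an assumption; the header parser is plain Python and runs on any OS, while the capture function itself is Windows-only.

```python
"""Added example: a packet sniffer that is started long after boot.

On Windows an administrator can open a raw IPv4 socket, bind it to a local
interface address and switch it to SIO_RCVALL.  From that moment the socket
receives every IPv4 packet the interface sees; RCVALL_OFF undoes it.  No
boot-time driver and no registry setting is involved.
"""
import socket
import struct
import sys

PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}


def parse_ipv4_header(packet: bytes):
    """Return (src, dst, protocol_number, total_length, header_length) from a
    raw IPv4 packet, or None if it is not a plausible IPv4 header."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    header_len = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    if header_len < 20 or total_len < header_len:
        return None
    proto = packet[9]
    src = socket.inet_ntoa(packet[12:16])
    dst = socket.inet_ntoa(packet[16:20])
    return src, dst, proto, total_len, header_len


def describe(packet: bytes) -> str:
    """One-line summary of a captured packet, e.g. '192.0.2.1 -> 192.0.2.2 TCP 60B'."""
    hdr = parse_ipv4_header(packet)
    if hdr is None:
        return "non-IPv4 or truncated packet"
    src, dst, proto, total_len, _ = hdr
    return f"{src} -> {dst} {PROTOCOLS.get(proto, str(proto))} {total_len}B"


def sniff(bind_ip: str, count: int = 10):
    """Windows only; must run as administrator.

    bind_ip is the IPv4 address of the local interface to listen on (assumed
    to be supplied by the operator).  Returns the parsed headers of the first
    `count` IPv4 packets seen, then restores the normal receive mode."""
    s = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_IP)
    s.bind((bind_ip, 0))
    s.setsockopt(socket.IPPROTO_IP, socket.IP_HDRINCL, 1)
    # This single call, made from user mode at any time after boot, is what
    # turns the interface into an eavesdropper.
    s.ioctl(socket.SIO_RCVALL, socket.RCVALL_ON)
    seen = []
    try:
        while len(seen) < count:
            data = s.recvfrom(65535)[0]
            hdr = parse_ipv4_header(data)
            if hdr is not None:
                seen.append(hdr)
                print(describe(data))
    finally:
        s.ioctl(socket.SIO_RCVALL, socket.RCVALL_OFF)   # back to normal mode
        s.close()
    return seen


if __name__ == "__main__":
    # Assumed default address; pass the real interface address as argv[1].
    sniff(sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10")
```

The practical consequence for the product under evaluation: a check that runs once at boot would see this machine in normal mode and never look again, while the switch to "receive all" happens minutes or days later from an ordinary (if privileged) user-mode process. A detection that is worth anything has to poll the interface's mode, or hook the transition, after boot.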
Thank you. Although my assignment is to evaluate whether this security product will interfere with our department's home-grown apps, I feel I should also put some effort into evaluating its effectiveness -- the project manager is not that technical, and IMHO has a rather odd view of security (long ago I realized she installed Timbuktu without disabling the default password, and when I pointed it out, rather than thanking me, she screamed to the dept manager that I was "hacking into their network.")


- parkerea