09 March 2007

Stealthy Sniffing

Will I get caught if I try to sniff packets at my local coffee shop/library/school/office? - About 50 people

YES! At least, if you have to ask, I'm sure you will. If you are sniffing packets, probing ports, or otherwise doing something nefarious, no amount of black clothing will help you when your laptop advertises its music library over the local network and “Johnnie Smith's Library” shows up in everyone else's iTunes window. And that is probably the least of your worries if you are conspicuously huddled in a back corner pointing a cantenna at everyone with a laptop.

Before we get into this, it's important to note why you should care. The legality of passive packet sniffing is arguable. That said, it's fairly easy to bring someone down for it: people have been charged with computer trespass simply for browsing the web over someone else's wireless connection. Even if you are never convicted, do you have the money to fight a legal battle, especially after the FBI confiscates your laptop as evidence? I didn't think so. If you are doing anything even remotely shady, keep your footprint in the logs as small as possible. And yes, many low-end consumer routers keep logs too; the DHCP lease table, with your hostname and MAC address in it, is the obvious one.

From the network's point of view, it's the little things that give you away. You will hardly ever see promiscuous-mode detection deployed, but when an administrator sees a machine that shouldn't be there screaming packets over the wire, it's a pretty big hint. Most operating systems periodically poll vendor servers for updates. Those checks are sizeable transactions to a well-known destination, so they are easy to spot on the wire, and the User-Agent alone fingerprints your OS and version. You may think to reconfigure or simply not run programs like iTunes (but all 1337 hackers listen to techno MP3s while sniffing!), but you would be surprised how much software phones home for updates when you aren't looking.

Worse still are the chatty components of the operating environment itself. Common culprits include DHCP clients (which broadcast your hostname and client identifier every time they ask for a lease), zero-configuration protocols such as mDNS/Bonjour, NetBIOS name service and SSDP/UPnP discovery, network browsers and share discovery, and the ARP requests that all of the above trigger. Turn off or reconfigure as many of these services as you can before you go sniffing. Depending on your operating system, you can define a separate network “location” or profile with these services disabled and switch to it in one step. Remember too that a wireless card in monitor mode transmits nothing; the moment you associate with the access point, your machine starts asking for a lease and answering ARP.

When you think you have everything configured, flip on your packet sniffer and watch your own traffic. See what is leaking. No packet should be beyond scrutiny: account for every one, and treat anything you cannot explain as a leak. At least one popular file-sharing client uses DNS requests to check for version updates. It's an efficient use of the architecture of the Internet, but it means a leak check cannot stop at “just DNS, nothing to see here”: look at the names being queried, not only at the protocol.
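To make the leak check above concrete, here is an added example (my code, not from the original post or from any tool it mentions) that reads tcpdump -nn style text and buckets each packet into the chatty services named in the previous paragraph, pulls the queried name out of every DNS and mDNS packet, and dumps anything it cannot account for into a review list. The sample capture is constructed, using documentation address ranges; the port-to-service table and the version-check hostname are assumptions for illustration, not claims about any particular client.

```python
import re
from collections import Counter

# Constructed sample, not a real capture: the shape of `tcpdump -nn` output
# from a freshly associated laptop. Addresses are from the RFC 5737
# documentation ranges; version.example.net is a made-up update-check name.
SAMPLE_CAPTURE = """\
12:00:01.000001 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:11:22:33:44:55, length 300
12:00:01.100000 IP 192.0.2.20.5353 > 224.0.0.251.5353: 0 PTR (QM)? _daap._tcp.local. (35)
12:00:01.200000 ARP, Request who-has 192.0.2.1 tell 192.0.2.20, length 28
12:00:01.300000 IP 192.0.2.20.49152 > 192.0.2.1.53: 1234+ A? version.example.net. (37)
12:00:01.400000 IP 192.0.2.20.49153 > 203.0.113.5.443: Flags [S], seq 1, win 65535, length 0
12:00:01.500000 IP 192.0.2.20.137 > 192.0.2.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
12:00:01.600000 IP 192.0.2.20.49154 > 239.255.255.250.1900: UDP, length 133
12:00:01.700000 IP 192.0.2.20.49155 > 224.0.0.252.5355: UDP, length 22
"""

# Well-known ports of services that announce your presence on a LAN.
# Assumed mapping for this example; extend it for your own environment.
NOISY_UDP = {
    67: "DHCP (broadcasts hostname / client-id)",
    68: "DHCP",
    5353: "mDNS/Bonjour (advertises shares such as iTunes _daap._tcp)",
    5355: "LLMNR name resolution",
    137: "NetBIOS name service",
    138: "NetBIOS datagram",
    1900: "SSDP/UPnP discovery",
}

IP_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<rest>.*)$"
)
ARP_RE = re.compile(r"^(?P<ts>\S+) ARP, (?P<rest>.*)$")
# "A? name." for unicast DNS, "PTR (QM)? name." for mDNS.
DNS_Q_RE = re.compile(r"\b(?P<qtype>[A-Z]+)(?: \(Q[MU]\))?\? (?P<name>\S+)")


def classify(line):
    """Return (category, detail) for one tcpdump -nn line.

    Anything not recognised as a known chatty service comes back as
    'unclassified' so the reader is forced to look at it: the point of the
    exercise is that no packet is beyond scrutiny.
    """
    m = ARP_RE.match(line)
    if m:
        return "arp", m.group("rest")
    m = IP_RE.match(line)
    if not m:
        return "unparsed", line
    sport, dport = int(m.group("sport")), int(m.group("dport"))
    rest = m.group("rest")
    # Name lookups are reported by the name queried, not just the protocol,
    # because update checks can ride on DNS.
    if 53 in (sport, dport) or 5353 in (sport, dport):
        q = DNS_Q_RE.search(rest)
        name = q.group("name") if q else "?"
        return ("mdns" if 5353 in (sport, dport) else "dns"), name
    for port in (dport, sport):
        if port in NOISY_UDP:
            return "noisy-service", NOISY_UDP[port]
    dst = m.group("dst")
    if dst.startswith(("224.", "239.")) or dst.endswith(".255"):
        return "broadcast/multicast", f"{dst}:{dport}"
    return "unclassified", f"{m.group('src')}:{sport} -> {dst}:{dport} {rest}"


def leak_report(capture_text):
    """Summarise a capture: per-category counts, every name looked up,
    and the lines that still need a human to explain them."""
    report = {"counts": Counter(), "dns_names": [], "review": []}
    for line in capture_text.splitlines():
        if not line.strip():
            continue
        cat, detail = classify(line)
        report["counts"][cat] += 1
        if cat in ("dns", "mdns"):
            report["dns_names"].append(detail)
        if cat == "unclassified":
            report["review"].append(detail)
    return report


if __name__ == "__main__":
    rep = leak_report(SAMPLE_CAPTURE)
    for cat, n in sorted(rep["counts"].items()):
        print(f"{n:3d}  {cat}")
    print("names queried:", ", ".join(rep["dns_names"]))
    print("explain these before you go out:")
    for item in rep["review"]:
        print("  ", item)
```

Run it against `tcpdump -nn -i <iface> -l` piped through a file for a few minutes with your sniffing profile active and every application you intend to use open. The classifier is deliberately unforgiving: the two empty categories you want to see are "noisy-service" and "review".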

When you are set to go out into the world and do your deeds, remember the ninja. While ninja did wear all black when jumping from rooftop to rooftop at night, I doubt that is what you will be doing. Good ninja hid in plain sight, indistinguishable from everyone else. Near a university, ratty jeans and a t-shirt are acceptable. In a ritzy neighborhood, wear khakis and a sweater. If you look like a computer geek and there is no LUG meeting in sight, you will be suspect.
