Unhealthy Sniffing 49
Simon Doring writes "Stefan Esser did it again. Yesterday he reported 13 remote root vulnerabilities in Ethereal. Time to teach all those sniffing kiddies an unhealthy lesson. The next LAN party will be a lot of fun."
other uses than spying. (Score:5, Informative)
Just this spring I had to use Ethereal on one networking course to follow Ethernet packets: which computer was asking what from whom, how the router affected the packets, and how a hub is different from a switch (all in all quite basic stuff, but still it was quite useful for gaining insight into the different protocols in a real-world-like situation).
how about the windows port?
Re:other uses than spying. (Score:5, Informative)
Re:other uses than spying. (Score:2)
Re:other uses than spying. (Score:1)
Same here... although my idea of "significant traffic" is new pr0n sites that the comptroller hasn't told me about yet..
Re:other uses than spying. (Score:1)
I was surprised to learn that a Windows port of Ethereal was packaged and deployed to our shared apps installation environment. Surprised because we're a pretty large and conservative company, and non-computer types are quick to find the potential downsides to a tool and categorize it as evil before the good side can be seen.
Anyways, Ethereal has been very helpful for exploring a variety of problems w/the different software we fool with. This gives us
passive scanner (Score:1)
Re:passive scanner (Score:4, Interesting)
I imagine that the right way to do passive wifi scanning would require support from your driver and hardware, to ensure that you were not transmitting any packets at all.
And no, I don't know anything about Ethereal. I'll shut up now.
Re:passive scanner (Score:3, Interesting)
Yea, but a common way to configure the sensors is to have one side plugged into the "trusted" internal network and the other side as an un-addressed interface in promiscuous mode. Ideally this would prevent someone on the outside from ever hopping into your internal LAN, but even if you cut the tx leads, the recent vulne
Re:passive scanner (Score:5, Informative)
Can't do that with UTP. The link pulse travels over the same wire, so the hub or switch will deactivate the port and you won't see any traffic at all. What you can do is cut the TX pin on the AUI connector when using an external transceiver, but nobody uses those any more.
In BSD derivatives, you can up an interface without giving it an address, attach to it with bpf and set it in promiscuous mode. You'll see all the traffic on the wire, but none of it will go into the network stack and no outgoing traffic will be generated unless you do it yourself.
(I write network analysis software for a living)
Re:passive scanner (Score:5, Funny)
I write VB front ends to SQL databases for a living.
I'm going to go with you on this one.
+1 Poor Bastard (Score:2, Funny)
Re:passive scanner (Score:1)
Re:passive scanner (Score:3, Informative)
It's true that you can't just cut the tx wire, but you _can_ rig it so a hub can see it but no xmit will occur.
Search google for "sniffer +stealth". There is a site with plans to build a non-transmitting cable. It also discusses the theory of how it works. (I can't verify a link because those kinds of sites are blocked here at work.) It involves cutting _on
Re:passive scanner (Score:3, Informative)
In BSD derivatives, you can up an interface without giving it an address, attach to it with bpf and set it in promiscuous mode. You'll see all the traffic on the wire, but none of it will go into the network stack and no outgoing traffic w
Re:passive scanner (Score:1, Informative)
Take four RJ-45 jacks and straight connect all eight pins on two of them. Then take pins 1 & 2 from one jack and connect to pins 3 & 6 on one of the unused jacks. That's Tap Port 1 and will only see data running one direction on the wires. Now take the other fully-wired jack and connect pins 3 & 6 on that one to pins 3 & 6 on the remaini
Re:passive scanner (Score:1)
Ettercap (Score:4, Interesting)
Short Description:
Ettercap is a multipurpose sniffer/interceptor/logger for switched LAN.
It supports active and passive dissection of many protocols (even ciphered ones) and includes many features for network and host analysis.
Re:Ettercap (Score:1, Informative)
And what? List its buffer overflows? You aren't saying it's exploit free, are you?
A patched Ethereal will be out in a few days. I think you'd be better off with that.
Not the worst thing in the world (Score:4, Insightful)
Privilege separation (Score:1, Insightful)
Re:Privilege separation (Score:3, Interesting)
Then, as a non-root user, I pull the data into ethereal.
I do this because the network is over a thousand miles away and the machines don't even have X on them... so... I capture remotely and then look at the data on my workstation.
Re:Privilege separation (Score:1)
But it's straight up.
We do have X, and KDE even. All the good it does us...
Re:Privilege separation (Score:2)
I wonder if linkcat might be safer - it might not do as much parsing as tcpdump.
http://www.doxpara.com/read.php/docs/lc_logs.ht
Wardriving (Score:4, Interesting)
This is very unfortunate (Score:4, Insightful)
On the other hand, 13 vulnerabilities isn't too terrible and hopefully they'll get them patched up straight away. I'm sure that your average commercial packet sniffer is probably just as bad or worse, and those bugs aren't getting fixed.
Re:This is very unfortunate (Score:3, Insightful)
That isn't the case.
This is just another step in making the product even better than it already is...
Ethereal the new Sendmail (Score:2)
Really, it's amazing that software like Ethereal, intended as a security tool, wasn't written with a bit more care and attention to avoid buffer overflows and similar causes of exploits. Normally one would expect something that needs to run as root and accept arbitrary data from the network interface to be written with extra caution and paranoia.
Why don't distros use buffer overflow protection? (Score:5, Interesting)
Thanks to ProPolice on OpenBSD, these stack overflows will only lead to a crash, not a root exploit on this OS.
Gentoo has a project called "Hardened Gentoo" where the stack overflow would just crash Ethereal. It's time the bigger Linux distros implemented similar technology (which exists as PaX).
Dynamic compilation? (Score:1)
W^X protection (can't execute in areas with write permission, and vice versa)
How does this work with programs that dynamically compile things, such as a virtual machine for Sun's Java platform?
Unhealthy sniffing? (Score:1)
Did they give the maintainers a heads up? (Score:1)
Re:Did they give the maintainers a heads up? (Score:5, Informative)
So, yes, they did let them know, and the holes have already been fixed.
Re:Did they give the maintainers a heads up? (Score:3, Informative)
Disclosure Timeline
5 March 2004
Ethereal developers were contacted by email telling them about 10 (of the 13) holes. 6 holes were closed the same day: EIGRP, IGAP, ISUP and BGP.
7 March 2004
IRDA hole closed (after checking specs)
8 March 2004
PGM hole closed (after checking specs)
9 March 2004
NetFlow hole closed (after checking specs)
17 March 2004
UCP holes were discovered and mailed to vendor
19 March 2004
UCP and TCAP holes closed (after checking specs)
22 March 2004
Ethereal developers have r
Congrats to Ethereal team for quick resolution (Score:4, Insightful)
The bottom of the advisory states that they were made aware on the 5th of March, and by the 23rd of March all the holes were fixed.
Re:BUT WHERE CAN I GET IT? (Score:1)
I just use this filter: (Score:5, Funny)
Re:I just use this filter: (Score:1)
Ulrik
The up side (Score:1, Funny)