3

As an attacker, how do I prevent people from finding out that my NIC is in promiscuous mode? For tests like ARP and DNS, how do I defeat the user's detection mechanism?

faraz khan
  • For DNS this is quite trivial since all security tools usually offer an option to disable DNS name resolution, so they will just show the IP and no DNS name (or you may also use a non-default DNS server if you just need to hide from the default DNS server). ARP checks relying on the underlying OS behavior might be trickier... – WhiteWinterWolf Jun 03 '15 at 12:36
  • 1
    @ρss mentioned this answer: http://security.stackexchange.com/a/3631/18379 It partially answers this question. – domen Jun 03 '15 at 13:16

2 Answers

3
  1. There is a possibility that promiscuous mode can be detected by another device on the network!
  2. You can/must configure your sniffer tool/software so that it doesn't allow others to detect whether you are in promiscuous mode. For that you have to configure your sniffer tool so that your machine doesn't reply to the packets/requests that are usually used to detect promiscuous mode. Here you can read how promiscuous mode can be detected. However, the feature of not responding to the requests (specially crafted packets to determine promiscuous mode) depends on whether it is available in your sniffer tool.
ρss
1

Promiscuous mode is a passive state, so it cannot be detected by the network on its own. Of course, once you start doing your "hacking" actively, the network may detect you, but that wouldn't be detection of promiscuous mode but rather of a rogue node.

Why? In passive mode the NIC just doesn't drop the packets that would come to it anyway. The dropping is silent so in any case there is no feedback to the network.

cptMikky
  • 1
    When the interface is in promiscuous mode, the packets which should normally be filtered by the hardware NIC are now filtered by the OS software network stack. It happens that the hardware and the software filtering may differ, making it possible to detect remotely whether a network card is in promiscuous mode or not. See [Detection of Promiscuous Nodes using ARP Packets](http://www.securityfriday.com/promiscuous_detection_01.pdf) for further reference. – WhiteWinterWolf Jun 03 '15 at 12:27
  • Interesting reading, albeit a bit outdated. Since the method basically says there is a bug in the kernel, it would be worth checking if Mallory's kernel indeed responds to these decoy packets. I'm gonna try this sometime, looks quite interesting. – cptMikky Jun 03 '15 at 15:33
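
The hardware/software filter mismatch described in the comments above, as an added simulation from the detecting side (not code from the thread or the linked paper; it sends no packets). The decoy address and the "loose" group-bit check in the OS stack are assumptions made for illustration.

```python
BROADCAST = bytes.fromhex("ffffffffffff")
# Constructed decoy destination: group bit set, but not the real broadcast address.
DECOY = bytes.fromhex("fffffffffffe")


def parse_mac(text):
    """Turn 'aa:bb:cc:dd:ee:ff' into 6 raw bytes."""
    raw = bytes.fromhex(text.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError(f"not a 6-byte MAC address: {text!r}")
    return raw


def hw_filter_accepts(dst, own, promiscuous, mcast_groups=frozenset()):
    """NIC hardware filter: exact matches only, unless promiscuous mode bypasses it."""
    if promiscuous:
        return True
    return dst == own or dst == BROADCAST or dst in mcast_groups


def sw_filter_accepts(dst, own, loose=True):
    """OS stack filter. ASSUMPTION: a 'loose' stack only tests the group bit
    (lowest bit of the first octet) instead of comparing the whole address."""
    if dst == own or dst == BROADCAST:
        return True
    return loose and bool(dst[0] & 0x01)


def answers_arp(dst, own, promiscuous, loose_sw_filter=True):
    """A host answers an ARP request only if both filters pass the frame."""
    return (hw_filter_accepts(dst, own, promiscuous)
            and sw_filter_accepts(dst, own, loose_sw_filter))


def classify_host(own, promiscuous, loose_sw_filter=True):
    """Defender's verdict: a reply to the decoy means the hardware filter is off."""
    if answers_arp(DECOY, own, promiscuous, loose_sw_filter):
        return "promiscuous"
    return "no evidence"


if __name__ == "__main__":
    host = parse_mac("02:00:00:00:00:01")  # constructed sample address
    for promisc, loose in [(False, True), (True, True), (True, False)]:
        print(promisc, loose, classify_host(host, promisc, loose))
```

The third case shows the limit raised in the last comment: if the stack's own filter is strict, the decoy gets no reply and the probe yields no evidence either way.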