
I have read that we can detect whether a system is running in promiscuous mode by sending out an ARP request with a fake broadcast address, e.g. FF:FF:FF:FF:FF:FE. This will be blocked by all NICs operating in normal mode but will be allowed by a NIC operating in promiscuous mode, and thus it will respond to the message. But I am a bit confused:

1. Won't the system in promiscuous mode respond to the ARP request only if its IP matches the IP in the target (destination) field of the ARP request packet?

2. If we were to go by the above logic then all the systems will respond to an ARP (broadcast) request packet, since it would pass through the hardware filter (NIC).

3. Suppose only that system in promiscuous mode responds to the fake broadcast ARP packet which has the same IP as that in the ARP (request) packet destination field; then how do we find all systems (on that subnet) operating in promiscuous mode, without targeting a particular IP?

Thanks

faraz khan
    possible duplicate of [How to find out that a NIC is in promiscuous mode on a LAN?](http://security.stackexchange.com/questions/3630/how-to-find-out-that-a-nic-is-in-promiscuous-mode-on-a-lan) – KDEx Jun 10 '15 at 03:29
    I don't think the question is a duplicate, since ARP tests are briefly mentioned on the other page but Faraz here is asking specifically about how/why the ARP test approach works. Faraz, I've modified the question title to better explain the difference. – Steve Dodier-Lazaro Jun 10 '15 at 12:36
  • If I wanted to sniff and furthermore wanted not to get caught, I'd modify the ethernet driver to simply turn off any transmission to the net while in promiscuous mode. That turns off name resolution (and other things for other processes), but resolution can be done later. – ott-- Jun 10 '15 at 13:46

1 Answer


It is at first a little counterintuitive, as the Ethernet address is a 'fake' broadcast address, but the test itself is not a broadcast test. It is targeted at only the destination IP address. You would need to target each individual IP on your subnet, i.e. do a scan.

However, note that it is relatively easy to not be detectable, by using a LAN tap. It effectively connects the sniffer in parallel to another device but has the transmit wire disconnected (i.e. it is not possible for the monitoring device to respond to anything).

For further reading: http://www.securityfriday.com/promiscuous_detection_01.pdf

pflodin
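To make the answer concrete, here is an added example (not from the question, the answer or the linked paper) that builds the fake-broadcast ARP probe as raw Ethernet/ARP bytes and runs it against simulated hosts. The hosts, MACs and the 10.0.0.0/29 subnet are constructed for the demo; the hardware filter and the ARP target-IP check model what a real NIC and IP stack do, which is why only a promiscuous host answers, and only for its own IP, so the probe has to be sent once per address.

```python
import struct
from ipaddress import IPv4Network

BROADCAST = bytes.fromhex("ffffffffffff")       # real broadcast, every NIC accepts it
FAKE_BROADCAST = bytes.fromhex("fffffffffffe")  # the probe's deliberately wrong broadcast

def ipv4(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))

def build_arp_request(src_mac: bytes, src_ip: str, target_ip: str, dst_mac: bytes) -> bytes:
    """Ethernet II frame carrying an ARP request (42 bytes, no padding)."""
    eth = dst_mac + src_mac + b"\x08\x06"            # EtherType 0x0806 = ARP
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)  # htype Ethernet, ptype IPv4, hlen, plen, opcode 1
    arp += src_mac + ipv4(src_ip) + b"\x00" * 6 + ipv4(target_ip)
    return eth + arp

class Host:
    """Simulated host: the NIC's hardware filter in front of the ARP stack."""
    def __init__(self, mac: str, ip: str, promiscuous: bool = False):
        self.mac, self.ip, self.promiscuous = bytes.fromhex(mac), ipv4(ip), promiscuous

    def hardware_filter(self, frame: bytes) -> bool:
        # A normal NIC only passes frames for its own MAC or the true broadcast;
        # a promiscuous NIC passes everything, including the fake broadcast.
        dst = frame[:6]
        return self.promiscuous or dst == self.mac or dst == BROADCAST

    def receive(self, frame: bytes) -> bool:
        """True if this host's ARP stack would send an ARP reply to the frame."""
        if not self.hardware_filter(frame) or frame[12:14] != b"\x08\x06":
            return False
        opcode = struct.unpack("!H", frame[20:22])[0]
        target_ip = frame[38:42]                      # ARP target protocol address
        return opcode == 1 and target_ip == self.ip   # reply only if it is asking for my IP

def scan(hosts, subnet: str, prober_mac: bytes, prober_ip: str):
    """Send the fake-broadcast probe to every IP in the subnet; collect (ip, mac) of responders."""
    responders = []
    for ip in IPv4Network(subnet).hosts():
        frame = build_arp_request(prober_mac, prober_ip, str(ip), FAKE_BROADCAST)
        for host in hosts:
            if host.receive(frame):
                responders.append((str(ip), host.mac.hex(":")))
    return responders

# Constructed LAN: one sniffer in promiscuous mode among normal hosts.
LAN = [Host("000000000002", "10.0.0.2"), Host("000000000003", "10.0.0.3", promiscuous=True),
       Host("000000000004", "10.0.0.4")]
PROBER_MAC, PROBER_IP = bytes.fromhex("000000000001"), "10.0.0.1"
```

On a live segment the same frame is what a tool sends for every address of the subnet and the replies identify the promiscuous hosts; here the hosts are simulated so the logic runs offline.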