Nomad Mobile Research Centre

L0pht AntiSniff Product Review



              Product: L0pht AntiSniff
              Version: Beta 2
               Vendor: L0pht Heavy Industries (http://www.l0pht.com)
       Vendor Contact: antisniff@l0pht.com
                       http://www.l0pht.com/antisniff/
Platform(s) Supported: Microsoft Windows 95, 98, NT
  License/Source Code: No Windows source code available. Beta is freeware
                       that expires in September. Unix version (not reviewed) is
                       freeware for research and includes source code.
              Pricing: Win 9x/NT $350.00 per copy, 10-pack license is
                       $2800.00. Site licensing available.

     Test Platform(s): IBM Thinkpad 600 64MB RAM Windows NT 4.0 SP3
                       Dual Pentium 64MB RAM Windows NT 4.0 SP4

Background

AntiSniff is a network card promiscuous mode detector. It works by sending a series of carefully crafted packets in a certain order to a target machine, sniffing the results, and performing timing tests against the target. By measuring timing results and monitoring the target's responses on the network, it can be determined whether the target is in promiscuous mode, i.e. sniffing the network.

One weapon in a network intruder's arsenal is sniffing -- placing a network card in promiscuous mode for the purpose of gathering account names and passwords. The intent of the sniffing intruder is to further the penetration into the invaded network, and potentially gain access to other networks. Detecting a network card in promiscuous mode is a good way to determine if your computer network has been compromised, but until recently you had to have direct access to the computer system with the network card. Even then it is possible that the intruder might have replaced some of the tools an administrator might use with trojan versions that mask easy detection of the sniffing.

Until recently it was thought that remote promiscuous mode detection was impossible. Several people created theories, and the Apostols (http://www.apostols.org/) released NePED, a tool that uses forged arp packets to determine network card promiscuity. But in AntiSniff, the L0pht have created a product that pulls together all known techniques and theories and packaged it up into a nice, neat GUI that is quite accurate.
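The forged-ARP check mentioned above, written out as an added example (this is not AntiSniff's or NePED's code). It assumes the "fake broadcast" destination ff:ff:ff:ff:ff:fe, constructed addresses, and no network I/O: the frame builder and reply parser are shown, while the raw-socket send/capture and the timing tests the review describes are left out.

```python
import struct

ETH_P_ARP = 0x0806
# Premise of the technique: a NIC that filters on hardware address drops a
# frame sent to this non-broadcast destination, but a host in promiscuous
# mode passes it up the stack and may answer the ARP request inside it.
# ASSUMPTION: the ff:ff:ff:ff:ff:fe variant; other probe variants exist.
FAKE_BCAST = bytes.fromhex("fffffffffffe")


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def ip_bytes(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))


def build_probe(sender_mac: str, sender_ip: str, target_ip: str) -> bytes:
    """Ethernet frame with an ARP who-has for target_ip, addressed at the
    Ethernet layer to FAKE_BCAST rather than to ff:ff:ff:ff:ff:ff."""
    eth = FAKE_BCAST + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)  # Ethernet, IPv4, request
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)
    arp += b"\x00" * 6 + ip_bytes(target_ip)  # target MAC unknown
    return eth + arp


def parse_arp(frame: bytes):
    """Return (opcode, sender_mac, sender_ip, target_ip), or None if not ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    smac = frame[22:28].hex(":")
    sip = ".".join(str(b) for b in frame[28:32])
    tip = ".".join(str(b) for b in frame[38:42])
    return op, smac, sip, tip


def replied_to_probe(frame: bytes, target_ip: str, sender_ip: str) -> bool:
    """True if frame is an ARP reply from the probed host back to the prober."""
    parsed = parse_arp(frame)
    if parsed is None:
        return False
    op, _smac, sip, tip = parsed
    return op == 2 and sip == target_ip and tip == sender_ip


# Constructed sample reply (not a real capture): 10.0.0.9 answering the probe.
SAMPLE_REPLY = (
    mac_bytes("00:11:22:33:44:55") + mac_bytes("aa:bb:cc:dd:ee:ff")
    + struct.pack("!H", ETH_P_ARP) + struct.pack("!HHBBH", 1, 0x0800, 6, 4, 2)
    + mac_bytes("aa:bb:cc:dd:ee:ff") + ip_bytes("10.0.0.9")
    + mac_bytes("00:11:22:33:44:55") + ip_bytes("10.0.0.1")
)
```

A reply to such a probe is one indicator, not proof; as the review stresses, compare it against a baseline scan of the same host taken when no sniffer is running.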

Advantages/Disadvantages

We of course tested the product to ensure that it performed as stated, which it did without flaw. We will not discuss basic product functionality, as NMRC is mainly concerned with the security ramifications of using the product. Here is a list of the main advantages to using AntiSniff:

Here are the main disadvantages to using AntiSniff:

Technical Details

We installed AntiSniff on a fairly stock NT 4.0 workstation with Service Pack 3 loaded. Taking the defaults, you end up with "C:\Program Files\L0pht AntiSniff" being the location of all of the files. The Registry settings, all located by default at HKEY_CURRENT_USER\L0pht\AntiSniff contain the value of the Recent File List and Settings.

The AntiSniff.EXE file is 733,184 bytes in size. When loaded into memory it takes up 753,664 bytes of memory, and hooks into the following DLLs:

Usage of the above DLLs is typical of a Microsoft Visual C++ program. Memory usage was stable with no memory leaks. Initial loads of the program revealed a modest 1.7MB of memory used. Memory usage varied in subsequent runs by as much as 1MB; however, the increases and decreases were proportionate.

During our testing we examined several Ethernet segments at a large Fortune 500 company. All promiscuous devices that were supposed to be running were detected. It should be noted that you should take a "baseline" scan of the network with no suspected sniffers running and follow this up with a scan for sniffers. To determine if a device is in fact sniffing, you need to compare a device's normal behavior with promiscuous mode behavior. For example, scanning of an IDS system or NAI's Sniffer Pro while the device is "idle" will establish a baseline, while subsequent scans will detect the sniffing in action.

People in switched environments can also use AntiSniff. You might ask yourself why someone would want to check that, but it is possible that an intruder who compromises a machine may not have any idea that the compromised machine is in a switched environment. Most hubs have the capability to set up either a backplane or a special port that gets "all the traffic", and AntiSniff will work there as well. Granted, this isn't as easy as it seems, but if your networking people can set up SnifferPro on a switched hub to sniff all traffic, then they can probably set up AntiSniff in this environment as well. YMMV.

The frequency of AntiSniff's scans is up to you, but should be determined based upon the particular segments you are watching. R&D servers or the DMZ might be good candidates for a scan every 15 minutes, while segments with lower risk resources might be checked only once a day.

The only thing that we were disappointed with was the lack of SNMP reporting as a notification method. To fully automate the product we recommend using email notification to a secure box, and have that secure box generate the appropriate SNMP notifications based upon the mail message received.

Conclusion

This is not a simple product. Knowledge of networking is required to get the maximum value out of the product. It is important to get a good baseline before using the product to detect promiscuous networking devices. This is similar to products such as Tripwire -- if you establish a baseline of your binary files and one of those binaries is a Trojan, Tripwire will not detect it, as it only detects changes after the baseline. Major (and possibly even minor) networking changes can alter the validity of the AntiSniff baseline, so periodic baselining is recommended to prevent false positives.

AntiSniff does receive the NMRC Hacker Seal of Approval. It works as advertised, and it definitely adds a new dimension to intruder detection.
Updated 20Jul1999