How can you detect these sniffing interfaces?

During the intelligence gathering phase of a penetration test, you come across a press release by
a security products vendor stating that they have signed a multi-million dollar agreement with the
company you are targeting. The contract was for vulnerability assessment tools and network-based
IDS systems. While researching that particular brand of IDS, you notice that its default
installation allows it to perform sniffing and attack analysis on one NIC and caters to its
management and reporting on another NIC. The sniffing interface is completely unbound from the
TCP/IP stack by default. Assuming the defaults were used, how can you detect these sniffing
interfaces?

A. Use a ping flood against the IP of the sniffing NIC and look for latency in the responses.

B. Send your attack traffic and look for it to be dropped by the IDS.

C. Set your IP to that of the IDS and look for it as it attempts to knock your computer off the
network.

D. The sniffing interface cannot be detected.

Explanation:
When a NIC is set to promiscuous mode, it blindly takes whatever comes through to its network
interface and sends it to the application layer. This is why such interfaces are so hard to
detect. You could in fact use ARP requests and send them to every PC; the one that responds to
all the requests can be identified as a NIC in promiscuous mode, and there are some very
specialized programs that can do this for you. But considering the alternatives in the question,
the right answer has to be that the interface cannot be detected.


