Snifffer in Network

Hi Guys,

I am a newbie in terms of telecom and network concept, how can I know if my network has a sniffer? or should I say there was an attacker (man in the middle).

Thanks in advance and more power!

regards,
Gagamboy

Hi gagamboy u are most welcomed to the house where everything u do depends on how u send and receive packets (lol). Welcome home.

U made mention on how u could know if ur network is been attacked or there is some kinda rogue access point planted in by some unauthorized personnel.


There are various tools IT pros use to know or identify rogue points or unwanted devices on their network but the one i use and it works for me is Network Magic (by pure networks).

u could install it on ur admin system or ur personal laptop and who ever joins ur network it alarms u (beep) it also carries information (mac address<most important>, IP address,etc) about the device which just joined ur network. its pretty tight.

note: in addition make sure ur firewall system is up and running. I THINK THIS IS THE FIRST STEP IN SECURING UR NETWORK.

Hi talk2sp thanks for your suggestion and for the warm welcome.

I suspect that my system/network has been "ARP poisoned" I am not sure of this, but my passwords has been compromised eventhough I did not exposed it to public.

Is there anything I can do to check and verify if my PC or network has been ARP poisoned?

There is one article I read, it is cain and abel software, it can enable ARP poisoining but I am unable to check if my system has been installed by cain, I tried to check the add/remove program and also the running process, still no success of detection of cain and able software.

thanks and regards,
Mark

"Work smarder not harder and be careful of yor speling"

Hi gagamboy, and welcome to the forums.

To check whether or not a PC is sniffing your network. You need to find a promiscuous node scanner. It's a peace of software that can detect LAN nodes that has been put on promiscuous mode. In order for any sniffer to operate, it has to put it's NIC into this mode.

PromiScan is one tool that can do this: www.securityfriday.com/products/promiscan.html

In short, ARP poisoning is a method used to be able to sniff switches. Since switches do not broadcast all traffic to all nodes, switches only send traffic to the correct MAC address device. ARP poisoning forges the ARP entries in your PCs such that your traffic is sent first to the attacker instead of you. Cain & Abel can indeed do ARP poisoning. In typical cases, the attacker will try to intercept traffic between you and your gateway (Router). To detect this case, try the following:

0. You need your gateway IP.
Say it's 192.168.1.1 in this example.

1. Get the MAC address of your gateway.
If you have access to the gateway/router console you can get this very easily. Otherwise, go to one of your OTHER PCs on the network and do this:

[code:1]C:\ ping 192.168.1.1[/code:1]

This makes sure the ARP entries are filled by the MAC of your gateway. Then:

[code:1]
C:\ arp -a
Interface: 192.168.1.104 --- 0x5
Internet Address Physical Address Type
192.168.1.1 00-28-19-2b-38-02 dynamic
192.168.1.250 00-1b-12-67-1c-F2 dynamic
[/code:1]

As you can see, the MAC address of our gateway is 00-28-19-2b-38-02.

2. Do step 1 but on your own PC.
"Ping 192.168.1.1" then "arp -a" on your own PC. If the MAC for 192.168.1.1 shown to you this time is NOT exactly the same as the real MAC of your gateway (00-28-19-2b-38-02 in this example). Then you have been ARP poisoned. And the other MAC shown for 192.168.1.1 is the attackers MAC.

Note: If the other PC was also ARP poisoned, This procedure will NOT work. You will have to get the real MAC of your gateway. Only then you can compare.

Seems to me that S0lo has provided solution to ur ARP poisoning as a newbie i just pray you can walk tru. in case u have any problems with the steps 'Uncle' S0lo put up feel free to ask...

G boy u spoke like u suspected something on ur system. when u checked ur add / remove and u did not see it......... if u still suspect there is something on the system and u are not sure where to find it try this >>

Start>Run>REGEDIT. When the registry editor window opens u should see Edit [the second menu top right] click on find and type what u suspect (Cain.....) if u did not see it @ add / remove u will surely see it registered in the windows registry.

If u are not still sure u could download and install Spy Bot S&D.

S0lo nice one there.

Hi Guys,

Thanks for the info. but i can't get the mac address of our gateway, is there any way I can get this? I believe it is the ethernet interface of router in our network.

I am now trying to search for a cain in registry. Hope this will work.

Thanks guys.