Tuesday, November 3, 2009

Detecting promisc mode using nemesis & wireshark

Most network sniffing programs have the ability to put the network interface into promiscuous mode and sniff all the traffic that flows through it (whether it is destined for that machine or not). There are many tools out there that help you detect network interfaces that are in promiscuous mode. Here's a little trick you can quickly perform to detect network interfaces that are running in promiscuous mode.

The tools that I am using are:
Nemesis & Wireshark

Get your favourite OS loaded and have Nemesis and Wireshark downloaded (just google them and you will find them). Fire up Wireshark and have it capture the traffic on your local interface. Open up a command prompt and type in the following command:

$ nemesis arp -S 10.10.10.103 -D 10.10.10.101 -M ff:ff:00:00:00:00
The above command generates an ARP request with the source address 10.10.10.103, the destination address 10.10.10.101 (the machine we suspect of running its interface in promiscuous mode) and a destination MAC address of ff:ff:00:00:00:00 (a fake broadcast MAC). Normally a machine shouldn't respond to this kind of packet, but a machine in promiscuous mode is expected to respond to it.

If the target machine 10.10.10.101 is running a sniffer, we will see a response to the request we sent in Wireshark (formerly Ethereal), like the one below:

If the target is not running a sniffer, there will be no response from it, because the packet is discarded at layer 2: the NIC's hardware filter drops a frame whose destination MAC is neither its own address nor the real broadcast address, so the ARP stack never sees the request.
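As an added example that is not part of the original post (and not code from Nemesis or Wireshark), the following Python script builds by hand the same probe frame the nemesis command above sends, and decides whether a captured frame is the reply a promiscuous host gives. The Ethernet II and ARP layouts are the standard ones; `probe_host` assumes Linux (an AF_PACKET raw socket, which needs root or CAP_NET_RAW), and the interface name and MAC addresses in the usage line are constructed placeholders, while the IPs are the ones from the post.

```python
# Added example (not from the original post): build the "fake broadcast" ARP probe
# by hand and decide whether a captured frame is the reply a promiscuous host sends.
# Frame packing/parsing is pure Python so it can be checked offline; the optional
# send/receive helper at the bottom assumes Linux (AF_PACKET raw socket) and root.
import socket
import struct
import sys
from typing import Optional

ETH_P_ARP = 0x0806
FAKE_BROADCAST = "ff:ff:00:00:00:00"  # bogus broadcast MAC used in the post
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(mac: str) -> bytes:
    return bytes(int(octet, 16) for octet in mac.split(":"))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_arp_frame(op: int, sender_mac: str, sender_ip: str,
                    target_mac: str, target_ip: str, eth_dst: str) -> bytes:
    """Ethernet II header (14 bytes) + ARP for IPv4 over Ethernet (28 bytes)."""
    eth = mac_bytes(eth_dst) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    # htype=1 (Ethernet), ptype=0x0800 (IPv4), hlen=6, plen=4, opcode
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    arp += mac_bytes(sender_mac) + socket.inet_aton(sender_ip)
    arp += mac_bytes(target_mac) + socket.inet_aton(target_ip)
    return eth + arp


def build_probe(src_mac: str, src_ip: str, dst_ip: str) -> bytes:
    """The nemesis command from the post: an ARP request whose Ethernet
    destination is ff:ff:00:00:00:00 instead of the real broadcast address."""
    return build_arp_frame(ARP_REQUEST, src_mac, src_ip,
                           "00:00:00:00:00:00", dst_ip, eth_dst=FAKE_BROADCAST)


def parse_arp(frame: bytes) -> Optional[dict]:
    """Return the ARP fields of an Ethernet frame, or None if it is not IPv4 ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {
        "eth_dst": mac_str(frame[0:6]), "eth_src": mac_str(frame[6:12]), "op": op,
        "sha": mac_str(frame[22:28]), "spa": socket.inet_ntoa(frame[28:32]),
        "tha": mac_str(frame[32:38]), "tpa": socket.inet_ntoa(frame[38:42]),
    }


def is_promisc_reply(frame: bytes, src_mac: str, src_ip: str, dst_ip: str) -> bool:
    """True if frame is an ARP reply from dst_ip addressed to the probe's sender.
    A NIC that is not promiscuous never hands the probe to the ARP stack, so
    such a reply is the indicator the post describes."""
    arp = parse_arp(frame)
    return (arp is not None and arp["op"] == ARP_REPLY
            and arp["spa"] == dst_ip and arp["tpa"] == src_ip
            and arp["tha"] == src_mac)


def probe_host(iface: str, src_mac: str, src_ip: str, dst_ip: str,
               timeout: float = 2.0) -> Optional[str]:
    """Send the probe on iface and return the replying MAC, or None on silence.
    Linux only (AF_PACKET); needs CAP_NET_RAW / root."""
    sock = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(ETH_P_ARP))
    try:
        sock.bind((iface, 0))
        sock.settimeout(timeout)
        sock.send(build_probe(src_mac, src_ip, dst_ip))
        while True:
            frame = sock.recv(2048)
            if is_promisc_reply(frame, src_mac, src_ip, dst_ip):
                return parse_arp(frame)["sha"]
    except socket.timeout:
        return None
    finally:
        sock.close()


if __name__ == "__main__":
    # usage: sudo python3 promisc_probe.py eth0 <our mac> <our ip> <target ip>
    # e.g. the post's addresses: 10.10.10.103 probing 10.10.10.101 (MAC is a placeholder)
    iface, my_mac, my_ip, target = sys.argv[1:5]
    replier = probe_host(iface, my_mac, my_ip, target)
    print(f"{target}: " + (f"promiscuous (replied from {replier})" if replier else "no reply"))
```

Only a reply whose ARP sender IP is the target and whose target MAC and IP are ours counts; a stray request or a reply from another host is ignored. One caveat when reading the result: the first octet 0xff of the fake address has the group bit set, so an interface in all-multicast mode can also pass the probe up to the ARP stack, and a reply is a strong hint rather than proof that a sniffer is running.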


There are loads of other ways to find machines that are in promiscuous mode within your subnet. One tool that can help you is Ettercap with its search_promisc plugin, which uses the above technique to find network interfaces with promiscuous mode enabled on the network.
Tested on XP SP2.

2 comments:

  1. > The tools that am using are, Nemesis & Wireshark
    Please excuse my question, but for me it seems to be impossible to run the current version of Wireshark (V1.4.4, pcap V4.0) together with Nemesis (V1.4, pcap V3.0), because they require incompatible versions of pcap (packet.dll). How did you run that?

    Bye, Ralf

  2. Ralf, from the looks of it I assume that you are on Windows? If so, I'm sorry, I've never tried running Nemesis on Windows. I use it on Ubuntu... It's a lot easier for me to run them on Ubuntu instead of Windows.
