01-Promiscuous Mode 偵測
本文網址 : http://en.wikipedia.org/wiki/Promiscuous_modeIn computing, promiscuous (胡亂地) mode or promisc mode is a configuration of a network card that makes the card pass all traffic it receives to the central processing unit rather than just packets addressed to it — a feature normally used for packet sniffing.
Each packet includes the hardware (Media Access Control) address. When a network card receives a packet, it normally drops it unless the packet is addressed to that card. In promiscuous mode, however, the card allows all packets through, thus allowing the computer to read packets intended for other machines or network devices.
Many operating systems require superuser privileges to enable promiscuous mode. A non-routing node in promiscuous mode can generally only monitor traffic to and from other nodes within the same collision domain (for Ethernet and Wireless LAN) or ring (for Token ring or FDDI). Computers attached to the same network hub satisfy this requirement, which is why network switches are used to combat malicious use of promiscuous mode. A router may monitor all traffic that it routes.
Promiscuous mode is often used to diagnose network connectivity issues. There are programs that make use of this feature to show the user all the data being transferred over the network. Some protocols like FTP and Telnet transfer data and passwords in clear text, without encryption, and network scanners can see this data. Therefore, computer users are encouraged to stay away from insecure protocols like telnet and use more secure ones such as SSH.
Promiscuous mode is also used by transparent network bridges in order to capture all traffic that needs to pass the bridge so that it can be retransmitted on the other side of the bridge.
微軟工具
Promqry 1.0
Promqry is a command line tool that can be used to detect network interfaces that are running in promiscuous mode.
PromqryUI 1.0
PromqryUI can accurately determine if a modern (Windows 2000 and later) managed Windows system has network interfaces in promiscuous mode. If a system has network interfaces in promiscuous mode, it may indicate the presence of a network sniffer running on the system.
[注意]
• The tools cannot detect ''stand-alone sniffers'', for example, devices that are manufactured for the sole purpose of sniffing network traffic. These devices can use different types of hardware and software. • The tools cannot detect sniffers that are running on operating systems other than Windows 2000, Windows XP, Windows Server 2003, and later Windows operating systems. • The tools cannot remotely detect sniffers that are running on Windows-based computers where the network hardware has been modified specifically to avoid detection. For example, the hardware may be modified so that the network interface card or a network cable allows the computer to receive traffic from the network, but not to send traffic to the network. In this scenario, the computer receives a query to determine whether it has interfaces that are running in Promiscuous mode, but its response does not make it back across the network to the computer that sent the query. However, Promqry and PromqryUI can be used to query these computers locally, instead of remotely, to determine whether interfaces are running in Promiscuous mode.
實作
1. 啟動 Network Monitor, 並指定監控的網卡, 這片網卡會進入 Promiscuous mode
2. 啟動 PromqryUI, 輸入被監控網卡的 IP Address, 然後開始檢測
撥放 movie/tcpip/promiscuous.swf
沒有留言:
張貼留言