Date:      Wed, 21 Apr 1999 13:43:28 +091800
From:      Greg Lehey <grog@lemis.com>
To:        gc <gc@virtual-pc.com>
Cc:        FreeBSD Questions <questions@FreeBSD.org>
Subject:   Re: Sniffers and Sniffer detection [General UNIX question]
Message-ID:  <19990421134328.M53374@freebie.lemis.com>
In-Reply-To: <371C77B9.7319B632@virtual-pc.com>; from gc on Tue, Apr 20, 1999 at 01:48:57PM +0100
References:  <6C37EE640B78D2118D2F00A0C90FCB441A6090@site2s1> <19990420120647.J40482@lemis.com> <371C77B9.7319B632@virtual-pc.com>

>> When replying to this message, please copy the original recipients.
>> For more information, see http://www.lemis.com/questions.html

On Tuesday, 20 April 1999 at 13:48:57 +0100, gc wrote:
> Greg Lehey wrote:
>>
>> On Monday, 19 April 1999 at 17:34:25 -0400, Christopher Michaels wrote:
>>>> On Sunday, April 18, 1999 4:41 AM, Greg Lehey <grog@lemis.com> wrote:
>>>>
>>>       <snip>
>>>
>>>>> 2.  Is it possible to install a sniffer, in a user account (with no root
>>>>> access), and sniff the network and watch for passwords?
>>>>
>>>> FreeBSD won't allow you to set promiscuous mode unless you're root.
>>>>
>>>       <snip>
>>>
>>>       This brought up a couple questions in my mind...
>>>
>>>       1. If the interface is already in promiscuous mode (I realize the
>>> implication of this), is it possible for a regular user to use a sniffer
>>> program?
>>
>> No, they still need to be root.  The sniffer program sets promiscuous
>> mode; it's not a separate step.
>>
>>>       2. How do you take the interface out of promiscuous mode once it's
>>> in it?
>>
>> Close the last bpf device.  In other words, stop the sniffer(s).
>
> Is it possible for a user or root to install sniffers if bpf support is
> not compiled into the kernel, without changing the kernel? 

Currently, no.

> (I'm thinking that if root had been compromised, would the naughty
> guy be able to set promiscuous mode without kernel recompilation?)

Theoretically with a kld version of bpf, but none exists at the
moment.  Of course, a sufficiently talented cracker might make a bpf
kld (and call it something non-obvious), which would allow him to do
that.

Greg
--
When replying to this message, please copy the original recipients.
For more information, see http://www.lemis.com/questions.html
See complete headers for address, home page and phone numbers
finger grog@lemis.com for PGP public key
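The thread's practical question is how to tell whether an interface has been put into promiscuous mode by a sniffer. The script below is an added example, not code from the message or from FreeBSD; it parses `ifconfig -a` style output (the `name: flags=<hex><FLAG,...>` header line that FreeBSD prints, and that net-tools ifconfig on Linux prints in the same shape) and lists every interface whose flag list contains PROMISC. The embedded sample output, including the interface names and addresses, is constructed for the demonstration; the `--live` option is an assumed convenience for running it against the real `ifconfig -a`.

```shell
#!/bin/sh
# Added example (not part of the original thread): report interfaces that
# are in promiscuous mode, which is what a bpf-based sniffer sets.

# Read ifconfig output on stdin and print the name of each interface whose
# flags list contains PROMISC.  Header lines look like:
#   fxp0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
promisc_ifaces() {
    awk '
        /^[^ \t:]+: flags=/ {
            name = $1
            sub(/:$/, "", name)
            # Match PROMISC as a whole flag, delimited by < , or >
            if ($2 ~ /[<,]PROMISC[,>]/) print name
        }
    '
}

# Exit status 0 if any interface in the given output is promiscuous, 1 otherwise.
any_promisc() {
    [ -n "$(promisc_ifaces)" ]
}

# Constructed sample output (names and addresses are made up) with one
# sniffed interface and one clean one.
SAMPLE_IFCONFIG='fxp0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        inet 192.0.2.10 netmask 0xffffff00 broadcast 192.0.2.255
        ether 00:a0:c9:12:34:56
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet 127.0.0.1 netmask 0xff000000'

# Run the check over the constructed sample; returns the promiscuous names.
check_sample() {
    printf '%s\n' "$SAMPLE_IFCONFIG" | promisc_ifaces
}

# `--live` (an assumed option for this example) checks the running system;
# the default runs against the constructed sample.
case "${1:-}" in
    --live)
        if ifconfig -a | any_promisc; then
            echo "promiscuous interfaces:"
            ifconfig -a | promisc_ifaces
        else
            echo "no interface is in promiscuous mode"
        fi
        ;;
    *)
        echo "promiscuous interfaces in sample:"
        check_sample
        ;;
esac
```

Two caveats follow directly from Greg's answers. The PROMISC flag clears only when the last bpf descriptor is closed, so a clean result means no sniffer is open right now, not that none has run. And the check trusts the kernel's own report: once root is compromised, a replaced `ifconfig` or a loaded kernel module can hide the flag, so run the check from a known-good binary and compare the loaded module list (`kldstat` on FreeBSD) against what you expect.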

