From owner-freebsd-questions Tue Apr 20 21:16: 2 1999 Delivered-To: freebsd-questions@freebsd.org Received: from allegro.lemis.com (allegro.lemis.com [192.109.197.134]) by hub.freebsd.org (Postfix) with ESMTP id 9265915127 for ; Tue, 20 Apr 1999 21:15:56 -0700 (PDT) (envelope-from grog@freebie.lemis.com) Received: from freebie.lemis.com (freebie.lemis.com [192.109.197.137]) by allegro.lemis.com (8.9.1/8.9.0) with ESMTP id NAA27962; Wed, 21 Apr 1999 13:43:28 +0930 (CST) Received: (from grog@localhost) by freebie.lemis.com (8.9.3/8.9.0) id NAA54385; Wed, 21 Apr 1999 13:43:28 +0930 (CST) Date: Wed, 21 Apr 1999 13:43:28 +091800 From: Greg Lehey To: gc Cc: FreeBSD Questions Subject: Re: Sniffers and Sniffer detection [General UNIX question] Message-ID: <19990421134328.M53374@freebie.lemis.com> References: <6C37EE640B78D2118D2F00A0C90FCB441A6090@site2s1> <19990420120647.J40482@lemis.com> <371C77B9.7319B632@virtual-pc.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.95.4i In-Reply-To: <371C77B9.7319B632@virtual-pc.com>; from gc on Tue, Apr 20, 1999 at 01:48:57PM +0100 WWW-Home-Page: http://www.lemis.com/~grog X-PGP-Fingerprint: 6B 7B C3 8C 61 CD 54 AF 13 24 52 F8 6D A4 95 EF Organization: LEMIS, PO Box 460, Echunga SA 5153, Australia Phone: +61-8-8388-8286 Fax: +61-8-8388-8725 Mobile: +61-41-739-7062 Sender: owner-freebsd-questions@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.ORG >> When replying to this message, please copy the original recipients. >> For more information, see http://www.lemis.com/questions.html On Tuesday, 20 April 1999 at 13:48:57 +0100, gc wrote: > Greg Lehey wrote: >> >> On Monday, 19 April 1999 at 17:34:25 -0400, Christopher Michaels wrote: >>>> On Sunday, April 18, 1999 4:41 AM, Greg Lehey wrote: >>>> >>> >>> >>>>> 2. Is it possible to install a sniffer, in a user account (with no root >>>>> access), and sniff the network and watch for passwords? >>>> >>>> FreeBSD won't allow you to set promiscuous mode unless you're root. >>>> >>> >>> >>> This brought up a couple questions in my mind... >>> >>> 1. If the interface is already in promiscuous mode (I realize the >>> implication of this), is it possible for a regular user to use a sniffer >>> program? >> >> No, they still need to be root. The sniffer program sets promiscuous >> mode, it's not a separate step. >> >>> 2. How do you take the interface out of promiscuous mode once it's >>> in it? >> >> Close the last bpf device. In other words, stop the sniffer(s). > > Is it possible for a user or root to install sniffers if bpf support is > not compiled into the kernel, without changing the kernel? Currently, no. > (I'm thinking that if root had been compromised, would the naughty > guy be able to set promiscuous mode without kernel recompilation?) Theoretically with a kld version of bpf, but none exists at the moment. Of course, a sufficiently talented cracker might make a bpf kld (and call it something non-obvious), which would allow him to do that. Greg -- When replying to this message, please copy the original recipients. For more information, see http://www.lemis.com/questions.html See complete headers for address, home page and phone numbers finger grog@lemis.com for PGP public key To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message