The Project:
First up on the chopping block is AASS. For those of you who follow BugTraq, you may remember the l0pht AntiSniffer. Basically, l0pht released a program designed to detect ethernet sniffers on a LAN using several clever techniques, but not clever enough. I was bored late one night at the NCSA when I was reading their announcement, and decided I'd spend the night defeating their program. Normally I would have just gone home, but when I realized that I could call my program The AntiAntiSniffer Sniffer, I couldn't resist. I rushed through the night and eventually came up with something that, in theory, defeated all of their methods of sniffer detection, 3 days before they actually released the detector.
A few months later, I decided I might as well make the sniffer a bit more portable at the request of some friends, so I ported it to use libpcap.
By this time, I was very familiar with networking protocols, and realized I could write a helper program for AASS that would defeat "automatic" ethernet switches. I got the program (called AntiSwitch) to a point where it would route most of the traffic in my building through my port. Unfortunately, I lived in a building that was partially switched, and other machines on the same broadcast segment as me would complain about another ether address stealing their IP. I came up with a method to detect which IPs were "local" and which were switched, but there are still some bugs, and it doesn't work all the time.
Why it went unfinished:
So why didn't I finish this kickass little util? Well, as it turns out, I suspected that some of the bugs I was having were related to problems in my hash table code: specifically memory corruption, stray pointers, memory leaks, etc. I needed a general purpose, FAST (I had to keep up with network traffic even while debugging; after all, while running this program I AM the network :), and lightweight malloc debugger. Unfortunately, I couldn't find one that met all my needs. So I did what any self-respecting hacker would do: I wrote my own.
So since then (that was about January 2000), I've been devoting my time to making NJAMD kick ass.
Hints on getting it to work:
You will need libpcap, of course. But I also modified it, using the Linux socket filter, to not give me packets that I sent out. I needed to do this because I of course reroute packets so that everything passes through my port of the switch, and obviously I don't want to record that shit with the sniffer program. Changing this is like a one-line fix (and possibly a cast to a different socket header type) in the part of libpcap where it pulls packets off the wire. I lost my modified version of the library, unfortunately. I guess this will have to serve as pretty strong script kiddie repellent tho :)
Also, the way I do things with packet casting and such pretty much limits you to an ix86 Linux box (alignment issues will cause problems, I expect). If you get this thing to work on even another arch of Linux, I'd be very surprised.
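The two hints above (dropping frames the host itself sent, and the alignment trouble that comes from casting raw packet buffers to struct pointers) can both be handled in user space without touching libpcap. The following is an added example written for this page; it is not AASS code and not the author's lost libpcap patch. It assumes a hypothetical local MAC, a constructed 34-byte Ethernet/IPv4 frame built inline, and copies every header field out with memcpy and byte arithmetic so that the buffer can sit at any alignment on any architecture:

```c
/* Added example, not from AASS: portable per-frame filter that drops frames
 * originating from the local NIC and extracts IPv4 addresses without any
 * pointer casts, so it does not depend on ix86 unaligned-access tolerance. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define ETH_HLEN       14
#define ETHERTYPE_IPV4 0x0800

/* Decision for one captured frame. */
enum verdict { DROP_SELF = 0, DROP_SHORT, DROP_NOT_IPV4, KEEP };

/* Fields copied out of the frame; all integers are in host byte order. */
struct frame_info {
    uint8_t  eth_dst[6];
    uint8_t  eth_src[6];
    uint16_t ethertype;
    uint32_t ip_src;
    uint32_t ip_dst;
};

/* Big-endian readers that never dereference a wider-than-byte pointer. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Classify one frame. local_mac is the address of the capturing NIC; frames
 * it emitted are dropped, mirroring what the page's libpcap tweak did in-kernel. */
enum verdict classify_frame(const uint8_t *buf, size_t len,
                            const uint8_t local_mac[6], struct frame_info *out)
{
    if (len < ETH_HLEN) return DROP_SHORT;
    memcpy(out->eth_dst, buf, 6);
    memcpy(out->eth_src, buf + 6, 6);
    out->ethertype = rd16(buf + 12);
    if (memcmp(out->eth_src, local_mac, 6) == 0) return DROP_SELF;
    if (out->ethertype != ETHERTYPE_IPV4) return DROP_NOT_IPV4;
    if (len < ETH_HLEN + 20) return DROP_SHORT;          /* minimum IPv4 header */
    const uint8_t *ip = buf + ETH_HLEN;
    if ((ip[0] >> 4) != 4) return DROP_NOT_IPV4;         /* version nibble */
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;             /* header length in bytes */
    if (ihl < 20 || len < ETH_HLEN + ihl) return DROP_SHORT;
    out->ip_src = rd32(ip + 12);
    out->ip_dst = rd32(ip + 16);
    return KEEP;
}

/* Constructed sample frame (assumption, not captured traffic): Ethernet header
 * plus a 20-byte IPv4 header from 10.0.0.1 to 10.0.0.2 with no payload. */
size_t build_sample_frame(uint8_t *buf, const uint8_t src_mac[6])
{
    static const uint8_t dst_mac[6] = {0x00,0x11,0x22,0x33,0x44,0x55};
    static const uint8_t ip_hdr[20] = {0x45,0x00,0x00,0x14, 0x00,0x01,0x00,0x00,
                                       0x40,0x06,0x00,0x00, 0x0a,0x00,0x00,0x01,
                                       0x0a,0x00,0x00,0x02};
    memcpy(buf, dst_mac, 6);
    memcpy(buf + 6, src_mac, 6);
    buf[12] = 0x08; buf[13] = 0x00;                      /* EtherType IPv4 */
    memcpy(buf + ETH_HLEN, ip_hdr, sizeof ip_hdr);
    return ETH_HLEN + sizeof ip_hdr;
}

/* Exercises the filter on a deliberately odd-aligned buffer (raw + 1).
 * Returns 1 when every expected verdict and field matches. */
int self_check(void)
{
    static const uint8_t me[6]    = {0x66,0x77,0x88,0x99,0xaa,0xbb}; /* hypothetical local MAC */
    static const uint8_t other[6] = {0xde,0xad,0xbe,0xef,0x00,0x01};
    uint8_t raw[64];
    struct frame_info fi;
    size_t n = build_sample_frame(raw + 1, other);
    if (classify_frame(raw + 1, n, me, &fi) != KEEP) return 0;
    if (fi.ip_src != 0x0a000001u || fi.ip_dst != 0x0a000002u) return 0;
    n = build_sample_frame(raw + 1, me);
    if (classify_frame(raw + 1, n, me, &fi) != DROP_SELF) return 0;   /* our own frame */
    if (classify_frame(raw + 1, 10, me, &fi) != DROP_SHORT) return 0; /* truncated */
    return 1;
}

int main(void)
{
    printf("self_check: %s\n", self_check() ? "ok" : "FAILED");
    return self_check() ? 0 : 1;
}
```

Only the source-MAC comparison is needed to reproduce the page's "don't record what I sent" behaviour; the IPv4 parsing is there to show the memcpy/byte-arithmetic pattern that removes the alignment dependency the author mentions.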
Will I ever finish & what to expect:
Doubtful. Ettercap has a nice architecture to do all this stuff. It and Ethereal together are pretty much a solid pair. Unfortunately, it appears that I am obsolete.
The Code