Anti Packet Sniffer Software

Guest

We are running win2k on all our workstations. Many of the
developers and techs have local admin access to some of
the workstations (it is necessary for their jobs). We have
been running into problems with some employees installing
packet sniffers (Ethereal, Sniffer Pro, Etherpeak) on
their workstations and sniffing passwords off the LAN.

Is there any kind of "anti-sniffer" software that will
find computers running packet sniffers on a LAN? I know
that L0pht industries used to make a product called
Antisniff but it only runs on Windows 95/98 and Windows
NT, not Windows 2000.
 
Robert Moir

We are running win2k on all our workstations. Many of the
developers and techs have local admin access to some of
the workstations (it is necessary for their jobs). We have
been running into problems with some employees installing
packet sniffers (Ethereal, Sniffer Pro, Etherpeak) on
their workstations and sniffing passwords off the LAN.

Is there any kind of "anti-sniffer" software that will
find computers running packet sniffers on a LAN?

Nothing that I'd want to bet my secure passwords on, no. You can do things
like use another packet sniffer to detect NICs that are in "promiscuous"
mode, which is a fair sign, but this isn't 100% reliable.

With respect, I don't think you have a technological problem that requires a
technological solution. You have a behavioural problem that requires a
behavioural solution.

If you have the sort of workplace culture that makes people believe it's ok
to install sniffers and grab (and presumably, use) passwords from the
network then even if you found an anti-sniffer package that you felt WAS
good enough, these people would either work on defeating it or find another
way to screw around.

If you have an "acceptable use policy" then it should promise ritual
floggings.. er.. firings for people caught abusing the system in a serious
way. I'd suggest putting this into action.
If you don't have an AUP that allows you to control your own network then
this is 2004 calling, you need to get one. And then use it.

--
Rob Moir, Microsoft MVP for servers & security
Website - http://www.robertmoir.co.uk
Virtual PC 2004 FAQ - http://www.robertmoir.co.uk/win/VirtualPC2004FAQ.html

Kazaa - Software update services for your Viruses and Spyware.
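Rob's "use another sniffer to spot NICs in promiscuous mode" is usually done with an ARP probe. The following is an added example written for this edit, not code from the thread or from any product named in it. It assumes a Linux monitoring host (the send path uses a raw AF_PACKET socket and needs root); the frame builder, reply parser and decision rule are plain Python and run anywhere. The idea: a NIC that is not in promiscuous mode drops frames whose destination MAC is not its own, so the ARP "who-has" inside is never answered; a promiscuous NIC hands everything up and many stacks answer anyway. The probe destinations are constructed for the example, and which of them fool which OS/driver varies, so treat a hit as the "fair sign" Rob describes, not proof.

```python
import socket
import struct

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = bytes.fromhex("ffffffffffff")

# Probe destinations (constructed for this example, not a definitive list).
PROBES = {
    "broadcast": BROADCAST,                           # control: any live host answers
    "fake-broadcast": bytes.fromhex("fffffffffffe"),  # not a real broadcast address
    "fake-multicast": bytes.fromhex("010000000000"),  # group bit set, no such group
}


def mac_bytes(mac: str) -> bytes:
    return bytes(int(octet, 16) for octet in mac.split(":"))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_arp(op, dst_mac, src_mac, src_ip, target_mac, target_ip) -> bytes:
    """Ethernet II frame carrying an ARP packet (RFC 826 layout), 42 bytes."""
    eth = dst_mac + src_mac + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)  # hw=ethernet, proto=IPv4
    arp += src_mac + socket.inet_aton(src_ip) + target_mac + socket.inet_aton(target_ip)
    return eth + arp


def build_probe(name, src_mac, src_ip, target_ip) -> bytes:
    """ARP request for target_ip, carried in a frame addressed to PROBES[name]."""
    return build_arp(ARP_REQUEST, PROBES[name], src_mac, src_ip, b"\x00" * 6, target_ip)


def parse_arp_reply(frame: bytes):
    """Return (sender_mac, sender_ip) if frame is an Ethernet/ARP reply, else None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    hw, proto, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (hw, proto, hlen, plen, op) != (1, 0x0800, 6, 4, ARP_REPLY):
        return None
    return mac_str(frame[22:28]), socket.inet_ntoa(frame[28:32])


def classify(answered: dict) -> str:
    """answered maps probe name -> True if the target replied to that probe."""
    if not answered.get("broadcast"):
        return "no-answer"  # host down, or receive-only (a tap with the TX pair cut)
    if any(hit for name, hit in answered.items() if name != "broadcast"):
        return "promiscuous-suspect"
    return "normal"


def probe_host(iface, src_mac, src_ip, target_ip, timeout=1.0) -> str:
    """Send each probe on a Linux AF_PACKET raw socket (root required) and classify."""
    answered = {}
    with socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(ETHERTYPE_ARP)) as s:
        s.bind((iface, 0))
        s.settimeout(timeout)
        for name in PROBES:
            s.send(build_probe(name, mac_bytes(src_mac), src_ip, target_ip))
            answered[name] = False
            try:
                while True:
                    reply = parse_arp_reply(s.recv(65535))
                    if reply and reply[1] == target_ip:
                        answered[name] = True
                        break
            except socket.timeout:
                pass
    return classify(answered)


if __name__ == "__main__":
    # Example call (assumed interface and addresses); prints one of the classify() labels.
    print(probe_host("eth0", "00:11:22:33:44:55", "10.0.0.1", "10.0.0.7"))
```

Run it per host from a machine on the same segment and log the result; a host that answers the broadcast control but none of the fake destinations is "normal", one that answers a fake destination is worth a visit. A machine that never answers even the broadcast is either off or cannot transmit at all, which is exactly the receive-only tap described further down the thread.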
 
Skorpion (CET)

We are running win2k on all our workstations. Many of the
developers and techs have local admin access to some of
the workstations (it is necessary for their jobs). We have
been running into problems with some employees installing
packet sniffers (Ethereal, Sniffer Pro, Etherpeak) on
their workstations and sniffing passwords off the LAN.

Is there any kind of "anti-sniffer" software that will
find computers running packet sniffers on a LAN? I know
that L0pht industries used to make a product called
Antisniff but it only runs on Windows 95/98 and Windows
NT, not Windows 2000.

Alternatively, scan each machine on the LAN to discover *all* installed
software; any unapproved software is to be removed and subsequent re-
installations will be dealt with according to existing policy (or, put policy
in place).

These are folks that are proving they cannot be trusted. Deal with them as
such...
 
Joe Richards [MVP]

First off, you should be using switches in a business; with switches, the
network sniffers on workstations become a lot less useful. Plus, shared hubs
on office networks are horrible, as they saturate quickly and cause PCs to
work harder than they need to.

If you are still getting passwords being visible on the network when using
switches, you need to figure out why you do. That isn't good, because either
someone is broadcasting them, multicasting them, or running an app on the
local machine that is authenticating in the clear.

joe
 
Guest

All of the advice is good and I thank everyone for it,
but I am not in a position to just replace all of our
hubs with switches; the money to do that just isn't
there.
Also, we do have an acceptable use policy but it is not
enforced. I sadly do not have the authority to enforce it
and management is not interested in seeing it enforced.
We have well over 400 workstations so checking each one
of them daily for illegal software like sniffers is a
hassle but it looks like that might be the only solution.
I am working on a script that will look for installations
of Etherpeak, Ethereal, etc. Then maybe I'll create
another script that will automatically remove this
software when it is detected.
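Skorpion's "scan each machine for all installed software" and the detection script described above come down to the same thing on win2k: look at where installed programs register themselves. The following is an added example written for this edit, not the poster's script and not code from any product in the thread. It parses a `regedit /e` export (Version 5.00 exports are UTF-16 text) of the standard Uninstall key, where installed programs record a DisplayName, and of the NPF service key, which is the WinPcap capture driver that Ethereal and similar tools rely on. The sample export, the hostname and the name fragments in SNIFFER_PATTERNS are constructed; the registry paths are the standard Windows ones. It reports rather than removes, so the findings can go to a central log and be handled under the policy the thread keeps coming back to.

```python
import re

# Constructed, shortened regedit export for the example (not a real machine).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Ethereal]
"DisplayName"="Ethereal 0.10.3"
"UninstallString"="C:\\Program Files\\Ethereal\\uninstall.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Acrobat Reader]
"DisplayName"="Adobe Acrobat Reader 6.0"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NPF]
"ImagePath"="system32\\drivers\\npf.sys"
"DisplayName"="NetGroup Packet Filter Driver"
'''

# Standard locations: per-program uninstall entries, and the WinPcap driver service.
UNINSTALL_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" + "\\"
NPF_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NPF"
# Assumed DisplayName fragments; includes the product spelling and the thread's spelling.
SNIFFER_PATTERNS = ("ethereal", "etherpeek", "etherpeak", "sniffer pro")

KEY_RE = re.compile(r"^\[(.+)\]$")                       # [HKEY_...\Key]
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')      # "Name"=data


def unescape(s: str) -> str:
    """.reg string data escapes backslash and double quote with a backslash."""
    return re.sub(r'\\(["\\])', r'\1', s)


def parse_reg(text: str) -> dict:
    """Return {key_path: {value_name: value}}; non-string data (dword:, hex:) is kept raw."""
    tree, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            tree.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, data = m.group(1), m.group(2)
            if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
                data = unescape(data[1:-1])
            tree[current][name] = data
    return tree


def load_reg(path: str) -> dict:
    """Parse a real regedit /e export, which is UTF-16 with a byte-order mark."""
    with open(path, encoding="utf-16") as fh:
        return parse_reg(fh.read())


def find_sniffers(tree: dict) -> list:
    """(kind, detail) findings: installed sniffer programs and the capture driver."""
    hits = []
    for key, values in tree.items():
        if key.lower().startswith(UNINSTALL_KEY.lower()):
            name = values.get("DisplayName", "")
            if any(p in name.lower() for p in SNIFFER_PATTERNS):
                hits.append(("installed-sniffer", name))
        elif key.lower() == NPF_KEY.lower():
            hits.append(("capture-driver", values.get("ImagePath", "")))
    return sorted(hits)


def report(hostname: str, reg_text: str) -> list:
    """One line per finding, ready to append to a central log."""
    return [f"{hostname}: {kind}: {detail}"
            for kind, detail in find_sniffers(parse_reg(reg_text))]


if __name__ == "__main__":
    for line in report("ws-0042", SAMPLE_REG):  # constructed hostname
        print(line)
```

Collecting the exports centrally (a login script that runs `regedit /e` into a per-host file on a share is enough) turns the daily check of 400 machines into one run of this script over a directory. Checking the driver key as well as the Uninstall key matters because a sniffer copied onto a box rather than installed leaves no uninstall entry, but still needs the capture driver.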
 
Marco

AFAIK Antisniff only checks if the WinPcap driver is installed .. so, in my
opinion, it is not of much use.

For what concerns local admin access, there is an alternative solution that
you may want to consider: NeoExec from NeoValens. It allows you to define
which apps must run with elevated privs while users run with regular privs
... and, this is not yet another variation of the RunAs theme. Developers can
be secured ...
 
Robert Moir

Marco said:
AFAIK Antisniff only checks if the WinPcap driver is installed .. so,
in my opinion, it is not of much use.

For what concerns local admin access, there is an alternative
solution that you may want to consider: NeoExec from NeoValens. It
allows you to define which apps must run with elevated privs while
users run with regular privs .. and, this is not yet another
variation of the RunAs theme. Developers can be secured ...

But as the problem with the developers sounds like a political issue rather
than a technical one, I'm betting it won't happen that way.

Shame, too.
 
Ron Lowe

Is there any kind of "anti-sniffer" software that will
Nothing that I'd want to bet my secure passwords on, no. You can do things
like use another packet sniffer to detect NICs that are in "promiscuous"
mode, which is a fair sign, but this isn't 100% reliable.

Indeed.

( Agree 100% this is a people problem, not a technology problem. )

My diagnostic sniffing kit is an old laptop with ethereal on it,
and an old hub.

I use the hub to patch into the segment-under-test, and
provide a drop to the laptop.

Now, to prevent the sniffing laptop from interfering in any way
with the network under test, I have a special patch cable between
the laptop and the hub.

It does not have the TX pair connected. Only the RX pair.
It can never originate anything.
It can never reply to anything.
Now, *that's* stealth.

No software can ever detect that machine.
 
