Sentinel

Author:  bind <bind@subterrain.net>
Version: 0.9

Description:

The Sentinel project is designed to be a portable, accurate implementation of all publicly known promiscuous-mode detection techniques. Sentinel currently supports three methods of remote promiscuous detection: the DNS test, the Etherping test and the ARP test. Support for the ICMP Ping Latency test is under development.

Methods:

The DNS Test
Status: Completed

In this method we create numerous fake TCP connections on our network segment, expecting a poorly written sniffer to pick up on those connections and resolve the IP addresses of the nonexistent hosts. Sentinel then sniffs for the resulting DNS (reverse, PTR) requests and checks whether the target is the machine asking for resolution of a host that never existed. A host that resolves addresses from traffic it was never sent is reading traffic it should not see.

The Etherping Test
Status: Completed

This method relies on a problem in the target machine's kernel. We send an ICMP echo request to the target with the correct destination IP address but a bogus destination hardware (MAC) address. Most systems discard the packet because the hardware address is wrong, but some Linux, NetBSD and NT kernels, when the interface is in promiscuous mode, accept the frame off the wire as legitimate and answer it. If the target replies to our request, we know it is in promiscuous mode. Note that a kernel which checks the link-layer destination itself will drop the frame even in promiscuous mode, so a silent target is not proof that no sniffer is running.

The ARP Test
Status: Completed

This method involves sending an ARP request for our target with all valid information except a bogus destination hardware address. The network card of a machine that is not in promiscuous mode filters the frame out, since it is not addressed to that machine, so the kernel never sees it and never replies. If the machine is in promiscuous mode, the card passes the ARP request up, the kernel processes it and replies. By replying, the machine tells us it is in promiscuous mode.
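The matching side of the DNS test, as an added example in C that is not Sentinel's own code. Sentinel's job here is to recognise a reverse (PTR) lookup for one of the fake addresses it generated traffic for. build_ptr_query() stands in for the suspect sniffer's resolver so the matcher can be exercised offline; in a real run the query arrives through a packet capture, and the IP source of that query must also be compared with the target address (that outer check is not shown). The fake address 10.0.0.5 and the query ID are constructed test data.

```c
/* Added example, not Sentinel's code: does a captured DNS message ask for the
 * PTR record of one of our fake hosts? Plus a builder for such a query so the
 * matcher can be tested without a network. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define QTYPE_PTR 12
#define QCLASS_IN 1

static uint16_t get16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }

/* 10.0.0.5 -> "5.0.0.10.in-addr.arpa" (octets reversed). Returns 1 on success. */
int reverse_name(const uint8_t ip[4], char *out, size_t n) {
    return snprintf(out, n, "%u.%u.%u.%u.in-addr.arpa", ip[3], ip[2], ip[1], ip[0]) < (int)n;
}

/* Encode a dotted name as DNS labels; returns bytes written, 0 on error. */
static size_t encode_name(const char *name, uint8_t *out, size_t n) {
    size_t w = 0;
    while (*name) {
        const char *dot = strchr(name, '.');
        size_t l = dot ? (size_t)(dot - name) : strlen(name);
        if (l == 0 || l > 63 || w + 1 + l + 1 > n) return 0;
        out[w++] = (uint8_t)l; memcpy(out + w, name, l); w += l;
        name += l; if (*name == '.') name++;
    }
    out[w++] = 0;
    return w;
}

/* A standard recursive PTR query for ip, as a resolver would put in a UDP
 * datagram. This is what the sniffing host emits; returns the message length. */
size_t build_ptr_query(uint8_t *buf, size_t n, uint16_t id, const uint8_t ip[4]) {
    char name[64];
    if (n < 16 || !reverse_name(ip, name, sizeof name)) return 0;
    memset(buf, 0, 12);
    put16(buf, id); put16(buf + 2, 0x0100); put16(buf + 4, 1);   /* QR=0, RD=1, QDCOUNT=1 */
    size_t w = encode_name(name, buf + 12, n - 16);
    if (!w) return 0;
    put16(buf + 12 + w, QTYPE_PTR); put16(buf + 14 + w, QCLASS_IN);
    return 16 + w;
}

/* Walk the first question label by label against "<reversed ip>.in-addr.arpa",
 * case-insensitively. Compression pointers are rejected: they cannot appear in
 * a well-formed question name. Returns 1 only for a PTR/IN query for ip. */
int dns_query_is_ptr_for(const uint8_t *msg, size_t len, const uint8_t ip[4]) {
    char want[64]; const char *w = want;
    if (len < 12 || (msg[2] & 0x80) || get16(msg + 4) < 1) return 0;  /* response or no question */
    if (!reverse_name(ip, want, sizeof want)) return 0;
    size_t off = 12;
    for (;;) {
        if (off >= len) return 0;
        uint8_t l = msg[off++];
        if (l == 0) break;
        if ((l & 0xC0) || off + l > len) return 0;
        for (uint8_t i = 0; i < l; i++, off++)
            if (!*w || tolower((unsigned char)msg[off]) != tolower((unsigned char)*w++)) return 0;
        if (*w == '.') w++; else if (*w) return 0;   /* our label is longer than theirs */
    }
    if (*w || off + 4 > len) return 0;               /* their name is a prefix of ours */
    return get16(msg + off) == QTYPE_PTR && get16(msg + off + 2) == QCLASS_IN;
}

int main(void) {
    uint8_t fake[4] = {10, 0, 0, 5}, q[128];          /* constructed fake host */
    size_t n = build_ptr_query(q, sizeof q, 0x1234, fake);
    printf("%zu-byte query, PTR for fake host: %d\n", n, dns_query_is_ptr_for(q, n, fake));
    return 0;
}
```

The matcher deliberately ignores the transaction ID and the recursion flags: a sniffer's resolver chooses those, and only the question matters. Run it over every DNS query seen on the segment while the fake connections are being generated, and treat a match whose IP source is the target as a positive.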
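The two "bogus destination MAC" probes behind the Etherping and ARP tests, and the check applied to whatever comes back, as an added example in C. This is not Sentinel's code: the bogus MAC value, the source MAC and the 192.168.1.x addresses are assumptions made for the example, and only frame construction is shown; putting a frame on the wire needs a link-layer socket (BPF on the BSDs, AF_PACKET on Linux) and root.

```c
/* Added example, not Sentinel's own code: raw Ethernet frames for the ARP and
 * Etherping probes, and classification of a captured reply. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETH_HLEN   14
#define ETH_P_ARP_ 0x0806
#define ETH_P_IP_  0x0800

/* Assumed bogus destination: neither any host's address nor broadcast, so a NIC
 * that is not promiscuous drops the frame in hardware. A promiscuous NIC passes
 * it up, and the ARP/IP code in a vulnerable kernel never re-checks it. */
static const uint8_t BOGUS_DST_MAC[6] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xfe};

enum verdict { NOT_REPLY = 0, ARP_REPLY_FROM_TARGET = 1, ECHO_REPLY_FROM_TARGET = 2 };

static uint16_t get16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }

/* IPv4 address in network byte order, ready to memcpy into a header. */
uint32_t ip4(uint8_t a, uint8_t b, uint8_t c, uint8_t d) {
    uint8_t o[4] = {a, b, c, d}; uint32_t v; memcpy(&v, o, 4); return v;
}

/* RFC 1071 one's-complement sum; over a header with its checksum filled in it yields 0. */
uint16_t inet_csum(const uint8_t *p, size_t len) {
    uint32_t sum = 0;
    for (; len > 1; p += 2, len -= 2) sum += get16(p);
    if (len) sum += (uint32_t)p[0] << 8;
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

static void eth_hdr(uint8_t *f, const uint8_t *src_mac, uint16_t type) {
    memcpy(f, BOGUS_DST_MAC, 6); memcpy(f + 6, src_mac, 6); put16(f + 12, type);
}

/* ARP test: an ordinary who-has request for target_ip, except the frame is
 * addressed to BOGUS_DST_MAC instead of broadcast. Returns the frame length, 42. */
size_t build_arp_probe(uint8_t *f, const uint8_t *src_mac, uint32_t src_ip, uint32_t target_ip) {
    uint8_t *a = f + ETH_HLEN;
    eth_hdr(f, src_mac, ETH_P_ARP_);
    put16(a, 1); put16(a + 2, ETH_P_IP_); a[4] = 6; a[5] = 4; put16(a + 6, 1);  /* request */
    memcpy(a + 8, src_mac, 6);  memcpy(a + 14, &src_ip, 4);
    memset(a + 18, 0, 6);       memcpy(a + 24, &target_ip, 4);
    return ETH_HLEN + 28;
}

/* Etherping test: a valid ICMP echo request (correct destination IP, correct IP
 * and ICMP checksums) inside a frame the target's NIC should refuse. Returns 50. */
size_t build_etherping_probe(uint8_t *f, const uint8_t *src_mac, uint32_t src_ip,
                             uint32_t target_ip, uint16_t id, uint16_t seq) {
    uint8_t *ip = f + ETH_HLEN, *ic = ip + 20;
    eth_hdr(f, src_mac, ETH_P_IP_);
    memset(ip, 0, 36);
    ip[0] = 0x45; put16(ip + 2, 36); ip[8] = 64; ip[9] = 1;   /* IHL 5, total len, TTL, ICMP */
    memcpy(ip + 12, &src_ip, 4); memcpy(ip + 16, &target_ip, 4);
    put16(ip + 10, inet_csum(ip, 20));
    ic[0] = 8; put16(ic + 4, id); put16(ic + 6, seq); memcpy(ic + 8, "sentinel", 8);
    put16(ic + 2, inet_csum(ic, 16));
    return ETH_HLEN + 36;
}

/* Is this captured frame the target answering one of the probes above? Any such
 * answer means the target accepted a frame that was not addressed to it. */
int classify_reply(const uint8_t *f, size_t len, uint32_t target_ip) {
    if (len < ETH_HLEN + 28) return NOT_REPLY;
    uint16_t type = get16(f + 12);
    if (type == ETH_P_ARP_) {
        const uint8_t *a = f + ETH_HLEN;
        if (get16(a + 6) == 2 && memcmp(a + 14, &target_ip, 4) == 0) return ARP_REPLY_FROM_TARGET;
    } else if (type == ETH_P_IP_) {
        const uint8_t *ip = f + ETH_HLEN;
        size_t ihl = (size_t)(ip[0] & 0x0f) * 4;
        if ((ip[0] >> 4) == 4 && ihl >= 20 && len >= ETH_HLEN + ihl + 8 && ip[9] == 1 &&
            ip[ihl] == 0 /* echo reply */ && memcmp(ip + 12, &target_ip, 4) == 0)
            return ECHO_REPLY_FROM_TARGET;
    }
    return NOT_REPLY;
}

int main(void) {
    uint8_t f[64], mac[6] = {0x00, 0x10, 0x5a, 0x01, 0x02, 0x03};   /* assumed source MAC */
    size_t n = build_etherping_probe(f, mac, ip4(192,168,1,1), ip4(192,168,1,2), 0x1234, 1);
    printf("etherping probe: %zu bytes, ip csum ok=%d, icmp csum ok=%d\n",
           n, inet_csum(f + 14, 20) == 0, inet_csum(f + 34, 16) == 0);
    return 0;
}
```

classify_reply() only accepts a frame as evidence when the IP-layer sender is the target and the message is the right kind of reply (ARP opcode 2, or ICMP type 0), so the probe itself, or an unrelated echo reply, never counts. A silent target is still not a clean bill of health: a kernel that checks the link-layer destination will ignore both probes even when sniffing.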
The ICMP Ping Latency Test
Status: Under Development

In this method we ping the target and note the round-trip time (RTT). We then create hundreds of fake TCP connections on our network segment at a lightning rate. A sniffer on the target has to process all of those packets, and we expect that load to raise the target machine's network latency. We then ping the target again and compare the new RTT with the first. A single pair of measurements is too noisy to trust, so only after a series of tests and averages can we conclude whether or not a sniffer is indeed running on the target.

Usage:

./sentinel [method] [-t target] [options]

Methods:
[ -a  ARP test ]
[ -d  DNS test ]
[ -i  ICMP Ping Latency test ]
[ -e  ICMP Etherping test ]

Options:
[ -f ]
[ -v  Show version and exit ]
[ -n ]
[ -I ]

Examples:

./sentinel -a -t 192.168.1.2
    Perform the ARP test against 192.168.1.2

./sentinel -d -f 1.1.1.1 -t 192.168.1.2
    Perform the DNS test against 192.168.1.2

./sentinel -e -t 192.168.1.2
    Perform the Etherping test against 192.168.1.2

Platforms:

OpenBSD 2.7 (primary development platform)
FreeBSD 4.x
NetBSD 1.4.1
Linux 2.2.x