[TriLUG] Promiscuous mode on open network (nc.rr.com)?

Ryan Leathers ryan.leathers at globalknowledge.com
Wed Jul 2 10:28:51 EDT 2003


No. That particular exploit I mentioned is precompiled and assumes X is
running.  Keep in mind that as with any buffer overflow you can run
arbitrary code with the privileges of the application/service you are
exploiting.  So, if you wanted the exploit to <$DO_NASTY_THING> you'd
just need to edit the source.

If you want source for this start googling.  I don't share this sort of
thing. If you want to see it in a lab environment come out and see me in
Apex.
  

On Wed, 2003-07-02 at 10:13, David R. Matusiak wrote:
> what if there is no X running on the target system?
> 
> can you still pull up a remote xterm on your attack box?
> 
> On Wednesday, July 2, 2003, at 09:54  AM, Ryan Leathers wrote:
> 
> > I hate to always be the naysayer about this sort of thing, so I was
> > holding off looking for someone else to comment thusly:
> >
> > The common wisdom is that the network based (not host based) IDS should
> > be transparent.  When putting the NIC in promiscuous mode you will also
> > be taking care to not bind an IP address, and obviously there will be no
> > listening services.  This sort of network based IDS is transparent which
> > makes it more powerful / dangerous depending on your perspective.
> >
> > Consider what could happen if you had an IP address bound to a NIC that
> > was in promiscuous mode.  The host could be reached, and the NIC would
> > accept everything on the wire.  This is a rootkit waiting to happen.  I
> > have in my bag of tricks some binaries for those occasions when I
> > discover an unauthorized IDS on my network.  One nifty example is a
> > tcpdump exploit which returns an xterm from the target to my attack
> > box.  It's accomplished through a buffer overflow of tcpdump.  This
> > particular exploit is only possible because of the combination of three
> > factors: tcpdump is running, the NIC is in promiscuous mode, an IP
> > address is bound to this NIC. Also note that I generally get the xterm
> > back as root.  (Yes, similar exploits exist for other applications which
> > use promiscuous mode... and yes the original tcpdump BO exploit was
> > patched with 3.6.1 but the subsequent BO2 sploit is still zero day to my
> > knowledge)  The point is DON'T put interfaces you care about in
> > promiscuous mode unless they are transparent.
> >
> >
> > The matter of what will be seen on the wire (what a provider filters,
> > what gets matched, what you care to see) is a separate concern
> > altogether, but just as important.  This idea got some earlier responses
> > so I'll leave it alone.
> >
> > Ryan
> >
> > On Tue, 2003-07-01 at 10:56, lfwelty wrote:
> >> Hi all,
> >>
> >> I'm setting up ntop and snort to watch what's coming at (and
> >> through) my firewall. There are options to run without enabling
> >> promiscuous mode on the monitored NIC, but it would be interesting
> >> to see what's floating by.
> >>
> >> Has anyone done this on their ISP's net?
> >> Or nc.rr.com in particular?
> >>
> >> Did you have any problems?
> >> Has anyone's ISP scanned for NICs in promiscuous mode?
> >>
> >> Thanks,
> >>
> >> F.
> > -- 
> > Ryan Leathers <ryan.leathers at globalknowledge.com>
> > Global Knowledge
> > <signature.asc>
> 
-- 
Ryan Leathers <ryan.leathers at globalknowledge.com>
Global Knowledge
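The rule Ryan states in the quoted message (a sensor NIC in promiscuous mode should be "transparent": no IP address bound, nothing listening) is easy to audit on a Linux host. The script below is an added example and is not code from the thread or from any of the tools mentioned in it. It parses the one-line output of `ip -d -o link show` and `ip -o addr show` (iproute2) and reports every promiscuous interface that still has an address bound. The sample command output embedded in it is constructed for the example, not captured from a real host. One caveat worth knowing: `ip link` shows the PROMISC flag only when promiscuous mode was switched on with `ip link set ... promisc on` (or ifconfig); a capture tool such as tcpdump or snort that opens a packet socket in promiscuous mode is reflected only in the `promiscuity` counter that `ip -d` prints, so the audit checks both.

```python
"""Report promiscuous interfaces that are not transparent (still have an
address bound).  Added example, not from the TriLUG thread; sample output
below is constructed."""
import re
import subprocess

# "3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 ... promiscuity 1 ..."
LINK_RE = re.compile(r"^\d+:\s+([^:@\s]+)(?:@\S+)?:\s+<([^>]*)>(.*)$")
PROMISCUITY_RE = re.compile(r"\bpromiscuity\s+(\d+)")
# "2: eth0    inet 192.0.2.10/24 brd ... " / "3: eth1    inet6 fe80::.../64 ..."
ADDR_RE = re.compile(r"^\d+:\s+(\S+)\s+inet6?\s+(\S+)")

# Constructed sample of `ip -d -o link show`: eth1 is in promiscuous mode via a
# packet socket (counter only, no PROMISC flag); eth2 was set with `ip link`.
SAMPLE_LINKS = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN\\    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 promiscuity 0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP\\    link/ether 02:00:00:00:00:01 brd ff:ff:ff:ff:ff:ff promiscuity 0
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP\\    link/ether 02:00:00:00:00:02 brd ff:ff:ff:ff:ff:ff promiscuity 1
4: eth2: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP\\    link/ether 02:00:00:00:00:03 brd ff:ff:ff:ff:ff:ff promiscuity 1
"""

# Constructed sample of `ip -o addr show`: eth2 has no address at all (IPv6
# disabled on it), eth1 still has an IPv4 address plus an IPv6 link-local one.
SAMPLE_ADDRS = """\
1: lo    inet 127.0.0.1/8 scope host lo\\       valid_lft forever preferred_lft forever
2: eth0    inet 192.0.2.10/24 brd 192.0.2.255 scope global eth0\\       valid_lft forever preferred_lft forever
3: eth1    inet 198.51.100.7/24 brd 198.51.100.255 scope global eth1\\       valid_lft forever preferred_lft forever
3: eth1    inet6 fe80::ff:fe00:2/64 scope link\\       valid_lft forever preferred_lft forever
"""


def parse_links(text):
    """Map interface name -> {"flags": set of link flags, "promiscuity": int}."""
    links = {}
    for line in text.splitlines():
        m = LINK_RE.match(line)
        if not m:
            continue
        name, flags, rest = m.groups()
        pm = PROMISCUITY_RE.search(rest)
        links[name] = {
            "flags": set(flags.split(",")) if flags else set(),
            "promiscuity": int(pm.group(1)) if pm else 0,
        }
    return links


def parse_addrs(text):
    """Map interface name -> list of bound addresses (IPv4 and IPv6, CIDR form)."""
    addrs = {}
    for line in text.splitlines():
        m = ADDR_RE.match(line)
        if m:
            addrs.setdefault(m.group(1), []).append(m.group(2))
    return addrs


def is_promiscuous(link):
    """True if either the PROMISC flag is set or a packet socket holds promiscuity."""
    return "PROMISC" in link["flags"] or link["promiscuity"] > 0


def audit(links, addrs):
    """Return (name, status, detail) for each promiscuous interface.

    REACHABLE   : promiscuous AND has an address bound (what the thread warns about;
                  a link-local IPv6 address counts, the host is reachable on-link).
    TRANSPARENT : promiscuous with no address at all, i.e. a proper sensor port.
    """
    findings = []
    for name, link in sorted(links.items()):
        if not is_promiscuous(link):
            continue
        bound = addrs.get(name, [])
        if bound:
            findings.append((name, "REACHABLE", "bound to " + ", ".join(bound)))
        else:
            findings.append((name, "TRANSPARENT", "no address bound"))
    return findings


def collect_live():
    """Run the real iproute2 commands (Linux only) and parse them."""
    links = subprocess.run(["ip", "-d", "-o", "link", "show"],
                           capture_output=True, text=True, check=True).stdout
    addrs = subprocess.run(["ip", "-o", "addr", "show"],
                           capture_output=True, text=True, check=True).stdout
    return parse_links(links), parse_addrs(addrs)


if __name__ == "__main__":
    # Replace with collect_live() to audit the host you are on.
    for name, status, detail in audit(parse_links(SAMPLE_LINKS), parse_addrs(SAMPLE_ADDRS)):
        print(f"{name:8} {status:12} {detail}")
```

On the sample data eth1 is reported REACHABLE (promiscuous through a packet socket, with an IPv4 and a link-local IPv6 address still bound) and eth2 TRANSPARENT; eth0 and lo are ignored because they are not promiscuous. The remaining half of the transparency rule, that nothing listens on the sensor host, is a separate check (for example `ss -ltnup`) and is not covered here.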