how to catch/block a sniffer on my network!!?

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • how to catch/block a sniffer on my network!!?

    Hi all! Users on my network usually use Yahoo to communicate with one another. Lately it came to my attention that some of those users are using sniffers to detect passwords on our LAN and Yahoo conversations and such private info. Is there a way to block such sniffers?! Our topology has a low security level: there's our private network - Cisco 2811 router - internet. Any help would be appreciated.

  • #2
    Re: how to catch/block a sniffer on my network!!?

    Originally posted by silent View Post
    lately it came to my attention that some of those users are using sniffers to detect passwords on our lan and yahoo conversations and such private info.
    How exactly did this come to your attention? Do you know who is doing this? If so, document your suspicions and bring this to the company's leadership immediately!

    Originally posted by silent View Post
    is there a way to block such sniffers?!
    A sniffer is passive, so there really isn't much you can do unless you have a software management system in place that can detect what applications are on a user's computer. If you use Active Directory, you could put software restriction policies in place. To detect if and where these applications are installed, I think you can use the Application Compatibility Toolkit that Microsoft provides to do a network-based scan of client machines for software titles. Even though the utility is intended to be used to see if a Windows-based computer is ready to be upgraded to Vista, you can still use it for other purposes. If you find any sniffers installed, bring it to the management and let them take care of the employee.

    Originally posted by silent View Post
    Our topology has a low security level: there's our private network - Cisco 2811 router - internet. Any help would be appreciated.
    A sniffer will only work to capture someone else's data in the following scenarios:
    • The network is using hubs rather than switches
    • The network utilizes wireless in some form
    • A user has gained control over a switch or router and has mirrored ports to the port that their own computer resides on.
    • A sniffer has been installed on the victim's computer and is logging data that will later be retrieved by the attacker.


    Which of these scenarios do you think you are dealing with? It would help if you could describe how you realized that this was going on.

    Keep us posted!
    Wesley David
    LinkedIn | Careers 2.0
    -------------------------------
    Microsoft Certifications: MCSE 2003 | MCSA:Messaging 2003 | MCITP:EA, SA, EST | MCTS: a'plenty | MCDST
    Vendor Neutral Certifications: CWNA
    Blog: www.TheNubbyAdmin.com || Twitter: @Nonapeptide || GTalk, Reader and Google+: [email protected] || Skype: Wesley.Nonapeptide
    Goofy kitten avatar photo from Troy Snow: flickr.com/photos/troysnow/



    • #3
      Re: how to catch/block a sniffer on my network!!?

      Originally posted by Nonapeptide View Post
      A sniffer will only work to capture someone else's data in the following scenarios:
      • The network is using hubs rather than switches
      • The network utilizes wireless in some form
      • A user has gained control over a switch or router and has mirrored ports to the port that their own computer resides on.
      • A sniffer has been installed on the victim's computer and is logging data that will later be retrieved by the attacker.
      Not quite, any old network can be sniffed by just plugging in to any port. See here for a longish but excellent read.
      "...if I turn out to be particularly clear, you've probably misunderstood what I've said" - Alan Greenspan



      • #4
        Re: how to catch/block a sniffer on my network!!?

        As an addition, you can use IPsec to encrypt the data.
        Marcel
        Technical Consultant
        Netherlands
        http://www.phetios.com
        http://blog.nessus.nl

        MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
        "No matter how secure, there is always the human factor."

        "Enjoy life today, tomorrow may never come."
        "If you're going through hell, keep going. ~Winston Churchill"



        • #5
          Re: how to catch/block a sniffer on my network!!?

          Originally posted by Lior_S View Post
          Not quite, any old network can be sniffed by just plugging in to any port. See here for a longish but excellent read.
          He did mention hubs.
          Last edited by DYasny; 6th March 2011, 19:17.
          Real stupidity always beats Artificial Intelligence (c) Terry Pratchett

          BA (BM), RHCE, MCSE, DCSE, Linux+, Network+



          • #6
            Re: how to catch/block a sniffer on my network!!?

            Originally posted by DYasny View Post
            He did mention hubs.
            Not sure what you're intending to say, but let me clarify my point to mean that regardless of hub/switch, port mirroring or not, you can be sniffed....
            Or did I not get the wink wink.....


            • #7
              Re: how to catch/block a sniffer on my network!!?

              Originally posted by Lior_S View Post
              Not quite, any old network can be sniffed by just plugging in to any port. See here for a longish but excellent read.
              The old ARP poisoning routine; an oldie but a goodie.

              P.S. No winks were transacted during the course of this thread... not yet anyway.
              Wesley David


              • #8
                Re: how to catch/block a sniffer on my network!!?

                Originally posted by Lior_S View Post
                Not sure what you're intending to say, but let me clarify my point to mean that regardless of hub/switch, port mirroring or not, you can be sniffed....
                Or did I not get the wink wink.....
                You can be sniffed on a gateway, or on a broadcast-based network - i.e. a network that uses hubs instead of switches.

                ARP poisoning is a bit more advanced than just running a simple sniffer.
                Last edited by DYasny; 6th March 2011, 19:18.


                • #9
                  Re: how to catch/block a sniffer on my network!!?

                  Originally posted by silent View Post
                  Hi all! Users on my network usually use Yahoo to communicate with one another. Lately it came to my attention that some of those users are using sniffers to detect passwords on our LAN and Yahoo conversations and such private info. Is there a way to block such sniffers?! Our topology has a low security level: there's our private network - Cisco 2811 router - internet. Any help would be appreciated.
                  Yes, you find out the names of the sniffer executables and block them from running on your Windows network.

                  Oh, and you also block users from installing programs.

                  Or you write up a very good ICT policy that prohibits the use of non-company supplied software on any company machine.
