Undetectable sniffer?
Simon
01-21-2006, 09:22 PM
Hi there,
I'm about to start programming a couple of tools for the place where
I work. However, to help me do that I would need to reverse engineer
some of the software that is used currently (which was made by
companies that no longer exist). My problems here are that I don't have
access to the source code of the programs, and for security reasons I am
not allowed to install anything on the machines and will certainly never
have the possibility to run a sniffer there.

I would like to bend these rules a bit and have a sniffer anyway, to
find out what the communication protocol of that software is (this way
we can keep the server as-is, but just change the front end).

I need to gather information and the rules set by the sysadmins
prevent me from doing so, thus I cannot work on upgrading the software there.
If I can use an undetectable sniffer, I would be able to move forward,
make my own software, prove its efficiency and then later explain
that I used a sniffer to do so. I will then be able to explain why I
needed it and why they should grant me the permission to use one at any
time for development purposes.

The thing in this company is things can and do move; you have to push
them at your own risk though.

BTW, if such software exists, I would need it to work on Windows or
Linux, probably on a laptop.

Thanks for any info,
Simon
Unruh
01-22-2006, 03:56 AM
Simon <(E-Mail Removed)> writes:

>Hi there,
> I'm about to start programming a couple of tools for the place where
>I work. However, to help me do that I would need to reverse engineer
>some of the software that is used currently (which was made by
>companies that no longer exist). My problems here are that I don't have
>access to the source code of the programs, and for security reasons I am
>not allowed to install anything on the machines and will certainly never
>have the possibility to run a sniffer there.


Either get permission to run a sniffer or tell them that the task is not
possible. For you to directly counter policy is a good way to get fired and
not to finish the job.


> I would like to bend these rules a bit and have a sniffer anyway, to
>find out what the communication protocol of that software is (this way
>we can keep the server as-is, but just change the front end).


So make your case to management, not to us.


> I need to gather information and the rules set by the sysadmins
>prevent me from doing so, thus I cannot work on upgrading the software there.

Fine, tell them and stop.

> If I can use an undetectable sniffer, I would be able to move forward,
>make my own software, prove its efficiency and then later explain
>that I used a sniffer to do so. I will then be able to explain why I
>needed it and why they should grant me the permission to use one at any
>time for development purposes.

Idiotic idea. There is no "undetectable sniffer".

> The thing in this company is things can and do move; you have to push
>them at your own risk though.


> BTW, if such software exists, I would need it to work on Windows or
>Linux, probably on a laptop.

Christoph Scheurer
01-22-2006, 07:43 AM
On Sunday, 22.01.2006, 04:56 +0000, Unruh wrote:

> > If I can use an undetectable sniffer, I would be able to move forward,
> >make my own software, prove its efficiency and then later explain
> >that I used a sniffer to do so. I will then be able to explain why I
> >needed it and why they should grant me the permission to use one at any
> >time for development purposes.
>
> Idiotic idea. There is no "undetectable sniffer".

There is a possibility if you can hook your computer on a hub, not a
switch. There you could run any kind of sniffer without anyone
recognizing it. But I fear there are not many hubs out there. Time
passes.

greets
Chris

Simon
01-22-2006, 07:58 AM
> There is a possibility if you can hook your computer on a hub, not a
> switch. There you could run any kind of sniffer without anyone
> recognizing it. But I fear there are not many hubs out there. Time
> passes.

Well, I can shut down the computer, which would look normal on the
network, hook up a hub and the cord to the PC, plus one to my laptop.
Reboot the work machine.

Would it be possible to detect the hub then? And how can I render the
laptop silent, or undetectable?

Thanks,
Simon
prg
01-22-2006, 03:33 PM

Simon wrote:
> > There is a possibility if you can hook your computer on a hub, not a
> > switch. There you could run any kind of sniffer without anyone
> > recognizing it. But I fear there are not many hubs out there. Time
> > passes.
>
> Well, I can shut down the computer, which would look normal on the
> network, ...


Well, you assume it will look normal ;-)

> ... hook up a hub and the cord to the PC, plus one to my laptop.
> Reboot the work machine.


Now here is where you may find a problem. The hub will need to support
the previous link speed reliably. 10 Mb/s is OK, 100 Mb/s is likely (but
check your hub beforehand) and 1000 Mb/s is ???. Haven't seen a hub
that supports 1000 Mb/s. If you substantially slow the link speed, that
_will_ be noticed.

> Would it be possible to detect the hub then? And how can I render the
> laptop silent, or undetectable?


First note that sniffers are passive -- the only detection probes that work
depend on tickling bugs in NIC driver/networking code, afaik. A
network scanner might be able to detect your laptop if it responds
inappropriately. Should it be _totally_ silent on the network?
Detectable but appear "normal"? You'll have to sort that out.
Total silence may be "easiest" to implement but most difficult to
confirm. Normal may be detected but raise no alarms. Choose your
poison.

As noted already, you run a _very_ real risk of being fired. You would
if I were a sysadmin there. Even if you get past that, you will almost
certainly gain the undying ire and mistrust of the sysadmins. Don't
underestimate the pain they can cause you.

You also expose yourself to the possibility of being discovered and
becoming the target of "blackmail" in return for silence. Perhaps they
will wait till you're nearly done, get your work product, get you
fired, then take credit for your work. Ain't soap operas fun. In sum,
you _will_ be a disruptive force.

Hey, but you like the intrigue. Adds spice to your boring daily
activities. Others will not be amused.

To top it off, if I understand the current state of your knowledge re:
these "secret" app protocols, you will most probably not succeed in
your attempt to reverse engineer the wire protocol. The "normal"
pattern of packet flow will make it _very_ difficult to sort out just
_exactly_ what the protocol is doing, why it's doing it in the sequence
it's doing it, and how you might use this _incomplete_ knowledge to
fashion tools. This is _not_ how reverse engineering a protocol works
(well, hopefully not).

You need to set up a test bed with a client and a server that you
control _completely_ so that you can observe that when you do A on the
client, the server does Z. You need to understand not only the
protocol, but also the (side)effects on the server itself before it
responds to the client. Surely you don't expect to run _untested_ code
at/on the production servers, do you?

If the protocols have not already been decoded by someone else, you
won't get much but a hex dump of the application layer. It will be
like reverse engineering a binary from reading the raw executable. Are
you up to the task?

My approach would be to be open about the project, set up a test bed,
scrounge the net _and_ some appropriate mailing lists for help,
guidance, and clues, and proceed with the tedious job of decoding and
understanding the protocols. True, you won't need to know _everything_,
but you will need a good understanding of what's going on.

Surely the folks that wrote the apps included _some_ code for testing
and tools. If you would share some info about the apps you're talking
about, you may find someone else has already done some of the work --
if not _all_ of the work -- of decoding the protocols. Certainly,
someone with more experience doing this sort of thing would help. I
would certainly look here for help and guidance:

http://www.ethereal.com/lists/

If ethereal does not already have a decode for your apps, perhaps
someone else has worked on them or something similar. There are some
very bright, experienced folks there.

BTW, as a first step, you might try inserting a Linux box and using
netfilter to simply log the packets heading toward the servers/ports
running the apps in order to get some feel for what they're up to.

good luck -- you'll need it,
prg

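The link-speed point prg makes above is exactly what an administrator checking the switch would look for. As an added example (not from the thread or any poster): a small Python check over two constructed snapshots of a switch's port table, in an assumed "name status speed duplex learned-MACs" line format, that flags a port which stayed up but dropped in negotiated speed, fell from full to half duplex, or learned an extra MAC address. It goes a little beyond the post by checking duplex and MAC count as well as speed.

```python
"""Flag switch-port changes that would betray a hub inserted on an access
port.  Constructed example: two snapshots of a switch's port table (name,
status, speed, duplex, learned MAC count; line format assumed) taken before
and after a suspected change.  A hub forces the port down to a shared
10/100 half-duplex link and, if a second host on the hub ever transmits,
the port learns a second MAC address."""
from dataclasses import dataclass


@dataclass(frozen=True)
class PortState:
    status: str   # "connected" or "notconnect"
    speed: int    # negotiated speed in Mb/s (0 when down)
    duplex: str   # "full", "half", or "auto" when down
    macs: int     # MAC addresses learned on the port


def parse_snapshot(text: str) -> dict[str, PortState]:
    """Parse constructed lines like 'Gi1/0/12 connected 1000 full 1'."""
    ports = {}
    for line in text.strip().splitlines():
        name, status, speed, duplex, macs = line.split()
        ports[name] = PortState(status, int(speed), duplex, int(macs))
    return ports


def hub_indicators(before, after):
    """Return {port: [reasons]} for ports that stayed up but degraded."""
    findings = {}
    for port, old in before.items():
        new = after.get(port)
        if new is None or old.status != "connected" or new.status != "connected":
            continue  # a port that went down entirely is a different alert
        reasons = []
        if new.speed < old.speed:
            reasons.append(f"speed dropped {old.speed}->{new.speed} Mb/s")
        if old.duplex == "full" and new.duplex == "half":
            reasons.append("duplex changed full->half")
        if new.macs > old.macs:
            reasons.append(f"learned MACs {old.macs}->{new.macs}")
        if reasons:
            findings[port] = reasons
    return findings


# Constructed snapshots: a hub and a second host were put in front of the
# workstation on Gi1/0/12 between the two captures.
BEFORE = """Gi1/0/11 connected 1000 full 1
Gi1/0/12 connected 1000 full 1
Gi1/0/13 notconnect 0 auto 0"""
AFTER = """Gi1/0/11 connected 1000 full 1
Gi1/0/12 connected 100 half 2
Gi1/0/13 notconnect 0 auto 0"""

if __name__ == "__main__":
    for port, why in hub_indicators(parse_snapshot(BEFORE), parse_snapshot(AFTER)).items():
        print(port, "; ".join(why))
```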
Robert
01-22-2006, 03:45 PM
On Sun, 22 Jan 2006 03:58:42 -0500, Simon wrote:

>> There is a possibility if you can hook your computer on a hub, not a
>> switch. There you could run any kind of sniffer without anyone
>> recognizing it. But I fear there are not many hubs out there. Time
>> passes.
>
> Well, I can shut down the computer, which would look normal on the
> network, hook up a hub and the cord to the PC, plus one to my laptop.
> Reboot the work machine.
>
> Would it be possible to detect the hub then? And how can I render the
> laptop silent, or undetectable?


You bet! As soon as they check the switch they will see it.

The problem I am having here in helping you is to me it sounds like what
you want to do is against company policy and you could be fired for it.
I'm not going to help you out the door. Just because you proved that what
you did is better for the company doesn't justify your means on how you
went about it. If you cannot go up the chain of command and get approval
then you shouldn't be doing it in the first place.

Most companies have some sort of test lab for this type of thing. See if
you can get access to it or if your company doesn't have one see if you
can start one. I'm sure if you can present your side in a way that they
understand they will most likely help you do what you want to do.


--

Regards
Robert

Smile... it increases your face value!

Michael Heiming
01-22-2006, 04:55 PM
In comp.os.linux.networking Simon <(E-Mail Removed)>:
>> There is a possibility if you can hook your computer on a hub, not a
>> switch. There you could run any kind of sniffer without anyone
>> recognizing it. But I fear there are not many hubs out there. Time
>> passes.

> Well, I can shut down the computer, which would look normal on the
> network, hook up a hub and the cord to the PC, plus one to my laptop.
> Reboot the work machine.

> Would it be possible to detect the hub then? And how can I render the
> laptop silent, or undetectable?


Depends on the equipment behind it; some will be able to detect the
hub easily.

Bill's advice seems most reasonable to me, why not just ask and
explain the situation?

--
Michael Heiming (X-PGP-Sig > GPG-Key ID: EDD27B94)
mail: echo (E-Mail Removed) | perl -pe 'y/a-z/n-za-m/'
#bofh excuse 90: Budget cuts
Moe Trin
01-22-2006, 07:11 PM
On 22 Jan 2006, in the Usenet newsgroup comp.os.linux.networking, in article
<dqv397$545$(E-Mail Removed)>, Unruh wrote:

>Simon <(E-Mail Removed)> writes:


>Either get permission to run a sniffer or tell them that the task is not
>possible.


Agreed.

>> I need to gather information and the rules set by the sysadmins
>>prevent me from doing so, thus I cannot work on upgrading the software there.
>
>Fine, tell them and stop.


As one who helps enforce rules set by corporate policy, I have to strongly
agree here. Simon, you _really_ don't want to cross that line. Even if
you sniff the unencrypted password, you're not home free.

>> If I can use an undetectable sniffer, I would be able to move forward,


>Idiotic idea. There is no "undetectable sniffer".


To what extent? Ordinary sniffers (there are lots of them out there) can
sometimes be detected due to operator error, or an unexplained response to
a carefully crafted packet (I think that's intentionally vague enough to
cover several detection techniques), but if it can't respond, you're going
to have to detect it by tracing wires, and given physical access that can
be made "rather" difficult. But then, that _would_ make the Powers That
Be(tm) "rather" unhappy too.

Old guy
Simon
01-22-2006, 08:22 PM
> Now here is where you may find a problem. The hub will need to support
> the previous link speed reliably. 10 Mb/s is OK, 100 Mb/s is likely (but
> check your hub beforehand) and 1000 Mb/s is ???. Haven't seen a hub
> that supports 1000 Mb/s. If you substantially slow the link speed, that
> _will_ be noticed.


Well, I'm not sure about this, but if I find out the NIC of the PC is
100 Mb/s, I could use a hub that's exactly the same? What if I use a hub
that has better speed than the NIC of the PC; that would probably avoid
all this kind of problem?

>>Would it be possible to detect the hub then? And how can I render the
>>laptop silent, or undetectable?
>
> First note that sniffers are passive -- the only detection probes that work
> depend on tickling bugs in NIC driver/networking code, afaik. A
> network scanner might be able to detect your laptop if it responds
> inappropriately. Should it be _totally_ silent on the network?
> Detectable but appear "normal"? You'll have to sort that out.
> Total silence may be "easiest" to implement but most difficult to
> confirm. Normal may be detected but raise no alarms. Choose your
> poison.


That's strange; I thought it would be simple to shut down all kinds of
responses from the NIC.

> As noted already, you run a _very_ real risk of being fired. You would
> if I were a sysadmin there. Even if you get past that, you will almost
> certainly gain the undying ire and mistrust of the sysadmins. Don't
> underestimate the pain they can cause you.


I heard all of you about the warning. You don't need to repeat it; I
know the risks involved in doing such activities. However, I cannot
estimate how boring my life would be without risk.

> To top it off, if I understand the current state of your knowledge re:
> these "secret" app protocols, you will most probably not succeed in
> your attempt to reverse engineer the wire protocol. The "normal"
> pattern of packet flow will make it _very_ difficult to sort out just
> _exactly_ what the protocol is doing, why it's doing it in the sequence
> it's doing it, and how you might use this _incomplete_ knowledge to
> fashion tools. This is _not_ how reverse engineering a protocol works
> (well, hopefully not).


I know, but I do not have a test server, I do not have a test client.
My strategy here is to gather information about the protocol, dump
packets and examine them at home. I may be able to find something good,
not something perfect, not something secure and stable like the
sys.admins want but just some sort of start.

With that start I can then speak with the sysadmins and ask them for a test
server and all I need, with permissions to sniff this thing and maybe
even decode the machine code of the server, etc...

The thing is, right now I'm nobody and there is no way they will even
listen to me; it's not even a question of time, it's almost a political
kind of thing. If I am able to have a starter, I can show that to them,
tell them, here, I made this up with "nothing" but I can't make it
stable or secure, I could do with a server, etc...

I read the rules at my company and found a bug. The bug prevents the
company from growing and from making its operations better. I want to
sneak past that bug and prove the internal politics need to change.

> BTW, as a first step, you might try inserting a Linux box and using
> netfilter to simply log the packets heading toward the servers/ports
> running the apps in order to get some feel for what they're up to.


OK, but what about detection? That is my main concern about setting up
a box.

> good luck -- you'll need it,


True. Thanks!
Simon
01-22-2006, 08:27 PM
> To what extent? Ordinary sniffers (there are lots of them out there) can
> sometimes be detected due to operator error, or an unexplained response to
> a carefully crafted packet (I think that's intentionally vague enough to
> cover several detection techniques), but if it can't respond, you're going
> to have to detect it by tracing wires, and given physical access that can
> be made "rather" difficult. But then, that _would_ make the Powers That
> Be(tm) "rather" unhappy too.


But at the point of looking for a physical sniffer, the admins would
need to be "looking" for it already. If they don't suspect anything
then I may have a chance of completing my project and that's all I ask.

I will not leave the computer on the network when I'm gone, just when I
work, as it's the work I do with the PC and that software that interests me.

I know this is not politically correct, but I'm not asking here what
would be correct. The ideal in a thread like this is to have people
trying to help me (like helping the "dark side") and others trying to
find how to detect it, etc... This way all of us can learn something
about sniffers.

Thanks.