How to find out that a NIC is in promiscuous mode on a LAN?

DNS test - many packet sniffing tools perform IP address to name lookups to provide DNS names in place of IP addresses. To test this, you must place your network card into promiscuous mode and send packets out onto the network aimed at bogus hosts. If any name lookups from the bogus hosts are seen, a sniffer might be in action on the host performing the lookups.

ARP Test - When in promiscuous mode the driver for the network card checks for the MAC address being that of the network card for unicast packets, but only checks the first octet of the MAC address against the value 0xff to determine if the packet is broadcast or not. Note that the address for a broadcast packet is ff:ff:ff:ff:ff:ff. To test for this flaw, send a packet with a MAC address of ff:00:00:00:00:00 and the correct destination IP address of the host. After receiving the packet, the Microsoft OS using the flawed driver will respond while in promiscuous mode. This probably happens only with the default MS driver.

Ether Ping test - In older Linux kernels, when a network card is placed in promiscuous mode, every packet is passed on to the OS. Some Linux kernels looked only at the IP address in the packets to determine whether they should be processed or not. To test for this flaw, you have to send a packet with a bogus MAC address and a valid IP address. Vulnerable Linux kernels with their network cards in promiscuous mode only look at the valid IP address. To get a response, an ICMP echo request message is sent within the bogus packet, causing vulnerable hosts in promiscuous mode to respond.

Maybe there are more; for me the DNS test is the most reliable.
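
Added example (not part of the answer above, and not code from any of the tools mentioned on this page): a small receive-path model of why the ARP test and the Ether Ping test work. It models three kinds of host, a correct stack, the flawed Windows driver described in the ARP test, and an old Linux kernel described in the Ether Ping test, and replays both probes against each. The host names, MAC and IP addresses, and the "bogus" destination MAC used for the Ether Ping probe are constructed for the example; nothing is put on the wire.

```python
"""Receive-path model behind the ARP and Ether Ping sniffer-detection tests.

Added example, not code from the original answer. Host names, addresses and the
bogus Ether Ping MAC are constructed; no packets are sent.
"""
from dataclasses import dataclass

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
ARP_TEST_MAC = "ff:00:00:00:00:00"          # from the answer: only the first octet is 0xff
ETHER_PING_BOGUS_MAC = "de:ad:be:ef:00:01"  # constructed: a MAC owned by nobody on the LAN


@dataclass(frozen=True)
class Frame:
    dst_mac: str
    dst_ip: str


@dataclass
class Host:
    name: str
    mac: str
    ip: str
    model: str      # "correct", "flawed_driver" or "old_linux"
    promisc: bool

    def accepts_frame(self, frame: Frame) -> bool:
        """Does the host's driver/stack hand this frame up to the IP layer?"""
        if not self.promisc:
            # Hardware address filter: our own unicast MAC or the full broadcast address.
            return frame.dst_mac in (self.mac, BROADCAST_MAC)
        if self.model == "correct":
            # A correct stack repeats the full destination-MAC check in software.
            return frame.dst_mac in (self.mac, BROADCAST_MAC)
        if self.model == "flawed_driver":
            # The flaw: the broadcast test looks only at the first octet.
            first_octet = int(frame.dst_mac.split(":")[0], 16)
            return frame.dst_mac == self.mac or first_octet == 0xFF
        if self.model == "old_linux":
            # Every frame reaches the IP layer; the MAC is not checked at all.
            return True
        raise ValueError(f"unknown model {self.model!r}")

    def responds(self, frame: Frame) -> bool:
        """A reply goes out only if the frame is accepted and the IP address is ours."""
        return self.accepts_frame(frame) and frame.dst_ip == self.ip


def arp_test_probe(target: Host) -> Frame:
    """ARP test: first octet 0xff, rest zero, correct destination IP."""
    return Frame(dst_mac=ARP_TEST_MAC, dst_ip=target.ip)


def ether_ping_probe(target: Host) -> Frame:
    """Ether Ping test: wholly bogus MAC, correct destination IP (carries an echo request)."""
    return Frame(dst_mac=ETHER_PING_BOGUS_MAC, dst_ip=target.ip)


def run_probes(hosts) -> dict:
    """Map each host name to the set of tests that elicited a reply from it."""
    results = {}
    for host in hosts:
        hits = set()
        if host.responds(arp_test_probe(host)):
            hits.add("arp")
        if host.responds(ether_ping_probe(host)):
            hits.add("ether_ping")
        results[host.name] = hits
    return results


# Constructed LAN: one ordinary host and three hosts with the card in promiscuous mode.
SAMPLE_HOSTS = [
    Host("win-desk",        "00:11:22:33:44:01", "10.0.0.11", "flawed_driver", promisc=False),
    Host("win-sniffer",     "00:11:22:33:44:02", "10.0.0.12", "flawed_driver", promisc=True),
    Host("linux-old-sniff", "00:11:22:33:44:03", "10.0.0.13", "old_linux",     promisc=True),
    Host("linux-new-sniff", "00:11:22:33:44:04", "10.0.0.14", "correct",       promisc=True),
]

if __name__ == "__main__":
    for name, hits in run_probes(SAMPLE_HOSTS).items():
        print(f"{name:16} replied to: {sorted(hits) or 'nothing'}")
```

The last host is the caveat: a stack that re-checks the destination MAC in software replies to neither probe even while sniffing, which is why these tests find only hosts with the specific flaws described and why the answer falls back on the DNS test.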


@vp gave the theory, I will give some tools.

For use in Linux systems:

  • SniffDet: This one employs 4 different tests: ICMP test, ARP test, DNS test and also a LATENCY test (which VP01 didn't mention). The tool was recently updated and I recommend it.

Also:

  • nmap: There is an NSE script for nmap called sniffer-detect.nse which does just that.
  • nast: It detects other PCs in promiscuous mode by doing the ARP test.
  • ptool: Does the ARP and ICMP tests. Last commit was in 2009.

For Windows systems:

  • Cain & Abel can do a promiscuous scan using many types of ARP tests.
  • Promqry and PromqryUI are Microsoft tools for this purpose too, but I'm not really sure how they work.

As for general detection techniques, there's also another one, called honeypot detect. Details about the latency test and the honeypot technique can be found in sniffdet's documentation.
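
Added example (not part of this answer and not code from SniffDet or any other tool listed): the checking half of the DNS test. Once bait traffic to unused addresses has been sent, a sniffer that resolves addresses to names will ask the local resolver for PTR records of those addresses, so the resolver's query log shows which client did it. The script parses constructed BIND-style query-log lines; the log format is an assumption and the regex may need adjusting for a real resolver, and the client and bait addresses are constructed.

```python
"""Find clients that reverse-resolved the DNS-test bait addresses in a resolver log.

Added example, not from the original answers or from any tool named on the page.
Log lines, client addresses and bait addresses are constructed; the BIND-like
query-log format is an assumption.
"""
import re

# "client [@id] <ip>#<port> ... query: <name> IN PTR ..." (BIND-like; assumed format)
QUERY_RE = re.compile(
    r"client (?:@\S+ )?(?P<src>\d{1,3}(?:\.\d{1,3}){3})#\d+.*?query: (?P<name>\S+) IN PTR"
)


def ptr_name_to_ip(name: str):
    """Turn '5.99.0.10.in-addr.arpa' into '10.0.99.5'; None for anything else."""
    name = name.rstrip(".").lower()
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    labels = name[: -len(suffix)].split(".")
    if len(labels) != 4 or not all(label.isdigit() for label in labels):
        return None
    return ".".join(reversed(labels))


def find_bait_lookups(log_lines, bait_ips) -> dict:
    """Map each client that reverse-resolved a bait address to the bait IPs it asked for."""
    bait = set(bait_ips)
    suspects = {}
    for line in log_lines:
        match = QUERY_RE.search(line)
        if not match:
            continue
        ip = ptr_name_to_ip(match.group("name"))
        if ip in bait:
            suspects.setdefault(match.group("src"), set()).add(ip)
    return suspects


# Constructed: 10.0.99.5 and 10.0.99.6 are unused addresses the bait traffic was sent to.
BAIT_IPS = ["10.0.99.5", "10.0.99.6"]

# Constructed log lines. 10.0.0.7 reverse-resolves the bait; 10.0.0.12 only does an
# ordinary A lookup and a PTR lookup for a real host, so it must not be flagged.
SAMPLE_LOG = [
    "01-Mar-2024 10:00:01.001 client 10.0.0.7#40123 (5.99.0.10.in-addr.arpa): query: 5.99.0.10.in-addr.arpa IN PTR + (10.0.0.1)",
    "01-Mar-2024 10:00:01.004 client 10.0.0.7#40124 (6.99.0.10.in-addr.arpa): query: 6.99.0.10.in-addr.arpa IN PTR + (10.0.0.1)",
    "01-Mar-2024 10:00:02.120 client 10.0.0.12#51000 (www.example.com): query: www.example.com IN A + (10.0.0.1)",
    "01-Mar-2024 10:00:03.500 client 10.0.0.12#51001 (20.0.0.10.in-addr.arpa): query: 20.0.0.10.in-addr.arpa IN PTR + (10.0.0.1)",
]

if __name__ == "__main__":
    for src, ips in sorted(find_bait_lookups(SAMPLE_LOG, BAIT_IPS).items()):
        print(f"{src} reverse-resolved bait addresses: {sorted(ips)}")
```

Two things to keep in mind when reading the result: the bait addresses must really be unused, or a legitimate host that reverse-resolves everything it talks to (a monitoring box, a mail server logging client names) gets flagged as well; and the client address in the log is the sniffer's host only if it queries this resolver directly, since a forwarding resolver in between would show up as the client instead.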


You can't guarantee that you'll be able to detect it.

For example, you can easily make a read-only ethernet cable by looping the TX+ (pin 1) and TX- (pin 2) of the sniffing computer, then connecting TX+ (pin 1) to RX+ (pin 3 of the sniffer) and TX- (pin 2) to RX- (pin 6 of the sniffer). It will then be impossible for the sniffing computer to affect any data traffic on the network.

It may be possible to detect a voltage drop or RF emissions (along the lines of Van Eck phreaking), but I'm not aware of any COTS hardware that will detect it.

Tags:

Audit

Network