Is promiscuous mode bad?
Aaron Dalton
2004-08-15 20:29:05 UTC
I was running security/rkhunter and it warns me about my network card being in
promiscuous mode. I have a few questions:
1) What exactly is promiscuous mode? (I've done some googling but haven't
found anything really clear)
2) Why might it be considered a bad thing?
3) How do I disable it if it really is bad?
4) What are the effects of disabling it?

Thank you *so much* for your time!
--
Aaron Dalton
http://aaron.daltons.ca
Bill Moran
2004-08-15 21:08:06 UTC
Post by Aaron Dalton
I was running security/rkhunter and it warns me about my network card being in
1) What exactly is promiscuous mode? (I've done some googling but haven't
found anything really clear)
Promiscuous mode means the network card sends all traffic received to the
kernel for processing, even if it wasn't destined for the MAC address of that
card. In normal mode, traffic not destined for that card is dropped and the
kernel never sees it.
Post by Aaron Dalton
2) Why might it be considered a bad thing?
Once the card is placed in promiscuous mode, users on your system can use
packet sniffers to sniff network traffic without needing root privs on
your system. The NIC is promiscuous for the whole machine.
Post by Aaron Dalton
3) How do I disable it if it really is bad?
ifconfig should allow you to do this.
Post by Aaron Dalton
4) What are the effects of disabling it?
Pretty much the reverse of #2. If you're running many types of scanning
software, or network sniffers, they will put the card in promisc mode.
--
Bill Moran
Potential Technologies
http://www.potentialtech.com
Aaron Dalton
2004-08-15 22:03:26 UTC
Thank you so much for your replies! This makes much more sense now.

I am currently running Snort. I will examine its documentation to see if
promiscuous mode is really necessary. In the meantime, am I correct in
assuming the only threat is from local users? If so, currently all users are
trusted so I shan't panic just yet.

Thank you again for your help!
--
Aaron Dalton
http://aaron.daltons.ca
Kevin D. Kinsey, DaleCo, S.P.
2004-08-15 22:19:44 UTC
Post by Aaron Dalton
Thank you so much for your replies! This makes much more sense now.
I am currently running Snort. I will examine its documentation to see if
promiscuous mode is really necessary.
It is.
Post by Aaron Dalton
In the meantime, am I correct in
assuming the only threat is from local users?
Yes.
Post by Aaron Dalton
If so, currently all users are
trusted so I shan't panic just yet.
Hmm, "the human heart is a dangerous thing."
;-)

Kevin Kinsey
DaleCo, S.P.
Remko Lodder
2004-08-15 22:25:45 UTC
Post by Aaron Dalton
Thank you so much for your replies! This makes much more sense now.
I am currently running Snort. I will examine its documentation to see if
promiscuous mode is really necessary. In the meantime, am I correct in
assuming the only threat is from local users? If so, currently all users are
trusted so I shan't panic just yet.
Thank you again for your help!
Snort uses promisc to capture the packets off the line and examine them.
So this needs to be turned on to be able to do some productive things :)
Turning it off will disable Snort, actually.

Reminder for Bill: sniffing via bpf requires the same privileges whether
promisc. is set or not, so you always need to be root for sniffing data
off the line, that is, when the permissions are not tampered with :).
Thanks #bsddocs (simon ;))
--
Kind regards,

Remko Lodder |***@elvandar.org
Reporter DSINet |***@dsinet.org
Projectleader Mostly-Harmless |***@mostly-harmless.nl
Bill Moran
2004-08-15 22:32:05 UTC
Post by Remko Lodder
Reminder for Bill: sniffing via bpf requires the same privileges whether
promisc. is set or not, so you always need to be root for sniffing data
off the line, that is, when the permissions are not tampered with :).
Thanks #bsddocs (simon ;))
Really? Then I stand corrected.

If that's the case, though, what _is_ the administrative danger of running
in PROMISC mode?
--
Bill Moran
Potential Technologies
http://www.potentialtech.com
Kevin Stevens
2004-08-16 02:53:10 UTC
Post by Bill Moran
Post by Remko Lodder
Reminder for Bill: sniffing via bpf requires the same privileges whether
promisc. is set or not, so you always need to be root for sniffing data
off the line, that is, when the permissions are not tampered with :).
Thanks #bsddocs (simon ;))
Really? Then I stand corrected.
If that's the case, though, what _is_ the administrative danger of running
in PROMISC mode?
I think, in general, it's the notion that if the NIC is listening to
things it shouldn't, it may hear something it doesn't want to. ;)

In other words, there would be concern over exploits targeted at
services or daemons that don't screen inbound traffic for the
destination address being that of the local host, because they assume
that such traffic could never be delivered to them. That type of
thing.

A lot of network scanners also trigger on NICs in promiscuous mode
(there's a way to detect them, I forget the details at the moment)
because admins want to know if any hosts are out there sniffing.

KeS
Ruben de Groot
2004-08-16 12:24:00 UTC
Post by Kevin Stevens
A lot of network scanners also trigger on NICs in promiscuous mode
(there's a way to detect them, I forget the details at the moment)
because admins want to know if any hosts are out there sniffing.
How sure are you about that? AFAIK there's no way to detect a NIC in
promiscuous mode *from the outside*. I would be very interested in a network
scanner that could.

Ruben
Dan Nelson
2004-08-16 15:18:04 UTC
Post by Ruben de Groot
Post by Kevin Stevens
A lot of network scanners also trigger on NICs in promiscuous mode
(there's a way to detect them, I forget the details at the moment)
because admins want to know if any hosts are out there sniffing.
How sure are you about that? AFAIK there's no way to detect a NIC in
promiscuous mode *from the outside*. I would be very interested in a
network scanner that could.
The basic points are that since the kernel sees packets it usually
doesn't, there may be codepaths that incorrectly process certain
packets and send replies. There's also a small delay in processing all
those extra packets that might be seen as extra latency in pings etc.
As CPUs get faster and kernel bugs get fixed, these become harder and
harder to detect.

Do a web or usenet search for "detect promiscuous mode" for lots and
lots of links.
--
Dan Nelson
***@allantgroup.com
horio shoichi
2004-08-16 20:59:59 UTC
On Mon, 16 Aug 2004 14:24:00 +0200
Post by Ruben de Groot
Post by Kevin Stevens
A lot of network scanners also trigger on NICs in promiscuous mode
(there's a way to detect them, I forget the details at the moment)
because admins want to know if any hosts are out there sniffing.
How sure are you about that? AFAIK there's no way to detect a NIC in
promiscuous mode *from the outside*. I would be very interested in a network
scanner that could.
Ruben
Ping it with a wrong MAC.


horio shoichi
Geert Hendrickx
2004-08-20 16:02:09 UTC
Post by Ruben de Groot
Post by Kevin Stevens
A lot of network scanners also trigger on NICs in promiscuous mode
(there's a way to detect them, I forget the details at the moment)
because admins want to know if any hosts are out there sniffing.
How sure are you about that? AFAIK there's no way to detect a NIC in
promiscuous mode *from the outside*. I would be very interested in a network
scanner that could.
IIRC, Linux has/had a bug in its network stack which could reveal
promisc. mode to the outside. It would reply to all ICMP packets with
the correct IP, whatever MAC address was used. So if you'd ping a Linux box
twice, but with different MAC addresses, and it replies to both, you'd
know it's set in promisc. mode.

I don't know whether this applies to FreeBSD.

GH
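The "ping it with a wrong MAC" probe that Kevin Stevens, Dan Nelson, horio shoichi and Geert Hendrickx describe above, as an added example that is not part of the original thread. It simulates both sides in pure Python so it runs offline: a NIC filter that passes everything when promiscuous and otherwise only frames to its own MAC or broadcast (multicast is left out for simplicity), and an IP stack that answers ICMP echo requests addressed to its IP. The `stack_checks_dst_mac` switch is an assumption standing in for the two behaviours discussed: a stack that answers whatever the destination MAC was (the Linux bug Geert recalls) versus one that drops frames not addressed to it. All MAC and IP addresses are made up. Two caveats a practitioner should keep in mind: the probe only works from the same broadcast domain, since a router rewrites the destination MAC, and a promiscuous host whose stack does check the destination MAC stays silent, so no reply proves nothing.

```python
"""Simulated wrong-MAC ping probe for promiscuous-mode detection.

Added example, not code from the thread or from any tool named in it.
Models the two stages a frame passes on the target: the NIC's hardware
filter and the kernel IP stack. The hardware filter is what promiscuous
mode switches off; whether the stack still checks the destination MAC
decides if the probe gets an answer.
"""
import struct

BROADCAST = b"\xff" * 6
ETHERTYPE_IP = 0x0800
ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY = 8, 0


def mac(text):
    return bytes.fromhex(text.replace(":", ""))


def ipv4(text):
    return bytes(int(octet) for octet in text.split("."))


def inet_checksum(data):
    """RFC 1071 one's-complement checksum as used by IPv4 and ICMP; 0 when valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_icmp_frame(dst_mac, src_mac, src_ip, dst_ip, icmp_type, ident, seq, payload):
    """Ethernet II + IPv4 (no options) + ICMP echo frame with valid checksums."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + payload
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    iphdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0, src_ip, dst_ip)
    iphdr = iphdr[:10] + struct.pack("!H", inet_checksum(iphdr)) + iphdr[12:]
    return dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IP) + iphdr + icmp


class Host:
    """A target with a NIC filter and an IP stack (addresses are made up)."""

    def __init__(self, mac_text, ip_text, promisc=False, stack_checks_dst_mac=True):
        self.mac = mac(mac_text)
        self.ip = ipv4(ip_text)
        self.promisc = promisc
        self.stack_checks_dst_mac = stack_checks_dst_mac  # assumed switch, see lead-in

    def nic_accepts(self, frame):
        """Hardware filter: promisc passes everything, else own MAC or broadcast only."""
        dst = frame[:6]
        return self.promisc or dst == self.mac or dst == BROADCAST

    def receive(self, frame):
        """Run a frame through NIC filter and IP stack; return the reply frame or None."""
        if not self.nic_accepts(frame):
            return None
        dst_mac, src_mac = frame[:6], frame[6:12]
        if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IP:
            return None
        if self.stack_checks_dst_mac and dst_mac not in (self.mac, BROADCAST):
            return None  # a careful stack drops what the NIC should never have passed up
        iphdr_len = (frame[14] & 0x0F) * 4
        ip_fields = frame[14:14 + iphdr_len]
        if inet_checksum(ip_fields) != 0 or ip_fields[9] != 1 or ip_fields[16:20] != self.ip:
            return None
        icmp = frame[14 + iphdr_len:]
        if inet_checksum(icmp) != 0 or icmp[0] != ICMP_ECHO_REQUEST:
            return None
        ident, seq = struct.unpack("!HH", icmp[4:8])
        return build_icmp_frame(src_mac, self.mac, self.ip, ip_fields[12:16],
                                ICMP_ECHO_REPLY, ident, seq, icmp[8:])


def probe(target, prober_mac_text="00:11:22:33:44:55", prober_ip_text="192.0.2.10"):
    """Echo request to the target's IP but to a MAC it does not own.

    Returns True when the target answers anyway (suspicious), False when silent.
    """
    bogus_mac = mac("00:00:00:00:00:01")  # neither the target's MAC nor broadcast
    request = build_icmp_frame(bogus_mac, mac(prober_mac_text), ipv4(prober_ip_text),
                               target.ip, ICMP_ECHO_REQUEST, 0x1234, 1, b"promisc-probe")
    reply = target.receive(request)
    return reply is not None and reply[14 + 20] == ICMP_ECHO_REPLY


if __name__ == "__main__":
    cases = {
        "normal NIC": Host("02:00:00:00:00:aa", "192.0.2.20"),
        "promisc, stack ignores dst MAC": Host("02:00:00:00:00:aa", "192.0.2.20",
                                               promisc=True, stack_checks_dst_mac=False),
        "promisc, stack checks dst MAC": Host("02:00:00:00:00:aa", "192.0.2.20", promisc=True),
    }
    for label, host in cases.items():
        print(f"{label:32s} -> {'REPLIED (suspicious)' if probe(host) else 'silent'}")
```

In a real probe the frame is injected with a raw socket or libpcap and the reply is watched for on the wire, which needs root on the probing host either way; the third case in the demo is the one Dan Nelson's post predicts, where a fixed stack makes the host indistinguishable from a normal one.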
JJB
2004-08-16 12:46:20 UTC
Promiscuous mode can also be enabled on most hardware routers. A
hardware router in front of a private network with promiscuous mode
enabled allows public internet users to access (sniff) all the
traffic passing through the router as well as insert packets. This
is a major security leak and one that spoofers look for.
Remko Lodder
2004-08-15 21:11:53 UTC
Post by Aaron Dalton
I was running security/rkhunter and it warns me about my network card being in
1) What exactly is promiscuous mode? (I've done some googling but haven't
found anything really clear)
2) Why might it be considered a bad thing?
3) How do I disable it if it really is bad?
4) What are the effects of disabling it?
Thank you *so much* for your time!
Hi Aaron,

1) Promiscuous mode means that your network is dumping its packets
somewhere; normally they get transported. Now the added feature is that
an application like tcpdump can display the packets and with the correct
options (tcpdump -X for example) you can even see what's inside the
packets. If you do plain auth authorization it is possible with a
'sniffer' (which puts your network into promisc. mode) to see what the
username and password of the user are, and then use those credentials to do
something evil.
2) see above
3) ifconfig -a (check which has PROMISC in it)
ifconfig interfacename -promisc turns the promisc mode off
4) the application that enabled promisc will probably not function
correctly anymore, which is perhaps a good thing.

Are you running any IDSes or something that you know of? Since they also
put the network into promisc mode.

Cheers!
--
Kind regards,

Remko Lodder |***@elvandar.org
Reporter DSINet |***@dsinet.org
Projectleader Mostly-Harmless |***@mostly-harmless.nl
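The `ifconfig -a` check from the post above, turned into a parser as an added example; it is not code from rkhunter or from anyone in the thread. The sample output is constructed in the FreeBSD ifconfig(8) layout, where the flag word is printed in hex and again as a list of names, and the interface names and addresses are made up. IFF_PROMISC is bit 0x100 in both FreeBSD's and Linux's net/if.h, so the same bit test serves Linux's /sys/class/net/<if>/flags, which holds the word as a hex string; net-tools ifconfig on Linux prints the word in decimal, so this parser is not applied to it.

```python
"""Flag interfaces in promiscuous mode from FreeBSD `ifconfig -a` output.

Added example, not rkhunter's check. Both renderings of the flag word are
compared: the hex value and the <...> name list come from the same kernel
value, so a disagreement means the output was garbled or tampered with,
and a security check should report that instead of trusting either side.
"""
import re

IFF_PROMISC = 0x100  # net/if.h on FreeBSD and Linux

# Constructed sample of `ifconfig -a` on FreeBSD: em0 is promiscuous.
SAMPLE_IFCONFIG = """\
em0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tether 00:0c:29:3e:4f:51
\tinet 192.0.2.5 netmask 0xffffff00 broadcast 192.0.2.255
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
\tinet 127.0.0.1 netmask 0xff000000
em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tether 00:0c:29:3e:4f:5b
"""

# Interface header line: name, hex flag word, comma-separated flag names.
HEADER_RE = re.compile(r"^([A-Za-z0-9_.]+): flags=([0-9a-fA-F]+)<([^>]*)>")


def parse_ifconfig(text):
    """Map interface name -> (numeric flags, set of flag names)."""
    interfaces = {}
    for line in text.splitlines():
        match = HEADER_RE.match(line)
        if match:
            name, hex_flags, names = match.groups()
            interfaces[name] = (int(hex_flags, 16), set(filter(None, names.split(","))))
    return interfaces


def audit(text):
    """Classify each interface as 'promisc', 'normal' or 'inconsistent'."""
    verdicts = {}
    for name, (flags, names) in parse_ifconfig(text).items():
        bit_set = bool(flags & IFF_PROMISC)
        if bit_set != ("PROMISC" in names):
            verdicts[name] = "inconsistent"   # hex word and name list disagree
        else:
            verdicts[name] = "promisc" if bit_set else "normal"
    return verdicts


def promiscuous_interfaces(text):
    """Sorted names of interfaces whose flag word has IFF_PROMISC set."""
    return sorted(name for name, verdict in audit(text).items() if verdict == "promisc")


def sysfs_flags_promisc(flags_text):
    """Linux equivalent: /sys/class/net/<if>/flags holds the same word, e.g. '0x1103'."""
    return bool(int(flags_text.strip(), 16) & IFF_PROMISC)


if __name__ == "__main__":
    for name, verdict in audit(SAMPLE_IFCONFIG).items():
        print(f"{name}: {verdict}")
    for name in promiscuous_interfaces(SAMPLE_IFCONFIG):
        print(f"warning: {name} is promiscuous; clear with: ifconfig {name} -promisc")
```

To run it against a live box, feed it the output of `ifconfig -a` instead of the sample. The flag only says that the interface is promiscuous, not who put it there; on FreeBSD an open-file listing (fstat or lsof) shows which process holds a BPF device, which in the poster's case will be Snort, and since a kernel rootkit can hide the flag from ifconfig, rkhunter's warning is a hint to investigate rather than a verdict either way.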
Siddhartha Jain
2004-08-16 14:33:15 UTC
JJB wrote:

| Promiscuous mode can also be enabled on most hardware routers. A
| hardware router in front of a private network with promiscuous mode
| enabled allows public internet users to access (sniff) all the
| traffic passing through the router as well as insert packets. This
| is a major security leak and one that spoofers look for.
|

I am curious, how do you do that? From what I understand, promiscuous
mode allows someone on the box to see all packets that hit the
interface. How does it allow an attacker (outside the box) to sniff
packets hitting that interface?

Thanks,

- --
Siddhartha Jain (CISSP)
Consulting Engineer
Netmagic Solutions Pvt Ltd
Bombay - 400063
Phone: +91-22-26850001 Ext.128
Fax : +91-22-26850002
http://www.netmagicsolutions.com
Siddhartha Jain
2004-08-17 09:49:01 UTC
horio shoichi wrote:

| On Mon, 16 Aug 2004 14:24:00 +0200
| Ruben de Groot <***@bzerk.org> wrote:
|
|>On Sun, Aug 15, 2004 at 07:53:10PM -0700, Kevin Stevens typed:
|>
|>>A lot of network scanners also trigger on NICs in promiscuous mode
|>>(there's a way to detect them, I forget the details at the moment)
|>>because admins want to know if any hosts are out there sniffing.
|>
|>How sure are you about that? AFAIK there's no way to detect a NIC in
|>promiscuous mode *from the outside*. I would be very interested in a
|>network scanner that could.
|>
|>Ruben
|
|
| Ping it with a wrong MAC.
|

Don't you have to be on the same broadcast domain to do a MAC ping? I
mean how would you do a MAC ping over the internet?


- --
Siddhartha Jain (CISSP)
Consulting Engineer
Netmagic Solutions Pvt Ltd
Bombay - 400063
Phone: +91-22-26850001 Ext.128
Fax : +91-22-26850002
http://www.netmagicsolutions.com