Tuesday, February 08, 2005

Microsoft Sniffer Detector

Tim Rains of MS PSS Security fame released a new tool last week, and I read about it on Robert Hensing's blog this morning. The tool is called promqry, and is used to detect NICs that are in promiscuous mode, on the local system, on remote systems, and on a range of systems. Promqry comes in both command line and UI versions, and uses WMI to look for NICs in promiscuous mode, indicating that a sniffer may be in use.

According to the KB article, promqry uses WMI to query systems for the necessary information. The article doesn't state which class and property(ies) are used, and I haven't seen anything in the Win32_NetworkAdapterConfiguration class that could be used.

I wrote a similar tool for detecting sniffers, but it worked by looking for the WinPcap driver on a system. This is a freely available driver that's used by tools like Ethereal, L0phtcrack, and other sniffers on Windows systems. This detects the presence of the driver, and determines whether it's in use or not...thereby detecting systems that *could be used* for sniffing.
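
As an added example, not the author's tool and not part of the original post, here is a PowerShell check that follows the same idea: look for the WinPcap kernel driver (service name NPF, file npf.sys) through WMI's Win32_SystemDriver class and report, per host, whether the driver is installed and whether it is currently loaded. The function name, the default host list and the extra "npcap" service name (used by the later Npcap driver) are my own choices; remote queries assume WinRM is enabled and the caller has admin rights.

```powershell
# Added example: detect the WinPcap capture driver via WMI and tell "present" from "in use".
# Assumes Windows PowerShell 5.1+ (CIM cmdlets). '.' means the local machine (no WinRM needed).
function Get-CaptureDriverStatus {
    [CmdletBinding()]
    param(
        # Hosts to check; '.' = local system. Pass a list to sweep a range of machines.
        [string[]]$ComputerName = @('.'),
        # Driver service names to look for. NPF is WinPcap's driver; 'npcap' is Npcap's.
        [string[]]$DriverName = @('NPF', 'npcap')
    )
    foreach ($computer in $ComputerName) {
        $cimArgs = @{ ClassName = 'Win32_SystemDriver'; ErrorAction = 'Stop' }
        if ($computer -ne '.') { $cimArgs.ComputerName = $computer }
        try {
            $drivers = Get-CimInstance @cimArgs | Where-Object { $DriverName -contains $_.Name }
        } catch {
            # Unreachable host or access denied: report it rather than silently skipping it.
            [pscustomobject]@{ ComputerName = $computer; Driver = $null; Installed = $null
                               Running = $null; Note = "query failed: $($_.Exception.Message)" }
            continue
        }
        if (-not $drivers) {
            [pscustomobject]@{ ComputerName = $computer; Driver = $null; Installed = $false
                               Running = $false; Note = 'no capture driver found' }
            continue
        }
        foreach ($d in $drivers) {
            [pscustomobject]@{
                ComputerName = $computer
                Driver       = $d.Name
                Installed    = $true
                # State is 'Running' while something has the driver loaded (a sniffer, or any
                # other WinPcap-based tool); 'Stopped' means present but not in use right now.
                Running      = ($d.State -eq 'Running')
                Note         = "$($d.PathName) (StartMode=$($d.StartMode))"
            }
        }
    }
}

# Check the local box; for a sweep, pass -ComputerName with a list of hosts and keep the
# rows where Running is $true for follow-up.
Get-CaptureDriverStatus | Format-Table -AutoSize
```

Like the author's approach, this flags machines that could be used for sniffing; it does not see the promiscuous-mode state that promqry reports, so a raw-socket sniffer that does not use WinPcap will not show up here.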

Looks like there's another good tool to add to your arsenal, either for system compliance monitoring or incident response. In fact, it looks as if you can download the command line version of the tool and incorporate that into the FSP, adding it to your fruc.ini file, along with other tools, such as portqry v2.0, etc.

So, give a big shout-out to both Robert and Tim...thanks, guys!
