| 1 |
Hello, |
| 2 |
|
| 3 |
(Stealth ethernet saga continues) |
| 4 |
Well, after much ado, it seems quite easy (trivial) to hide an ethernet |
| 5 |
interface, while being able to collect reems of local ethernet traffic |
| 6 |
based data, from both snort and ethereal. |
| 7 |
|
| 8 |
Here's the normal ethernet interace on a portable: |
| 9 |
/sbin/ifconfig -a |
| 10 |
eth0 Link encap:Ethernet HWaddr 00:90:F5:0D:30:0E |
| 11 |
inet addr:192.168.2.15 Bcast:192.168.2.255 Mask:255.255.255.0 |
| 12 |
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 |
| 13 |
|
| 14 |
|
| 15 |
issued: |
| 16 |
|
| 17 |
route delete default |
| 18 |
ifconfig eth0 inet 0.0.0.0 |
| 19 |
|
| 20 |
and voila: |
| 21 |
/sbin/infconif -a |
| 22 |
eth0 Link encap:Ethernet HWaddr 00:90:F5:0D:30:0E |
| 23 |
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 |
| 24 |
|
| 25 |
|
| 26 |
On any system, 'ping 0.0.0.0' receives responses from the local |
| 27 |
interface. |
| 28 |
|
| 29 |
What I need is for folks to test and verify that an ethernet |
| 30 |
interface setup this way, is indeed invisible (undetectable) |
| 31 |
by other systems. |
| 32 |
|
| 33 |
If you find this is not true, please tell me what you did and |
| 34 |
what tool/syntax you used to discover/detect a system with an |
| 35 |
ethernet interface set up this way.... |
| 36 |
|
| 37 |
James |
| 38 |
|
| 39 |
-- |
| 40 |
gentoo-user@g.o mailing list |
Archives