Detecting Wireshark or any other sniffer program users on the network
July 20, 2019 by Amit Koppad
This article gives details on how to write a C program that detects hosts running in promiscuous mode on the local network.
The program takes advantage of a kernel vulnerability in Linux systems. When there is a broadcast message on the network, the destination MAC address is ff:ff:ff:ff:ff:ff. Usually the NIC performs the destination MAC address check. But when promiscuous mode is enabled, only the kernel checks the MAC address, and it checks only the first octet.
Now, if we construct a packet whose destination MAC address has "ff" as its first octet and the remaining octets filled at random, so that the address as a whole belongs to no real interface, and send this packet to every system on the network with its correct IP address, then any system that responds is running in promiscuous mode. A system will respond to such a packet only in promiscuous mode, because otherwise the NIC discards the packet after checking the destination MAC address. In promiscuous mode the NIC forwards every packet (unless filters are applied) to the kernel, and since the kernel is fooled by our constructed MAC address, it sends a response thinking the packet was a broadcast request.
UNDERSTANDING THE PROGRAM
The entire code is available here on GitHub. I am not a professional coder and I am sure there are better and more efficient ways of coding the same logic. The parts of this C program are explained below.
In this part of the program we set the source MAC address in the Ethernet header to the one we obtained earlier in the program. The destination MAC address is a random MAC address whose first octet is "ff". Having "ff" as the first octet is essential because the kernel checks only the first octet of any broadcast packet.
In the main function we cast a buffer to structs for the Ethernet header, IP header and ICMP header. Then we get the interface to send the packet on and store it in ifName (the interface name). After this we open a RAW socket to send our packet later. We get the index and MAC address of the interface that we selected to send the packet.
The above function calculates the checksum for the packet that we are about to create in our main function.
Finally, we construct the IP header and specify the correct destination IP of the machine that we need to check for promiscuous mode. We calculate the checksum, also specify the random MAC address to the RAW socket, and then send the packet out using the socket we established earlier in the program.
Wireshark results show that when the victim machine (10.0.2.5) runs any packet sniffer, it sends a reply to the request packet, thinking that it is a broadcast request. I verified this by shutting down the packet sniffer and sending the request packet again, to which no reply is received because the NIC of the victim machine discards the packet.
P.S. Using this technique on Windows machines requires tweaking the Windows Defender Firewall settings, because by default it blocks all inbound packets.