Ethereal-users: RE: [Ethereal-users] Hardening Windows NT/2K/XP for sniffing? /Sniffing without
:) / :(
I think I found some answers. According to a post in the WinPCap archives,
this looks like an NT problem:
http://www.mail-archive.com/winpcap-users@xxxxxxxxxxxxxxxxx/msg00194.html
"The fact is that on several NT4 installations it isn't possible to use
winpcap over an adapter without TCP-IP, simply because there is no binding
information.
WinPCap tries to use the
SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318
}, that normally contains adapters information. If this key is empty, the
only binding info that can be retrieved is the TCP-IP one (i.e. from
SYSTEM\CurrentControlSet\Services\Tcpip\Linkage).
In this case, you will only see interfaces with an IP address."
Well, this key is empty for all of my adapters (even the TCP/IP one).
Rather than give up, I decided to neuter my TCP/IP for that card, rather
than kill it.
I found some good hints from the Snort FAQ
(http://www.snort.org/docs/FAQ.txt, section 3.1) which tell how to set up
TCP/IP with a null IP address. This is almost as good as being unbound.
The instructions are incorrect for NT, though. I prodded a little and found
the settings stored in a different subkey. I made the following changes
(where E100IB3 is my NIC device).
All values are REG_MULTI_SZ set to null. Regedt32 allows you to create or
edit these. Regedit only allows you to edit them. To be safe, I set these
to a double null (00 00 - use regedit, not regedt32 to do this) because I
saw some other values already set that way.
HKLM\SYSTEM\CurrentControlSet\Services\E100IB3\Parameters\Tcpip\IPAddress
HKLM\SYSTEM\CurrentControlSet\Services\E100IB3\Parameters\Tcpip\SubnetMask
HKLM\SYSTEM\CurrentControlSet\Services\E100IB3\Parameters\Tcpip\DefaultGatew
ay
I rebooted, tried it out, and it works like a charm! NT doesn't even report
the NIC with "ipconfig /all" but my WinPCap apps see it fine. I tried out
Analyzer and Ethereal with success. This should protect the system from the
vast majority of TCP/IP attacks.
FYI, There are also a couple of pinouts for making stealth monitoring cables
in Snort FAQ section 3.2.
- Will
-----Original Message-----
From: ethereal-users-bounces@xxxxxxxxxxxx
[mailto:ethereal-users-bounces@xxxxxxxxxxxx] On Behalf Of Will C.
Sent: Wednesday, July 23, 2003 8:04 AM
To: ethereal-users@xxxxxxxxxxxx
Subject: RE: [Ethereal-users] Hardening Windows NT/2K/XP for sniffing?
/Sniffing without TCP/IP on Windows?
Thanks for the info, Guy and Richard. I'll check the versions and lurk
around WinPCap's groups for a while. For the record, I was using WinPCap
2.3. I am currently downloading 3.0. I will try to remember to post the
results.
- Will