# Is there a "Stealth" or "IP hiding" mechanism in Gentoo??

## NiceGuy

Hello,

Wondering if anybody knows or has heard of a way to configure a network-card to be in stealth mode (so it is NOT assigned an IP address).

I need to learn more about it ...  stuff like ... 

1. Where can I read up on it??

2. Is there a particular emerge I need to perform?

Thank-you in advance

Take Care

----------

## drwook

???

umm, don't use a DHCP client and don't configure an IP?  Or have I missed something?  If so, what are you actually aiming for here?

----------

## bluedevils

Keep looking.  I think I remember reading something about it a long time ago.  A NIC without an IP address that is usually used for monitoring network traffic.

----------

## NiceGuy

Hello,

Sorry, I guess at first glance it does seem a little awkward (I mean, a network card without an IP address ... say what??).

But in reality ... one of the goals is to have the card set up to monitor network traffic ... the problem is I currently lack the vocabulary to know what exact keywords the "I.T world" goes about calling this functionality ... if you follow what I'm saying.

I'm kinda just sitting around ... waiting, hoping to enter that perfect key-phrase ... you know, the one that Google likes ... and immediately guides you to all the appropriate links you'll ever need on the subject.

Of course .. forum support is still far better

Thanks and all input is greatly appreciated

Take Care

Last edited by NiceGuy on Fri Oct 06, 2006 1:12 pm; edited 1 time in total

----------

## bluedevils

http://www.informit.com/articles/article.asp?p=21777&seqNum=3&rl=1

"Stealth Sensors

One tip for deploying Snort sensors on either side of the firewall is to not bind an IP address to the listening network interface. This effectively puts the sensor in "stealth mode" because it will not respond to any IP-based traffic. 

The sensors are usually configured to have a secondary network interface card installed that is attached to a LAN dedicated to alert logging and administration. 

Enabling a network interface without an IP address is not a common practice on network-attached servers. That means there will be precious little (read none) documentation in your administration manuals on how to configure your sensor in this way. Following are some hints about how to configure some of the more common operating systems.

On Solaris systems, you must first initialize the driver and then enable the interface.

```
ifconfig hme0 plumb
ifconfig hme0 up
```

On Linux systems, ensure that the driver is loaded and just enable the interface.

```
modprobe tulip
ifconfig eth0 up
```

On Windows NT and 2000 systems, configure the interface, but do not bind TCP/IP to the interface. If TCP/IP is already bound, just remove TCP/IP from the interface in the Networking Control panel dialog box.

On sensors configured with no IP address, you cannot monitor traffic destined for that particular sensor, but that should not be a problem because that is not the intent of a "stealth sensor.""

----------

## kiesa

Hmm, if I can remember right it was just "null" where you'd put the IP address for the interface and it will work :)

----------

## GetCool

Interesting concept.  It seems, however, that the only useful application of this would be for IDS sensors... unless I am missing something.

----------

## kiesa

Yep, that's what I've used it for :)

----------

## Mad Merlin

If you're on a switched (which is essentially all networks other than wireless ones these days) network, you're not going to pick up much traffic that way.

----------

## nom de plume

promiscuous mode

There are a number of ways to do this, the easiest way is to have wireshark/ethereal do it for you. You can also enable this feature with 'ifconfig', search the manpage for promiscuous.

----------

## Su8l1me

*Mad Merlin wrote:*

> If you're on a switched (which is essentially all networks other than wireless ones these days) network, you're not going to pick up much traffic that way.

Depends on how good the switch is.

Most Ciscos can be set to mirror all traffic across the switch to any of the ports - usually this'll be the one you have your IDS machine attached to. I used to do it several jobs ago for the company I was at. It's a pretty hopeless task with more basic switches though - you're right.

----------

## nom de plume

*Su8l1me wrote:*

> *Mad Merlin wrote:*
> 
> > If you're on a switched (which is essentially all networks other than wireless ones these days) network, you're not going to pick up much traffic that way.
> 
> Depends on how good the switch is.
> 
> Most cisco's can be set to mirror all traffic across the switch to any of the ports - usually this'll be the one you have your IDS machine attached to. I used to do it several jobs ago for the company I was at. It's a pretty hopeless task with more basic switches though - you're right.

You could also poison the ARP table. Though that is usually frowned upon. :)

----------

## Su8l1me

*nom de plume wrote:*

> You could also poison the arp table. Though that is usually frowned upon.

The ARP table on the switch? How would you do that?

I ask in the spirit of general curiosity of course - I'd never do such a thing :)

----------

## nom de plume

*Su8l1me wrote:*

> *nom de plume wrote:*
> 
> > You could also poison the arp table. Though that is usually frowned upon.
> 
> The ARP table on the switch ? How would you do that ?
> 
> I ask in the spirit of general curiousity of course - I'd never do such a thing

http://en.wikipedia.org/wiki/Arp_poison

Wikipedia has all the answers.

----------

## NiceGuy

Good Morning,

Yes, that is correct, I do plan to use this IDS .... I read a little on the topic of promiscuous mode this morning ... I even attempted to place one of my network cards in such a mode using ...

```
/sbin/ifconfig eth3 promisc
```

Later, and after doing the above command ... I wanted to see if my card still had an IP address:

```
prompt# /sbin/ifconfig
eth3      Link encap:Ethernet  HWaddr xx:xx:xx:xx:xx:xx
          inet addr:133.3.3.3  Bcast:133.255.255.255  Mask:255.0.0.0
          UP BROADCAST PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
          Interrupt:15 Base address:0x6000
```

It still appears to have an IP (133.3.3.3) ... though I am not saying this is right or wrong (I do notice the UP BROADCAST PROMISC) ..

I'm more or less in a state where at one point .. I originally thought I could set my card up for IDS/monitoring where it was not assigned an IP.

And now ... I guess I'm a little unsure of whether or not this is what I want and if I should continue researching or look no further.  I still am under the assumption that if my card has an IP, it can still be detected, which is not what I want, am I right??

Anyway, if anybody has set a card up before for IDS/monitoring or anything similar .. your guidance would be greatly appreciated.

Thanks again

Take Care

----------

## bluedevils

Assuming this is a home network with a simple switch and router, what traffic do you want to monitor?  If you want to monitor the interaction between the internet and your network, you could put a tap (a hub will do) on the WAN (internet) side of your router.  If you put the NIC into stealth mode, then the system can monitor with less worry of an attack on the NIC itself.

----------

## NiceGuy

Hello again,

*bluedevils wrote:*

> If you put the nic into stealth mode, then the system can monitor with less worry of an attack of the nic itself.

I apologize, but for clarity's sake ... are "Stealth" and "Promiscuous" the same thing, I mean are they interchangeable??

Thanks, and I apologize for the confusion

Take Care

----------

## bluedevils

Someone can correct me, but my understanding is that stealth mode is when a card comes up with no IP and does not respond to ARP.  Promiscuous mode means to listen and grab *all* traffic on the NIC.  They do not appear interchangeable.

----------

## NiceGuy

Hello,

So then it looks as though I am at square one again. My original assumption was to somehow incorporate:

```
1. /etc/init.d/net.ethX stop                        ---> stop the network card
2. config_ethX=( "null" ) in /etc/conf.d/net        ----> set the card to null (i.e. no IP)
3. /sbin/ifconfig ethX up promisc                   -----> bring the card up in promiscuous mode
```

But perhaps this is not correct .... I mean ...  could there be a "stealth mode command" that I am missing or am not aware of??

Thanks again

Take Care

----------

## bluedevils

That looks fine to me.  I would stop the NIC and bring up the card with "ifconfig ethx up".  After that, move the card into promiscuous mode.  If you are using Snort, I think it can put it into promiscuous mode at startup.

----------

## nom de plume

I've never heard of stealth mode. To be safe, when in promiscuous mode you should set up your firewall to make sure that your machine does not send out any packets. I don't see what "having an IP" has to do with anything and I am not really sure it is even possible to have an active interface without an IP.

----------

## jklmnop

Most snooping software will set promiscuous mode automagically.

To remove the IP address, assign 0.0.0.0:

```
# ifconfig eth1
eth1      Link encap:Ethernet  HWaddr 00:09:6B:8C:B3:57
          inet addr:192.168.254.254  Bcast:192.168.254.255  Mask:255.255.255.0
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
          Interrupt:3
# ifconfig eth1 inet 0.0.0.0
# ifconfig eth1
eth1      Link encap:Ethernet  HWaddr 00:09:6B:8C:B3:57
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
          Interrupt:3
# tcpdump -i eth1
tcpdump: WARNING: eth1: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
^C
0 packets captured
0 packets received by filter
0 packets dropped by kernel
# tail /var/log/messages
...
Oct  6 14:24:31 hostname device eth1 entered promiscuous mode
Oct  6 14:24:36 hostname device eth1 left promiscuous mode
```

----------

## nom de plume

 *jklmnop wrote:*   

> most snooping software will set promiscuous mode automagically.
> 
> to remove IP address, assign 0.0.0.0

 

I think it's still best to use a firewall to make sure you don't inadvertently send DHCP requests or do something similar.
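Putting the thread's pieces together (an address-less port, promiscuous mode, and the firewall point above), here is an added example script that is not from any of the posters; it assumes iproute2, iptables and root for the setup step, and the `ip addr show` samples it checks against are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: bring up a sensor NIC with no IP address and
# promiscuous mode, block all outbound IP on it, then verify the result.
# Assumes iproute2, iptables (ip6tables optional) and root for setup_stealth.

# check_stealth "<text of: ip addr show dev IFACE>"
# Returns 0 when the port is UP, PROMISC and carries no inet/inet6 address;
# 1 = not promiscuous, 2 = not up, 3 = still has an address.
check_stealth() {
    out="$1"
    printf '%s\n' "$out" | grep -q 'PROMISC' || return 1
    printf '%s\n' "$out" | grep -q '[<,]UP[,>]' || return 2
    printf '%s\n' "$out" | grep -Eq '^ *inet6? ' && return 3
    return 0
}

# setup_stealth IFACE  (needs root; the sensor port never gets an address)
setup_stealth() {
    dev="$1"
    ip link set dev "$dev" down
    # IPv6 would otherwise auto-assign a link-local address on link up
    sysctl -q -w "net.ipv6.conf.$dev.disable_ipv6=1"
    ip addr flush dev "$dev"
    ip link set dev "$dev" up promisc on
    # belt and braces: no IP traffic (DHCP requests included) can leave this port
    iptables -A OUTPUT -o "$dev" -j DROP
    command -v ip6tables >/dev/null && ip6tables -A OUTPUT -o "$dev" -j DROP
    check_stealth "$(ip addr show dev "$dev")"
}

# Constructed samples of `ip addr show` output (MAC and address are made up):
# a correctly configured port, and a promiscuous port that still holds an IP.
SAMPLE_STEALTH='2: eth1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff'
SAMPLE_ADDRESSED='2: eth1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff
    inet 192.168.254.254/24 brd 192.168.254.255 scope global eth1'

if [ "$#" -eq 1 ]; then
    setup_stealth "$1" && echo "$1: stealth sensor port ready"
fi
```

Run it as `sh stealth.sh eth1` on the sensor; the second sample is the situation NiceGuy saw above, where PROMISC is set but the interface still answers to an address.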

----------

