
             [ Sentinel: Libnet-based remote promiscuous detection ]
                           [ Written by bind (c) 2000 ]


[ Table of Contents ]

1. Introduction
2. Author & Copyright
3. Sentinel Usage
4. Technical Documentation
5. Notes and Guidelines


1. [ Introduction ]

  The Sentinel project is designed to be a portable, accurate
implementation of all publicly known promiscuous detection techniques.
For portability purposes Sentinel utilizes the libnet and libpcap
libraries.

  Required:
    libnet 1.0
    libpcap 0.4

  Sentinel compiles under:
    OpenBSD 2.6 (primary development platform)
    FreeBSD 3.x
    NetBSD 1.4.1

  Email the author if you get it to compile under any other platforms.

Greets: SSG, palante, the Ghettohackers & the OpenBSD dev team. 


2. [ Author and Copyright ]

  Sentinel (c) bind 2000
 
  Email: bind@subterrain.net
  Homepage: www.subterrain.net/sentinel/


3. [ Sentinel Usage ]

Usage:
  ./sentinel [method] [-t <target ip>] [options]

Methods:
  [ -a ARP test ]
  [ -d DNS test ]
  [ -i ICMP Ping Latency test  ]
  [ -e ICMP Etherping test ]

Options:
  [ -v Show version and exit ]
  [ -n <number of packets/seconds> ]
  [ -I <device> ]


4. [ Technical Documentation ]
  
Methods:

  1.) DNS Test: In this method, we create numerous fake TCP connections
      on our network segment, expecting a poorly written sniffer to pick
      up on those connections and resolve the IP addresses of the
      nonexistent hosts.  When this occurs, Sentinel sniffs the DNS
      request to see if the target is the one requesting resolution of
      that nonexistent host.

  2.) Etherping Test: This method relies on a problem in the target
      machine's kernel.  In this method we send an ICMP echo packet to a
      target with the correct destination IP address, but a bogus
      destination hardware address. Most systems will disregard this
      packet since its hardware address information is incorrect, but
      some Linux, NetBSD and NT systems, when in promiscuous mode, grab
      this packet off the network and treat it as a legitimate packet
      since its IP information is correct, and respond accordingly. If
      the target in question replies to our request, we know it is in
      promiscuous mode.

  3.) ARP Test: This method involves sending out an ARP request to
      our target with all valid information except a bogus
      destination hardware address.  A machine that is not in promiscuous
      mode would never see the packet, since it wasn't destined for it,
      so of course it wouldn't reply. If a machine is in promiscuous mode,
      the ARP request would be seen and the kernel would process it and
      reply.  By the machine replying, we know it is in promiscuous mode.

  4.) ICMP Ping Latency Test: In this method, we ping the target and note
      the round trip time (RTT).  From there we create hundreds of fake TCP
      connections on our network segment at a lightning rate.  We expect
      the sniffer to be processing those packets at a rate where the
      target machine's network latency will increase. We then ping the
      target once again, and compare the RTT this time to the first time.
      After a series of tests and averages, we can conclude whether or
      not a sniffer is indeed running on the target.

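  As an added illustration of the ARP test (not Sentinel's own code, which
uses libnet to transmit and libpcap to capture), the following Python builds
the probe frame with a bogus Ethernet destination and applies the verdict
check to captured frames.  The bogus MAC, the addresses and the sample reply
are constructed values.

```python
import socket
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
# Constructed value: a unicast MAC that belongs to no host on the segment.
# A non-promiscuous NIC drops the frame before the kernel sees it; a
# promiscuous one passes it up, and the ARP code answers on the target IP.
BOGUS_DST_MAC = bytes.fromhex("00deadbeef01")


def build_arp_probe(src_mac: bytes, src_ip: str, target_ip: str,
                    dst_mac: bytes = BOGUS_DST_MAC) -> bytes:
    """Ethernet + ARP request: every field valid except the Ethernet dst."""
    eth_hdr = dst_mac + src_mac + struct.pack("!H", ETH_P_ARP)
    arp_pdu = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REQUEST)
               + src_mac + socket.inet_aton(src_ip)      # sender MAC / IP
               + b"\x00" * 6 + socket.inet_aton(target_ip))  # target MAC / IP
    return eth_hdr + arp_pdu


def reply_from_target(frame: bytes, our_mac: bytes, target_ip: str):
    """Return the sender MAC if `frame` is an ARP reply for `target_ip`
    addressed to us (the only possible answer to the probe), else None."""
    if len(frame) < 42:
        return None
    if frame[:6] != our_mac or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen, op) != (1, 0x0800, 6, 4, ARP_REPLY):
        return None
    sender_mac, sender_ip = frame[22:28], frame[28:32]
    if sender_ip != socket.inet_aton(target_ip):
        return None
    return sender_mac


def is_promiscuous(frames, our_mac: bytes, target_ip: str) -> bool:
    """The page's verdict: any reply from the target to a frame it should
    never have seen means the interface is in promiscuous mode."""
    return any(reply_from_target(f, our_mac, target_ip) for f in frames)
```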


5. [ Notes and Guidelines ]
  
  ICMP ping latency tests coming soon...
  Any comments and suggestions will be greatly appreciated.

  
    -----------------------------------------------------------------
              $Id: README,v 1.1 2000/04/04 22:22:40 bind Exp $
