Ethereal-users: RE: [Ethereal-users] Hardening Windows NT/2K/XP for sniffing? /Sniffing without

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

Date: Wed, 23 Jul 2003 11:12:15 -0500
:) / :(

I think I found some answers.  According to a post in the WinPCap archives,
this looks like an NT problem:

http://www.mail-archive.com/winpcap-users@xxxxxxxxxxxxxxxxx/msg00194.html
"The fact is that on several NT4 installations it isn't possible to use
winpcap over an adapter without TCP-IP, simply because there is no binding
information.
WinPCap tries to use the
SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318},
that normally contains adapters information. If this key is empty, the
only binding info that can be retrieved is the TCP-IP one (i.e. from
SYSTEM\CurrentControlSet\Services\Tcpip\Linkage).
In this case, you will only see interfaces with an IP address."

Well, this key is empty for all of my adapters (even the TCP/IP one).
Rather than give up, I decided to neuter my TCP/IP for that card, rather
than kill it.

I found some good hints from the Snort FAQ
(http://www.snort.org/docs/FAQ.txt, section 3.1) which tell how to set up
TCP/IP with a null IP address.  This is almost as good as being unbound.
The instructions are incorrect for NT, though.  I prodded a little and found
the settings stored in a different subkey.  I made the following changes
(where E100IB3 is my NIC device).
All values are REG_MULTI_SZ set to null.  Regedt32 allows you to create or
edit these.  Regedit only allows you to edit them.  To be safe, I set these
to a double null (00 00 - use regedit, not regedt32 to do this) because I
saw some other values already set that way.
HKLM\SYSTEM\CurrentControlSet\Services\E100IB3\Parameters\Tcpip\IPAddress
HKLM\SYSTEM\CurrentControlSet\Services\E100IB3\Parameters\Tcpip\SubnetMask
HKLM\SYSTEM\CurrentControlSet\Services\E100IB3\Parameters\Tcpip\DefaultGateway

I rebooted, tried it out, and it works like a charm!  NT doesn't even report
the NIC with "ipconfig /all" but my WinPCap apps see it fine.  I tried out
Analyzer and Ethereal with success.  This should protect the system from the
vast majority of TCP/IP attacks.

FYI, there are also a couple of pinouts for making stealth monitoring cables
in Snort FAQ section 3.2.

- Will
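A way to verify that a capture NIC really has no usable TCP/IP binding after the registry change described above, as an added example that is not from the original post nor from the Ethereal or WinPcap projects. It is PowerShell, so it targets later Windows rather than NT4 itself; the adapter service name passed in, the EnableDHCP check and the Windows 2000/XP key layout under Tcpip\Parameters\Interfaces are assumptions that go beyond what the post shows.

```powershell
# Added audit script (not from the original post). The caller passes the NIC's
# service name (the post's own device is E100IB3) or, on 2000/XP, its {GUID}.
param([Parameter(Mandatory = $true)][string]$Adapter)

# Candidate per-adapter TCP/IP keys: NT4 layout first (the one the post edits),
# then the Windows 2000/XP layout (assumed here; not mentioned in the post).
$candidates = @(
    "HKLM:\SYSTEM\CurrentControlSet\Services\$Adapter\Parameters\Tcpip",
    "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\$Adapter"
)
$key = $candidates | Where-Object { Test-Path $_ } | Select-Object -First 1
if (-not $key) { Write-Error "No per-adapter TCP/IP key found for '$Adapter'"; exit 2 }

$bound = @()
foreach ($name in 'IPAddress', 'SubnetMask', 'DefaultGateway') {
    $prop = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $prop) { continue }   # value absent: nothing configured
    # REG_MULTI_SZ is returned as string[]; a null or double-null value gives
    # only empty strings, and 0.0.0.0 is the Snort-FAQ style "null" address.
    $live = @($prop.$name) | Where-Object { $_ -and $_ -ne '0.0.0.0' }
    if ($live.Count -gt 0) { $bound += "$name = $($live -join ', ')" }
}

# A nulled static address is undone if DHCP is still enabled on the adapter
# (EnableDHCP is a real per-adapter value; checking it is this script's addition).
$dhcp = (Get-ItemProperty -Path $key -Name EnableDHCP -ErrorAction SilentlyContinue).EnableDHCP
if ($dhcp -eq 1) { $bound += 'EnableDHCP = 1 (stack will request an address)' }

if ($bound.Count -eq 0) {
    Write-Output "OK: '$Adapter' has no usable IP binding under $key"
    exit 0
}
Write-Output "WARNING: '$Adapter' still carries TCP/IP configuration:"
$bound | ForEach-Object { Write-Output "  $_" }
exit 1
```

Exit code 0 means the adapter is stripped as the post intends, 1 means something is still bound, and 2 means the expected key was not found at all, which is worth investigating before trusting the capture host.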

-----Original Message-----
From: ethereal-users-bounces@xxxxxxxxxxxx
[mailto:ethereal-users-bounces@xxxxxxxxxxxx] On Behalf Of Will C.
Sent: Wednesday, July 23, 2003 8:04 AM
To: ethereal-users@xxxxxxxxxxxx
Subject: RE: [Ethereal-users] Hardening Windows NT/2K/XP for sniffing?
/Sniffing without TCP/IP on Windows?

Thanks for the info, Guy and Richard.  I'll check the versions and lurk
around WinPCap's groups for a while.  For the record, I was using WinPCap
2.3.  I am currently downloading 3.0.  I will try to remember to post the
results.

- Will