
             [ The Sentinel Project: Remote promiscuous detection ]
                           [ Written by bind (c) 2000 ]


[ Table of Contents ]

1. Introduction
2. Author & Copyright
3. Sentinel Usage
4. Technical Documentation
5. Example Usage
6. Contributions
7. Notes and Guidelines


1. [ Introduction ]

  The Sentinel project is designed to be a portable, accurate
implementation of all publicly known promiscuous-mode detection techniques.
For portability, Sentinel uses the libnet and libpcap libraries.

  Required:
    Libnet 1.0:  http://www.packetfactory.net/Projects/libnet
    libpcap 0.4: ftp://ftp.ee.lbl.gov/libpcap-0.4.tar.Z

  Sentinel compiles and functions correctly under:
    OpenBSD 2.6 (primary development platform)
    FreeBSD 3.x
    NetBSD 1.4.1
    Linux 2.2.x
  
  Email the author if you get it to compile and function correctly under
  any other platforms.
 
Greets: SSG, palante, Vacuum, the Ghettohackers & the OpenBSD dev team. 


2. [ Author and Copyright ]

  Sentinel (c) bind 2000
 
  Email: bind@subterrain.net
  Homepage: http://www.subterrain.net/projects/sentinel/


3. [ Sentinel Usage ]

Usage:
  ./sentinel [method] [-t <target ip>] [options]

Methods:
  [ -a ARP test ]
  [ -d DNS test ] (requires the -f <nonexistent host> option)
  [ -i ICMP Ping Latency test  ]
  [ -e ICMP Etherping test ]

Options:
  [ -f <nonexistent host> ]
  [ -v Show version and exit ]
  [ -n <number of packets/seconds> ]
  [ -I <device> ]


4. [ Technical Documentation ]
  
Methods:

  1.) DNS Test: In this method, we create numerous fake TCP connections
      on our network segment, expecting a poorly written sniffer to pick
      up on those connections and resolve the IP addresses of the
      nonexistent hosts.  When this occurs, Sentinel sniffs the DNS
      request to see if the target is the one requesting resolution of
      that nonexistent host.

  2.) Etherping Test: This method relies on a problem in the target
      machine's kernel.  In this method we send an ICMP echo packet to
      the target with the correct destination IP address but a bogus
      destination hardware address.  Most systems will disregard this
      packet since its hardware address information is incorrect, but
      some Linux, NetBSD and NT systems, when in promiscuous mode, will
      grab this packet off the network as a legitimate packet since its
      IP information is correct, and respond accordingly.  If the
      target in question replies to our request, we know it is in
      promiscuous mode.

  3.) ARP Test: This method involves sending out an ARP request to
      our target with all valid information except a bogus
      destination hardware address.  A machine that is not in promiscuous
      mode would never see the packet, since it wasn't destined to it, so
      of course it wouldn't reply.  If a machine is in promiscuous mode,
      the ARP request would be seen and the kernel would process it and
      reply.  If the machine replies, we know it is in promiscuous mode.

  4.) ICMP Ping Latency Test: In this method, we ping the target and note
      the round trip time (RTT); from there we create hundreds of fake TCP
      connections on our network segment at a lightning rate.  We expect
      the sniffer to be processing those packets at a rate where the
      target machine's network latency will increase.  We then ping the
      target once again, and compare the RTT this time to the first time.
      After a series of tests and averages, we can conclude whether or
      not a sniffer is indeed running on the target.
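  The ARP test above, as an added example that is not Sentinel's own code
(Sentinel does this with libnet/libpcap in C): it builds the probe frame
exactly as described, a fully valid ARP request behind the bogus Ethernet
destination MAC ff:00:00:00:00:00 named in section 7, checks a captured
frame for a matching reply, and applies the section 7 caveat that an
OpenBSD reply proves nothing.  Transmitting the frame and capturing the
reply need a raw socket or libpcap and are left out; the MAC addresses,
192.168.1.1 and the sample reply are constructed values.

```python
import struct

ETHERTYPE_ARP = 0x0806
BOGUS_DST_MAC = "ff:00:00:00:00:00"   # destination MAC cited in section 7 of this README

def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))

def ip_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))

def build_arp_probe(src_mac, src_ip, target_ip, dst_mac=BOGUS_DST_MAC):
    """Ethernet II frame + ARP request.  Every ARP field is valid; only the
    Ethernet destination MAC is bogus, so a NIC in normal mode drops the
    frame before the kernel ever sees the ARP request inside it."""
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETHERTYPE_ARP)
    # htype=Ethernet(1), ptype=IPv4, hlen=6, plen=4, oper=1 (request)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)
    arp += mac_bytes(src_mac) + ip_bytes(src_ip)      # sender hardware/protocol address
    arp += b"\x00" * 6 + ip_bytes(target_ip)          # target MAC is unknown in a request
    return eth + arp

def is_reply_from_target(frame, target_ip):
    """True if `frame` is an ARP reply whose sender protocol address is
    target_ip, i.e. the host answered a request its NIC should have dropped."""
    if len(frame) < 42 or frame[12:14] != struct.pack("!H", ETHERTYPE_ARP):
        return False
    if struct.unpack("!HHBBH", frame[14:22]) != (1, 0x0800, 6, 4, 2):
        return False
    return frame[28:32] == ip_bytes(target_ip)

def arp_test_verdict(replied, target_is_openbsd=False):
    """Section 7 caveat: OpenBSD answers the bogus-MAC request whether or
    not it is sniffing, so a reply from it is inconclusive on its own."""
    if not replied:
        return "not promiscuous"
    return "inconclusive" if target_is_openbsd else "promiscuous"

# Constructed sample: an ARP reply from 192.168.1.2 (MAC aa:bb:cc:dd:ee:ff) to our probe.
SAMPLE_REPLY = (mac_bytes("00:11:22:33:44:55") + mac_bytes("aa:bb:cc:dd:ee:ff")
                + struct.pack("!HHHBBH", ETHERTYPE_ARP, 1, 0x0800, 6, 4, 2)
                + mac_bytes("aa:bb:cc:dd:ee:ff") + ip_bytes("192.168.1.2")
                + mac_bytes("00:11:22:33:44:55") + ip_bytes("192.168.1.1"))

if __name__ == "__main__":
    probe = build_arp_probe("00:11:22:33:44:55", "192.168.1.1", "192.168.1.2")
    print(probe.hex())                    # 42-byte frame, starts with ff00 0000 0000
    replied = is_reply_from_target(SAMPLE_REPLY, "192.168.1.2")
    print(arp_test_verdict(replied))      # prints "promiscuous"
```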


5. [ Example Usage ]

  # ./sentinel -t 192.168.1.2 -a
  runs sentinel's ARP test against 192.168.1.2

  # ./sentinel -t 192.168.1.2 -e
  runs sentinel's etherping test against 192.168.1.2

  # ./sentinel -t 192.168.1.2 -f 1.1.1.1 -d
  runs sentinel's DNS test against 192.168.1.2

  # ./sentinel -t 192.168.1.2 -f 1.1.1.1 -d -a -e
  runs all of sentinel's promisc detection tests against 192.168.1.2

Thatz all for now..


6. [ Contributions ]

  * SSG Crew (code testing) 
  * Vacuum (code fixes in linux and idea contributions)
  * Jethro (OpenBSD port)


7. [ Notes and Guidelines ]

  False positives are possible when running the ARP test against OpenBSD
2.6-current machines.  Linux 2.2.x responds to bogus ARP requests with
MAC address ff:00:00:00:00:00 only when in promiscuous mode, while OpenBSD
does so regardless of whether it is in promiscuous mode or not.
  
  1.0 release TODO:
    Class C scanning ability.
    ICMP ping latency tests.
   
  Any comments and suggestions will be greatly appreciated.
   
    -----------------------------------------------------------------
              $Id: README,v 1.4 2000/04/22 07:12:52 bind Exp $
