[Snort-users] Stealth Interface on Win32 Platforms

Burleson, Lee (IA) Lee.Burleson at ...1358...
Tue Sep 4 12:09:05 EDT 2001


You could probably prevent the change with an ACL on the
IPAutoconfigurationEnabled key.

- Lee

> -----Original Message-----
> From: Lucas Wharton [mailto:LucasW at ...3325...]
> Sent: Tuesday, September 04, 2001 13:01
> To: 'Archer'; Snort-users at lists.sourceforge.net
> Subject: RE: [Snort-users] Stealth Interface on Win32 Platforms
> 
> 
> Windows is too 'smart' to let you assign an address like 0.0.0.0 directly
> from the Connection Properties window.  The 169.x.x.x address comes from the
> IP Autoconfiguration, which can be changed to default to anything you wish.
> 
> -Open the Connection Properties for the target NIC and disable all
> services\protocols other than TCP\IP.
> -Run regedit and open
> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\<adapter>
> -If it does not already exist add the IPAutoconfigurationEnabled key, Value
> type: REG_DWORD and set to 0 ( false ).
> -Set EnableDHCP to 0 and check to make sure IPAutoconfigurationAddress is
> set to 0.0.0.0 while in regedit.
> -If necessary run an ipconfig /release <adapter> to release your IP.
> 
> DO NOT view or attempt to make changes through the Connection Properties
> window.  Windows will outsmart you and change these settings.
> 
> More Info: http://www.helmig.com/j_helmig/w2knoaip.htm 
> 
> -Lucas
> 
> 
> -----Original Message-----
> From: Archer [mailto:archer at ...2694...]
> Sent: Monday, September 03, 2001 10:48 PM
> To: Snort-users at lists.sourceforge.net
> Subject: [Snort-users] Stealth Interface on Win32 Platforms
> 
> 
> Can someone tell me how to do a "stealth interface" for Win32 platforms?
> 
> For example, how do you make sure the interface has no IP, do you assign it
> 0.0.0.0? If you set it to DHCP but don't allow it to get
> an address, it will default to a 169.x.x.x address.
> 
> As far as the sniffer cable. I read the Snort FAQ and this was mentioned.
> However, I don't quite understand it. Could someone
> perhaps clear it up a little?
> 
>     LAN        Sniffer
>     1 -----\ /-- 1
>     2 ---\ | \-- 2
>     3 ---+-*------- 3
>     4 -  |        - 4
>     5 -  |        - 5
>     6 ---*-------- 6
>     7 -           - 7
>     8 -           - 8
> 
>     Basically, 1 and 2 on the sniffer side are connected, 3 and 6
>     straight through to the LAN. 1 and 2 on the LAN side connect to 3 and
>     6 respectively. This fakes a link on both ends but only allows
>     traffic from the LAN to the sniffer. It also causes the 'incoming'
>     traffic to be sent back to the LAN, so this cable only works well on
>     a hub. You can use it on a switch but you will get ...err...
>     interesting results. Since the switch receives the packets back in on
>     the port it sent them out, the MAC table gets confused and after a
>     short while devices start to drop off the switch. Works like a charm
>     on a hub though.
> 
> 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
> 
> 
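An added check, not part of the original posts: a read-only PowerShell audit of the three per-adapter values named in the thread, which also lists who is allowed to set values under each adapter key (the ACL is held by the key that contains the values). It assumes a Windows host with PowerShell, which postdates these 2001 messages; the function name Test-StealthInterface is hypothetical.

```powershell
# Added example: read-only audit, changes nothing in the registry.
# Assumption: run from an elevated PowerShell prompt on the sensor host.
$root     = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'
$setValue = [System.Security.AccessControl.RegistryRights]::SetValue

function Test-StealthInterface {
    param([Parameter(Mandatory)] [string] $KeyPath)

    $p = Get-ItemProperty -Path $KeyPath
    # Expected values are the ones given in the quoted procedure.
    $expected = [ordered]@{
        EnableDHCP                 = 0
        IPAutoconfigurationEnabled = 0
        IPAutoconfigurationAddress = '0.0.0.0'
    }
    # Collect every value that is missing or differs from the procedure.
    $drift = foreach ($name in $expected.Keys) {
        $actual = $p.$name
        if ($null -eq $actual) { "$name not set" }
        elseif ("$actual" -ne "$($expected[$name])") { "$name = $actual" }
    }
    # Identities with an Allow rule that includes SetValue on this key.
    $writers = (Get-Acl -Path $KeyPath).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and ($_.RegistryRights -band $setValue) } |
        ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique

    [pscustomobject]@{
        Adapter = Split-Path -Path $KeyPath -Leaf
        Matches = -not $drift
        Drift   = $drift -join '; '
        Writers = $writers -join ', '
    }
}

Get-ChildItem -Path $root |
    ForEach-Object { Test-StealthInterface -KeyPath $_.PSPath } |
    Format-Table -AutoSize -Wrap
```

Running it again after opening the Connection Properties window shows whether Windows has rewritten any of the values for the sniffing adapter.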