snifferfaq

Sniffer FAQ

Version: 1.7
–óEŽuX—Y^ŽÀ
----------------------------------------------------------------------------
This Security FAQ is a resource provided by:

Internet Security Systems, Inc.
5871 Glenridge Drive, Suite 115 @@Tel: (404) 252-7270
Atlanta, Georgia 30328@@@@@@@@Fax: (404) 252-2427

- Internet Scanner ... the most comprehensive "attack simulator" available. -

----------------------------------------------------------------------------
To get the newest updates of Security files check the following services:

http://www.iss.net/
ftp ftp.iss.net /pub/

To subscibe to the update mailing list, Alert, send an e-mail to
request-alert@iss.net and, in the te xt of your message (not the subject line), write:

subscribe alert

----------------------------------------------------------------------------
sniffing‚ð—‰ð‚µ–â‘è‚Ì‹†–¾‚É–ð—§‚Â‚±‚Æ‚ðŠè‚Á‚ÄA‚±‚Ì‚e‚`‚p‚ðŠÇ—ŽÒ‚Ì•û‚É—^‚¦‚Ü‚·B sniffing‚ÍA¡“úƒCƒ“ƒ^[ƒlƒbƒgã‚Å‚Ì‘å‹K–Í‚È”j‰ó“I—vˆö‚Ìˆê‚Â‚Å‚·B

This FAQ will be broken down into:

* What a sniffer is and how it works
* Where are sniffers available
* How to detect if a machine is being sniffed
* Stopping sniffing attacks:
o Active hubs
o Encryption
o Kerberos
o One-time password technology
o Non-promiscuous interfaces

----------------------------------------------------------------------------

What a sniffer is and how it works

“d˜b‰ñü‚Æˆá‚Á‚ÄAƒRƒ“ƒsƒ…[ƒ^ƒlƒbƒgƒ[ƒN‚ÍƒRƒ~ƒjƒ…ƒP[ƒVƒ‡ƒ“ƒ`ƒƒƒ“ƒlƒ‹‚ð‹¤—L‚·‚éB ‚»‚ê‚Í‚Q‚Â‚ÌƒRƒ“ƒsƒ…[ƒ^“¯Žm‚Ì’ÊM‚É‚P‚Â‚Ì‰ñü‚ðè—L‚³‚¹‚é‚É‚Í•sŒoÏ‚¾‚©‚ç‚Å‚ ‚éB ‚±‚Ì‹¤—L‚Í‚ ‚éƒRƒ“ƒsƒ…[ƒ^‚ªA‘¼‚Ìƒ}ƒVƒ“‚ª—p‚¢‚é‚½‚ß‚Ìî•ñ‚ðŽó‚¯Žæ‚é‚±‚Æ‚ª‰Â”\ ‚Å‚ ‚é‚±‚Æ‚ðˆÓ–¡‚·‚éB ƒlƒbƒgƒ[ƒN‚ð‰z‚¦‚Ä‚«‚½î•ñ‚ðŠl‚é‚±‚Æ‚ðsniffing‚ÆŒÄ‚ÔB

‚à‚Á‚Æ‚àˆê”Ê“I‚ÈƒRƒ“ƒsƒ…[ƒ^ƒRƒlƒNƒVƒ‡ƒ“‚ÍƒC[ƒTƒlƒbƒg‚ð’Ê‚éB ƒC[ƒTƒlƒbƒgƒvƒƒgƒRƒ‹‚ÍAƒpƒPƒbƒgî•ñ‚ð‰ñüã‚Ì‘S‚Ä‚ÌƒzƒXƒg‚É‘—‚é‚æ‚¤‚É“‚B ƒpƒPƒbƒgƒwƒbƒ_‚Í–Ú“I’n‚ÌŠm‚©‚Èî•ñ‚ðŠÜ‚ÝAƒAƒhƒŒƒX‚É‡‚Á‚½ƒ}ƒVƒ“‚Ì‚Ý‚ªƒpƒPƒbƒg‚ðŽó‚¯Žæ‚éB ƒpƒPƒbƒgƒwƒbƒ_‚É‚©‚©‚í‚ç‚¸A‘S‚Ä‚ÌƒpƒPƒbƒg‚ðŽó‚¯Žæ‚éƒ}ƒVƒ“‚Ípromiscuous mode‚É‚ ‚éB

‚Ó‚Â‚¤‚Ìƒlƒbƒgƒ[ƒNŠÂ‹«‚É‚¨‚¢‚Ä‚ÍAƒAƒJƒEƒ“ƒg‚âƒpƒXƒ[ƒh‚È‚Ç‚Ìî•ñ‚Í •½•¶‚ÅƒC[ƒTƒlƒbƒgŠÔ‚ð—¬‚ê‚é‚Ì‚ÅA‚¢‚Á‚½‚ñN“üŽÒ‚ªŠÇ—ŽÒŒ ‚ðŠl‚½‚çƒ}ƒVƒ“‚ð promiscuous mode‚É‚µ‚ÄAsniffing‚É‚æ‚Á‚Äƒlƒbƒgã‚Ì‘S‚Ä‚Ìƒ}ƒVƒ“‚ðŠë‚¤‚‚·‚é‚±‚Æ ‚à“ï‚µ‚‚Í‚È‚¢B

----------------------------------------------------------------------------

Where are sniffers available

sniffing‚ÍƒnƒbƒJ[‚É‚æ‚é‚à‚Á‚Æ‚àˆê”Ê“I‚ÈUŒ‚•û–@‚Å‚ ‚éB ‚ ‚éƒXƒjƒbƒtƒ@[AEsniff.c‚Í‚Æ‚Ä‚à¬‚³‚‚r‚•‚Ž‚‚“ã‚Å“‚«A‚”‚…‚Œ‚Ž‚…‚”A‚†‚”‚A‚’‚Œ‚‚‡‚‰‚Ž ‚ÌƒZƒbƒVƒ‡ƒ“‚©‚çÅ‰‚Ì‚R‚O‚OƒoƒCƒg‚Ì‚Ý‚ðŠl‚éB ‚»‚ê‚Í‚o‚ˆ‚’‚‚ƒ‚‹A‚à‚Á‚Æ‚àL‚“Ç‚Ü‚ê‚Ä‚¢‚é–³—¿‚ÌƒnƒbƒLƒ“ƒOƒ}ƒKƒWƒ“‚Å”s‚³‚ê‚Ä‚¢‚éB ‚o‚ˆ‚’‚‚ƒ‚‹‚Í‘½‚‚Ì‚e‚s‚oƒTƒCƒg‚ÅŒ©‚é‚±‚Æ‚ª‚Å‚«A‚Ü‚½Esniff.c‚à“¯—l‚É coombs.anu.edu.au:/pub/net/log‚È‚Ç‚É‚ ‚éB

‚ ‚È‚½‚Í‚»‚ê‚ªƒ[ƒJƒ‹ƒ}ƒVƒ“‚ðŠë‹@‚ÉŠ×‚ç‚¹‚é‚Ì‚É‚Ç‚ê‚Ù‚ÇŒø‰Ê“I‚©‚ðŒ©‚é‚½‚ß‚ÉA Œö”F‚³‚ê‚½ƒlƒbƒgƒ[ƒNã‚ÅEsniff.c‚ð‘–‚ç‚¹‚Ä‚Ý‚é‚±‚Æ‚ð–]‚Þ‚©‚à‚µ‚ê‚È‚¢B

ƒlƒbƒgƒ[ƒN‚Ì–â‘è“_‚ðŽæ‚èœ‚–Ú“I‚Ì‚½‚ß‚ÉL‚‘¶Ý‚µ‚Ä‚¢‚é‘¼‚ÌƒXƒjƒbƒtƒ@[‚ÍF

* Etherfind on SunOs4.1.x
* Snoop on Solaris 2.x and SunOs 4.1 (on ftp playground.sun.com)
* Tcpdump 3.0 uses bpf for a multitude of platforms.
* Packetman, Interman, Etherman, Loadman works on the following platforms:
SunOS, Dec-Mips, SGI, Alpha, and Solaris. It is available on ftp.cs.curtin.edu.au:/pub/netman/[sun4c|dec-mips|sgi|alpha|solaris2]/ [etherman-1.1a|interman-1.1|loadman-1.0|packetman-1.1].tar.Z
Packetman was designed to capture packets, while Interman, Etherman, and Loadman monitor traffic of various kinds.

DOS based sniffers

* Gobbler for IBM DOS Machines
* ethdump v1.03
Available on ftp
ftp.germany.eu.net:/pub/networking/inet/ethernet/ethdp103.zip
* ethload v1.04
Companion utility to a ethernet monitor. Available on ftp
ftp.germany.eu.net:/pub/networking/monitoring/ethload/ethld104.zip

¤—p‚ÌƒXƒjƒbƒtƒ@[‚ÍF

* Klos Technologies, Inc.

PacketView - Low cost network protocol analyzer

Phone: 603-424-8300
BBS: 603-429-0032

* Network General.

Network General‚Í‚¢‚‚Â‚©‚Ì»•i‚ðì‚Á‚Ä‚¢‚éBÅ‚àd—v‚È‚Ì‚ÍExpert Sniffer‚ÅA ‰ñüã‚ð“’®‚·‚é‚¾‚¯‚Å‚È‚Ahigh-performance expert system‚ð’Ê‚µ‚ÄƒpƒPƒbƒg‚ð ‘–‚ç‚¹‚Ä–â‘è‚ðf’f‚·‚éB"Distributed Sniffer System"‚ÆŒÄ‚Î‚ê‚éŠg’£‚ÍA‚ ‚È‚½‚Ì‚t‚Ž‚‰‚˜ƒ[ƒNƒXƒe[ƒVƒ‡ƒ“ã‚ÌƒRƒ“ƒ\[ƒ‹‚ÉExpert Sniffer‚ð—^‚¦‚ÄAƒŠƒ‚[ƒgƒTƒCƒg‚ÌƒG[ƒWƒFƒ“ƒg‚ÉŽûW‚µ‚½‚à‚Ì‚ð”z•z‚·‚é‚±‚Æ‚ª‚Å‚«‚éB

* Microsoft's Net Monitor

" My commercial site runs many protocols on one wire - NetBeui, IPX/SPX, TCP/IP, 802.3 protocols of various flavors, most notably SNA. This posed a big problem when trying to find a sniffer to examine the network problems we were having, since I found that some sniffers that understood Ethernet II parse out some 802.3 traffic as bad packets, and vice versa. I found that the best protocol parser was in Microsoft's Net Monitor product, also known as Bloodhound in its earlier incarnations. It is able to correctly identify such oddities as NetWare control packets, NT NetBios name service broadcasts, etc, which etherfind on a Sun simply registered as type 0000 packet broadcasts. It requires MS Windows 3.1 and runs quite fast on a HP XP60 Pentium box. Top level monitoring provides network statistics and information on conversations by mac address (or hostname, if you bother with an ethers file). Looking at tcpdump style details is as simple as clicking on a conversation. The filter setup is also one of the easiest to implement that I've seen, just click in a dialog box on the hosts you want to monitor. The number of bad packets it reports on my network is a tiny fraction of that reported by other sniffers I've used. One of these other sniffers in particular was reporting a large number of bad packets with src mac addresses of aa:aa:aa:aa:aa:aa but I don't see them at all using the MS product. - Anonymous

----------------------------------------------------------------------------

How to detect a sniffer running.

ƒf[ƒ^‚ðŠl‚é‚¾‚¯‚ÅA‚¢‚©‚È‚éî•ñ‚É‚à”½‰ž‚µ‚È‚¢ƒXƒjƒbƒtƒ@[‚ð”Œ©‚·‚é‚É‚ÍA ‚ ‚È‚½‚ÌƒC[ƒTƒlƒbƒgƒRƒlƒNƒVƒ‡ƒ“‚Ì‘S‚Ä‚ðŒÂX‚É•¨—“I‚É’²‚×‚é•K—v‚ª‚ ‚éB

ƒ}ƒVƒ“‚ÅƒXƒjƒbƒtƒ@[‚ª‘–‚Á‚Ä‚¢‚½‚çƒpƒPƒbƒg‚ð‘—‚Á‚½‚èƒsƒ“ƒO‚É‚æ‚Á‚Ä‰“Šu“I‚É’²‚×‚é ‚±‚Æ‚à‚Å‚«‚È‚¢B

ƒ}ƒVƒ“ã‚É‘–‚Á‚Ä‚¢‚éƒXƒjƒbƒtƒ@[‚ÍƒCƒ“ƒ^[ƒtƒFƒCƒX‚ð‘S‚Ä‚ÌƒpƒPƒbƒg‚ðŽó‚¯“ü‚ê‚é promiscuous mode‚É‚·‚éB promiscuous mode‚É‚ ‚éƒCƒ“ƒ^[ƒtƒFƒCƒX‚ðŒ©‚Â‚¯‚é‚±‚Æ‚Í‰Â”\‚Å‚ ‚éB non-promiscuous mode‚ÅƒXƒjƒbƒtƒ@[‚ð‘–‚ç‚¹‚é‚±‚Æ‚Í‰Â”\‚Å‚ ‚é‚ªA‚»‚ê‚Í‚½‚¾ ‚»‚ê‚ª‘–‚Á‚Ä‚¢‚éƒ}ƒVƒ“‚ÌƒZƒbƒVƒ‡ƒ“‚Ì‚Ý‚ð“’®‚·‚é‚±‚Æ‚µ‚©‚Å‚«‚È‚¢B N“üŽÒ‚ª‚“‚ˆA‚”‚…‚Œ‚Ž‚…‚”A‚’‚Œ‚‚‡‚‰‚ŽC‚‰‚Ž.‚”‚…‚Œ‚Ž‚…‚”‚„‚âƒ†[ƒU[‚Ì ƒƒOƒtƒ@ƒCƒ‹‚É‘‚«ž‚Ý‚ð‚·‚é‚æ‚¤‚È‚à‚Ì‚È‚Ç‚ÌAƒgƒƒC‚Ì–Ø”nƒvƒƒOƒ‰ƒ€‚ðŽg‚Á‚ÄA Ž—‚½‚æ‚¤‚ÈƒZƒbƒVƒ‡ƒ“‚Ì“’®‚ð‚¨‚±‚È‚¤‚±‚Æ‚Í‰Â”\‚Å‚ ‚éB “¯—l‚É”Þ‚ç‚Í—eˆÕ‚É‚”‚”‚™‚â‚‹‚‚…‚‚ðŒ©‚é‚±‚Æ‚ª‚Å‚«‚éB ‚±‚ê‚ç‚ÌUŒ‚‚Í‚½‚¾‚P‚Â‚Ìƒ}ƒVƒ“‚©‚ç‚ÌƒZƒbƒVƒ‡ƒ“‚ð“’®‚·‚é‚¾‚¯‚¾‚ªA promiscuous sniffing‚ÍƒC[ƒTƒlƒbƒgã‚Ì‘S‚Ä‚ÌƒZƒbƒVƒ‡ƒ“‚ð“’®‚·‚é‚±‚Æ‚ª‚Å‚«‚éB

‚r‚•‚Ž‚n‚“A‚m‚…‚”‚a‚r‚c‚â‘¼‚Ì‚t‚m‚h‚wŒn‚Ì‚a‚r‚c‚ÍA
@@@@"ifconfig -a"
‚Æ‚¢‚¤ƒRƒ}ƒ“ƒh‚É‚æ‚Á‚Äpromiscuous mode‚É‚ ‚é‚©‚Ç‚¤‚©‚ð‘S‚Ä‚ÌƒCƒ“ƒ^[ƒtƒFƒCƒX‚É‚Â‚¢‚Ä ’²‚×‚é‚±‚Æ‚ª‚Å‚«‚éB ‚c‚d‚b@‚n‚r‚e/‚P‚â‚h‚q‚h‚w‚â‘¼‚Ì‚n‚r‚ÍŠm”F‚·‚é‚½‚ß‚ÌƒfƒoƒCƒX‚ª•K—v‚Å‚ ‚éB ƒVƒXƒeƒ€ã‚É‚Ç‚Ì‚æ‚¤‚ÈƒCƒ“ƒ^[ƒtƒFƒCƒX‚ª‚ ‚é‚©‚ð’²‚×‚é•û–@‚Ìˆê‚Â‚Æ‚µ‚Ä ‚ ‚È‚½‚ÍŽŸ‚Ì‚±‚Æ‚ð‚·‚é‚±‚Æ‚ª‚Å‚«‚éF

# netstat -r
Routing tables

Internet:
@@@Destination@@Gateway@@Flags@@Refs@@@Use@@Interface
@@@default@@@@@iss.net@@@@UG@@@1@@@24949@@@le0
@@@localhost@@@@localhost@@UH@@@2@@@@83@@@@lo0

‚Ü‚½ŽŸ‚ÌƒRƒ}ƒ“ƒh‚É‚æ‚Á‚Ä‚»‚ê‚¼‚ê‚ÌƒCƒ“ƒ^[ƒtƒFƒCƒX‚ðƒeƒXƒg‚·‚é‚±‚Æ‚ª‚Å‚«‚éF

#ifconfig le0
le0: flags=8863
inet 127.0.0.1 netmask 0xffffff00 broadcast 255.0.0.1

N“üŽÒ‚Í‚µ‚Î‚µ‚Î”Œ©‚³‚ê‚é‚Ì‚ð”ð‚¯‚é‚½‚ß‚Éifconfig‚Ì‚æ‚¤‚ÈƒRƒ}ƒ“ƒh‚ðŽæ‚è‘Ö‚¦‚é ‚Ì‚Å‚ ‚È‚½‚Í‚»‚ê‚ðŠm”F‚·‚×‚«‚Å‚ ‚éB

‚r‚•‚Ž‚‚“‚Å‚Ì‚Ý“‚ftp.cert.org:/pub/tools/cpm ‚É‚ ‚é‚ƒ‚‚‚Æ‚¢‚¤ƒvƒƒOƒ‰ƒ€‚Í promiscuous flag‚ðo‚µ‚ÄƒCƒ“ƒ^[ƒtƒFƒCƒX‚ð’²‚×‚éB

‚t‚Œ‚”‚’‚‰‚˜‚Ípfstat‚ÆpfconfigƒRƒ}ƒ“ƒh‚ðŽg‚¤‚±‚Æ‚É‚æ‚Á‚Ä’N‚©‚ª‘–‚ç‚¹‚Ä‚¢‚é ƒXƒjƒbƒtƒ@[‚ð”Œ©‚·‚é‚±‚Æ‚ª‚Å‚«‚éB

pfconfig‚ÍƒXƒjƒbƒtƒ@[‚ð‘–‚ç‚¹‚é‚±‚Æ‚ª‚Å‚«‚él‚ðƒZƒbƒg‚·‚é‚±‚Æ‚ª‚Å‚« pfstat‚ÍƒCƒ“ƒ^[ƒtƒFƒCƒX‚ªpromiscuous mode‚É‚ ‚ê‚Î’m‚ç‚¹‚Ä‚‚ê‚éB

‚±‚ê‚ç‚ÌƒRƒ}ƒ“ƒh‚Ísniffing‚ªƒJ[ƒlƒ‹‚Æ˜AŒ‹‚µ‚Ä‹N‚±‚Á‚Ä‚¢‚éê‡‚Ì‚Ý—LŒø‚Å‚ ‚éB ‚Ó‚Â‚¤‚ÍƒXƒjƒbƒtƒ@[‚ÍƒJ[ƒlƒ‹‚Æ˜AŒ‹‚µ‚Ä‚¢‚È‚¢B ‚Œ‚’‚‰‚˜A‚r‚‚Œ‚‚’‚‰‚“A‚r‚b‚O‚È‚Ç‚Ì‘¼‚Ì‚t‚m‚h‚wƒVƒXƒeƒ€‚ÍA‚»‚ê‚ç‚ª promiscuous mode‚É‚ ‚é‚Ì‚©‚È‚¢‚Ì‚©‚ðŽ¦‚·Žè’i‚ðŽ‚½‚¸AN“üŽÒ‚Í‚ ‚È‚½‚Ì ‘S‚Ä‚Ìƒlƒbƒgƒ[ƒN‚ð“’®‚Å‚«A‚»‚ê‚ð”Œ©‚·‚é•û–@‚Í‚È‚¢B

‚µ‚Î‚µ‚ÎƒXƒjƒbƒtƒ@[‚ÌƒƒO‚Í‘å‚«‚‚È‚è‘½‚‚Ìƒtƒ@ƒCƒ‹ƒXƒy[ƒX‚ðŽg‚¤B ‘½‚‚Ìî•ñ‚ª—¬‚ê‚éƒlƒbƒgƒ[ƒN‚Å‚ÍƒXƒjƒbƒtƒ@[‚Íƒ}ƒVƒ“ã‚É‘å‚«‚ƒ[ƒh‚·‚éB ‚±‚Ì‚æ‚¤‚È‚±‚Æ‚ªŠÇ—ŽÒ‚ªƒXƒjƒbƒtƒ@[‚ð”Œ©‚·‚éˆø‚«‹à‚É‚È‚éB ‚í‚½‚µ‚ÍƒƒOƒtƒ@ƒCƒ‹‚â‚r‚•‚Ž‚n‚“‚Ì/dev/nit‚Ì‚æ‚¤‚ÈƒpƒPƒbƒg‚ªƒAƒNƒZƒX‚·‚éƒvƒƒOƒ‰ƒ€‚ð”Œ©‚·‚é ‚½‚ß‚ÉAcoast.cs.purdue.edu:/pub/Purdue/lsof‚É‚ ‚élsof (LiSt Open Files) ‚ð Žg‚¤‚±‚Æ‚ð‹‚Š©‚ß‚éB

Ž„‚ª’m‚éŒÀ‚è‚h‚a‚l@‚o‚bŒÝŠ·‹@‚Ìpromiscuous‚ð”Œ©‚·‚éƒRƒ}ƒ“ƒh‚Í‚È‚¢‚ªA ‚»‚ê‚ç‚Ì‚Ù‚Æ‚ñ‚Ç‚ÍƒRƒ“ƒ\[ƒ‹‚©‚çˆÈŠO‚ÌƒRƒ}ƒ“ƒh‚ÌŽÀs‚ª‹–‚³‚ê‚È‚¢‚Ì‚ÅA “à•”‚Ì•â²‚ª‚È‚¢ŒÀ‚è‰“Šu“IN“üŽÒ‚ª‚o‚bƒ}ƒVƒ“‚ÉƒXƒjƒbƒtƒ@[‚ðŽdŠ|‚¯‚é‚±‚Æ‚Í‚Å‚«‚È‚¢B

----------------------------------------------------------------------------

Stopping sniffing attacks

ƒAƒNƒeƒBƒuƒnƒu‚Ípromiscuous sniffing‚ðŽg‚¦‚È‚¢ƒpƒPƒbƒg‚ð‚»‚ê‚¼‚ê‚ÌƒVƒXƒeƒ€‚É‘—‚éB ‚±‚ê‚Í10-Base T‚Ì‚Ý‚É—LŒø‚Å‚ ‚éB

ˆÈ‰º‚Ì”„‚èŽè‚ªƒAƒNƒeƒBƒuƒnƒu‚ðˆµ‚Á‚Ä‚¢‚éF

* 3Com
* HP

----------------------------------------------------------------------------

Encryption

N“üŽÒ‚ªî•ñ‚ðŠl‚Á‚Ä‚à‚»‚ê‚ðŽg‚¤‚½‚ß‚Ì•¡‡‰»‚Å‚«‚È‚¢‚æ‚¤‚É‚·‚é Ú‘±ŠÔ‚ÌˆÃ†ƒ\ƒtƒg‚ª‚¢‚‚Â‚©‚ ‚éB

‚¢‚‚Â‚©‚ÌƒpƒbƒP[ƒW‚ÍˆÈ‰º‚É‚ ‚éF

* deslogin is one package available at ftp
coast.cs.purdue.edu:/pub/tools/unix/deslogin

* swIPe is another package available at
ftp.csua.berkeley.edu:/pub/cypherpunks/swIPe/

* Netlock encrypts all (tcp, udp, and raw ip based) communications transparently. It has automatic (authenticated Diffie-Helman) distibuted key management mechanism for each host and runs on the SUN 4.1 and HP 9.x systems. The product comes with a Certification Authority Management application which generates host certificates (X.509) used for authentication between the hosts. and provides centralized control of each Hosts communications rules.

The product is built by Hughes Aircraft and they can be reached at 800-825-LOCK or email at netlock@mls.hac.com.

----------------------------------------------------------------------------

Kerberos

Kerberos‚Íƒlƒbƒgƒ[ƒN‚ð‰z‚¦‚éƒAƒJƒEƒ“ƒgî•ñ‚ðˆÃ†‰»‚·‚é‚½‚ß‚Ì‚P‚Â‚Ìƒ\ƒtƒg‚Å‚ ‚éB ‚»‚ê‚Í‘S‚Ä‚ÌƒAƒJƒEƒ“ƒgî•ñ‚ð•Û—L‚µ‚Ä‚¢‚éˆê‚Â‚ÌƒzƒXƒg‚©‚ç‚»‚ê‚ç‚ðˆø‚Á’£‚Á‚Ä‚‚é‚Ì‚ÅA ‚à‚µ‚»‚Ìƒ}ƒVƒ“‚ªUŒ‚‚³‚ê‚é‚Æ‘S‚Ä‚Ìƒlƒbƒgƒ[ƒN‚ªŠëŒ¯‚É‚³‚ç‚³‚ê‚éB ‚»‚ê‚ÍƒZƒbƒgƒAƒbƒv‚ª“ï‚µ‚¢‚Æ•ñ‚³‚ê‚Ä‚¢‚éB Kerberos‚É‚ÍƒXƒgƒŠ[ƒ€ˆÃ†‰»‚’‚Œ‚‚‡‚‰‚Ž‚„‚Æ‚”‚…‚Œ‚Ž‚…‚”‚„‚ª‚Â‚¢‚Ä‚‚éB ‚±‚ê‚Í‚ ‚È‚½‚ªƒƒOƒCƒ“‚µ‚½‚ ‚Æ‚É‚¨‚±‚È‚Á‚½‚±‚Æ‚ðN“üŽÒ‚É“’®‚³‚ê‚é‚Ì‚ð–h‚®B

Kerberos‚Ì‚e‚`‚p‚ÍˆÈ‰º‚Ì‚†‚”‚‚É‚ ‚é
rtfm.mit.edu
/pub/usenet/comp.protocols/kerberos/Kerberos_Users__Frequently_Asked_Questions_1.11

----------------------------------------------------------------------------

One time password technology

S/key‚â‚»‚Ì‘¼‚Ìˆê“x‚«‚è‚ÌƒpƒXƒ[ƒh•ûŽ®‚ÍAƒAƒJƒEƒ“ƒg‚Ì“’®‚ð‚Ù‚Æ‚ñ‚Ç–³Œø‚É‚·‚éB S/key‚ÌŠT”O‚Í‚ ‚È‚½‚ÌƒŠƒ‚[ƒgƒzƒXƒg‚ªŠëŒ¯‚Èƒ`ƒƒƒ“ƒlƒ‹‚ð‰z‚¦‚¸‚ÉƒpƒXƒ[ƒh‚ð ’m‚ç‚¹‚Ä‚‚êA‚ ‚È‚½‚ªÚ‘±‚µ‚½‚Æ‚«‚ÉA‚ ‚È‚½‚ÍØ–¾—v‹‚ðŽó‚¯‚éB ‚ ‚È‚½‚ªØ–¾—v‹î•ñ‚ÆƒpƒXƒ[ƒh‚ðŽó‚¯Žæ‚Á‚ÄA‚»‚ê‚ð‚à‚µ‚¨ŒÝ‚¢‚ª “¯‚¶ƒpƒXƒ[ƒh‚È‚ç•ÔŽ–‚ð•Ô‚·‚±‚Æ‚ð—v‹‚·‚éƒAƒ‹ƒSƒŠƒYƒ€‚É·‚µž‚ÞB ƒpƒXƒ[ƒh‚ÍŒˆ‚µ‚Äƒlƒbƒgƒ[ƒN‚ð‰z‚¦‚È‚¢‚µ“¯‚¶Ø–¾—v‹‚ª‚Q“xŽg‚í‚ê‚é‚±‚Æ‚à‚È‚¢B ‚r‚…‚ƒ‚•‚’‚…‚h‚c‚â‚r‚m‚j‚Æˆá‚Á‚Ä‚r/‚‹‚…‚™‚Å‚Í‚ ‚È‚½‚ÍƒzƒXƒg‚ÆƒpƒXƒ[ƒh‚ð‹¤—L‚µ‚È‚‚Ä‚·‚ÞB ‚r/‚‹‚…‚™‚Íftp:thumper.bellcore.com:/pub/nmh/skey‚É‚ ‚éB

‚»‚Ì‘¼‚Ìˆê“x‚«‚è‚ÌƒpƒXƒ[ƒh‹Zp‚ÍAƒAƒJƒEƒ“ƒg‚ÉƒAƒNƒZƒX‚·‚é‚±‚Æ‚ð‹– ‚·ƒiƒ“ƒo[‚ð¶¬‚·‚éƒJ[ƒh‚ð‚¨ŒÝ‚¢‚Ìƒ†[ƒT[Ž‚ÂAƒJ[ƒhƒVƒXƒeƒ€‚ª‚ ‚éB ƒJ[ƒh‚ðœ‚¯‚ÎA‚»‚Ìƒiƒ“ƒo[‚ð„‘ª‚·‚é‚±‚Æ‚Í‚Å‚«‚È‚¢B

ˆÈ‰º‚Ì‰ïŽÐ‚Í‚æ‚è‚æ‚¢ƒpƒXƒ[ƒhØ–¾‚Ì‰ðŒˆ–@‚ð’ñ‹Ÿ‚µ‚Ä‚¢‚éF

Secure Net Key (SNK)

Digital Pathways, Inc.
201 Ravendale Dr. Mountainview, Ca.
97703-5216 USA

Phone: 415-964-0707 Fax: (415) 961-7487

Secure ID

Security Dynamics,
One Alewife Center
Cambridge, MA 02140-2312
USA Phone: 617-547-7820
Fax: (617) 354-8836
Secure ID uses time slots as authenication rather than challenge/response.

ArKey and OneTime Pass

Management Analytics
PO Box 1480
Hudson, OH 44236
Email: fc@all.net
Tel:US+216-686-0090 Fax: US+216-686-0092

OneTime Pass (OTP):
‚±‚ÌƒvƒƒOƒ‰ƒ€‚ÍˆÃ†‰»ƒvƒƒgƒRƒ‹‚âƒn[ƒhƒfƒoƒCƒX‚ð•K—v‚Æ‚µ‚È‚¢A ƒ†[ƒU[“¯Žm‚Ì§ŒÀ‚Ì‚È‚¢ˆê“x‚«‚è‚ÌƒpƒX‚ð‹Ÿ‹‹‚·‚éB ƒ†[ƒU[‚ÍŽg‚¤‚±‚Æ‚Ì‚Å‚«‚éƒpƒXƒR[ƒh‚ÌƒŠƒXƒg‚ð“¾‚ÄA‚¨ŒÝ‚¢‚ªŽg‚¤‚à‚Ì‚ðÁ‹Ž‚·‚éB ƒVƒXƒeƒ€‚Í‚»‚ê‚ªŽg‚í‚ê‚½‚Æ‚«AƒŠƒXƒg‚©‚ç‚¨ŒÝ‚¢‚ÌƒpƒXƒR[ƒh‚ðœ‚ˆ—‚ð‚¨‚±‚È‚¤B ‚Æ‚Ä‚à¬‚³‚‘‚¢ƒpƒXƒ[ƒhƒeƒXƒ^[‚ÆƒpƒXƒ[ƒh‚ÆƒpƒXƒ[ƒh ‚Æ‚È‚éŒ¾—t‚ð¶¬‚·‚éƒVƒXƒeƒ€‚ª‚Â‚¢‚Ä‚¢‚éB

ArKey:
‚±‚ê‚Í‹¤’Ê‚Ì”FØ‚ÉŠî‚Ã‚«ƒ†[ƒU[‚ÆƒVƒXƒeƒ€‚ª‚¨ŒÝ‚¢‚ðØ–¾‚·‚é‚`‚’‚‡‚•‚…‚„@‚j‚…‚™ ƒVƒXƒeƒ€‚Å‚ ‚éBƒn[ƒhƒEƒFƒA‚ð•K—v‚Æ‚¹‚¸A‚Æ‚Ä‚à¬‚³‚‘‚¢ƒpƒXƒ[ƒhƒeƒXƒ^[‚ÆƒpƒXƒ[ƒh‚ÆƒpƒXƒ[ƒh ‚Æ‚È‚éŒ¾—t‚ð¶¬‚·‚éƒVƒXƒeƒ€‚ª‚Â‚¢‚Ä‚¢‚éB

WatchWord and WatchWord II

Racal-Guardata
480 Spring Park Place
Herndon, VA 22070
703-471-0892
1-800-521-6261 ext 217

CRYPTOCard

Arnold Consulting, Inc.
2530 Targhee Street, Madison, Wisconsin
53711-5491 U.S.A.
Phone : 608-278-7700 Fax: 608-278-7701
Email: Stephen.L.Arnold@Arnold.Com
CRYPTOCard is a modern, SecureID-sized, SNK-compatible device.

SafeWord

Enigma Logic, Inc.
2151 Salvio #301
Concord, CA 94520
510-827-5707 Fax: (510)827-2593
For information about Enigma ftp to: ftp.netcom.com in directory
/pub/sa/safeword

Secure Computing Corporation:

2675 Long Lake Road
Roseville, MN 55113
Tel: (612) 628-2700
Fax: (612) 628-2701
debernar@sctc.com

----------------------------------------------------------------------------

Non-promiscuous Interfaces

‚ ‚È‚½‚Ísniffing‚ð‹–‚³‚È‚¢ƒCƒ“ƒ^[ƒtƒFƒCƒX‚ðŽ‚Â‚h‚a‚l@‚c‚n‚rŒÝŠ·‹@‚ð Žè‚É“ü‚ê‚é‚±‚Æ‚ª‚Å‚«‚éB ‚±‚ê‚Ípromiscuous mode‚ðƒTƒ|[ƒg‚µ‚Ä‚¢‚È‚¢ƒJ[ƒh‚ÌƒŠƒXƒg‚Å‚ ‚éF

‚f‚‚‚‚‚‚Œ‚…‚’‚ðŽg‚Á‚Äpromiscuous mode‚ðƒTƒ|[ƒg‚µ‚Ä‚¢‚È‚¢‚©‚Ç‚¤‚©Šm‚©‚ßA ‚à‚µƒTƒ|[ƒg‚µ‚Ä‚¢‚È‚¢‚à‚Ì‚ðŒ©‚Â‚¯‚½‚ç‚±‚±‚É•t‚¯‰Á‚¦‚ÄA‰º‹L‚É’m‚ç‚¹‚Ä‚Ù‚µ‚¢B e-mailFcklaus@iss.net so I can remove it ASAP.

IBM Token-Ring Network PC Adapter
IBM Token-Ring Network PC Adapter II (short card)
IBM Token-Ring Network PC Adapter II (long card)
IBM Token-Ring Network 16/4 Adapter
IBM Token-Ring Network PC Adapter/A
IBM Token-Ring Network 16/4 Adapter/A
IBM Token-Ring Network 16/4 Busmaster Server Adapter/A

ŽŸ‚ÌƒJ[ƒh‚Ípromiscuous mode‚É‚È‚ç‚È‚¢‚Æ‰\‚³‚ê‚é‚à‚Ì‚Å‚ ‚é‚ª‚»‚ÌŠmŽÀ«‚Í‹^‚í‚ê‚éB

Microdyne (Excelan) EXOS 205
Microdyne (Excelan) EXOS 205T
Microdyne (Excelan) EXOS 205T/16
Hewlett-Packard 27250A EtherTwist PC LAN Adapter Card/8
Hewlett-Packard 27245A EtherTwist PC LAN Adapter Card/8
Hewlett-Packard 27247A EtherTwist PC LAN Adapter Card/16
Hewlett-Packard 27248A EtherTwist EISA PC LAN Adapter Card/32
HP 27247B EtherTwist Adapter Card/16 TP Plus
HP 27252A EtherTwist Adapter Card/16 TP Plus
HP J2405A EtherTwist PC LAN Adapter NC/16 TP

ƒAƒ_ƒvƒ^[‚ÍAˆê”Ê“I‚Épromiscuous mode‚ðƒTƒ|[ƒg‚µ‚Ä‚¢‚È‚¢ ‚s‚q‚n‚o‚h‚bƒ`ƒbƒvƒZƒbƒg‚ðƒx[ƒX‚É‚·‚éB ‚s‚q‚n‚o‚h‚bƒ`ƒbƒvƒZƒbƒg‚Í‚h‚a‚l‚Ì16/4 adapter‚Ì‚æ‚¤‚ÈToken Ring adapters ‚ðŽg‚¤B ‚»‚Ì‘¼‚Ì”„‚èŽè‚ài‚Æ‚è‚í‚¯@‚R‚b‚‚j‚s‚q‚n‚o‚h‚bƒx[ƒX‚ÌƒAƒ_ƒvƒ^[‚ð‹Ÿ‹‹‚µ‚Ä‚¢‚éB ‚s‚q‚n‚o‚h‚bƒx[ƒX‚ÌƒAƒ_ƒvƒ^[‚Íspecial EPROMs‚ðŽó‚¯“ü‚ê‚é‚ªApromiscuous mode ‚É‚È‚é‚±‚Æ‚Í‚È‚Apromiscuous mode‚É‚È‚éŽž‚Í‚»‚ê‚ç‚ÌƒAƒ_ƒvƒ^[‚Í"Trace Tool Present" ‚Æ•\Ž¦‚·‚é‚¾‚ë‚¤B

----------------------------------------------------------------------------

Acknowledgements

I would like to thank the following people for the contribution to this FAQ that has helped to update and shape it:

* Padgett Peterson (padgett@tccslr.dnet.mmc.com)
* Steven Bellovin (smb@research.att.com)
* Wietse Venema (wietse@wzv.win.tue.nl)
* Robert D. Graham (robg@NGC.COM)
* Kevin Martinez (kevinm@beavis.qntm.com)
* Frederick B. Cohen (fc@all.net)
* James Bonfield (jkb@mrc-lmb.cam.ac.uk)
* Marc Horowitz (marc@MIT.EDU)
* Steve Edwards (steve@newline.com)
* Andy Poling (Andy.Poling@jhu.edu)
* Jeff Collyer (jeff@cnet-pnw.com)
* Sara Gordon (sgordon@sun1.iusb.indiana.edu)

----------------------------------------------------------------------------

This paper is Copyright (c) 1994, 1995
by Christopher Klaus of Internet Security Systems, Inc.

Permission is hereby granted to give away free copies electronically. You may distribute, transfer, or spread this paper electronically. You may not pretend that you wrote it. This copyright notice must be maintained in any copy made. If you wish to reprint the whole or any part of this paper in any other medium (ie magazines, books, etc) excluding electronic medium, please ask the author for permission.

Disclaimer

The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.@@@@@@i‚¨–ñ‘©‚Æ‚¢‚¤‚â‚Â‚Å‚·Bj

Address of Author

Please send suggestions, updates, and comments to:
Christopher Klaus of Internet Security Systems, Inc.

Internet Security Systems, Inc.

Internet Security Systems, Inc, located in Atlanta, Ga., specializes in the developement of security scanning software tools. Its flagship product, Internet Scanner, is software that learns an organization's network and probes every device on that network for security holes. It is the most comprehensive "attack simulator" available, checking for over 100 security vulnerabilities.