free sniffer to monitor our ISP???

LadyDi

Member
Nov 6, 2000
57
0
0
I only found one thread that had any info on this (there's probably more but they didn't pull up). Here is what I did find in a reply "If you can get your hands on SMS, it has one of the best packet sniffers out there...Network Monitor"

If you know about this one that'd be great or if you just know about any one that's good I'd appreciate the input.

Diana
 

Damaged

Diamond Member
Oct 11, 1999
3,020
0
0
Or you can always snmpwalk someone. Evil, but informative as all get out, and you'd be surprised how many dumbasses leave their snmp strings at the default. Sheesh! :)
 

PJNeary

Junior Member
Nov 27, 2000
10
0
0
SMS is a Microsoft product for software distribution, which provides, as an afterthought, a super "sniffer" called Network Monitor. Unless you manage a big NT network at work or subscribe to the MS Developer Network (hey, it's only US$2K a year!), you probably don't have access to this.

However... This sniffer is the same one which comes as a Windows NT add-on, also called Network Monitor. It's the same product, only the NT one is able only to "see" packets which come in or out of your machine, while the SMS version can listen on the LAN in "promiscuous mode" and see all packets on the wire. This is a silly crippling of the product intended, I guess, to ease the fears that your officemate might be watching your packets go by.

If you can debug the problem from your machine then this is all you need. My guess is it's available in Win2000 as well as WinNT, but I've not tried to install this yet. Roughly, you go into your Network settings and add the Network Monitor service. If you have Win9x, then, I dunno. Pardon my editorial, but Win9x/Me is a toy OS. Probably some things on Linux, too. I tried one a while ago, but as per Linux/Unix mentality, it was not as easy to use and (more importantly) examine as Network Monitor. Before I get anti-M$ flames, I think Network Monitor is actually an Intel piece of code. (Is that any more PC?)

Anyway, HTH.

--P
 

LadyDi

Member
Nov 6, 2000
57
0
0
That's helpful but I'm still looking for freeware/shareware sniffer and on the by and by I also am looking for a port scanner.

Di
 

Ulfwald

Moderator Emeritus, Elite Member
May 27, 2000
8,646
0
76
I may need something like this. Is there a Linux version of this?
 

Damaged

Diamond Member
Oct 11, 1999
3,020
0
0
See this is why those of us in networking prefer some type of UNIX OS for our workstations: these tools are free. Tools like Nmap - a great port scanner; tcpdump - an effective packet sniffer; and UCD SNMP - a great set of SNMP tools, which includes the snmpwalk utility. All free. :)
 

Ulfwald

Moderator Emeritus, Elite Member
May 27, 2000
8,646
0
76
Ok, but can they be ported to a NT server and used? If so, how can they be used?
 

Damaged

Diamond Member
Oct 11, 1999
3,020
0
0
I suppose you're welcome to try. The source code for tcpdump and for the UCD SNMP stuff is available. I'm not sure about Nmap, but I think the source is available.
 

spidey07

No Lifer
Aug 4, 2000
65,469
5
76
Download NetXray. Nice simple program. You can find it at www.sniffer.com. Much better than any crap NT monitor program, or try to get the actual sniffer 4.0 software from your warez buddies.

spidey

ps - if you can't get ahold of these then the Network Monitor that comes with NT should do the job. I'm pretty sure you can download netxray.
 

LadyDi

Member
Nov 6, 2000
57
0
0
What I need to be able to do is monitor and attack if my ports are being scanned and I need to be able to sniff my own internal network. In any case, I'm bumping hoping for some other solutions.

Thanks and please don't be offended if you've given your .02 worth and yet I'm still asking :)

Di
 

celeritas

Senior member
Oct 13, 1999
935
0
0
For sniffing/scanning, one of my favorite tools is the NT/2K port of nmap. Let me know if you want me to e-mail it to you. It's small, fast, and freeware; it does port scanning, spoofing, open share checks, etc. I would just give you a URL to get it yourself, but the few sites that I knew had it must've pulled the program recently... ;) You'll need a packet driver (here): WinPcap.

Another nice, free, and very fast port scanner is 7th Sphere PortScan. It's less than 30k. Let me know if you can't find it after doing a web search.

The Foundstone site has some nice tools; also try Hacking Exposed. The guys who wrote the Hacking Exposed book (a MUST have, IMHO) run the Foundstone/Hacking Exposed sites. Make sure you visit the tools section: HE Tools.

As far as "attacking" goes, I wouldn't if I were you. Besides the fact that you risk the chance that you may quickly find yourself out of your depth in a war against someone who has a lot more experience (plus all his buddies), you'll also lose credibility with the offender's ISP, etc. if you are able to track him that far. If you're really worried about security I recommend a good SOHO hardware firewall -- but if you can't spend $500+, you might want to consider asking a Linux guru to help you set up a basic Linux firewall/router box. Damaged might be willing to help in that dept. :D

If you want to stick with Windows-based software, I recommend a couple programs: BlackIce and AtGuard. I think you can still dig up AG here. Unfortunately, it was bought by Symantec and was "bloatified" into Norton Personal Firewall or something. Let me know if you can't find it; IMHO, it's one of the best incoming/outgoing port monitoring/blocking programs out there. It also blocks cookies, popups, ads, refers, etc.

Edit: More links below...

Retina/Iris (nmap used to be here, too): eEye

Ping Plotter (GUI traceroute): PP

VisualRoute (another graphical traceroute): VisualRoute

NeoTrace (yet another GTR): NeoTrace

Atelier Port Scanner: AWSPS

*nix nmap (may have a link to NT version): nmap

Misc small, free utils: AnalogX
 

celeritas

Senior member
Oct 13, 1999
935
0
0
Thanks. Actually, I left a lot of stuff out because I didn't want LadyDi to get into too much trouble. ;)

Edit: OK, just a little more ammo for people to potentially shoot themselves in the foot with... :)

A Windows all-in-one tool that has SNMP scanning capability: WS_Ping ProPack

Sorry, I won't divulge download sites for Anarchist Cookbook 2001. :p
 

IsOs

Diamond Member
Oct 9, 1999
4,475
0
76
Forgive me for asking, but what are the constructive uses for these tools? I had a few beings try some of these tools on my IP. I have not done anything about them.

A few more questions:
What is a Trinoo master probe?
Whatsup scan?



 

celeritas

Senior member
Oct 13, 1999
935
0
0


<< Forgive me for asking, but what are the constructive uses for these tools? I had a few beings try some of these tools on my IP. I have not done anything about them. >>

Good point. Although many people have used tools like these destructively (as well as other far more dangerous programs that I haven't mentioned), they can be vital to determining the overall security of one's own PC/network. Unfortunately, script kiddies are here to stay -- I'd rather discover that I was vulnerable after scanning myself than let one of them catch me with my pants down... :eek:

You are wise to avoid a knee jerk reaction to the lamers. As I said, trying to mount a blind attack against an unknown, supposed threat is just plain dumb. What if they knew what they were doing, spoofed their IP, and laughed as you attacked the wrong party? In addition to possibly making a very nasty enemy and alienating yourself from the offender's ISP, you are actually giving the other side ammo for approaching your own ISP, claiming that YOU violated its TOS. You could lose your account and suffer other nasty consequences...

Before getting mad and doing something we will regret later, we should count to ten and consider the situation a bit. The vast majority of people who annoy us with port/exploit scans are often just SK's who are using someone else's tools to rattle the doorknobs of a LOT of IPs, looking for open ones. Why? IMO, relatively few are doing it with the intention of messing up the systems they are feeling out. It is far more likely that they're looking to relay spam or find open FTP servers to host/download/transfer warez temporarily. Spammers, pirates, and couriers are hardly what you could call "hackers." Don't give them undue credit. :)

In any case, they are very rarely targeting you specifically. Even on 56k dialup, I receive at least a few probes every night. I don't take it personally. If you block incoming/outgoing ports that you don't need and run good anti-virus software you'll probably be fine. Here's one place that'll check you out: ShieldsUP.

<< What is a Trinoo master probe? Whatsup scan? >>

A Trinoo master probe scan is someone checking to see if you have Trinoo, a distributed denial of service (DDoS) zombie agent (of Yahoo, Eb@y, Amazon, etc. fame) on your system. If programs like ISS Scanner, CyberCop Scanner, etc. that check for this exploit are run on an IP they can cause "false positives" to appear on the recipient's firewall. DDoS is nasty -- luckily, it's pretty rare so far... The Whatsup scan is what you'll probably see if someone scans you with this program: WhatsUP.
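
Added example, not part of any post in this thread: a small log triage script that separates the kinds of probes described above (a port scan against one host, a single-port sweep across hosts, and a probe of a Trinoo port). The log format, addresses and thresholds are constructed for illustration, and the Trinoo port numbers are taken from public analyses of the tool, not from the thread.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed firewall drop log: the format and all addresses are made up.
SAMPLE_LOG = """\
2000-12-01 02:14:01 DROP TCP 203.0.113.7:4021 -> 192.0.2.10:21
2000-12-01 02:14:01 DROP TCP 203.0.113.7:4022 -> 192.0.2.10:23
2000-12-01 02:14:02 DROP TCP 203.0.113.7:4023 -> 192.0.2.10:25
2000-12-01 02:14:02 DROP TCP 203.0.113.7:4024 -> 192.0.2.10:80
2000-12-01 02:14:03 DROP TCP 203.0.113.7:4025 -> 192.0.2.10:139
2000-12-01 02:20:10 DROP TCP 198.51.100.4:1033 -> 192.0.2.10:21
2000-12-01 02:20:10 DROP TCP 198.51.100.4:1034 -> 192.0.2.11:21
2000-12-01 02:20:11 DROP TCP 198.51.100.4:1035 -> 192.0.2.12:21
2000-12-01 03:05:44 DROP TCP 198.51.100.9:2210 -> 192.0.2.10:27665
2000-12-01 09:00:00 DROP TCP 192.0.2.50:1500 -> 192.0.2.10:80
"""

LINE_RE = re.compile(r"^(\S+ \S+) DROP (TCP|UDP) ([\d.]+):\d+ -> ([\d.]+):(\d+)$")
# Trinoo ports per public analyses (assumption, not from the thread).
TRINOO_PORTS = {("TCP", 27665), ("UDP", 27444), ("UDP", 31335)}

def classify(log_text, port_threshold=5, host_threshold=3, window_s=60):
    """Map each source IP to the set of probe labels its dropped packets earn."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip unknown formats rather than guess
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        events[m.group(3)].append((ts, m.group(2), m.group(4), int(m.group(5))))
    labels = defaultdict(set)
    for src, evs in events.items():
        evs.sort()
        for i, first in enumerate(evs):  # window opening at each event
            ports, hosts = defaultdict(set), defaultdict(set)
            for ts, proto, dst, port in evs[i:]:
                if (ts - first[0]).total_seconds() <= window_s:
                    ports[dst].add((proto, port))
                    hosts[(proto, port)].add(dst)
            if any(len(p) >= port_threshold for p in ports.values()):
                labels[src].add("port-scan")  # many ports on one host
            if any(len(h) >= host_threshold for h in hosts.values()):
                labels[src].add("sweep")  # one port across many hosts
        if any((proto, port) in TRINOO_PORTS for _, proto, _, port in evs):
            labels[src].add("trinoo-probe")
    return dict(labels)

if __name__ == "__main__":
    print(classify(SAMPLE_LOG))
```

A source that touches only a port or two, or spreads its attempts over hours, earns no label, which keeps ordinary stray traffic out of the report.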
 

IsOs

Diamond Member
Oct 9, 1999
4,475
0
76
Celeritas, thank you for the information.

RoadRunner sometimes issues a DNS Spoof, why would they do that? Are they checking up on me?
 

celeritas

Senior member
Oct 13, 1999
935
0
0
What firewall software are you running? Do you have a DNS server on your LAN?

When I had my Win2k Adv. Server box running DNS and was also using my ISP's DNS numbers, I noticed that BlackIce would sometimes popup the "DNS spoof" warning. It was just a false alarm...

LadyDi: Please update the thread to let us know how Attacker, etc. is working for you. Thanks.
 

LadyDi

Member
Nov 6, 2000
57
0
0
Well, I have put Attacker on all the servers and on my system (just for jollies) and it's fine. Don't know why it's called attacker as I've found no attacking capabilities :) (I hear you on the "don't attack what you don't know" and will take your advice to heart)

We also took SuperScan from Foundstone. We already had WS Ping Pro Pack but kinda like SuperScan. It has nice functionality.

You are probably aware from my posts that I am new to the networking field. I was lucky to get a position as a Network Administrator working with someone who likes to do his own training and will pay for my cert. exams as they come up.

We are about to go live with a new ISP in town (Charlottesville, VA), and there are just so many things to get to before Dday.

I was very interested in the NT version of nMap and will play with that program some. I downloaded a program called Network Spy but it's killed one of my servers twice now so that's outta here. That means I'm still looking for a nice sniffer.

I have found this board to be very helpful and appreciate all the posts here, those directed at me as well as those not. celeritas, you are very helpful. My email is ddillon@iqworks.net

Diana

P.S. Are you sure there's an NT ver. of nmap? Here is a quote from the page you linked to, "There are currently no plans to port Nmap to Win95/98/NT. I suggest an upgrade to one of the many supported operating systems. Note that Linux, FreeBSD, OpenBSD, and NetBSD are all free for download and run on pretty much any PC (as well as other platforms) so there are few good reasons not to just install one (or all) of them."
 

LadyDi

Member
Nov 6, 2000
57
0
0
Seeing what the hacker sees
In addition to protecting against the well-known vulnerabilities, you need to see what the hacker sees when he looks at your network. The best way I've found to do this is to use nmap, a program that gives you a look at your network from a hacker-like perspective. A company called eEye has released a new version of this program for Windows NT. You can download it here. The company also offers an industrial-strength network security scanner called Retina, which helps discover and fix known and unknown vulnerabilities. This is an expensive, yet valuable, product.