3/3/13

ZWEKNU

Creating a Receive-Only Ethernet NIC

When sniffing a network, it's ideal to have a receive (hereafter, Rx) only network interface. This insures that your sniffing activity is strictly passive. You are then protected against tools such as The L0pht's AntiSniff (assuming the sniffer has no other NICs whereby it might reveal its activities). The following details how to make such a beast from a standard Ethernet AUI NIC. If you have information on how to do this with 10BaseT, I would be extremely interested. Most NICS (especially notebooks) only come with 10/100BaseT or 10Base2 if you're lucky. Unfortunately, by the time we have a 10BaseT cable, we can't easily modify it to be receive only. The linkbeat is also carried on the Tx pins. Cutting them will kill our linkbeat and the hub will shut us off. It might be possible to do some sort of perverse splicing action where you steal the Tx from something like a cheap hub while sending the Rx to the listening station. Thanks to Doron Shikmoni <mailto:doron@isoc.org> for pointing out that clipping the Tx pins on 10BaseT would be inadequate and for coming up with the spliced cable idea. In the event that all you have is a 10BaseT/10Base2/something other than AUI interface, a good set of packet filter rules combined with disabling ARPs might do the trick. You would essentially have to block all incoming and outgoing TCP and UDP traffic as well as denying ARPs. Hopefully, but not necessarily, that will prevent your machine from responding to any sort of provocation. The fact remains that the only thing keeping the box from revealing its presence is the firewall rules. Improper rules or a broken protocol stack may circumvent your defensive steps. That's why it's best to have a device with the physical inability to transmit. For our purposes, we'll assume that your AUI transceiver is AUI -> 10BaseT, but it could be to any media type. That's the beauty of it: AUI has separate data and control pins so we can snip the data pins without affecting the control signals (unlike 10BaseT). You'll have a fully functioning member of the Ethernet, it just won't have the ability to send out data. This is a Good Thing [tm]. The diagram below illustrates the location of the numbered pins on an AUI connector. These will often be marked on the connector itself. (look closely, usually it's raised or engraved on the black plastic surface below the pins.)
. . . . . . 1 8 _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ \......../ \......./ 9 1 5

The following table lists the pinouts (for reference purposes): Ethernet AUI Pinouts Pin Ethernet Circuit Signal 3 10 DO-A DO-B Data Out Circuit A Data Out Circuit B
1/3

forum.ouah.org/zweknu.htm

3/3/13

ZWEKNU

11 5 12 4 2 9 1 6 13 14

DO-S DI-A DI-B DI-S CI-A CI-B CI-S VC VP VS

Data Out Circuit Shield Data In Circuit A Data In Circuit B Data In Circuit Shield Control In Circuit A Control In Circuit B Control In Circuit Shield Voltage Common Voltage Plus Voltage Shield (L25 and M25) Protective Ground

Shell PG

Clearly, we're interested in removing the ability of the NIC to Tx and thus give away our presence. Therefore, we need to cut the Data Out lines, pins 3 and 10. That's it. All this buildup for cutting two pins on the transceiver. Hopefully you learned something in the process. Now toss your box on a network, fire up t c p d u m pand have fun. If you have any other methods, I'd love to hear about them. Send me email. PostScript: I've gotten mail from people with some confusion regarding the difference between the NIC and the AUI transceiver itself. This method will not damage the NIC. If it does, you're doing something very wrong. The AUI transceiver is the little box that plugs into the AUI port on your NIC on one side and onto the network (10BaseT/10Base2/etc) on the other. This is the deal that we're hacking up for our Rx-only transceiver, not, I repeat not the NIC itself. Here's a [out of focus, cheapass SunCam] pic of the one that I used. Yours will probably look similar.

PostPostScript: Robert Graham < robert_david_graham@yahoo.com > has come up with a mechanism for 10BaseT Rx-only. Why I personally prefer the AUI approach because once you cut the pins, you're guaranteed
forum.ouah.org/zweknu.htm 2/3

3/3/13

ZWEKNU

not to be transmitting, sometimes all you have is 10BaseT. Check out http://www.robertgraham.com/pubs/sniffing-faq.html. Down towards the middle are some instructions for munging up a 10BaseT bad enough that it hopefully won't work for data but will continue to carry the linkbeat. PPPS: Orlan Franks, III <mailto:orlan@eskimo.tamu.edu> has another good idea: simply take two AUI transceivers, put them back-to-back (with a dual-female AUI cable between them). The following diagram illustrates:
w o r l d-T P / A U I= = = = = =A U I / T P-s n i f f e r x c e i v r x c e i v r

Now simply clip the appropriate pins between the two. In fact, as he points out, you could even use a switch on the cable to switch between Tx/Rx and Rx-only. This is probably the best one yet. You have a bulky cable when you're done, but now you can use a 10BaseT-only card to sniff. PPPPS: It's worth mentioning that another fine solution is simply to run a sniffer that doesn't have a network stack. You can get these for DOS. If there is no network stack, this is entirely undetectable. Of course, that's not real cool if all your protocol analysis runs under t c p d u m por you simply don't want to install DOS.

forum.ouah.org/zweknu.htm

3/3