In my home network, I have a passive tap sitting between my cable modem and my router. Instead of spending a lot of money on one, I made my own; they are surprisingly simple to make and just as simple to use.
Let’s start with the wiring. At a local electronics store I bought four RJ-45 plugs. I probably shouldn’t have bought solder-less ones, but I didn’t feel like buying a board to solder them to. Two of the ports are the entry and exit for the link being monitored; the other two are the tap ports. Two tap ports are needed because inbound data is passed out through one of them and outbound data through the other.
Set up the wiring as shown in this wiring diagram (credit goes to the Snort team for the diagram):
Personally, I split open a network cable and used the wires inside so the color coding would match the diagram; that’s probably the easiest way to wire the ports.
After wiring the ports, test that data passed from one host port to the other host port arrives unchanged. Below is a picture of the tap I built. Yes, I know it’s very messy; the box I bought for it didn’t fit the way I wanted.
The next thing to do is to connect the two tap ports (labeled “tap 1” and “tap 2” in the picture above) to two NICs in the machine of your choice. I’m using FreeBSD to manage the bridge. If you want to monitor outbound and inbound traffic separately, you’re done: start tcpdump on one of the two interfaces and you will see all the traffic flowing in that direction.
If you want to see both outbound and inbound traffic on the same interface, you’ll need to bridge the two tap interfaces. On FreeBSD you can do that with the following:
shell> ifconfig bridge create
shell> ifconfig bridge0 addm ed0 addm ed1 monitor up
shell> tcpdump -i bridge0
(or run snort/bro-ids/argus/etc on interface bridge0)
In this case my network cards are ed0 and ed1; if your interfaces are named differently, substitute those names. You don’t need to assign an address to the bridge interface: only the receive wires are connected, so the monitoring machine couldn’t transmit through the tap even if it wanted to. For more advanced bridging, check out the FreeBSD manual on bridging.
Note that you’ll need a third network card in the monitoring machine if you want to manage it remotely.
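An added example (not code from the original post) that models the four-port 10/100 tap described above and checks the two properties the post relies on: the host link stays straight through, and the tap ports carry only receive pins, so the monitor cannot transmit. It assumes 100BASE-TX pin roles (pairs 1-2 and 3-6, one per direction), a PC-style NIC that receives on pins 3 and 6 and transmits on 1 and 2, and an arbitrary choice of which tap port is spliced onto which pair; the gigabit check covers the point made in the comments that 1000BASE-T uses all four pairs.

```python
# Added example (not code from the original post): a model of the four-port
# 10/100 passive tap with checks for what the post relies on. Assumed pin
# roles: 100BASE-TX uses pairs 1-2 and 3-6, one per direction; a PC-style
# (MDI) NIC receives on pins 3,6 and transmits on 1,2; tap_1 is spliced onto
# link pair 1-2 and tap_2 onto 3-6 (which tap gets which pair is arbitrary).
FAST_PAIRS = ((1, 2), (3, 6))                 # 10/100: two pairs, one per direction
GIG_PAIRS = ((1, 2), (3, 6), (4, 5), (7, 8))   # 1000BASE-T: all four pairs, both ways
NIC_RX = (3, 6)                                # receive pins of a monitor NIC
NIC_TX = (1, 2)                                # transmit pins of a monitor NIC

def build_tap():
    """Return the wiring as a list of wires; each wire is a list of (port, pin)."""
    # Straight-through host link: host_a pin N and host_b pin N share one wire.
    wires = [[("host_a", p), ("host_b", p)] for pair in FAST_PAIRS for p in pair]
    # Splice each tap port's receive pins onto one link pair (constructed layout).
    for tap, pair in (("tap_1", FAST_PAIRS[0]), ("tap_2", FAST_PAIRS[1])):
        for link_pin, rx_pin in zip(pair, NIC_RX):
            wire = next(w for w in wires if ("host_a", link_pin) in w)
            wire.append((tap, rx_pin))
    return wires

def host_link_intact(wires):
    """Every link pin still reaches the same pin number on the other host."""
    return all(any(("host_a", p) in w and ("host_b", p) in w for w in wires)
               for pair in FAST_PAIRS for p in pair)

def tap_is_passive(wires):
    """True when no tap port has a transmit pin on any wire: it cannot send."""
    return not any(port.startswith("tap") and pin in NIC_TX
                   for w in wires for port, pin in w)

def pair_seen(wires, tap):
    """Link pins (host_a side) that a tap port's receive pair is spliced onto."""
    return tuple(sorted(pin for w in wires
                        if any(p == tap and rx in NIC_RX for p, rx in w)
                        for port, pin in w if port == "host_a"))

def covers_link(wires, link_pairs):
    """True when every pair the link uses is seen by some tap port."""
    seen = {pair_seen(wires, t) for t in ("tap_1", "tap_2")}
    return all(pair in seen for pair in link_pairs)

if __name__ == "__main__":
    t = build_tap()
    print("host link intact:", host_link_intact(t), "| passive:", tap_is_passive(t))
    print("tap_1 sees pair", pair_seen(t, "tap_1"), "| tap_2 sees pair", pair_seen(t, "tap_2"))
    print("10/100 fully covered:", covers_link(t, FAST_PAIRS))
    print("gigabit fully covered:", covers_link(t, GIG_PAIRS))
```

The last check is why this build only works for 10/100 links: pairs 4-5 and 7-8 are never spliced, so a gigabit link cannot be fully observed this way.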

Pingback: links for 2008-02-25 at edsmiley.com
This is neat, I’m definitely trying it on my FreeBSD machine. I guess I don’t understand the way wiring works, but what’s the reason for the need to have 2 taps? Can it be done with one?
No, as you will need to combine outgoing traffic (TX) with incoming traffic (RX) as incoming traffic (RX) to your monitor host.
If you look up the pin configuration for wired ethernet you will see how it works and why you can’t merge them into a single interface.
Nice, I will definitely try this out at home. My question is: will this home-made tap support enterprise-level traffic?
I just wanted to say THANKS for putting this up!!! Very helpful and informative – worked great! I was surprised to find that snort.org NO LONGER has the detailed guide for creating your own copper tap that it used to have up – so thanks again for having it here !
-Grateful Internet User
Thank you, I will definitely try this out at home.
Very useful.
Too bad you need two NICs to listen.
RX and TX pinout all.
Just wondering but can’t a driver be adapted to use all pins for listening?
It could, but there’s always a chance that it could malfunction and send something over the wire. Then it wouldn’t truly be “passive”.
It should also be noted that this is only going to show 10/100 traffic, not gigabit. Gig-E uses all 4 pairs to transmit and receive.
Help for ‘Targeted Individuals’ targeted by feral Military Intelligence and National Security rackets:
——————————————————————————————————
24-12-11(AM)02:31
Found the ‘folder options’ of the ‘organize’ menu in windows explorer permanently greyed out. Advised by search for the terms, plus the words ‘targeted individuals’ to use the Group Policy editor (gpedit.msc) to change the setting. It had not been set, and *I didn’t change any setting in it while I ran it*, but found all of the greyed options (not just the Folder options) suddenly restored, and a *massive* performance speed up at the same time – as is usual when the 21SAS girls have been burned.
Also have just noticed that the Java updater, which I had killed in the task manager, has (for the first time in my experience) just restarted itself.
A few moments later, I found several of the previously spontaneously re-enabled Explorer shell options re-disabled.
I have also noticed that all of the folders appear to have the ‘Read Only’ attribute set, and it remains set after unchecking the box and applying the change to all files and folders below – showing another attack strategy I have previously observed in the context of my router: That the user interface logic is decoupled by the attackers from the back-end operating system (in this case, the file system) – and the attackers’ filter software interposed between the two.
——
ntuser.dat.log1 hot switch registry copies to switch attacker’s software in and out as necessary to prevent detection:
I reset the folder options in my user account folder to show all files including hidden and system, and saw the file ntuser.dat.log1, as well as the usual ntuser.dat registry database file.
It made me wonder if the apparent ‘hot switching’ of the 21SAS Girlz filter and surveillance software is being done by flipping in and out registry shadow copies in real time, in response to my computer usage, in cases where my activity either discovers or risks discovering their surveillance software footprint.
To forensically undermine this exploit:
—————————————
1) Buy a bare-bones 2.5″ HDD-USB disk interface to enable laptop drives to be attached to another computer in offline mode for analysis during the following steps.
2) Buy two identical internal laptop drives, same make, model, hardware and firmware.
3) With one of the new drives installed, perform a clean install of the operating system on the laptop.
- Do not at any point register or otherwise connect the computer to the internet during or after the install, and take steps to physically prevent it happening.
- Make sure though that all hardware that will be available in normal operation is available during the install, so that the proper device drivers get loaded and hence do not attempt to install when the OS is first made live.
- Use a similar variant of your usual preferred user name for the default user account, and a good password which you have not used before. (If the username is too different from your usual choices, the attackers may suspect a trap).
4) Take an offline *sector* (rather than files only) disk image of the new operating system installed in step 3 on to the second of the two drives bought in step 2.
- Use a freshly installed OS on another computer, with appropriate disk imaging software (such as Norton Ghost) for this purpose.
- Make sure that the computer used to perform the disk image has never been left unattended in an empty property or connected to the internet, and is physically incapable of internet access.
5) Boot and run the sacrificial operating system, then connect it to the internet as a ‘honeypot’ for the attackers.
6) Allow the attackers to infiltrate – buffer overrun exploits, brute-force username/password cracks etc. will be tried – look for:
- sudden extensive disk activity
- noticeable loss of operating system performance and responsiveness, hangs and event viewer errors from security devices (such as trusted platform modules)
- spontaneous start up of virus scanning software (which provides disk activity which can be used to cover the activity caused by the attackers installing their software)
- Small areas of display bitmap corruption, possibly indicating buffer overrun (code injection) exploits
- watch for the “<” (expand) systray arrow to appear, which (I have noticed) usually happens spontaneously when the attackers have managed to infiltrate successfully.
- A beep from a nearby surveillance vehicle car horn. This usually occurs when infiltration has been achieved.
- Other spontaneous OS behaviour changes (not listed for opsec reasons).
7) Take down the infiltrated operating system and create another offline (sector) image on the clean computer used for the purpose in step 4.
8) On the clean computer used in steps 4 and 7, attach the drive images in read-only mode, preferably as disks in a virtualized PC environment.
9) Difference the disks at file level and sector level, and examine the results. Investigate any files that have appeared (even if they apparently are only non-executable).
10) Use an offline registry viewer for differencing if multiple (new) shadow registry files are found.
- Such files may not have MFT entries, but may still have the same signature and structure as the standard filetype they represent.
- Export all registry hives from each shadow copy, and difference the generated text files.
11) Treat unexplained new (non-file) data on the disk with suspicion, and look for the signature of hidden encrypted disks or files on the honeypot disk. Encrypted data can be profiled by the fact it usually has a high degree of entropy – a good indicator of this is that it does not compress well with winzip etc, although if it is not binary coded (say, it uses ASCII or BCD), this may not hold, although other methods can be used in these cases.
12) Note that as another level of cover, attackers may infiltrate during or after Windows Update has downloaded and installed updates to the newly installed honeypot operating system when it is first run (it is usual that Windows Update will try to do this at first boot).
- Since Windows Update will change multiple operating system files even in normal operation, any changes made by the attackers should they infiltrate successfully will be far harder to detect by differencing the clean/offline disk image made in step 4 with the hacked copy made in step 7.
- To manage this, Windows Update should be disabled before the OS has been first connected to the internet, or the OS should be installed from an installation source which has had all available updates slipstreamed from a *trusted source* prior to installation so that no updates will be downloaded or installed on booting.
13) Use your passive network tap (http://thnetos.files.wordpress.com/2008/02/tapdiagram.gif) to monitor and log traffic on your network from the sacrificial computer. Changes in network activity (particularly if they are not logged or reported by the OS) indicate infiltration.
14) Post findings on the internet!
—
04:05 – Google Chrome Bookmarks (star button next to URL) Most Recently Used List found reset after I completed this document. This indicates infiltration and redaction of bookmarks has occurred (this is not conjecture – I have verified by differencing that remote deletion of sensitive bookmarks has happened on many occasions).
(Update: Noticed a bug in this procedure – sorry – hopefully this will fix it):
Help for ‘Targeted Individuals’ targeted by feral Military Intelligence and National Security rackets:
——————————————————————————————————
24-12-11(AM)02:31
Found the ‘folder options’ of the ‘organize’ menu in windows explorer permanently greyed out. Advised by search for the terms, plus the words ‘targeted individuals’ to use the Group Policy editor (gpedit.msc) to change the setting. It had not been set, and *I didn’t change any setting in it while I ran it*, but found all of the greyed options (not just the Folder options) suddenly restored, and a *massive* performance speed up at the same time – as is usual when the 21SAS girls have been burned.
Also have just noticed that the Java updater, which I had killed in the task manager, has (for the first time in my experience) just restarted itself.
A few moments later, I found several of the previously spontaneously re-enabled Explorer shell options re-disabled.
I have also noticed that all of the folders appear to have the ‘Read Only’ attribute set, and it remains set after unchecking the box and applying the change to all files and folders below – showing another attack strategy I have previously observed in the context of my router: That the user interface logic is decoupled by the attackers from the back-end operating system (in this case, the file system) – and the attackers’ filter software interposed between the two.
——
ntuser.dat.log1 hot switch registry copies to switch attacker’s software in and out as necessary to prevent detection:
I reset the folder options in my user account folder to show all files including hidden and system, and saw the file ntuser.dat.log1, as well as the usual ntuser.dat registry database file.
It made me wonder if the apparent ‘hot switching’ of the 21SAS Girlz filter and surveillance software is being done by flipping in and out registry shadow copies in real time, in response to my computer usage, in cases where my activity either discovers or risks discovering their surveillance software footprint.
To forensically undermine this exploit:
—————————————
1) Buy a bare-bones 2.5″ HDD-USB disk interface to enable laptop drives to be attached to another computer in offline mode for analysis during the following steps.
2) Buy two identical internal laptop drives, same make, model, hardware and firmware.
3) With one of the new drives installed, perform a clean install of the operating system on the laptop.
- Do not at any point register or otherwise connect the computer to the internet during or after the install, and take steps to physically prevent it happening.
- Make sure though that all hardware that will be available in normal operation is available during the install, so that the proper device drivers get loaded and hence do not attempt to install when the OS is first made live.
- Use a similar variant of your usual preferred user name for the default user account, and a good password which you have not used before. (If the username is too different from your usual choices, the attackers may suspect a trap).
4) Take an offline *sector* (rather than files only) disk image of the new operating system installed in step 3 on to the second of the two drives bought in step 2.
- Use a freshly installed OS on another computer, with appropriate disk imaging software (such as Norton Ghost) for this purpose.
- Make sure that the computer used to perform the disk image has never been left unattended in an empty property or connected to the internet, and is physically incapable of internet access.
5) Boot and run the sacrificial operating system, then connect it to the internet as a ‘honeypot’ for the attackers.
6) Allow the attackers to infiltrate – buffer overrun exploits, brute-force username/password cracks etc. will be tried – look for:
- sudden extensive disk activity
- noticeable loss of operating system performance and responsiveness, hangs and event viewer errors from security devices (such as trusted platform modules)
- spontaneous start up of virus scanning software (which provides disk activity which can be used to cover the activity caused by the attackers installing their software)
- Small areas of display bitmap corruption, possibly indicating buffer overrun (code injection) exploits
- watch for the “<” (expand) systray arrow to appear, which (I have noticed) usually happens spontaneously when the attackers have managed to infiltrate successfully.
- A beep from a nearby surveillance vehicle car horn. This usually occurs when infiltration has been achieved.
- Other spontaneous OS behaviour changes (not listed for opsec reasons).
7) You now have two disks: one which has been exposed to the attackers, and one which has not.
8) On the clean computer used in step 4, attach the two drives in read-only mode, preferably as disks in a virtualized PC environment.
9) Difference the disks at file level and sector level, and examine the results. Investigate any files that have appeared (even if they apparently are only non-executable).
10) Use an offline registry viewer for differencing if multiple (new) shadow registry files are found.
- Such files may not have MFT entries, but may still have the same signature and structure as the standard filetype they represent.
- Export all registry hives from each shadow copy, and difference the generated text files.
11) Treat unexplained new (non-file) data on the disk with suspicion, and look for the signature of hidden encrypted disks or files on the honeypot disk. Encrypted data can be profiled by the fact it usually has a high degree of entropy – a good indicator of this is that it does not compress well with winzip etc, although if it is not binary coded (say, it uses ASCII or BCD), this may not hold, although other methods can be used in these cases.
12) Note that as another level of cover, attackers may infiltrate during or after Windows Update has downloaded and installed updates to the newly installed honeypot operating system when it is first run (it is usual that Windows Update will try to do this at first boot).
- Since Windows Update will change multiple operating system files even in normal operation, any changes made by the attackers should they infiltrate successfully will be far harder to detect by differencing the clean/offline disk image made in step 4 with the hacked copy made in step 7.
- To manage this, Windows Update should be disabled before the OS has been first connected to the internet, or the OS should be installed from an installation source which has had all available updates slipstreamed from a *trusted source* prior to installation so that no updates will be downloaded or installed on booting.
13) Use your passive network tap (http://thnetos.files.wordpress.com/2008/02/tapdiagram.gif) to monitor and log traffic on your network from the sacrificial computer. Changes in network activity (particularly if they are not logged or reported by the OS) indicate infiltration.
14) Post findings on the internet!
—
04:05 – Google Chrome Bookmarks (star button next to URL) Most Recently Used List found reset after I completed this document. This indicates infiltration and redaction of bookmarks has occurred (this is not conjecture – I have verified by differencing that remote deletion of sensitive bookmarks has happened on many occasions).
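The sector-level differencing (step 9) and the entropy test for unexplained data (step 11) from the comment above, as an added example that is not part of the comment. It constructs two small in-memory images in place of real drives; RANDOM_BITS and the 0.95 compression cutoff are assumed thresholds, and the hex-decoding step is one concrete instance of the "other methods" the comment alludes to for text-encoded data.

```python
# Added example (not code from the comment above): sector-level differencing of
# a clean image against the image taken after exposure (step 9), then the
# entropy and compressibility test for unexplained data (step 11), with the
# comment's caveat handled: text-encoded (here hex) ciphertext compresses, so it
# is decoded and re-tested. Both "images" are constructed bytes; thresholds assumed.
import math
import random
import zlib
from collections import Counter

SECTOR = 512
RANDOM_BITS = 6.5   # assumed cutoff: text sits near 4-5 bits/byte, short random samples near 7+
HEX_DIGITS = frozenset(b"0123456789abcdefABCDEF")

def changed_sectors(clean, suspect, sector=SECTOR):
    """Indices of sectors that differ between the two images (either may be longer)."""
    n = max(len(clean), len(suspect))
    return [i // sector for i in range(0, n, sector)
            if clean[i:i + sector] != suspect[i:i + sector]]

def shannon_entropy(data):
    """Bits per byte; 8.0 is the ceiling, reached only by uniformly random bytes."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def compression_ratio(data):
    """Compressed size over original size; about 1.0 means zlib found no redundancy."""
    return len(zlib.compress(data, 9)) / len(data) if data else 1.0

def classify_sector(data):
    """Label a changed sector using the two indicators the comment describes."""
    if shannon_entropy(data) > RANDOM_BITS and compression_ratio(data) > 0.95:
        return "random-looking (possibly encrypted)"
    # Step 11 caveat: hex text compresses to about half, so decode and test again.
    if data and len(data) % 2 == 0 and set(data) <= HEX_DIGITS:
        if shannon_entropy(bytes.fromhex(data.decode("ascii"))) > RANDOM_BITS:
            return "random-looking (hex-encoded)"
    return "ordinary"

def report(clean, suspect):
    """Map each changed sector index to its classification."""
    return {i: classify_sector(suspect[i * SECTOR:(i + 1) * SECTOR])
            for i in changed_sectors(clean, suspect)}

# Constructed sample images: eight dull sectors, then three kinds of change.
_rng = random.Random(20080225)                                      # fixed seed
CLEAN_IMAGE = b"".join((b"clean sector %d " % i).ljust(SECTOR, b".") for i in range(8))
_raw = bytes(_rng.getrandbits(8) for _ in range(SECTOR))            # looks encrypted
_hex = bytes(_rng.getrandbits(8) for _ in range(SECTOR // 2)).hex().encode()
_log = (b"new log line\n" * 50)[:SECTOR]                            # ordinary text
SUSPECT_IMAGE = (CLEAN_IMAGE[:3 * SECTOR] + _raw + CLEAN_IMAGE[4 * SECTOR:5 * SECTOR]
                 + _hex + _log + CLEAN_IMAGE[7 * SECTOR:])
if __name__ == "__main__":
    print(report(CLEAN_IMAGE, SUSPECT_IMAGE))   # sectors 3, 5 and 6 changed
```

On real drives, read both images in equal-sized chunks instead of loading them whole, and treat a high-entropy hit as a lead to examine, not proof of encryption: compressed archives and some media formats score the same way.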
did it. worked. thank you.
Greetings.
Please, post some solution for 1Gig network.
It’s really important to make some universal device for 10/100/1000 Mbps, full/half duplex.
Thanx.