IP Watcher


IP-Watcher, written by Mike Neuman, president of En Garde Systems (http://www.engarde.com/), is in some ways an even more powerful tool for putting computer criminals behind bars. Neuman has worked closely with several customers to obtain arrests and convictions of these destructive intruders, which gives him the real-world experience needed to design a tool that gathers evidence that will stand up in court. While it gathers evidence, IP-Watcher can also protect your network by letting you hijack the attacker's IP session. You can secretly divert the attacker into a "jail" computer, where he or she will believe they are still at the IP address of the computer they originally broke into. If the visitor turns out to be a malicious intruder, you can record his or her activities to prove criminal intent while risking nothing outside the jail computer.

    This software was written, according to Neuman, with "our philosophy of manual intrusion detection ... based on the fact that an intruder must establish connections with other computers to accomplish his or her goal. These connections are an intruder's footprints, and the best way to catch the intruder is to have an advanced visualization of those footprints."

    The Windows version of IP-Watcher, T-sight, is, according to Neuman, even more advanced than IP-Watcher. Like EtherPeek, Neuman's products have an option to page you when they detect that someone has broken in.

    IP-Watcher would be a deadly tool in the hands of criminals. To prevent its abuse, En Garde Systems sells each copy pre-compiled for the particular network on which it will run, and enabled only to sniff and control IP sessions on that LAN. Neuman points out a number of ways IP-Watcher could be abused:

    • IP-Watcher can create network traffic with spoofed source and destination addresses. This makes it possible to kill any user's connection. While this is essential for stopping attackers, it also could be used to deny access to a legitimate user.
    • When IP-Watcher terminates a user's connection while trying to log in, it looks to the user like the network merely had a fault. Normally the user will try to log in again, at which point IP-Watcher can divert his connection so that it steals the user's password.
    • If a sysadmin uses the "su" command to enter a root account, IP-Watcher will sniff the cleartext password through its ability to log keystrokes.
    • This software also can be set to log what it sniffs in many small files. This is useful because it makes it hard for an intruder to edit log files. However, if IP-Watcher is in the hands of an attacker, this feature prevents the sysadmin from discovering a hidden sniffer by the technique of looking for unexplained large files.
    • Even one-time password systems are vulnerable to IP-Watcher. It can be used to hijack a trusted user's connection. While the user goes about his or her business, the intruder can secretly use the same connection to install back doors.
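
The fourth point above names the defender's counter-measure, looking for unexplained large files, and the evasion that defeats it, spreading sniffer output across many small files. The following check is an added example, not code from this chapter or from En Garde Systems; it keeps the classic large-file rule and adds a rule for directories filled with many small, recently written files. All thresholds, directory names and file sizes are assumptions.

```python
import os
import tempfile
import time


def find_suspicious_dirs(root, large_file=50_000_000, min_files=100,
                         small_file=64 * 1024, min_total=1_000_000,
                         recent_secs=3600, now=None):
    """Map suspicious directories (relative to root) to a reason.
    'large-file': one file of at least large_file bytes (the classic check).
    'many-small': at least min_files files below small_file bytes, all written
    within recent_secs, adding up to min_total bytes or more (assumed defaults)."""
    now = time.time() if now is None else now
    hits = {}
    for dirpath, _subdirs, files in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        small_count = small_total = 0
        for name in files:
            try:
                st = os.stat(os.path.join(dirpath, name))
            except OSError:
                continue  # vanished or unreadable: skip it, keep scanning
            if st.st_size >= large_file:
                hits[rel] = "large-file"
                break
            if st.st_size < small_file and now - st.st_mtime <= recent_secs:
                small_count += 1
                small_total += st.st_size
        else:  # no large file in this directory, so apply the many-small rule
            if small_count >= min_files and small_total >= min_total:
                hits[rel] = "many-small"
    return hits


def build_sample_tree():
    """Constructed sample data: 150 x 10 KB chunks in spool/ (sniffer style),
    one 2 MB file in dump/, and a harmless docs/. Returns the root path."""
    root = tempfile.mkdtemp(prefix="sniffcheck_")
    for sub, count, size in (("spool", 150, 10_240), ("dump", 1, 2_000_000),
                             ("docs", 1, 6_000)):
        os.mkdir(os.path.join(root, sub))
        for i in range(count):
            with open(os.path.join(root, sub, f"f{i:04d}"), "wb") as fh:
                fh.write(b"\x00" * size)
    return root

if __name__ == "__main__":
    hits = find_suspicious_dirs(build_sample_tree(), large_file=1_000_000)
    for d, why in sorted(hits.items()):
        print(f"{why:10s} {d}")
```

The demo lowers large_file so the constructed 2 MB dump trips the classic rule; with the default 50 MB threshold only the spool of small chunks is reported, which is exactly the case the plain large-file check misses.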

You can go to jail warning: Computer criminals may be tempted to attempt to break into the En Garde Systems' LAN in hopes of stealing the source code for T-sight and IP-Watcher. This is probably the best place to go if one sincerely wants to get convicted of a computer crime.

Conclusion

    Self defense against computer criminals is a topic that has long been neglected, because it requires you to think like an attacker and be intimately familiar with his or her tools and tactics. However, many systems administrators rely solely on commercial computer security products to keep the bad guys out. The problem is: no firewall is perfect!

    By contrast, if you use some of the software and techniques of this chapter to watch for and battle intruders, you have a fighting chance even if your firewall fails to stop the bad guys. Also, it can be fun to detect and fight your attackers. Be sure to save those TTY-Watcher logs so you can play back your latest hacker battle at parties!

© 1999 - 2008, MultiMedia SRL