Detecting sniffers with HSD

Posted on by

I am aware of two command line tools available ‘on the market’ that are free and can be used to detect sniffers:

  • promiscdetect.exe by Arne Vidstrom from ntsecurity.nu
  • promqry.exe from Microsoft.

The first one i.e. promiscdetect.exe detects promiscuous mode of network cards by enumerating the entries that can be found under the following Registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards

It does not ‘see’ all devices/interfaces.

The second tool is better – promqry.exe ‘sees’ all interfaces yet the tool requires .NET and is quite slow. It is understandable, because it is a .NET application and it ‘talks’ to WMI to retrieve the information it needs.

The very same concept that is used by promqry.exe can be implemented with a simple vbs script e.g.:


Set wmi = GetObject("winmgmts:\\.\root\WMI")
Set items = wmi.ExecQuery("SELECT * FROM MSNdis_CurrentPacketFilter", "WQL", 48)
For Each oneitem In items
if (oneitem.NdisCurrentPacketFilter And 32) then
WScript.Echo "InstanceName: " & oneitem.InstanceName
WScript.Echo "Promiscuous mode detected!"
end if
Next

You can then run such script with cscript.exe or wscript.exe.

Using wrappers is nice and easy, yet not everyone wants to run commands that may in the end trigger execution of other applications/services, and/or create extra Prefetch files, especially during volatile data acquisition.

Removing the wrappers and talking directly to devices to get their status on promiscuous mode is quite simple. As mentioned, what both .NET or VBS scripts really do is talking directly to WMI. Conceptually WMI must find the device names for each of the interfaces and send them some status requests, but well, who knows what is really going on under the hood there.

Luckily, many people have researched it before and we can assume that at some stage the enumerated devices are being sent a IOCTL_NDIS_QUERY_GLOBAL_STATS/OID_GEN_CURRENT_PACKET_FILTER request via DeviceIoControl API. If the returned value has a NDIS_PACKET_TYPE_PROMISCUOUS (0x20) bit on, it means the promiscuous mode for this particular device is enabled. Yes, it is that simple. While Microsoft says ‘This IOCTL will be deprecated in later operating system releases. You should use WMI interfaces to query miniport driver information. For more information see, NDIS Support for WMI.’, I don’t see any reason why we shouldn’t be using it until they actually do 🙂

So, how can we enumerate all interfaces?

We can certainly talk to devices listed under the NetworkCards key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards

We can also talk to network devices listed under the following key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}

as explained 8 years ago here.

And this is precisely what Hexacorn Sniffer Detector (HSD) does. It is written in x86 asm, so it’s pretty small. It ‘encapsulates’ the functionality of promiscdetect.exe and promqry.exe as well as the technique described on SecurityFriday page.

Yes, it is slightly overengineered solution as the same device can be requested for status twice, but at least we have a certainty nothing is missed 🙂

To avoid noise, HSD reports only these devices that are in a promiscuous mode.

Last, but not least, there are other methods to enumerate interfaces – one can use GetIfTable/GetIfTable2/GetIfTableExAPI APIs. The problem is that the first one doesn’t enumerate all devices and the other ones are available on Vista+ only, so enumerating registry entries sounds like the best deal at the moment.

When you run HSD on a clean system, you should see something like this:

And with the active sniffer, you you should see the something along these lines:

You can download HSD here

Please let me know if you encounter any issues.