Would the malicious user be able to tell when the administrator was using Netmon?
He would be able to tell if the administrator was using the full version of Netmon, as it transmits a multicast packet when it puts the network interface into promiscuous mode. The malicious user would just need to write an application that watched for the multicast packet and recorded what machine transmitted it. It would be more difficult for the malicious user to determine whether someone was running Netmon Lite, as it doesn’t put the network interface into promiscuous mode, and as a result doesn’t send a multicast packet. Netmon Lite does provide one way to tell if it’s running – if another machine is running Netmon Lite, it can send a query to determine whether any other machines on the same network segment are also running it. This means that the malicious user could determine if someone was running Netmon Lite, but only if he already had administrative control of a server on the same network segment as the administrator.
Related Questions
- Would the malicious user need to send the malformed frame directly to the machine that was running Netmon, or could he just put it onto the network segment?
- If the vulnerability were exploited to cause the malicious users code to run on the administrators machine, what could it do?
- Would this vulnerability enable a malicious user to attack the administrator the moment he began monitoring the network?
