

Stealthy Passive Spliced Network Tap - dryicerx
http://www.janitha.com/archives/146

======
tptacek
I am surprised at how good this post is, given the topic. Something corporate
security consultants become painfully aware of very quickly: it is startlingly
easy to compromise the physical network of a huge company, and, having done
so, an attacker has essentially limitless access to the victim's business
processes.

The notion that a network team would actually use a TDR to find passive
spliced taps on their network --- or, for that matter, even take the time to
spot unexpected 802.11 wireless activity --- is laughable. Pick any company in
the Fortune 100. Put on a dress shirt and a tie. Follow someone with a
proxcard in through the side door after their smoke break. You will have their
mainframe batch apps for months or years afterwards.

~~~
joshu
TDR?

~~~
dryicerx
Time Domain Reflectometer

------
dnewcome
Shouldn't it be possible to do an inductive tap? You should be able to pick
the signals up without severing any wires or actually connecting anything to
the wires themselves. You would have to split the outer jacket of the cat5
cable, but once you isolate the pairs you should be able to get something
going. The pairs are differential loops, so you should need only one inductive
pickup per pair. Just an idea, not sure how feasible it would be, but I would
have thought that this would be a standard way to do a tap. You'd need power
for this though, so maybe that limits its usefulness. Could use PoE to power
it though.

~~~
robotrout
They're not differential pairs for no reason. They're differential pairs
because they need to be, to keep the signal integrity at the edge rates needed
for that bandwidth at those distances.

The system is not that over-engineered, that you can throw away a bunch of the
engineering and still have a working link. To look at a single line on a scope
is often to see almost no signal at all. It's all noise. Only by looking at
the signal differentially, does the data appear.

As for inductive coupling: even if you used the entire differential signal,
you still will fail, I think. The currents are quite low, which means your
inductive pickup will need to be extremely sensitive. So sensitive, that I
would anticipate the system noise of your inductive pickup to be on the same
level as the signal you're trying to read, resulting in too much misread data
to do anything with.

Plus, it's not worth it. There's no way to tell that another high impedance
device has been added to the system. It won't change the impedance that some
hypothetical tamper detection system would be able to measure, in any
measurable way, so why not just add it using a direct connection?

~~~
dnewcome
Looking at one side of a balanced transmission line is not really very useful
on a scope since there is no reference that is meaningful other than the other
side of the line. Of course there would be lots of noise looking at only one
side, since the whole idea of a twisted pair line is to take advantage of
common-mode noise rejection at the receiving end.

Thinking about things more, you'd need to do the same common mode rejection in
the tap in order to not be overwhelmed by line noise, necessitating the use of
two pickups per pair. Careful physical design could allow a very sensitive
pickup to be designed while canceling noise common to both. However, as you
pointed out, low current could make things impossible still. But... the line
is driving an inductive coupling in the form of a transformer at the end in
order for things to work in normal operation though, so instinctively I think
that something could be made to work.

As for not being worth it, you are probably right, especially since both
approaches could be detected with the proper equipment.
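A small simulation, added here as an illustration and not code from either commenter, of the two points made above: common-mode noise on a twisted pair cancels when the receiver looks at the difference of the conductors (so a single-ended pickup sees mostly noise), while noise that a tap's own pickup adds independently to each conductor is not rejected. Voltage swings, noise levels and the NRZ encoding are constructed toy values, not real Ethernet signalling parameters.

```python
"""Single-ended vs differential pickup on a noisy balanced pair (toy model).

Constructed example: values are arbitrary, not real Ethernet levels.
"""
import random


def encode_bits(bits, swing=0.5):
    # NRZ: a 1 drives +swing on conductor A and -swing on B; a 0 the reverse.
    return [(swing, -swing) if b else (-swing, swing) for b in bits]


def add_noise(symbols, common_mode, pickup, rng):
    # common_mode: identical sample on both conductors (what twisting buys).
    # pickup: independent sample per conductor, standing in for the tap's
    # own front-end noise, which no amount of differencing removes.
    out = []
    for a, b in symbols:
        n = rng.gauss(0.0, common_mode)
        out.append((a + n + rng.gauss(0.0, pickup),
                    b + n + rng.gauss(0.0, pickup)))
    return out


def decode_single_ended(symbols):
    # Look at conductor A alone against a fixed 0 V reference.
    return [1 if a > 0 else 0 for a, _ in symbols]


def decode_differential(symbols):
    # Look at A - B: common-mode terms drop out of the subtraction.
    return [1 if (a - b) > 0 else 0 for a, b in symbols]


def bit_error_rate(sent, received):
    errors = sum(s != r for s, r in zip(sent, received))
    return errors / len(sent)


def simulate(n_bits=10000, common_mode=2.0, pickup=0.0, seed=1):
    # Returns BER for both decoders under the given noise mix.
    rng = random.Random(seed)
    bits = [rng.randint(0, 1) for _ in range(n_bits)]
    line = add_noise(encode_bits(bits), common_mode, pickup, rng)
    return {
        "single_ended": bit_error_rate(bits, decode_single_ended(line)),
        "differential": bit_error_rate(bits, decode_differential(line)),
    }


if __name__ == "__main__":
    # Common-mode noise four times the signal swing: one wire is useless,
    # the pair difference is still clean.
    print("common-mode only:", simulate())
    # Add independent pickup noise comparable to the swing: even the
    # differential reading degrades, as robotrout anticipates.
    print("with pickup noise:", simulate(pickup=1.0))
```

With common-mode noise alone the differential decoder makes no errors while the single-ended one is close to a coin flip; adding independent per-conductor noise at the swing level pushes the differential error rate to a few tens of percent, which is the "too much misread data to do anything with" regime.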

------
jf
An old coworker of mine wanted to use a tap like this to set up a secondary
tamper-resistant syslog server alongside our central syslog server.

The secondary syslog server would only be connected to the "receive" pair of
the primary syslog server and therefore only physically able to receive data -
making it difficult to tamper with logs.

~~~
dryicerx
You could, but for a _legit_ purpose such as logging traffic on a network,
doing a tap like this is not the best way to go. Use a switch with a SPAN
port, or alternatively there are commercial taps (for example from NetOptics)
that do exactly what you want... just in a much nicer/cleaner/proper way.

------
wallflower
Reminds me of this story that surfaced around the time of the AT&T vandals

> Within minutes of cutting the cable, three black SUV’s pulled up carrying
> men in suits who complained that their line was severed.

“The construction manager was shocked,” a worker told the Washington Post. “He
had never seen a line get cut and people show up within seconds. Usually
you’ve got to figure out whose line it is. To garner that kind of response
that quickly was amazing.”

AT&T crews arrived the same day to fix the line, an unusually prompt response.

<http://www.wired.com/threatlevel/2009/06/blackline/>

------
colbyolson
What a cool, brief but informative, post. I want to try it out now!

------
oz
Some firewalls, like the open-source, FreeBSD-based pfSense, can operate in
bridge mode, and are thus not addressable via IP.

------
tdmackey
I approve of this article. ;)

