Stealthed NIC - Windows 2000 11-16-2013, 08:42 AM
#1
Alright, I was just going through and cleaning up some old documents when I came across this little gem. This could be quite useful in a number of scenarios... however, it's a bit dated.
Anyone know or have experience on whether this works on more modern Windows operating systems like Windows 7 or 8?
Quote: Stealthing IDS Servers in a Windows 2000 Environment
by Benny T. <allegro16@hotmail.com>
Little is known about the stealth mode of a NIC on a Windows 2000 system. To put it simply, stealth mode enables a network interface to run without an IP address, subnet mask and gateway. You may wonder how in the hell a network interface operates without an IP address. This is indeed a unique feature in which the interface is still active (up) while cloaking itself with a NULL IP address, hiding (stealthing) itself from the view/detection of the rest of the entire network. So, you won't be able to detect/connect to a host using a network interface in stealth mode. This means that if you do a ping or traceroute or just telnet to certain ports, it will just fail and you would assume that the host is down or there is no such host with that IP/hostname.
Stealth mode is extremely useful and effective if you have an IDS to deploy. Since the IDS doesn't normally need to interact/connect with other hosts, you can just put the NIC into stealth mode. All the IDS does is listen in promiscuous mode on the stealthed interface, which is still active. The definite advantage of this is that potential attackers, or even normal users in an enterprise, would not even notice that an IDS is secretly monitoring all traffic transmitted around the network. This would also prevent attackers from possibly taking down/compromising the IDS server itself. So, let's say an attacker managed to penetrate the firewall and masquerade in the internal network itself. He/she wouldn't even know that the stealthed IDS is monitoring all the traffic he/she sends. This could be an effective way to establish a honeynet/honeypot within your enterprise.
An IDS which is in stealth mode is virtually impossible to compromise/take down. Perhaps the only way to compromise an IDS running in stealth NIC mode is when the IDS engine itself processes a bad packet, which then causes it to crash or just terminate. This could be due to flaws in the IDS engine itself.
To switch your network interface to stealth mode under Windows 2000, follow the steps below:
Obtain your NIC hex value, or the complete name of your NIC. If you are using Snort IDS, just do a simple snort -W to list all available interfaces. Each interface has a corresponding long hex value in its name. Obtain that hex value.
Open Regedit.exe or Regedt32.exe
Scroll down to:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}
Where XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX is the hex value for the network interface that you've obtained. There will be several values in the key, which are all the network settings for that particular interface.
Locate the IPAddress value (REG_MULTI_SZ type) and set it to NULL (double-click on the string, delete the data in the Multi-String Editor, then click OK).
Locate the SubnetMask value (REG_MULTI_SZ type) and set it to NULL (double-click on the string, delete the data in the Multi-String Editor, then click OK).
Locate the DefaultGateway value (REG_MULTI_SZ type) and set it to NULL (double-click on the string, delete the data in the Multi-String Editor, then click OK).
Close the Registry Editor, your changes will be saved automatically.
Now disable your network interface using the network connections settings and enable it back.
If you do an ipconfig, you will not see the interface in the list because it has a NULL IP, gateway and subnet mask. That means it has 0.0.0.0 as the IP, subnet mask and gateway. The interface is in stealth mode!
The whole trouble with editing the registry settings instead of doing it in the TCP/IP properties is that Windows doesn't allow you to specify the IP address as 0.0.0.0, which is certainly invalid. If you were to make this change via the TCP/IP properties, it would prompt an error message. That's why you need a workaround, which is the registry. Be informed that it is highly advisable to back up your registry first before performing this settings change, in case it gets screwed up.
An easier way in Windows 2000 is just to unbind TCP/IP from the NIC. On the network interface properties, uncheck TCP/IP from the list and click OK. Disable and enable back the network interface and you have stealth mode!
Also, note that while in stealth mode, there is totally no network connectivity through the stealthed interface. That means you can't browse the net, telnet, ping, traceroute or do any other network operations. But the interface is still running and active. And if you put a sniffer/IDS on the machine in promiscuous mode, you'll still be able to capture all packets traveling on the network. So an IDS will still be able to do packet inspection on all captured packets from the stealthed interface, but no one will be able to see that your IDS is running because it's stealthed. Cool, huh?
For Snort, you have to specify the interface which is stealthed. Just issue a command like: snort -dev -i1 to sniff all traffic from interface 1. If your interface number is not 1, enter the correct interface number. Or you can put Snort into IDS mode, just adding the -i option.
Written by Benny T.
7 June 2003
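Editor's added example (not part of the original post or Benny T.'s write-up): the same two recipes, the registry edit and the "unbind TCP/IP from the NIC" shortcut, expressed as a PowerShell script for a current Windows host (the NetAdapter cmdlets it uses ship with Windows 8 / Server 2012 and later). It assumes an adapter alias of "Ethernet" (a placeholder; substitute your capture NIC), administrative rights, and that the host has a second, normally configured NIC for management, since the stealthed one carries no IP traffic at all. The registry key path and the three REG_MULTI_SZ values are the ones named in the post; EnableDHCP is an additional value under the same key that the script clears so a DHCP-configured adapter does not just lease an address again. Both IPv4 (ms_tcpip) and IPv6 (ms_tcpip6) are unbound in the shortcut route, because IPv6 is bound by default on modern Windows and unbinding IPv4 alone would still leave a link-local IPv6 address answering on the wire.

```powershell
#Requires -RunAsAdministrator
# Added example: put a NIC into "stealth mode" (link up, no IP stack bound) on modern Windows.
# Names below are assumptions: "Ethernet" is a placeholder adapter alias.

param(
    [string]$AdapterName = "Ethernet",        # assumed alias; adjust to your capture NIC
    [ValidateSet("Unbind", "Registry")]
    [string]$Method = "Unbind"                # "Unbind" is the post's easier route
)

$nic  = Get-NetAdapter -Name $AdapterName -ErrorAction Stop
$guid = $nic.InterfaceGuid                    # e.g. {XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}
$keyNative = "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\$guid"
$keyPS     = "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\$guid"

# Back up the interface key first, as the post advises (reg.exe /y overwrites an old backup).
$backup = Join-Path $env:TEMP ("tcpip-" + $guid.Trim('{}') + ".reg")
reg.exe export ("HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\" + $guid) $backup /y | Out-Null

switch ($Method) {
    "Unbind" {
        # Same as unchecking TCP/IP in the adapter's Properties dialog. Unbind IPv6 too:
        # modern Windows binds it by default and it would otherwise keep a link-local address.
        Disable-NetAdapterBinding -Name $AdapterName -ComponentID ms_tcpip, ms_tcpip6
    }
    "Registry" {
        # The post's original recipe: empty the three REG_MULTI_SZ values under the key.
        # The .NET registry API is used because Set-ItemProperty does not reliably
        # write an empty multi-string.
        foreach ($name in "IPAddress", "SubnetMask", "DefaultGateway") {
            [Microsoft.Win32.Registry]::SetValue($keyNative, $name, [string[]]@(),
                [Microsoft.Win32.RegistryValueKind]::MultiString)
        }
        # A DHCP-enabled adapter ignores IPAddress, so turn DHCP off on this interface as well.
        Set-ItemProperty -Path $keyPS -Name EnableDHCP -Value 0 -Type DWord
    }
}

# Bounce the adapter so the stack re-reads its configuration (the post's disable/enable step).
Disable-NetAdapter -Name $AdapterName -Confirm:$false
Start-Sleep -Seconds 2
Enable-NetAdapter  -Name $AdapterName -Confirm:$false

# Verify: the link should be Up while no IPv4 or IPv6 address is assigned to it.
$status = (Get-NetAdapter -Name $AdapterName).Status
$addrs  = Get-NetIPAddress -InterfaceAlias $AdapterName -ErrorAction SilentlyContinue
"Adapter $AdapterName link status: $status"
if ($addrs) {
    "WARNING: addresses are still present on $AdapterName (not stealthed):"
    $addrs | Format-Table InterfaceAlias, AddressFamily, IPAddress -AutoSize
} else {
    "No IP addresses on $AdapterName. Registry backup written to $backup"
}

# Undo: Enable-NetAdapterBinding -Name $AdapterName -ComponentID ms_tcpip, ms_tcpip6
#   or: reg.exe import $backup   (then disable/enable the adapter again)
```

The script ends with a check rather than a promise: run it, then confirm with ipconfig /all and snort -W that the adapter shows Up with no address and is still listed as a capture source. The capture driver (WinPcap or Npcap) attaches beneath the protocol bindings, so an adapter with TCP/IP unbound is still a valid -i target for Snort, which is the property the post relies on. Prefer the Unbind route on a current host; the Registry route is included for fidelity with the post's 2003 steps, and the verification output is what tells you whether a given Windows build honours it.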