
Stealthy Passive Spliced Network Tap

45 points by dryicerx, over 15 years ago

7 comments

tptacek, over 15 years ago
I am surprised at how good this post is, given the topic. Something corporate security consultants become painfully aware of very quickly: it is startlingly easy to compromise the physical network of a huge company, and, having done so, an attacker has essentially limitless access to the victim's business processes.

The notion that a network team would actually use a TDR to find passive spliced taps on their network --- or, for that matter, even take the time to spot unexpected 802.11 wireless activity --- is laughable. Pick any company in the Fortune 100. Put on a dress shirt and a tie. Follow someone with a proxcard in through the side door after their smoke break. You will have their mainframe batch apps for months or years afterwards.
dnewcome, over 15 years ago
Shouldn't it be possible to do an inductive tap? You should be able to pick the signals up without severing any wires or actually connecting anything to the wires themselves. You would have to split the outer jacket of the cat5 cable, but once you isolate the pairs you should be able to get something going. The pairs are differential loops, so you should need only one inductive pickup per pair. Just an idea, not sure how feasible it would be, but I would have thought that this would be a standard way to do a tap. You'd need power for this though, so maybe that limits its usefulness. Could use PoE to power it though.
jf, over 15 years ago
An old coworker of mine wanted to use a tap like this to set up a secondary tamper-resistant syslog server alongside our central syslog server.

The secondary syslog server would only be connected to the "receive" pair of the primary syslog server and therefore only physically able to receive data - making it difficult to tamper with logs.
wallflower, over 15 years ago
Reminds me of this story that surfaced around the time of the AT&T vandals

> Within minutes of cutting the cable, three black SUV’s pulled up carrying men in suits who complained that their line was severed.

“The construction manager was shocked,” a worker told the Washington Post. “He had never seen a line get cut and people show up within seconds. Usually you’ve got to figure out whose line it is. To garner that kind of response that quickly was amazing.”

AT&T crews arrived the same day to fix the line, an unusually prompt response.

http://www.wired.com/threatlevel/2009/06/blackline/
colbyolson, over 15 years ago
What a cool, brief but informative, post. I want to try it out now!
oz, over 15 years ago
Some firewalls, like the open-source, FreeBSD-based pfSense, can operate in bridge mode, and thus are not addressable via IP.
tdmackey, over 15 years ago
I approve of this article. ;)