Sniffing using Traditional RootKit
• Includes a sniffer that captures the first several characters of every session and writes them to a file
  – Good for capturing userids/passwords in ftp, telnet, and login sessions
• ifconfig on most Unix systems (except Solaris) will indicate whether the NIC is in promiscuous mode
• Facilitates hiding of the sniffer by including a trojanized ifconfig that lies about the PROMISC flag
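A cross-check for the trojanized ifconfig described above, as an added example that is not part of the original slides: it compares the flags word the Linux kernel exposes in /sys/class/net/<if>/flags with what ifconfig prints. The Linux sysfs path, the function names and the sample data are assumptions made for this illustration.

```python
import os
import re

IFF_PROMISC = 0x100  # IFF_PROMISC bit from <linux/if.h>

def read_sysfs_flags(root="/sys/class/net"):
    """Read each interface's raw flags word from sysfs (assumes Linux)."""
    flags = {}
    for name in os.listdir(root):
        try:
            with open(os.path.join(root, name, "flags")) as fh:
                flags[name] = fh.read()
        except OSError:
            continue  # not an interface directory, e.g. bonding_masters
    return flags

def kernel_promisc(sysfs_flags):
    """Interfaces whose sysfs flags word has the IFF_PROMISC bit set."""
    return {n for n, text in sysfs_flags.items()
            if int(text.strip(), 16) & IFF_PROMISC}

def ifconfig_promisc(output):
    """Interfaces that the given ifconfig output reports as PROMISC."""
    found, current = set(), None
    for line in output.splitlines():
        header = re.match(r"^(\S+?):?\s", line)  # stanza starts in column 0
        if header:
            current = header.group(1)
        if current and re.search(r"\bPROMISC\b", line):
            found.add(current)
    return found

def hidden_promisc(sysfs_flags, ifconfig_output):
    """Interfaces promiscuous according to sysfs but not according to ifconfig."""
    return sorted(kernel_promisc(sysfs_flags) - ifconfig_promisc(ifconfig_output))

# Constructed sample data: sysfs shows PROMISC on eth0, ifconfig omits it.
SAMPLE_SYSFS = {"eth0": "0x1103\n", "lo": "0x9\n"}
SAMPLE_IFCONFIG = """\
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.0.2.10  netmask 255.255.255.0
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
"""

if __name__ == "__main__":
    print(hidden_promisc(SAMPLE_SYSFS, SAMPLE_IFCONFIG))
```

Both inputs come from the suspect host, so a rootkit that runs in the kernel could falsify sysfs as well; this catches only the replaced-binary case. A mismatch is a lead rather than proof, because on Linux promiscuity requested through a packet socket can also be absent from ifconfig output.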