Re: Arp spoofing & dsniff

From: kumar mahadevan (kumar_mahadevan_6@yahoo.ca)
Date: Mon May 06 2002 - 16:24:33 EDT


Thanks for the reply.

I am new to this so purely going by the theory on
SANS.
http://www.sans.org/newlook/resources/IDFAQ/switched_network.htm

Which says that there are 3 ways to sniff on switched
networks.

    1. ARP spoofing.
    2. MAC flooding.
    3. MAC Duplicating.

Number 2 is not an option.
Number 1 is OK except I did not want to risk breaking
network connectivity even after enabling IP
forwarding.

Number 3 is "supposed to be the easiest" since one just
changes to the NIC. Also according to this article
there is no need to ARP spoof if using MAC
duplicating.

-----> Hence, back to the original question:
Even though your answer makes sense as well (although
the victim computer has lost NO connectivity yet. The
victim whose MAC address I have duplicated on my RH 7
box has full network connectivity, still)

-----> how do I now get Telnet sessions originating
from the victim to destination servers:23
    

thanks again

kumar.

--- Ryan Russell <ryan@securityfocus.com> wrote:
> On Mon, 6 May 2002, kumar mahadevan wrote:
>
> > If I am on a Switched network and I change my MAC
> > address on my RH 7 box to the victim's (using
> > IFCONFIG). Now, how do I capture say for e.g Telnet
> > sessions between the victim and a server running
> > telnet service.
>
> If you change your MAC address to be that of the victim (the box in the
> same broadcast domain as your attacking machine) then you will be fighting
> the victim for control of the MAC address in the switch. The switch will
> alternately think that that MAC address is in one port, then another, as
> frames come in with that as a source address. In general, you'll just
> make the victim unable to communicate, and you won't be able to monitor
> most of the traffic.
>
> > I don't want to ARP cache poison nor MAC flood the
> > switch.
>
> Then your best bet is to poison the ARP cache on the victim, to make it
> think you're the other box, or the router. Configure your box to forward
> the packets so you don't break the communications.
>
>
> Ryan
>
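
The switch behaviour described in the quoted reply (one MAC address relearned on alternating ports as frames arrive) is also the signal a defender can watch for. The following is an added example, not part of the original thread: it replays source-MAC learning over observed frames and flags addresses that flap between ports. The port names, MAC addresses, window and threshold are constructed assumptions.

```python
from collections import defaultdict, deque

# Constructed sample: (seconds, ingress port, source MAC) as a switch sees frames.
FRAMES = [
    (0.0, "Gi0/1", "00:11:22:33:44:55"),   # host on its usual port
    (0.2, "Gi0/7", "00:11:22:33:44:55"),   # same MAC arrives on a second port
    (0.5, "Gi0/1", "00:11:22:33:44:55"),
    (0.9, "Gi0/7", "00:11:22:33:44:55"),
    (1.0, "Gi0/2", "00:aa:bb:cc:dd:ee"),   # unrelated, stable host
    (1.4, "Gi0/1", "00:11:22:33:44:55"),
    (30.0, "Gi0/3", "00:aa:bb:cc:dd:ee"),  # one move (host re-cabled), not flapping
]


def find_flapping_macs(frames, window=10.0, threshold=3):
    """Replay MAC learning; return {mac: sorted ports} for every MAC whose
    table entry moved between ports at least `threshold` times in `window` s."""
    cam = {}                      # MAC -> port currently learned
    moves = defaultdict(deque)    # MAC -> timestamps of recent port changes
    ports = defaultdict(set)      # MAC -> ports involved in those changes
    flagged = {}
    for ts, port, mac in sorted(frames):
        mac = mac.lower()
        prev = cam.get(mac)
        cam[mac] = port           # the switch relearns on every source address
        if prev is None or prev == port:
            continue              # first sighting or no change: nothing to count
        recent = moves[mac]
        recent.append(ts)
        ports[mac].update((prev, port))
        while recent and ts - recent[0] > window:
            recent.popleft()      # drop moves that fell out of the window
        if len(recent) >= threshold:
            flagged[mac] = sorted(ports[mac])
    return flagged


if __name__ == "__main__":
    for mac, seen_on in find_flapping_macs(FRAMES).items():
        print(f"MAC {mac} is flapping between ports {', '.join(seen_on)}")
```

A single move, such as a host being re-cabled, stays below the threshold; only repeated alternation inside the window is reported.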
