Re: Arp spoofing & dsniff

From: Ryan Russell (ryan@securityfocus.com)
Date: Mon May 06 2002 - 17:21:45 EDT


On Mon, 6 May 2002, kumar mahadevan wrote:

> 1. ARP spoofing.
> 2. MAC flooding.
> 3. MAC Duplicating.
>
> number 2 is not an option.
> number 1 is ok except I did not want to risk breaking
> Network connectivity even after enabling IP
> Forwarding.

You take just about as much chance of breaking connectivity with number 3
as you do with number 1, it depends on the switch. BTW, do you know what
brand of switch you're dealing with? Software rev?

> number 3 is "supposed to be the easiest" since one just
> changes to the NIC. Also according to this article
> there is no need to ARP Spoof, if using MAC
> Duplicating.
>
> -----> Hence, back to the original question:
> Even though your answer makes sense as well (although
> the victim computer has lost NO connectivity yet. The
> victim whose MAC address I have duplicated on my RH 7
> box has full network connectivity, still)

When you duplicate someone's MAC address, you're essentially trying to
fool the switch into thinking that you're the machine you're trying to
monitor, and get the switch to forward the traffic to you. Some switches
only allow a MAC address to be on one port (or sometimes one port within a
VLAN.) If that's the case, then you will get your victim's traffic, and
it won't. Some switches will send the traffic to both places (the only
real situation where this will work the way you want.)

Keep in mind that for a switch to even begin to think that the machine has
changed ports, you must transmit something with that MAC address as the
layer 2 source address. ARPs would be fine, but it can be anything. So,
to try this out, you have to change your MAC AND start transmitting. But,
you should plan on the victim being cut off unless you've been able to
determine how your switch will react.

                                        Ryan
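
Added example, not part of the original message: a toy model of the one-port-per-MAC switch behaviour described above. It shows that the table entry only moves when a frame with that source MAC is transmitted, and that the resulting port changes appear as MAC flapping a defender can alert on. The class, the threshold and the sample frames (documentation-range MACs) are constructed assumptions, not any vendor's implementation.

```python
from collections import defaultdict

class LearningSwitch:
    """Toy model of a switch that allows a MAC address on one port only."""

    def __init__(self):
        self.cam = {}                    # MAC -> port it was last seen on
        self.moves = defaultdict(list)   # MAC -> [(old_port, new_port), ...]

    def receive(self, in_port, src, dst):
        """Learn from the layer 2 source address, then return egress port(s)."""
        old = self.cam.get(src)
        if old is not None and old != in_port:
            self.moves[src].append((old, in_port))   # MAC changed ports
        self.cam[src] = in_port
        if dst in self.cam:
            return [self.cam[dst]]
        return "flood"                               # unknown destination

    def flapping(self, threshold=2):
        """MACs that changed ports at least `threshold` times."""
        return sorted(m for m, mv in self.moves.items() if len(mv) >= threshold)

# Constructed sample: (ingress port, source MAC, destination MAC)
GW, HOST = "00:00:5e:00:53:01", "00:00:5e:00:53:10"
FRAMES = [
    (1, GW, HOST),   # gateway on port 1, HOST not learned yet -> flood
    (2, HOST, GW),   # real host transmits on port 2
    (1, GW, HOST),   # delivered to port 2
    (3, HOST, GW),   # second station transmits with the same source MAC
    (1, GW, HOST),   # now delivered to port 3; port 2 gets nothing
    (2, HOST, GW),   # real host transmits again, entry moves back
    (1, GW, HOST),   # delivered to port 2 again
]

def run(frames):
    """Feed the frames through a fresh switch; return it and each egress decision."""
    sw = LearningSwitch()
    egress = [sw.receive(*f) for f in frames]
    return sw, egress

if __name__ == "__main__":
    sw, egress = run(FRAMES)
    for frame, out in zip(FRAMES, egress):
        print(frame, "->", out)
    print("MAC moves:", dict(sw.moves))
    print("flapping:", sw.flapping())
```

On a real switch the same signal is the MAC-move or "host flapping" log entry; a MAC that keeps alternating between two access ports is the condition to alert on.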
