Re: Arp spoofing & dsniff

From: Sumit Dhar (dhar@dexponet.com)
Date: Tue May 07 2002 - 07:23:03 EDT


> http://www.sans.org/newlook/resources/IDFAQ/switched_network.htm
> Which says, that there are 3 ways to sniff on switched networks.
> 1. ARP spoofing.
> 2. MAC flooding.
> 3. MAC Duplicating.

I had read that article some time back. The options 1 and 2 make sense
but 3 somehow doesn't seem to. Honestly speaking, I wouldn't try MAC
flooding too often. It might not be worth it. If you just want to see
how your network behaves, fine; but if you really want to sniff, MAC
flooding can cause a real problem on the network in terms of
performance.

Also, I personally wouldn't ARP spoof the whole network. It is possible
that there are some servers on the network which hold sensitive
information and might be running programs like arpwatch. No sense
triggering them off if all you want to do is capture data flowing from
machine A to machine B. Why not just arpspoof these machines?

When you try MAC duplicating, then you will both start competing for the
data on the switch. Also, by duplicating the victim's MAC, you cannot
capture the data he is sending. Let me explain this a little:

A: The victim's Machine.
B: The machine with which victim is communicating.
C: You
D: Gateway

If the victim is communicating with B, what is happening is as follows:

I) A --> B Packets flowing from A to B
II) B --> A Some packets flowing from B to A

Now you are spoofing A's MAC. You only get packets shown by II in the
diagram. I am sure a 50% solution is not what you are seeking? :)

> number 3 is "supposed to be the easiest" since one just
> changes to the NIC. Also according to this article
> there is no need to ARP Spoof, if using MAC
> Duplicating.

That sounds like crap!

> -----> how do I now get Telnet sessions originating
> from the victim to destination servers:23

You are on a switched network right? Use arpspoof to spoof the gateway.

        arpspoof -t A D

where A is the IP address of the victim and D is the IP of the gateway.

Enable IP forwarding.

Once you have done that, you can use a tool like hunt to sniff the
connection. There are a thousand other tools to do this job. I just said
the first one that came to mind. (Oh, hunt also allows you to hijack
sessions. That is another advantage.)

Remember, a local network connection which doesn't use the gateway will be
impervious to this attack.

Cheers,
Sumit Dhar (http://dhar.homelinux.com/dhar/)
Manager, Research and Product Development,
SLMsoft.com
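The reply above mentions arpwatch as the kind of program that notices the gateway-spoofing it describes (`arpspoof -t A D` makes the victim believe the gateway's IP lives at the attacker's MAC). The script below is an added example, not code from the post or from the arpwatch project: it shows the core check such a monitor performs. It keeps an IP-to-MAC table learned from ARP replies and raises an alert when an IP (the gateway especially) suddenly answers from a different MAC, or when one MAC starts answering for several IPs. The input lines are constructed samples in a tcpdump-like format that is assumed here, and the addresses (gateway 10.0.0.1, hosts 10.0.0.10/20/30) are made up for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Assumed tcpdump-style ARP reply line (constructed format for this example):
#   "12:00:03.000000 ARP, Reply 10.0.0.1 is-at 00:0c:29:dd:dd:dd, length 28"
ARP_REPLY_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) ARP, Reply (?P<ip>[\d.]+) is-at "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class ArpReply:
    ts: str
    ip: str
    mac: str


@dataclass(frozen=True)
class Alert:
    ts: str
    kind: str       # "ip-changed-mac" or "mac-claims-many-ips"
    ip: str         # the IP in the reply that triggered the alert
    detail: str
    severity: str   # "high" when the gateway address is involved


def parse_arp_reply(line: str) -> Optional[ArpReply]:
    """Return an ArpReply for ARP reply lines; None for anything else."""
    m = ARP_REPLY_RE.match(line)
    if not m:
        return None
    return ArpReply(m["ts"], m["ip"], m["mac"].lower())


class ArpMonitor:
    """Keeps IP->MAC and MAC->{IPs} tables, the way arpwatch keeps its database."""

    def __init__(self, gateway_ip: str):
        self.gateway_ip = gateway_ip
        self.ip_to_mac: Dict[str, str] = {}
        self.mac_to_ips: Dict[str, Set[str]] = {}
        self.alerts: List[Alert] = []

    def observe(self, r: ArpReply) -> List[Alert]:
        new: List[Alert] = []
        # Check 1: a known IP now answers from a different MAC (the effect of
        # arpspoof telling the victim that the gateway is at another MAC).
        known = self.ip_to_mac.get(r.ip)
        if known is not None and known != r.mac:
            sev = "high" if r.ip == self.gateway_ip else "medium"
            new.append(Alert(r.ts, "ip-changed-mac", r.ip, f"{known} -> {r.mac}", sev))
        self.ip_to_mac[r.ip] = r.mac  # follow the latest claim so repeats don't re-alert

        # Check 2: one MAC answering for more than one IP (its own and the
        # address it is impersonating).
        ips = self.mac_to_ips.setdefault(r.mac, set())
        ips.add(r.ip)
        if len(ips) > 1:
            sev = "high" if self.gateway_ip in ips else "medium"
            new.append(Alert(r.ts, "mac-claims-many-ips", r.ip,
                             f"{r.mac} now answers for {sorted(ips)}", sev))
        self.alerts.extend(new)
        return new


def scan(lines: List[str], gateway_ip: str) -> List[Alert]:
    """Run every ARP reply in `lines` through a fresh monitor; return all alerts."""
    mon = ArpMonitor(gateway_ip)
    for line in lines:
        r = parse_arp_reply(line)
        if r is not None:
            mon.observe(r)
    return mon.alerts


# Constructed sample capture: D = 10.0.0.1 (gateway), A = 10.0.0.10 (victim),
# C = 10.0.0.30. The last line is C's MAC claiming the gateway's IP.
SAMPLE_LINES = [
    "12:00:01.000000 ARP, Reply 10.0.0.1 is-at 00:0c:29:dd:dd:dd, length 28",
    "12:00:02.000000 ARP, Reply 10.0.0.10 is-at 00:0c:29:aa:aa:aa, length 28",
    "12:00:03.000000 ARP, Reply 10.0.0.30 is-at 00:0c:29:cc:cc:cc, length 28",
    "12:00:04.000000 ARP, Reply 10.0.0.10 is-at 00:0c:29:aa:aa:aa, length 28",
    "12:00:05.000000 IP 10.0.0.10.51234 > 10.0.0.20.23: Flags [S], length 0",
    "12:00:06.000000 ARP, Reply 10.0.0.1 is-at 00:0c:29:cc:cc:cc, length 28",
]

if __name__ == "__main__":
    for a in scan(SAMPLE_LINES, gateway_ip="10.0.0.1"):
        print(f"[{a.severity}] {a.ts} {a.kind} {a.ip}: {a.detail}")
```

The monitor follows the latest claim after alerting, so a steady attacker produces one alert per change rather than one per poisoned reply; the non-ARP line is skipped by the parser. As the post notes, a local connection that never touches the gateway is not affected by gateway spoofing, and this check would see nothing for it unless the peer's own IP were claimed by a new MAC.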



