Re: Arp spoofing & dsniff

From: Sumit Dhar (dhar@dexponet.com)
Date: Tue May 07 2002 - 10:19:11 EDT


> MAC duplicating makes sense if you also operate a DoS on the victim.
> However, this rather defeats the point :)

Somehow I have a feeling that the author is wrong when he says that "Mac
Duplicating is the way to go if you want to sniff the connection". Of the
three methods, I would rate it the crappiest. I feel it would only cause
some kind of DoS attack against the victim, which is the last thing you
want to do.

> As a side note, MAC flooding the switch has different results depending
> on the brand and model. In some cases, it is possible to force the
> switch to go back to hub mode.

And with that comes the performance loss. Yes, you can cause the switch
to go into failover mode, but if there are paranoid bastards around you,
one of them is bound to suspect the worst and investigate.. nah, we don't
want that, do we?? *S*

> If the victim and the server are on the same switch, there's no need for
> a gateway, and the victim might not even have one. In that case, it
> should be enough to just spoof the server's address for the victim, and
> spoof the victim's address for the server.

Quite correct. Though I did mention towards the end of my mail that a
machine on the local network would be impervious to this kind of an
attack...

Also, has anyone run arpspoof continuously for, say, something like 2-3
days?? I had some issues due to that... anyone else with similar
experience?

> > Once you have done that, you can use a tool like hunt to sniff the
> > connection. There are thousand other tools to do this job.. I just said
>
> If you're using arpspoof, chances are you also have dsniff installed on
> your box.

I am not sure whether dsniff allows you to hijack connections.. but hunt
does. I am sure that is one advantage of hunt over most other sniffers.
Yes if your aim is just to monitor, either can be used. These days I
have been playing around with lcrzoex.. which is pretty nifty too. :)

Cheers,
Dhar

PS: One of my friends asked me if there is a similar utility for
Windows. Are there (preferably free) ??
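
The two-way spoofing described in the quoted text above leaves a recognisable pattern in ARP traffic. As an added example that is not part of the original post, this Python sketch flags an IP whose MAC changes and a MAC that answers for more than one IP; the observation format, the function name and all addresses are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample: (timestamp_seconds, sender_ip, sender_mac) as taken from
# ARP replies seen on one switch segment. All addresses are made up.
SAMPLE = [
    (0,  "192.168.1.10", "00:11:22:33:44:10"),  # victim announces itself
    (1,  "192.168.1.20", "00:11:22:33:44:20"),  # server announces itself
    (5,  "192.168.1.30", "00:11:22:33:44:30"),  # third host on the segment
    (60, "192.168.1.20", "00:11:22:33:44:30"),  # server IP now claimed by third host's MAC
    (61, "192.168.1.10", "00:11:22:33:44:30"),  # victim IP claimed by the same MAC
    (90, "192.168.1.20", "00:11:22:33:44:20"),  # real server re-announces: flip-flop
]

def find_arp_anomalies(observations):
    """Return (changes, shared).

    changes: list of (ts, ip, old_mac, new_mac) for every IP whose MAC changed.
    shared:  dict mac -> sorted list of IPs, for MACs that claimed more than one IP.
    """
    current = {}                     # ip -> most recent MAC seen for it
    ips_by_mac = defaultdict(set)    # mac -> every IP it has claimed
    changes = []
    for ts, ip, mac in sorted(observations):
        mac = mac.lower()            # normalise case before comparing
        prev = current.get(ip)
        if prev is not None and prev != mac:
            changes.append((ts, ip, prev, mac))
        current[ip] = mac
        ips_by_mac[mac].add(ip)
    # A MAC with several IPs can be legitimate (router, proxy ARP, multi-homed
    # host), so treat this as a lead to check against known hosts, not proof.
    shared = {m: sorted(ips) for m, ips in ips_by_mac.items() if len(ips) > 1}
    return changes, shared

if __name__ == "__main__":
    changes, shared = find_arp_anomalies(SAMPLE)
    for ts, ip, old, new in changes:
        print(f"t={ts}s {ip} moved {old} -> {new}")
    for mac, ips in shared.items():
        print(f"{mac} answers for {', '.join(ips)}")
```

A mapping that flips back and forth between two MACs, as at t=90 in the sample, is the stronger signal, because the legitimate owner keeps re-announcing its address.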
