From: Liam Randall (lrandall@isa-inc.com)
Date: Tue Aug 09 2005 - 09:56:49 EDT
If you are testing against a live setup there are a couple of ARP spoofing issues you really need to be careful about- the ASICs in many older switches only support one global MAC address table. Attached is a post I made to INET in 4/21/2003 about this issue on HP 4000Ms; when I talked to the HP engineers about this they said their newer switches, specifically 4100gl's (and most others), will replicate traffic out to "both" ports that have the same MAC address. As noted below, in the firmware at the time you could even do this across VLANs!! I have no idea if they ever fixed this or not.
Just hate to see ya accidentally DOS the application.
Liam Randall
Network Engineer
<-- Looked for an online link to this thread but the archive only goes back to July of '03 --->
I learned this one the hard way: HP 4000m's only have one forwarding table per switch. To make sure were on the same page, I believe that what you are concerned about is this:
User on port A1 has MAC AA:AA:AA:AA:AA:AA
User on port B1 wants to sniff his traffic, so he crafts a packet, replies to an arp request, etc., that MAC AA:AA:AA:AA:AA:AA is on B1.
On a 4000m the traffic will now actually be rerouted so that it now _only_ goes out on port B1; even if they are on different VLANS!
On the plus side you won't miss that happening. You don't need to explicitly monitor for it, if it happens you'll know. The machine in question will seemingly disappear from the network, etc.; I'd explicitly watch SNMP if you're having problems w/ this now.
On the negative side this means that one hosted customer (or whatever your situation) can cause severe problems for another one.
If this does happen, on the 4000m it will 'flap' (I think that's the term for it), the ports back and forth as each port reports that it has MAC address AA:AA:AA:AA:AA:AA on it. A second level tech told me that he thought that it was a hardware limitation; however I don't know that for a fact. They may have fixed this in a recent firmware release; they did confirm that the most recent series of switches (5800's maybe?) supported multiple tables.
I ran into this error configuring the 'secret' options on a SonicWall Firewall ProVX; there is a hidden page that allows you to toggle whether the 'LAN' side and the 'WAN' side have the same MAC address. YMMV, however with the firmware that I was on at the time it defaulted to 'LAN MAC'='WAN MAC'. I used the device to 'bridge' between a public VLAN and a private VLAN; although I think I just explained why that might be a bad idea. :)
To be fair I have to point out that, besides this, these are great inexpensive modular managed switches. Full featured, easy to manage, configure, and monitor. HPs support on them has been top notch.
Thanks,
Liam G. Randall
Manager, Information Systems
Industrial Services of America
-----Original Message-----
From: Daniel J. Vance [mailto:techlists@rvi.net]
Sent: Friday, April 18, 2003 7:47 PM
To: inet access
Subject: arp poisoning/sniffing on network with HP 4000m --djv
Hi,
We are concerned that people can sniff on our network by poisoning the arp
cache. Aside from statically creating arp tables, what other defenses do we
have? I've read about mac binding, is that the same as port security? If
so, port security on the 4000m doesn't seem like it will limit arp spoofing.
I look forward to peoples input.
-Daniel
----------------------------------------------
Daniel J. Vance, CCNA | dvance@uci.net
Network Administrator | http://www.uci.net
541-472-0733 | UNICOM (ASN 14342)
-
Send 'unsubscribe' in the body to 'list-request@inet-access.net' to leave.
Eat sushi frequently. inet@inet-access.net is the human contact address.
-
Send 'unsubscribe' in the body to 'list-request@inet-access.net' to leave.
Eat sushi frequently. inet@inet-access.net is the human contact address.
<---- END PASTE ---->
-----Original Message-----
From: Rodrigo Blanco [mailto:rodrigo.blanco.r@gmail.com]
Sent: Sunday, August 07, 2005 8:07 AM
To: Andres Molinetti
Cc: pen-test@securityfocus.com
Subject: Re: Redirecting traffic
Hello Andrés,
I wold say that if you ARP-spoof the client, you will be able to
perform a full man-in-the-middle attack betwee the client and the
server on Layer 2 (no layer 3 - routing, IP) changes needed.
An application like ettercap should be a good beginning for this. It
is really easy to use and you ca find plenty of doc just by googling.
Regards,
Rodrigo.
On 8/5/05, Andres Molinetti <andymolinetti@hotmail.com> wrote:
> I am pen-testing a client application and I 've found, analysing traffic
> dumps, that it seems to connect to a hardcoded internal IP and retrieve data
> from a strange port that is afterwards displayed in the application.
> I want to be able to redirect that traffic to another IP in order to test it
> for overflows and other issues.
> I have found a way to change the default gateway of the application's host.
> So I thought of setting my linux box as its gateway and using iptables to
> redirect the traffic to the other IP.
> I'm needing help with the building of the rules...
>
> Thks,
> Andy
>
> _________________________________________________________________
> Descubre la descarga digital con MSN Music. Más de medio millón de
> canciones. http://music.msn.es/
>
>
> ------------------------------------------------------------------------------
> FREE WHITE PAPER - Wireless LAN Security: What Hackers Know That You Don't
>
> Learn the hacker's secrets that compromise wireless LANs. Secure your
> WLAN by understanding these threats, available hacking tools and proven
> countermeasures. Defend your WLAN against man-in-the-Middle attacks and
> session hijacking, denial-of-service, rogue access points, identity
> thefts and MAC spoofing. Request your complimentary white paper at:
>
> http://www.securityfocus.com/sponsor/AirDefense_pen-test_050801
> -------------------------------------------------------------------------------
>
>
------------------------------------------------------------------------------
FREE WHITE PAPER - Wireless LAN Security: What Hackers Know That You Don't
Learn the hacker's secrets that compromise wireless LANs. Secure your
WLAN by understanding these threats, available hacking tools and proven
countermeasures. Defend your WLAN against man-in-the-Middle attacks and
session hijacking, denial-of-service, rogue access points, identity
thefts and MAC spoofing. Request your complimentary white paper at:
http://www.securityfocus.com/sponsor/AirDefense_pen-test_050801
-------------------------------------------------------------------------------
------------------------------------------------------------------------------
FREE WHITE PAPER - Wireless LAN Security: What Hackers Know That You Don't
Learn the hacker's secrets that compromise wireless LANs. Secure your
WLAN by understanding these threats, available hacking tools and proven
countermeasures. Defend your WLAN against man-in-the-Middle attacks and
session hijacking, denial-of-service, rogue access points, identity
thefts and MAC spoofing. Request your complimentary white paper at:
http://www.securityfocus.com/sponsor/AirDefense_pen-test_050801
-------------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:43 EDT