From: Evans, Arian (Arian.Evans@fishnetsecurity.com)
Date: Mon Oct 31 2005 - 14:52:10 EST
So in summary:
1. Read the post below (great summary).
2. Use dsniff, Ettercap (still under active
development, unlike dsniff), or Cain & Able
(runs on windows) to execute arp-cache poisoning
or mac-spoofing attacks.
3. Most vendors support a function as mentioned
below, usually called a /span or /mirror port,
that you can use to span a switch port, vlan,
or even the entire traffic of a switch backplane.
-ae
> -----Original Message-----
> From: Volker Tanger [mailto:vtlists@wyae.de]
> Sent: Saturday, October 29, 2005 5:48 AM
> To: pen-test@securityfocus.com
> Subject: Re: Sniffing on a switch
>
>
> Greetings!
>
> On Thu, 27 Oct 2005 19:55:04 -0700
> "Andy Meyers" <andy.meyers@hushmail.com> wrote:
>
> > Now i know people say you "cant" sniff on a switch and I know about
> > ARP poisoning and MAC flooding. But there has to be another way. I
> > have heard too many stories about "he sniffed my AIM
> conversation on a
> > Cisco switch" (an example is in the most recent version of
> 2600). Does
> > anyone know of any technique how to do this? Can you ARP poison a
> > switch?
>
> On many managable (enterprise) switches often have a sniffing/mirror
> port where you can configure from which switch port(s) you want all
> traffic to be mirrored to this mirror port.
>
> And yes, all unprotected switches can be subjected to ARP
> poisoning. But
> (again) many manageable switches can be configured with preventive
> measures:
>
> - static/manual MAC/port mapping
>
> - automatic one-time MAC/port config: the very first MAC/port
> combination seen is taken as semi-static entry, all others
> are dropped.
>
> - limiting number of MAC addresses per port allowed
> (which helps against rogue switches and router, too)
>
> For all you need the help of the switch admins. So no help if you want
> to guard yourself against "evil" switchmasters... ;-)
>
> Bye
>
> Volker
>
>
> --
>
> Volker Tanger http://www.wyae.de/volker.tanger/
> --------------------------------------------------
> vtlists@wyae.de PGP Fingerprint
> 378A 7DA7 4F20 C2F3 5BCC 8340 7424 6122 BB83 B8CB
>
> --------------------------------------------------------------
> ----------------
> Audit your website security with Acunetix Web Vulnerability Scanner:
>
> Hackers are concentrating their efforts on attacking
> applications on your
> website. Up to 75% of cyber attacks are launched on shopping
> carts, forms,
> login pages, dynamic content etc. Firewalls, SSL and
> locked-down servers are
> futile against web application hacking. Check your website
> for vulnerabilities
> to SQL injection, Cross site scripting and other web attacks
> before hackers do!
> Download Trial at:
>
> http://www.securityfocus.com/sponsor/pen-test_050831
> --------------------------------------------------------------
> -----------------
>
>
------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner:
Hackers are concentrating their efforts on attacking applications on your
website. Up to 75% of cyber attacks are launched on shopping carts, forms,
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
futile against web application hacking. Check your website for vulnerabilities
to SQL injection, Cross site scripting and other web attacks before hackers do!
Download Trial at:
http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:07 EDT