Security Basics mailing list archives

Re: switched n/w


From: miguel.dilaj () pharma novartis com
Date: Wed, 8 Dec 2004 09:04:13 +0000

Hi kaushal,

It's highly possible to sniff in switched networks (except in some 
particularly paranoid switch configurations) using a technique named "ARP 
poisoning" or "ARP spoofing".
Basically the idea on how a switch operates is by constructing a table of 
IP address vs MAC address, and sending the arriving packets to the NIC 
with the corresponding MAC address.
If you can "poison" that table with fake data, telling the switch that 
YOUR machine has ALL the MAC addresses (or any of them at your pleasure) 
you can fool the switch into directing the traffic to your host. Then you 
can sniff/intercept/modify it, and forward it later to the proper host.
The technique is described in the documentation of Arp0c by Phenoelit 
that, by the way, is a tool to do ARP spoofing (the successful successor of 
WCI).
Arp0c can be found at Phenoelit's site: http://www.phenoelit.de/arpoc/
If you look for "ARP spoofing" you'll find plenty of resources, 
information and tools on this subject.
Instead of trying to avoid it at the host level, try to address it at the 
network level, because at the end it is a network issue.
Cheers,

Miguel Dilaj (Nekromancer)
Vice-President of IT Security Research, OISSG






kaushal <kaushal () rocsys com>
07/12/2004 18:30

 
        To:     security-basics () securityfocus com
        cc:     (bcc: Miguel Dilaj/PH/Novartis)
        Subject:        switched n/w


Hi,
   I am a bit new to network security. We have a switched network and to
my knowledge a host's data cannot be sniffed by another host by running
tcpdump. But I am receiving complaints from a few users that their data is
being changed/manipulated. Is this possible?
How can I avoid this at the host level? Does this mean the server has
been compromised? Any help or pointer in this aspect would be highly
appreciated.

thanks in advance.

kaushal.
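
Added example, not part of the original messages: a defender-side check for the ARP poisoning described in the reply above, comparing a trusted `arp -an` snapshot taken on a host with a later one. All addresses and both snapshots are constructed sample data, and the Linux net-tools `arp -an` output format is an assumption about the environment.

```python
import re
from collections import defaultdict

# Matches Linux net-tools `arp -an` lines (assumed format), e.g.
# "? (10.0.0.1) at 00:11:22:33:44:55 [ether] on eth0"
ARP_LINE = re.compile(
    r"\((\d{1,3}(?:\.\d{1,3}){3})\) at ((?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})\b")

def parse_arp_table(text):
    """Return {ip: mac} from `arp -an` style output; <incomplete> entries are skipped."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if m:
            table[m.group(1)] = m.group(2).lower()
    return table

def find_anomalies(baseline, current):
    """Compare a trusted baseline {ip: mac} with a later snapshot."""
    # 1. An IP whose MAC differs from the baseline (e.g. the gateway "moved").
    changed = {ip: (baseline[ip], mac) for ip, mac in current.items()
               if ip in baseline and baseline[ip] != mac}
    # 2. One MAC answering for several IPs in the current snapshot.
    by_mac = defaultdict(list)
    for ip, mac in current.items():
        by_mac[mac].append(ip)
    shared = {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}
    return changed, shared

# Constructed sample snapshots: in CURRENT the gateway 10.0.0.1 now maps to
# the MAC of host 10.0.0.30.
BASELINE = """\
? (10.0.0.1) at 00:11:22:33:44:55 [ether] on eth0
? (10.0.0.20) at 00:aa:bb:cc:dd:01 [ether] on eth0
? (10.0.0.30) at 00:aa:bb:cc:dd:02 [ether] on eth0
"""
CURRENT = """\
? (10.0.0.1) at 00:AA:BB:CC:DD:02 [ether] on eth0
? (10.0.0.20) at 00:aa:bb:cc:dd:01 [ether] on eth0
? (10.0.0.30) at 00:aa:bb:cc:dd:02 [ether] on eth0
? (10.0.0.40) at <incomplete> on eth0
"""

if __name__ == "__main__":
    changed, shared = find_anomalies(parse_arp_table(BASELINE), parse_arp_table(CURRENT))
    for ip, (old, new) in changed.items():
        print(f"MAC changed for {ip}: {old} -> {new}")
    for mac, ips in shared.items():
        print(f"{mac} answers for several IPs: {', '.join(ips)}")
```

A changed or shared MAC is a lead to investigate, not proof: a replaced NIC, a multi-homed host, proxy ARP or a gateway failover produce the same pattern.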




