Security Basics mailing list archives
RE: switched n/w
From: Chris Cirullo <c_cirullo () sbcglobal net>
Date: Thu, 9 Dec 2004 10:06:12 -0800 (PST)
It is possible for an attacker to sniff and even modify transmissions on a switched network. This can be done through a man in the middle attack which is accomplished by poisoning the transmitting machine's ARP cache (arp redirect...).

Ethernet transmissions must have a source IP/MAC and a destination IP/MAC. When your machine wants to transmit to a machine with a given IP address it needs to know the destination machine's MAC address. It either has this in its ARP cache or it needs to do an ARP request. What the attacker needs to do is trick the sending machine into using the attacker's MAC address when it fills in the destination MAC field of the Ethernet header. If this happens it does not matter what the destination IP address is. All packets will be SWITCHED to the attacker's machine because Ethernet switches operate strictly on MAC addresses and do not examine IP addresses.

After the attacker receives the packets she can read/modify the data and forward them to the actual desired recipient. In this fashion the attacker plays man in the middle and does just about anything they want to the data. There are tools to help an attacker do this.

What you need to do is look at the ARP tables on the switch and the ARP cache of the sending machine. Do a little sniffing. When the sending machine transmits, does the destination MAC address match the MAC address of the machine it is trying to send to? If not you have a problem. Check out a tool called arpwatch to help you notice ARP spoofing on your network.

Chris

--- Rishi Pande <rpande () vt edu> wrote:
I am by no means any kind of a security expert. But there is a remarkable difference between sniffing on a network and actually manipulating the packets that are received by the user. Also, the switched environment sniffing issue is one I have seen mentioned several times. Here's a link that may help you some: http://www.surasoft.com/articles/packetsniffing.php

In addition, you may just have a bad switch (hardware issue related). Also, is there any kind of evidence that this is being done in your internal network and not outside your network? That may be an issue you want to investigate.

Good luck!
Rishi

-----Original Message-----
From: kaushal [mailto:kaushal () rocsys com]
Sent: Tuesday, December 07, 2004 1:30 PM
To: security-basics () securityfocus com
Subject: switched n/w

Hi,

I am a bit new to network security. We have a switched network and to my knowledge a host's data cannot be sniffed by another host by running tcpdump. But I am receiving complaints from a few users that their data is being changed/manipulated. Is this possible? How can I avoid this at the host level? Does this mean the server has been compromised? Any help or pointer in this aspect would be highly appreciated.

thanks in advance.
kaushal.
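The check Chris describes above (compare the destination MAC a sender puts on the wire with the MAC the destination IP really has, and watch ARP replies that change an IP-to-MAC mapping, which is what arpwatch does) as an added example in Python. This is not code from the thread or from arpwatch; the addresses, the three hand-built frames and the `ArpMonitor` class are all constructed for illustration, and a real deployment would feed it frames from a capture rather than from the inline list.

```python
import struct
from typing import Dict, List, Optional

# Constructed sample hosts for the demonstration (not from the thread).
GATEWAY_IP, GATEWAY_MAC = "10.0.0.1", "aa:bb:cc:00:00:01"
VICTIM_IP, VICTIM_MAC = "10.0.0.5", "aa:bb:cc:00:00:05"
ATTACKER_MAC = "de:ad:be:ef:00:66"

ETH = struct.Struct("!6s6sH")            # dst MAC, src MAC, EtherType
ARP = struct.Struct("!HHBBH6s4s6s4s")    # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa
IPV4 = struct.Struct("!BBHHHBBH4s4s")    # minimal 20-byte IPv4 header, no options
ETHERTYPE_ARP, ETHERTYPE_IPV4, ARP_REPLY = 0x0806, 0x0800, 2


def mac_bytes(s: str) -> bytes:
    return bytes(int(x, 16) for x in s.split(":"))


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_bytes(s: str) -> bytes:
    return bytes(int(x) for x in s.split("."))


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def arp_reply(sender_mac: str, sender_ip: str, target_mac: str, target_ip: str) -> bytes:
    """Build an Ethernet frame carrying an ARP reply 'sender_ip is-at sender_mac'."""
    eth = ETH.pack(mac_bytes(target_mac), mac_bytes(sender_mac), ETHERTYPE_ARP)
    arp = ARP.pack(1, ETHERTYPE_IPV4, 6, 4, ARP_REPLY,
                   mac_bytes(sender_mac), ip_bytes(sender_ip),
                   mac_bytes(target_mac), ip_bytes(target_ip))
    return eth + arp


def ipv4_frame(dst_mac: str, src_mac: str, src_ip: str, dst_ip: str, payload: bytes = b"") -> bytes:
    """Build an Ethernet frame carrying a bare IPv4 header plus payload."""
    hdr = IPV4.pack(0x45, 0, IPV4.size + len(payload), 0, 0, 64, 6, 0,
                    ip_bytes(src_ip), ip_bytes(dst_ip))
    return ETH.pack(mac_bytes(dst_mac), mac_bytes(src_mac), ETHERTYPE_IPV4) + hdr + payload


class ArpMonitor:
    """Passive arpwatch-style check over raw Ethernet frames.

    `trusted` is the IP -> MAC table you believe is correct (from the switch's
    tables or a known-good ARP cache).  Unknown IPs are learned on first sight;
    any ARP reply that contradicts the table, or any IP frame whose destination
    MAC does not match the table entry for its destination IP, raises an alert.
    """

    def __init__(self, trusted: Dict[str, str]):
        self.trusted = dict(trusted)
        self.alerts: List[str] = []

    def feed(self, frame: bytes) -> List[str]:
        dst_mac, _src_mac, etype = ETH.unpack_from(frame)
        body = frame[ETH.size:]
        if etype == ETHERTYPE_ARP and len(body) >= ARP.size:
            _, _, _, _, oper, sha, spa, _, _ = ARP.unpack_from(body)
            if oper == ARP_REPLY:
                self._check_mapping(ip_str(spa), mac_str(sha))
        elif etype == ETHERTYPE_IPV4 and len(body) >= IPV4.size:
            dst_ip = ip_str(IPV4.unpack_from(body)[9])
            expected: Optional[str] = self.trusted.get(dst_ip)
            if expected is not None and expected != mac_str(dst_mac):
                self.alerts.append(
                    f"frame for {dst_ip} addressed to {mac_str(dst_mac)}, expected {expected}")
        return self.alerts

    def _check_mapping(self, ip: str, claimed_mac: str) -> None:
        expected = self.trusted.get(ip)
        if expected is None:
            self.trusted[ip] = claimed_mac          # first sighting: learn it
        elif expected != claimed_mac:
            self.alerts.append(
                f"ARP reply claims {ip} is at {claimed_mac}, trusted {expected}")


def run_demo() -> List[str]:
    """Replay a legitimate reply, a poisoned reply, then the redirected traffic."""
    mon = ArpMonitor({GATEWAY_IP: GATEWAY_MAC, VICTIM_IP: VICTIM_MAC})
    frames = [
        arp_reply(GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),          # genuine gateway reply
        arp_reply(ATTACKER_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),         # poison: "gateway is at attacker"
        ipv4_frame(ATTACKER_MAC, VICTIM_MAC, VICTIM_IP, GATEWAY_IP, b"GET / HTTP/1.0\r\n\r\n"),
    ]
    for f in frames:
        mon.feed(f)
    return mon.alerts


if __name__ == "__main__":
    for a in run_demo():
        print("ALERT:", a)
```

The second ARP reply and the redirected IP frame each produce one alert; the genuine reply produces none. The two checks are deliberately independent: the IP-frame check compares against the trusted table rather than whatever the victim's cache currently believes, since after a successful poison the cache itself is the lie.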
Current thread:
- switched n/w kaushal (Dec 07)
- RE: switched n/w David Gillett (Dec 08)
- Re: switched n/w the.soylent (Dec 08)
- RE: switched n/w Rishi Pande (Dec 08)
- RE: switched n/w Chris Cirullo (Dec 09)
- Re: switched n/w Rino Mardo (Dec 08)
- Message not available
- Re: switched n/w Gautam R. Singh (Dec 08)
- Re: switched n/w M. Shirk (Dec 09)
- Re: switched n/w Gautam R. Singh (Dec 08)
- Re: switched n/w Andreas Putzo (Dec 08)
- Re: switched n/w Alexander Klimov (Dec 08)
- Re: switched n/w Grim (Dec 08)
- Re: switched n/w Jacob Weeks (Dec 08)
- Re: switched n/w q q (Dec 09)
- Re: switched n/w easternerd (Dec 10)
- Re: switched n/w q q (Dec 09)
- Re: switched n/w xyberpix (Dec 09)