Security Basics mailing list archives

RE: switched n/w


From: Chris Cirullo <c_cirullo () sbcglobal net>
Date: Thu, 9 Dec 2004 10:06:12 -0800 (PST)

It is possible for an attacker to sniff and even
modify transmissions on a switched network.  This can
be done through a man in the middle attack which is
accomplished by poisoning the transmitting machine's
arp cache (arp redirect...).  Ethernet transmissions
must have a source IP/MAC and a Destination IP/MAC. 
When your machine wants to transmit to a machine with
a given IP address it needs to know the destination
machine's MAC address.  It either has this in its ARP
cache or it needs to do an ARP request.  What the
attacker needs to do is trick the sending machine into
using the attacker's MAC address when it fills in the
destination MAC field of the ethernet header.  If this
happens it does not matter what the destination IP
address is.  All packets will be SWITCHED to the
attacker's machine because ethernet switches operate
strictly on MAC addresses and do not examine IP
addresses.  After the attacker receives the packets
she can read/modify the data and forward them to the
actual desired recipient.  In this fashion the
attacker plays man in the middle and does just about
anything they want to the data.  There are tools to
help an attacker do this.  What you need to do is look
at the arp tables on the switch and the arp cache of
the sending machine.  Do a little sniffing.  When the
sending machine transmits, does the destination MAC
address match the MAC address of the machine it is
trying to send to?  If not you have a problem.  Check
out a tool called arpwatch to help you notice arp
spoofing on your network.

Chris
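The checks Chris describes (watch for an IP address whose announced MAC suddenly changes, and compare the destination MAC of outgoing frames against the MAC the destination host really has) can be automated. The following is an added example written for this archive, not code from the thread and not arpwatch itself; it is a small arpwatch-style monitor fed with a constructed set of ARP replies and frames (the addresses, the `ArpMonitor` class and the `run_demo` helper are all hypothetical), so it runs offline with no capture interface.

```python
from collections import defaultdict


class ArpMonitor:
    """Minimal arpwatch-style monitor: learns IP -> MAC bindings from ARP
    replies and reports events a defender should look at."""

    def __init__(self):
        self.table = {}                  # ip -> MAC currently announced for it
        self.history = defaultdict(set)  # ip -> every MAC ever seen for it
        self.alerts = []

    def observe_reply(self, ts, ip, mac):
        mac = mac.lower()
        prev = self.table.get(ip)
        if prev is None:
            self._alert("new_station", ts, ip, mac)
        elif prev != mac:
            # A MAC seen before for this IP is a "flip flop" (arpwatch's term);
            # a MAC never seen for it is a plain address change.
            kind = "flip_flop" if mac in self.history[ip] else "changed_address"
            self._alert(kind, ts, ip, mac, old_mac=prev)
        self.table[ip] = mac
        self.history[ip].add(mac)
        # One MAC answering for several IPs at once is the usual footprint of a
        # poisoner sitting between a host and its gateway.
        claimed = sorted(i for i, m in self.table.items() if m == mac)
        if len(claimed) > 1:
            self._alert("shared_mac", ts, ip, mac, ips=claimed)

    def _alert(self, kind, ts, ip, mac, **extra):
        self.alerts.append({"kind": kind, "ts": ts, "ip": ip, "mac": mac, **extra})


def check_frame_destinations(frames, trusted):
    """The manual check from the post, automated: for each outgoing frame,
    does the destination MAC match the MAC we trust for the destination IP?"""
    mismatches = []
    for f in frames:
        expected = trusted.get(f["dst_ip"])
        if expected and f["dst_mac"].lower() != expected.lower():
            mismatches.append({**f, "expected_mac": expected})
    return mismatches


# Constructed sample data (not a real capture). Private IPs and locally
# administered MACs are used so nothing here maps to a real host.
GATEWAY_MAC = "02:00:00:00:00:01"
HOST_MAC = "02:00:00:00:00:0a"
ROGUE_MAC = "02:00:00:00:00:ff"
TRUSTED = {"192.168.1.1": GATEWAY_MAC, "192.168.1.10": HOST_MAC}

SAMPLE_ARP_REPLIES = [
    (0, "192.168.1.1", GATEWAY_MAC),
    (1, "192.168.1.10", HOST_MAC),
    (60, "192.168.1.1", ROGUE_MAC),     # rogue station claims the gateway's IP
    (60, "192.168.1.10", ROGUE_MAC),    # ...and the host's IP as well
    (120, "192.168.1.1", GATEWAY_MAC),  # the real gateway answers again
]

SAMPLE_FRAMES = [
    {"ts": 30, "src_ip": "192.168.1.10", "dst_ip": "192.168.1.1", "dst_mac": GATEWAY_MAC},
    {"ts": 65, "src_ip": "192.168.1.10", "dst_ip": "192.168.1.1", "dst_mac": ROGUE_MAC},
]


def run_demo():
    """Feed the constructed data through both checks and return the findings."""
    mon = ArpMonitor()
    for ts, ip, mac in SAMPLE_ARP_REPLIES:
        mon.observe_reply(ts, ip, mac)
    return mon.alerts, check_frame_destinations(SAMPLE_FRAMES, TRUSTED)


if __name__ == "__main__":
    alerts, mismatches = run_demo()
    for a in alerts:
        print(a)
    for m in mismatches:
        print("frame to", m["dst_ip"], "went to", m["dst_mac"], "expected", m["expected_mac"])
```

On the constructed data the monitor raises two `new_station` events, then `changed_address` for the gateway and the host, a `shared_mac` event once the same MAC is announced for both, and a `flip_flop` when the real gateway reasserts itself; the frame check flags the one frame that was addressed to the gateway's IP but the rogue MAC. A trusted IP-to-MAC table for the gateway and servers, kept outside the ARP cache, is what makes the second check meaningful.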
--- Rishi Pande <rpande () vt edu> wrote:


I am by no means any kind of a security expert. But there is a remarkable difference between sniffing on a network and actually manipulating the packets that are received by the user.
Also, the switched environment sniffing issue is one I have seen mentioned several times. Here's a link that may help you some:
http://www.surasoft.com/articles/packetsniffing.php

In addition, you may just have a bad switch (hardware issue related). Also, is there any kind of evidence that this is being done in your internal network and not outside your network? That may be an issue you want to investigate.

Good luck!
      Rishi

-----Original Message-----
From: kaushal [mailto:kaushal () rocsys com] 
Sent: Tuesday, December 07, 2004 1:30 PM
To: security-basics () securityfocus com
Subject: switched n/w

Hi,
   I am a bit new to network security. We have a switched network and to my knowledge a host's data cannot be sniffed by another host by running tcpdump. But I am receiving complaints from a few users that their data is being changed/manipulated. Is this possible?
How can I avoid this at the host level? Does this mean the server has been compromised? Any help or pointer in this aspect would be highly appreciated.

thanks in advance.

kaushal.
