Security Basics mailing list archives

Re: Network sniffing on the wire - managed switches


From: "Jorge L. Vazquez" <jlvazquez825 () gmail com>
Date: Tue, 30 Dec 2008 14:14:40 -0500

The problem when doing an ARP poisoning between the gateway and
everyone else is that you could cause a denial of service on the
network, especially when doing this with an average PC... I wouldn't
advise poisoning the gateway and every single host in the network.

just my two cents

thanks
-JV
www.pctechtips.org



gmail wrote:
I think you mean the router, not the switch. You want to ARP poison the
network to think you are the router. You need to watch doing everything
here, though. To accomplish this you need to send the packet on after it
comes to you, so your port needs twice the bandwidth. You really need to
look at the network layout and only hijack the ports you want. If you do
everything, you have a good chance of slowing down network traffic, and
this could lead to someone investigating the traffic patterns.

A good tool for this is dsniff, a little complicated though. An easier
tool is Cain & Abel, but Windows only.


On Dec 30, 2008, at 8:54 AM, ArcSighter Elite wrote:

Kurt Buff wrote:
There's probably better ways of doing it now, but it used to be true
that you could flood the switch with MAC addresses, overwhelming the
arp table. This would have the effect of turning the switch into a
hub.

See this link, for one description:

http://www.watchguard.com/infocenter/editorial/135324.asp

On Fri, Dec 26, 2008 at 11:10 AM, Tom Yarrish <tom () yarrish com> wrote:
Hey all,
This may come off as somewhat of a newbie question, but it's one I've
been curious about.

When you are doing any sort of pen testing or sniffing on the wire, how
do you handle a managed switch scenario? If you're connected to a switch
on one port, how can you monitor the traffic on the other ports if
you're not in a monitor mode? I've never understood how you can sniff
traffic other than the traffic from your machine to a destination.

Thanks ahead of time,
Tom



I just said, first ARP poison the entire network to think you're the
switch. Second, do a flooding attack into the switch itself. Don't
resort to a single piece of software (although I use ettercap/nemesis
too), until you truly understand the whys and hows of the technique.

Sincerely.
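
Added example, not part of the original thread: the traffic patterns discussed above (one MAC suddenly answering for the gateway and many hosts, or one port sourcing a flood of MACs) are what a defender can alert on. The record format, function name, and thresholds are assumptions for illustration, and the sample records are constructed.

```python
from collections import defaultdict

# Constructed sample records: (time_s, switch_port, source_mac, claimed_ip).
# claimed_ip is the sender IP of an ARP reply, or None for a non-ARP frame.
SAMPLE = [
    (0, "p1", "00:11:22:33:44:01", "192.168.1.1"),    # gateway baseline
    (1, "p2", "00:11:22:33:44:02", "192.168.1.10"),
    (2, "p3", "00:11:22:33:44:03", "192.168.1.11"),
    (30, "p7", "de:ad:be:ef:00:07", "192.168.1.1"),   # gateway IP, new MAC
    (31, "p7", "de:ad:be:ef:00:07", "192.168.1.10"),
    (32, "p7", "de:ad:be:ef:00:07", "192.168.1.11"),
]

def detect(records, gateway_ip, max_ips_per_mac=2, max_macs_per_port=100):
    """Return (time, kind, subject, detail) alerts; thresholds are illustrative."""
    first_mac = {}                  # IP -> first MAC seen claiming it (baseline)
    ips_of = defaultdict(set)       # MAC -> IPs it has claimed
    macs_on = defaultdict(set)      # port -> distinct source MACs seen
    reported = set()                # dedupe keys so each finding fires once
    alerts = []

    def alert(key, ts, kind, subject, detail):
        if key not in reported:
            reported.add(key)
            alerts.append((ts, kind, subject, detail))

    for ts, port, mac, ip in records:
        if ip is not None:
            base = first_mac.setdefault(ip, mac)
            if base != mac:
                # An IP answered for by a second MAC: the classic poisoning sign.
                kind = "gateway-rebind" if ip == gateway_ip else "ip-rebind"
                alert((ip, mac), ts, kind, ip, f"{base} -> {mac}")
            ips_of[mac].add(ip)
            if len(ips_of[mac]) > max_ips_per_mac:
                # One MAC claiming many hosts' IPs, e.g. poisoning the whole LAN.
                alert(("many", mac), ts, "mac-claims-many-ips", mac,
                      f"{len(ips_of[mac])} IPs on port {port}")
        macs_on[port].add(mac)
        if len(macs_on[port]) > max_macs_per_port:
            # Far more source MACs than an access port should ever show.
            alert(("flood", port), ts, "mac-flood", port,
                  f"{len(macs_on[port])} MACs")
    return alerts

if __name__ == "__main__":
    for a in detect(SAMPLE, "192.168.1.1"):
        print(a)
```

On managed switches the same conditions are normally enforced in hardware with features such as port security (a per-port MAC limit) and dynamic ARP inspection.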
