Penetration Testing mailing list archives

Re: Arp spoofing & dsniff


From: Ryan Russell <ryan () securityfocus com>
Date: Mon, 6 May 2002 15:21:45 -0600 (MDT)

On Mon, 6 May 2002, kumar mahadevan wrote:

    1. ARP spoofing.
    2. MAC flooding.
    3. MAC Duplicating.

number 2 is not an option.
number 1 is ok except I did not want to risk breaking
Network connectivity even after enabling IP
Forwarding.

You take just about as much chance of breaking connectivity with number 3
as you do with number 1, it depends on the switch.  BTW, do you know what
brand of switch you're dealing with?  Software rev?

number 3 is "supposed to be the easiest" since one just
changes to the NIC. Also according to this article
there is no need to ARP Spoof, if using MAC
Duplicating.

----->    Hence, back to the original question:
Even though your answer makes sense as well (although
the victim computer has lost NO connectivity yet. The
victim whose MAC address I have duplicated on my RH 7
box has full network connectivity, still)

When you duplicate someone's MAC address, you're essentially trying to
fool the switch into thinking that you're the machine you're trying to
monitor, and get the switch to forward the traffic to you.  Some switches
only allow a MAC address to be on one port (or sometimes one port within a
VLAN.)  If that's the case, then you will get your victim's traffic, and
it won't.  Some switches will send the traffic to both places (the only
real situation where this will work the way you want.)

Keep in mind that for a switch to even begin to think that the machine has
changed ports, you must transmit something with that MAC address as the
layer 2 source address.  ARPs would be fine, but it can be anything.  So,
to try this out, you have to change your MAC AND start transmitting.  But,
you should plan on the victim being cut off unless you've been able to
determine how your switch will react.

                                        Ryan
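
An added example, not part of the original post: a minimal model of the one-port-per-MAC learning behaviour described above, used from the monitoring side to flag a source MAC that keeps changing ports, which is the symptom a duplicated MAC produces. The frame tuples, port numbers, threshold and window are constructed assumptions; real switches differ, as the post notes.

```python
from collections import defaultdict

# Constructed sample: (seconds, ingress port, layer 2 source MAC) as a switch sees them.
FRAMES = [
    (0.0, 1, "00:11:22:33:44:55"),
    (0.5, 2, "66:77:88:99:aa:bb"),
    (1.0, 3, "00:11:22:33:44:55"),   # same source MAC now seen on port 3
    (1.2, 1, "00:11:22:33:44:55"),   # original host transmits again on port 1
    (1.9, 3, "00:11:22:33:44:55"),
    (2.4, 1, "00:11:22:33:44:55"),
    (9.0, 2, "66:77:88:99:aa:bb"),
]

def learn(frames):
    """Replay frames through a one-port-per-MAC learning table; return (table, moves)."""
    table = {}                     # MAC -> port the switch currently forwards to
    moves = defaultdict(list)      # MAC -> [(time, old_port, new_port), ...]
    for ts, port, src in frames:
        old = table.get(src)
        if old is not None and old != port:
            moves[src].append((ts, old, port))
        table[src] = port          # an entry only changes when a frame is received
    return table, dict(moves)

def flapping(moves, threshold=3, window=5.0):
    """Return MACs that changed port at least `threshold` times within `window` seconds."""
    flagged = {}
    for mac, events in moves.items():
        times = [t for t, _, _ in events]
        for i, start in enumerate(times):
            count = sum(1 for t in times[i:] if t - start <= window)
            if count >= threshold:
                # Report every port the address has bounced between.
                flagged[mac] = sorted({p for _, a, b in events for p in (a, b)})
                break
    return flagged

if __name__ == "__main__":
    table, moves = learn(FRAMES)
    for mac, ports in flapping(moves).items():
        print(f"{mac} is flapping between ports {ports}; last learned on port {table[mac]}")
```
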

