Snort mailing list archives
ARP poisoning and sniffing in a Switched Network
From: <CGhercoias () TWEC COM>
Date: Wed, 17 Dec 2003 14:16:38 -0500
Hello,

Has anyone heard about Cain&Abel for Windows -- http://www.oxid.it/cain.html ? ...It has a lot of new features like APR (ARP Poison Routing), which enables sniffing on switched LANs by hijacking IP traffic of multiple hosts at the same time. The sniffer can also analyze encrypted protocols such as SSH-1 and HTTPS if used with APR (ARP Poisoning Routing) and a man-in-the-middle situation...

I tested it personally and it is impressive. You can sniff anything from anywhere within the same subnet; it can spoof any IP address and any MAC address. It is decrypting SSH sessions, telnet and HTTPS sessions. As far as I can tell -- I don't want something like this in my corporate network!

Is there any rule for Snort to catch this kind of ARP (illegal) traffic? Assuming that I turn on 'Port Security' on all switches, the problem still remains if some disgruntled employee installs it and makes use of a real IP and a real MAC address. Not to mention that it can cause a DoS in the network because of the ARP poisoning.

As far as I know, ARP is a stateless protocol that does not require any kind of authentication, so a simple ARP Reply packet sent to each host will force an update in their ARP cache -- therefore ARP poisoning.

Thank you,
___________________________
Catalin Ghercoias
WEB/Network Security Administrator
website: http://www.fye.com
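Added example, not part of the original post and not Snort code: a passive monitor for the behaviour the message describes, flagging ARP replies nobody requested and IP-to-MAC bindings that change. It assumes the sensor can see the segment's ARP traffic (for instance via a mirror port); `ArpMonitor`, `make_frame` and all addresses are hypothetical, constructed for illustration.

```python
import struct
def _mac(b): return ":".join(f"{x:02x}" for x in b)
def _ip(b): return ".".join(str(x) for x in b)

def parse_arp(frame):
    """Return the ARP fields of an Ethernet II frame, or None if it is not IPv4 ARP."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4) or op not in (1, 2):
        return None
    return {"eth_src": _mac(frame[6:12]), "op": op,
            "sha": _mac(frame[22:28]), "spa": _ip(frame[28:32]), "tpa": _ip(frame[38:42])}

class ArpMonitor:  # hypothetical name, not a Snort component
    def __init__(self, static=None):
        self.bindings = dict(static or {})  # IP -> MAC; may be seeded with known hosts
        self.pending = set()                # (requester IP, requested IP) still unanswered

    def inspect(self, frame):
        p, alerts = parse_arp(frame), []
        if p is None:
            return alerts
        if p["eth_src"] != p["sha"]:        # Ethernet header disagrees with the ARP payload
            alerts.append("eth-src-mismatch")
        if p["op"] == 1:                    # request: remember who asked for which IP
            self.pending.add((p["spa"], p["tpa"]))
        elif (p["tpa"], p["spa"]) in self.pending:
            self.pending.discard((p["tpa"], p["spa"]))
        else:                               # reply that answers no request seen by the sensor
            alerts.append("unsolicited-reply")
        known = self.bindings.setdefault(p["spa"], p["sha"])  # first-seen binding is kept
        if known != p["sha"] and p["spa"] != "0.0.0.0":       # 0.0.0.0 is used by ARP probes
            alerts.append(f"binding-changed {p['spa']} {known} -> {p['sha']}")
        return alerts

def make_frame(eth_src, op, sha, spa, tha, tpa):
    """Build a constructed 42-byte sample frame (test data only)."""
    h = lambda m: bytes.fromhex(m.replace(":", ""))
    a = lambda i: bytes(int(x) for x in i.split("."))
    return (h(tha if op == 2 else "ff:ff:ff:ff:ff:ff") + h(eth_src) + b"\x08\x06"
            + struct.pack("!HHBBH", 1, 0x0800, 6, 4, op) + h(sha) + a(spa) + h(tha) + a(tpa))

def demo():
    gw, pc, other = "00:11:22:33:44:01", "00:11:22:33:44:02", "00:11:22:33:44:99"  # constructed
    mon = ArpMonitor()
    trace = [make_frame(pc, 1, pc, "10.0.0.20", "00:00:00:00:00:00", "10.0.0.1"),  # who-has
             make_frame(gw, 2, gw, "10.0.0.1", pc, "10.0.0.20"),        # matching reply
             make_frame(other, 2, other, "10.0.0.1", pc, "10.0.0.20")]  # conflicting reply
    return [mon.inspect(f) for f in trace]
```

Gratuitous ARP announcements from legitimate hosts also appear as unsolicited replies, so the changed binding is the stronger of the two signals.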