Security Basics mailing list archives

AW: AW: security-basics Digest 18 Jun 2003 22:09:15 -0000 Issue 618


From: Meidinger Christopher <christopher.meidinger () badenIT de>
Date: Thu, 26 Jun 2003 10:09:03 +0100

Hi Dave,

google can probably give you a more complete answer, but the gist of it is
this:

An (old school) non-switched network worked on the star principle. Every
packet is delivered everywhere in a subnet and each machine grabs the
packets that are for it. Thus, promiscuous mode is what tells a network
interface to not just grab the packets that are intended for that machine,
but to grab everything. You can test this on a hub, just put 4 machines on a
hub, make them talk a bit, and sniff with one of them. You will see that
they all can see the communications intended for each other machine on that
segment.

A modern switched network directs the packets so that each switch only
delivers the packets to each machine that are intended for that specific
machine. That means that if I sniff on an interface connected to a switch, I
only see packets intended for my machine, and any broadcasts on my segment.
(Routers should [almost] never forward broadcasts.) Test this by sniffing on
any switch, and you will only get your own traffic and broadcasts.
Broadcasts look like packets addressed to either ff.ff.ff.ff.ff.ff or
SUB.NET.255.255 (depending where you are you may see multicasts to 224.x.x.x
addresses as well but that is out of the scope of this answer.)

NOW, you ask yourself how can I sniff on a switched network if all I get is
stuff for me?

The answer is, you have to lie to the other machines telling them that you
are either their gateway, or that you are the machines that they want to
talk to. The technical details are out of the scope of this paper, but you
essentially get messages destined for other IP addresses delivered to your
MAC address and then send them yourself to the real MAC address that
belongs to the dst host after keeping a copy of the packet for yourself. This
takes a certain amount of skill (though not that much with automated tools,
see below) to do, but it is not beyond a novice.

So that is why it is harder. Now for the portion of the question you forgot
to ask: can I try this at home? Will anything bad happen if I do?

Sure, get a copy of dsniff (www.monkey.org/TILDEdugsong/dsniff.html --
replace the TILDE with a tilde symbol, my keyboard is busted and I can't
type it ATM) or a copy of ettercap (I think it's on sourceforge, do a google
search -- try www.google.com/linux), read the manuals and start them up
sniffing.

Yes, you should do this in a test network. This kind of activity is fairly
easy for an Intrusion Detection System to pick up, assuming it has a sensor
on the local segment. So you can get in trouble with your network admins.
There is no explanation for the network traffic this will create except
hacking / security testing. Also, if you make a mistake, you can easily put
your entire network segment out of commission (imagine you claim to be the
gateway, and then forward the traffic to /dev/null instead of to the real
gateway) with a small mistake, which will most likely get you kicked off the
network.

DISCLAIMER: This is an (exhaustive) answer to the question asked, not a guide
on how to sniff on switched networks. Before you do anything read all the
man pages and howtos you can and be sure that you know what you are doing.
If your network admin comes into your office with a shotgun in his hands and
death in his eyes, you alone are responsible.

If I was wrong on any technical point please email me and the list with
corrections.

badenIT GmbH
System Support Workstation
 
Chris Meidinger
Tullastrasse 70
79108 Freiburg
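As an added illustration (not part of Chris's post, and not code from dsniff or ettercap), here is the kind of check an IDS sensor on the local segment can run to notice the "lie to the other machines" step he describes: it parses raw Ethernet/ARP frames and alerts when an IP address that was bound to one MAC is suddenly claimed by another. The frames, MAC and IP addresses below are constructed for the example.

```python
import struct

def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))

def ip_bytes(ip):
    return bytes(int(o) for o in ip.split("."))

def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Constructed sample: an Ethernet II frame carrying an ARP reply (opcode 2)."""
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + b"\x08\x06"   # dst, src, EtherType ARP
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 2)                    # Ethernet, IPv4, hlen, plen, reply
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)                  # sender hardware/protocol addr
    arp += mac_bytes(target_mac) + ip_bytes(target_ip)                  # target hardware/protocol addr
    return eth + arp

def parse_arp_reply(frame):
    """Return (sender_mac, sender_ip) if the frame is an ARP reply, else None."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    if struct.unpack("!H", frame[20:22])[0] != 2:   # only replies rewrite a victim's ARP cache
        return None
    smac = ":".join(f"{b:02x}" for b in frame[22:28])
    sip = ".".join(str(b) for b in frame[28:32])
    return smac, sip

class ArpWatch:
    """Remember the first MAC seen for each IP in ARP replies; alert when it changes."""
    def __init__(self):
        self.bindings = {}   # ip -> mac
        self.alerts = []

    def feed(self, frame):
        parsed = parse_arp_reply(frame)
        if parsed is None:
            return
        smac, sip = parsed
        known = self.bindings.setdefault(sip, smac)
        if known != smac:
            self.alerts.append(f"{sip}: {known} -> {smac}")
            self.bindings[sip] = smac   # follow the new claim so a flap back is reported too

def demo():
    """Constructed traffic: the gateway answers normally, then a third host claims its IP."""
    gw, victim, other = "00:11:22:33:44:01", "00:11:22:33:44:02", "00:11:22:33:44:99"
    frames = [
        build_arp_reply(gw, "192.168.1.1", victim, "192.168.1.10"),
        build_arp_reply(victim, "192.168.1.10", gw, "192.168.1.1"),
        build_arp_reply(other, "192.168.1.1", victim, "192.168.1.10"),   # the spoofed reply
    ]
    watch = ArpWatch()
    for frame in frames:
        watch.feed(frame)
    return watch.alerts
```

Two practical caveats: ARP replies are unicast, so on a switch the sensor only sees them if it sits on a mirror/span port or is itself a target, and a binding can change legitimately (DHCP lease reassignment, a replaced NIC), so real deployments keep a whitelist or require repeated flapping before alerting.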


-----Original Message-----
From: David Wallraff [mailto:wall0448 () ece umn edu]
Sent: Wednesday, June 25, 2003 5:33 PM
To: Meidinger Christopher
Cc: 'Hilal Hussein'; Security-Basics@Securityfocus. Com (E-Mail)
Subject: Re: AW: security-basics Digest 18 Jun 2003 22:09:15 -0000 Issue 618


why is it harder to sniff over a switched network?  I understand it's
because of the switch (natch), but what makes it more difficult?
dave



On Wed, 25 Jun 2003, Meidinger Christopher wrote:

Hello Hilal,

Yes, there are many tools that will do that. dsniff, ettercap, ethereal and
MANY others will read your password as it goes by on the wire. It is
slightly more difficult on a switched network, but it can still be done.

You should not use telnet at all, use ssh (www.openssh.org) instead. The
windows client PuTTY is the most common choice to connect over ssh from
windows. As far as starting an ssh server on the firewall, you should be
able to do that in the same way that you started the telnet server.

If you need more exact help, post to the list what type of firewall you are
using, and I am certain someone will help you get started.

(Disclaimer: based on your question, you should [IMHO] definitely read up a
bit on security before configuring a firewall)

badenIT GmbH
System Support

Chris Meidinger
Tullastrasse 70
79108 Freiburg


-----Original Message-----
From: Hilal Hussein [mailto:hilalma () hotmail com]
Sent: Tuesday, June 24, 2003 10:08 AM
To: bugtraq () planetcobalt net; security-basics () securityfocus com
Subject: Re: security-basics Digest 18 Jun 2003 22:09:15 -0000 Issue 618




Hello All,

I am not sure if I am asking the right question within the same subject, but
I am configuring the firewall through the telnet connection / from a winxp
workstation.

Is there any possibility for any internal user to use any tools that will
hijack my telnet password - password for the firewall too!, and what are
the measurements for securing the telnet session.

with regards,
Hilal Hussein




---------------------------------------------------------------------------
Evaluating SSL VPNs' Consider NEOTERIS, chosen as leader by top analysts!
The Gartner Group just put Neoteris in the top of its Magic Quadrant,
while InStat has confirmed Neoteris as the leader in marketshare.

Find out why, and see how you can get plug-n-play secure remote access in
about an hour, with no client, server changes, or ongoing maintenance.

Visit us at: http://www.neoteris.com/promos/sf-6-9.htm

----------------------------------------------------------------------------