Security Basics mailing list archives
Re: packet sniffing help needed.
From: Rodrigo Blanco <rodrigo.blanco.r () gmail com>
Date: Thu, 8 Dec 2005 06:14:07 -0600
Hello Mark,

IMHO, there are two possible scenarios:

1) LAN ACCESS - You have access to the IP local network where either C1 or C3 are located: in this case, it really does not matter if you are in a hub or switched environment.
Hub: sniffing (Ethereal and the "follow TCP stream" option is just perfect) will do the job.
Switch: ARP spoofing and there you are (you can try ettercap, for instance), optionally combined with Ethereal.

2) WAN ACCESS - You do not have direct access to the IP local network where either C1 or C3 are located. This one is more tricky, and I think you would have to resort to either tapping a router in between (no idea how to do this) or somehow spoofing the DNS server that C1 is using to point C1 to your host (or a host you control) - not easy, either.

Best regards,
Rodrigo.

On 12/6/05, Mark Knowles <ghooti () googlemail com> wrote:
Hi all,

I have been thinking about packet sniffing and packet capture - it is because of all of those alerts in IE - you know the ones - "This page is not encrypted and a 3rd party might be listening." I have been doing some googling and not really found much, but then I am not too sure what I am looking for. This is the setup I want to explore.

Comp1 (victim1) = Windows XP box, connected via dial-up to a free ISP
Comp2 (attacker) = Windows/*nix, connected via broadband to a different ISP than Comp1
Comp3 (webserver/victim2)

C1< ----- > C3
C2---¦

The image above is my attempt at ASCII art - I suppose it represents the old-style wiretap method, where C1 and C3 communicate unaware that their data is being listened to by C2. C2 has no power to modify the information. Is this sort of sniffing possible? Or would it have to be more like

C1 < --- > C2 < --- > C3

which is how I see MITM attacks working. I suppose this would be akin to having the telephone operator relay the message, or a language interpreter changing the message between clients.

I am currently only looking for HTTP data, although I am assuming that I will have to filter that after I have gotten it all. I do not want to mess with the data, I would just like to view it. Would this still count as a MITM attack?

I know it's all a bit Hollywood, but I am really curious to see what information I am transmitting (non-HTTPS) - and what those warnings really mean. Are they of the McDonald$ coffee "caution contents is hot" type thing? Which I have to say is how I view them. I understand how proxies cache and transmit data - are the warnings just about them?

Any advice/ideas/whacking with a LART/etc. greatly received :)

Thanks,
Mark.
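The switched-LAN case in the reply above relies on ARP spoofing, so the check a network defender wants is one that notices a second MAC claiming an IP already bound to another station. The following is an added example (not from this thread or its posters): it decodes raw ARP bodies and flags conflicting IP-to-MAC bindings over constructed sample traffic.

```python
import struct
from ipaddress import IPv4Address

# ARP body layout (RFC 826): htype, ptype, hlen, plen, oper,
# sender MAC, sender IP, target MAC, target IP (28 bytes total).
ARP_FMT = "!HHBBH6s4s6s4s"
ARP_REPLY = 2


def build_arp(oper, sender_mac, sender_ip, target_mac, target_ip):
    """Construct a raw ARP body; used here only to build the sample input."""
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, oper,
                       bytes.fromhex(sender_mac.replace(":", "")),
                       IPv4Address(sender_ip).packed,
                       bytes.fromhex(target_mac.replace(":", "")),
                       IPv4Address(target_ip).packed)


def parse_arp(body):
    """Decode the fields a monitor needs: opcode, sender MAC, sender IP."""
    _, _, _, _, oper, sha, spa, _, _ = struct.unpack(ARP_FMT, body[:28])
    return oper, sha.hex(":"), str(IPv4Address(spa))


def detect_arp_conflicts(bodies):
    """Return (ip, known_mac, new_mac) for every ARP reply in which an IP
    that is already bound to one MAC is claimed by a different MAC."""
    bindings = {}  # first MAC seen for each IP
    alerts = []
    for body in bodies:
        oper, mac, ip = parse_arp(body)
        if oper != ARP_REPLY:
            continue
        if ip in bindings and bindings[ip] != mac:
            alerts.append((ip, bindings[ip], mac))
        bindings.setdefault(ip, mac)
    return alerts


# Constructed sample traffic (hypothetical addresses): the gateway .1 answers
# legitimately, then a second station claims the gateway's IP.
GATEWAY_MAC = "00:11:22:33:44:01"
SAMPLE_BODIES = [
    build_arp(ARP_REPLY, GATEWAY_MAC, "192.168.1.1", "00:11:22:33:44:0a", "192.168.1.10"),
    build_arp(ARP_REPLY, "00:11:22:33:44:0a", "192.168.1.10", GATEWAY_MAC, "192.168.1.1"),
    build_arp(ARP_REPLY, "00:11:22:33:44:ff", "192.168.1.1", "00:11:22:33:44:0a", "192.168.1.10"),
]

if __name__ == "__main__":
    for ip, old, new in detect_arp_conflicts(SAMPLE_BODIES):
        print(f"ALERT: {ip} was {old}, now claimed by {new}")
```

On a real network the bodies would come from a capture of the ARP frames on the segment; static ARP entries for the gateway or switch-side dynamic ARP inspection are the usual mitigations once such a conflict is seen.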