Security Basics mailing list archives
Re: DNS cache poisoning and pharming
From: Tom Van de Wiele <tom.vandewiele () gmail com>
Date: Mon, 6 Jun 2005 13:43:42 +0200
Keeping in mind that for all of this you will need to be on the same segment as your target(s) which begs the question: how was this person able to connect to the LAN in the first place. If someone can connect to your LAN, the jig is up. Unless you're using some form of 802.1x technology, layer 2 is and stays the weakest link. Imagine the damage if a workstation connected to a LAN segment and claims himself as the first node in the STP branch.

Someone who keeps an eye on his switches and has SNMP traps configured can easily see the ARP storm you're generating using Ettercap or dsniff. The only thing you need is a dhcpd running on the attacker's machine. A new client broadcasts its DHCP request, you answer and deliver the IP address of the DNS server the victim has to use, you enable IP forwarding to make it a full monkey-in-the-middle if you want to and nobody will detect a thing.

Bottom line for me: if the attacker was able to connect to the LAN, you either have a weak policy towards network connectivity, vulnerable communication lines or a CSO and/or security administrator(s) who aren't doing their job.

Tom

Tom Van de Wiele
Security Consultant, CISSP
UNISKILL nv
Bilksken 36B
9920 Lovendegem
Belgium
http://www.uniskill.com
tom.van.de.wiele (AT) uniskill.com

On 5/31/05, Times Enemy <times () krr org> wrote:
Greetings.

http://ettercap.sourceforge.net/

Using Ettercap, DNS poisoning is only a matter of modifying a text file, and firing up the app. As for pharming, most sniffers can be used for this, though on a switched network some extra work may be required. Again, ettercap can handle the switched networks.

If a network has effective IDS/IPS, and is actively monitoring for ARP anomalies and such, then that network _may_ discover an instance of ettercap running on it. Ettercap also can search for other instances of ettercap, amongst a whole lot of other things. I highly suggest you check it out.

This would be a wee bit more difficult to do against a remote ISP.

.times enemy

David wrote:

http://hostsearch.com/news/logiguard_news_3177.asp

This article makes a claim that DNS poisoning and pharming are really dangerous in that anyone can be redirected from trying to go to their online bank to a fake bank site where their login is collected. Is this really such a threat or is it just Logiguard advertising themselves?

Thanks,
Dave
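A defender's check for the rogue DHCP server scenario described in the message above, as an added example that is not part of the original thread: it parses a DHCP OFFER/ACK payload and flags a server identifier or DNS server that falls outside site policy. The allowlists, the addresses (documentation range 192.0.2.0/24) and the `build_reply` helper are assumptions constructed for illustration.

```python
import ipaddress

MAGIC = b"\x63\x82\x53\x63"      # DHCP magic cookie, follows the 236-byte BOOTP header
OPT_DNS, OPT_MSG_TYPE, OPT_SERVER_ID, OFFER, ACK = 6, 53, 54, 2, 5

def parse_options(payload):
    """Return {option code: raw value} from the UDP payload of a DHCP message."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    opts, i = {}, 240
    while i < len(payload) and payload[i] != 255:    # 255 = end option
        if payload[i] == 0:                          # 0 = pad, has no length byte
            i += 1
            continue
        if i + 1 >= len(payload) or i + 2 + payload[i + 1] > len(payload):
            raise ValueError("truncated option")
        opts[payload[i]] = payload[i + 2:i + 2 + payload[i + 1]]
        i += 2 + payload[i + 1]
    return opts

def ipv4_list(raw):
    return [str(ipaddress.IPv4Address(raw[i:i + 4])) for i in range(0, len(raw) - 3, 4)]

def check_reply(payload, allowed_servers, allowed_dns):
    """Return findings for a DHCP OFFER/ACK that does not match site policy."""
    opts = parse_options(payload)
    kind = opts.get(OPT_MSG_TYPE, b"")
    if not kind or kind[0] not in (OFFER, ACK):
        return []                                    # only server replies are judged
    findings = []
    for server in ipv4_list(opts.get(OPT_SERVER_ID, b"")) or ["<missing>"]:
        if server not in allowed_servers:
            findings.append(f"unauthorized DHCP server {server}")
    for dns in ipv4_list(opts.get(OPT_DNS, b"")):
        if dns not in allowed_dns:
            findings.append(f"unexpected DNS server {dns}")
    return findings

def build_reply(server, dns, kind=OFFER):
    """Constructed sample input: minimal BOOTP reply carrying options 53, 54 and 6."""
    pack = lambda ips: b"".join(ipaddress.IPv4Address(a).packed for a in ips)
    body = bytes([OPT_MSG_TYPE, 1, kind]) + bytes([OPT_SERVER_ID, 4]) + pack([server])
    body += bytes([OPT_DNS, 4 * len(dns)]) + pack(dns) + b"\xff"
    return b"\x02" + bytes(235) + MAGIC + body

ALLOWED_SERVERS = {"192.0.2.1"}                 # assumed site policy, constructed values
ALLOWED_DNS = {"192.0.2.53", "192.0.2.54"}
GOOD = build_reply("192.0.2.1", ["192.0.2.53", "192.0.2.54"])
ROGUE = build_reply("192.0.2.66", ["192.0.2.66"])
```

In practice the payload would come from a passive capture of DHCP traffic (UDP ports 67/68) on the monitored segment.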