Re: DNS cache poisoning and pharming

[Tom Van de Wiele <tom.vandewiele () gmail com>]

Keeping in mind that for all of this you will need to be on the same
segment as your target(s) which begs the question: how was this person
able to connect to the LAN in the first place.  If someone can connect
to your LAN, the jig is up.

Unless you're using some form of 802.1x technology, layer 2 is and
stays the weakest link.  Imagine the damage if a workstation connected
to a LAN segment and claims himself as the first node in the STP
branch.

Someone who keeps an eye on his switches and has SNMP traps configured
can easily see the ARP storm you're generating using Ettercap or
dsniff.  The only thing you need is a dhcpd running on the attackers
machine.  A new client broadcasts its DHCP request, you answer and
deliver the IP address of the DNS server the victim has to use, you
enable IP forwarding to make it a full monkey-in-the-middle if you
want to and nobody will detect a thing.

Bottom line for me: if the attacker was able to connect to the LAN,
you either have a weak policy towards network connectivity, vulnerable
communication lines or a CSO and/or security administrator(s) who
aren't doing their job.

Tom


Tom Van de Wiele
Security Consultant, CISSP

UNISKILL nv
Bilksken 36B
9920 Lovendegem
Belgium
http://www.uniskill.com
tom.van.de.wiele (AT) uniskill.com



On 5/31/05, Times Enemy <times () krr org> wrote:
> Greetings.
>
> http://ettercap.sourceforge.net/
>
> Using Ettercap, DNS poisoning is only a matter of modifying a text file,
> and firing up the app..
>
> As for pharming, most sniffers can be used for this, though on a
> switched network some extra work may be required.  Again, ettercap can
> handle the switched networks.
>
> If a network has effective IDS/IPS, and is actively monitoring for ARP
> anomalies and such, then that network _may_ discover an instance of
> ettercap running on it.  Ettercap also can search for other instances of
> ettercap, amongst a whole lot of other things.  I highly suggest you
> check it out.
>
> This would be a wee bit more difficult to do against a remote ISP.
>
>
> .times enemy
>
>
> David wrote:
>
> > http://hostsearch.com/news/logiguard_news_3177.asp
> >
> > This article makes a claim that DNS poisoning and pharming are really
> > dangerous in that anyone can be redirected from trying to go to their
> > online bank to a fake bank site where there login is collected. Is this
> > really such a threat or is it just Logiguard advertising themselves?
> >
> > Thanks,
> >
> > Dave