Firewall Wizards mailing list archives
RE: What's the deal with SSH? (was: PIX software release 5.2)
From: "Barry Dykes" <barry () onesec net>
Date: Mon, 2 Oct 2000 15:24:39 -0500
To be more specific, an Ethernet switch learns its forwarding tree based on the source MAC address of incoming packets. A switch will also use the last learned location of a MAC address. In other words, if you know the MAC of the machine that you wish to receive traffic for, you just send an Ethernet frame anywhere with that same MAC address as the source address. The switch will then forward all traffic destined to that MAC out to the new port (you).

Also, according to the RFC (826 I think), all hosts must update their ARP caches with the last known ARP update. This means that simply sending an ARP packet out with the same IP address and a different MAC should make the router (layer 3 device) then send traffic to the new MAC address, as well as all other hosts who heard the ARP broadcast! Some boxes don't conform to the RFC - but they are supposed to.

So, there are two simple methods to get traffic in an Ethernet environment at the least. Never trust a protocol that was based on broadcast discovery ;-)

Barry
-----Original Message-----
From: firewall-wizards-admin () nfr net [mailto:firewall-wizards-admin () nfr net] On Behalf Of Michael H. Warfield
Sent: Sunday, October 01, 2000 10:41 AM
To: John Adams
Cc: sean.kelly () lanston com; shewitt () cdw com; firewall-wizards () nfr net
Subject: Re: [fw-wiz] What's the deal with SSH? (was: PIX software release 5.2)

On Tue, Sep 26, 2000 at 01:54:55PM -0400, John Adams wrote:
> On Mon, 25 Sep 2000 sean.kelly () lanston com wrote:
> > As other people have noted, don't mistake switching for some sort of network security panacea. And you should certainly be concerned if you're using telnet to connect to locations you'd prefer be kept off-limits. All it takes to grab a username/password is have a box in a position to pick up traffic with its ethernet card set in promiscuous mode.
>
> Although I'm not putting 100% faith in the security of switched networks, if my switch has not been compromised, and no SPAN ports are available, how is it possible to pull packets off the network? I can think of some ways to do it by forging ISL or trunk protocols, but nothing that can be easily accomplished by an attacker from the outside in.

It's called ARP cache poisoning. You just convince the target boxes that you are the other MAC address for those IP addresses. You can then forward the packets after sniffing. This can be done with gratuitous ARP reply packets targeted specifically at the chump^H^H^H^H^H victim systems. Reliable? No. Doesn't have to be. Easy? No. Doesn't have to be. Available? Yes... Unfortunately. Time and probability and you'll snag something.

> This is more of a "how can it be compromised" question than a "I'm going to do this tomorrow" configuration issue.
>
> -j
> --
> J. Adams http://www.retina.net/~jna
> You are supposed to be a consumer, a black hole for goods, advertising and content. They only want to allocate enough upstream bandwidth for 10,000,000 buy buttons. Producing or sharing information is a subversive act and will not be tolerated.
> -anonymous coward on /.

Mike
--
Michael H. Warfield | (770) 985-6132 | mhw () WittsEnd com
(The Mad Wizard) | (678) 463-0932 | http://www.wittsend.com/mhw/
NIC whois: MHW9 | An optimist believes we live in the best of all
PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it!

_______________________________________________
Firewall-wizards mailing list
Firewall-wizards () nfr net
http://www.nfr.net/mailman/listinfo/firewall-wizards
---------------------------------------------------------------------
To unsubscribe, e-mail: firewall-wizards-unsubscribe () onesec net
For additional commands, e-mail: firewall-wizards-help () onesec net
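The two mechanisms Barry and Mike describe above, as an added example that is not part of the original thread or of any tool mentioned in it: a small model of a learning switch whose table is keyed on source MAC (last sighting wins), an RFC 826 ARP cache that merges any packet whose sender IP it already holds, and a builder/parser for the 42-byte Ethernet+ARP frame an attacker would actually put on the wire. The hosts, MACs, IPs and port numbers are made up; `run_scenario` plays the attack through and also records the two signals a monitor would alert on (a MAC flapping between ports, and an IP changing its MAC).

```python
import struct
from dataclasses import dataclass

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def ip_bytes(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))


def build_arp(opcode, sender_mac, sender_ip, target_mac, target_ip, eth_dst=None):
    """Ethernet II header + 28-byte RFC 826 body (Ethernet/IPv4). A gratuitous
    reply is an ordinary reply with sender IP == target IP, sent to broadcast."""
    eth_dst = eth_dst or target_mac
    eth = mac_bytes(eth_dst) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    body = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)   # htype, ptype, hlen, plen, oper
    body += mac_bytes(sender_mac) + ip_bytes(sender_ip)      # SHA, SPA
    body += mac_bytes(target_mac) + ip_bytes(target_ip)      # THA, TPA
    return eth + body


def parse_arp(frame: bytes):
    """Return (opcode, sender_mac, sender_ip, target_ip) from a raw frame."""
    if struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        raise ValueError("not an ARP frame")
    body = frame[14:]
    opcode = struct.unpack("!H", body[6:8])[0]
    smac = ":".join(f"{b:02x}" for b in body[8:14])
    sip = ".".join(str(b) for b in body[14:18])
    tip = ".".join(str(b) for b in body[24:28])
    return opcode, smac, sip, tip


@dataclass
class Frame:
    src_mac: str
    dst_mac: str
    ingress_port: int


class LearningSwitch:
    """Forwarding table keyed on source MAC; the most recent sighting wins."""

    def __init__(self, ports):
        self.ports = list(ports)
        self.table = {}   # mac -> port
        self.flaps = []   # (mac, old_port, new_port): a MAC moving between ports

    def receive(self, frame: Frame):
        old = self.table.get(frame.src_mac)
        if old is not None and old != frame.ingress_port:
            self.flaps.append((frame.src_mac, old, frame.ingress_port))
        self.table[frame.src_mac] = frame.ingress_port
        out = self.table.get(frame.dst_mac)
        if out is None:   # unknown destination: flood every other port
            return [p for p in self.ports if p != frame.ingress_port]
        return [out]


class Rfc826Host:
    """ARP cache following the RFC 826 merge rule: if the sender IP is already
    cached, overwrite its MAC whatever the opcode and whoever the packet was
    addressed to; otherwise add an entry only if the packet targets us."""

    def __init__(self, ip, mac):
        self.ip, self.mac = ip, mac
        self.cache = {}     # ip -> mac
        self.changes = []   # (ip, old_mac, new_mac): what arpwatch-style tools log

    def receive_arp(self, frame: bytes):
        _opcode, smac, sip, tip = parse_arp(frame)
        old = self.cache.get(sip)
        if old is not None:
            if old != smac:
                self.changes.append((sip, old, smac))
            self.cache[sip] = smac
        elif tip == self.ip:
            self.cache[sip] = smac


def run_scenario():
    """Made-up hosts: router on port 1, victim on port 2, attacker on port 3."""
    sw = LearningSwitch(ports=[1, 2, 3])
    router = Rfc826Host("10.0.0.1", "00:00:0c:00:00:01")
    victim_mac, victim_ip = "00:50:56:00:00:02", "10.0.0.2"
    attacker_mac = "00:0c:29:00:00:03"

    # Normal operation: both sides talk and the switch learns where each MAC lives.
    sw.receive(Frame(router.mac, victim_mac, 1))
    sw.receive(Frame(victim_mac, router.mac, 2))
    before = sw.receive(Frame(router.mac, victim_mac, 1))
    router.receive_arp(build_arp(ARP_REPLY, victim_mac, victim_ip, router.mac, router.ip))

    # Method 1: a single frame from port 3 carrying the victim's MAC as source.
    sw.receive(Frame(victim_mac, router.mac, 3))
    after = sw.receive(Frame(router.mac, victim_mac, 1))

    # Method 2: a gratuitous ARP reply claiming the victim's IP with the attacker's MAC.
    poison = build_arp(ARP_REPLY, attacker_mac, victim_ip, BROADCAST, victim_ip)
    router.receive_arp(poison)

    return {
        "before": before, "after": after, "flaps": sw.flaps,
        "router_arp": router.cache[victim_ip], "arp_changes": router.changes,
    }


if __name__ == "__main__":
    print(run_scenario())
```

Running it shows the router's frames for the victim leaving port 2 before the forged frame and port 3 after it, and the router's ARP entry for 10.0.0.2 switching to the attacker's MAC after one broadcast. The `flaps` and `changes` lists are the cheap detections: a MAC that moves ports, or an IP whose MAC changes, is exactly what port-security limits and arpwatch-style monitoring flag in practice.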
Current thread:
- RE: What's the deal with SSH? (was: PIX software release 5.2) John Adams (Oct 01)
- Re: What's the deal with SSH? (was: PIX software release 5.2) Luca Berra (Oct 01)
- Re: What's the deal with SSH? (was: PIX software release 5.2) Michael H. Warfield (Oct 01)
- RE: What's the deal with SSH? (was: PIX software release 5.2) Barry Dykes (Oct 03)