Full Disclosure mailing list archives
RE: RE: info on ip spoofing please
From: "Ian stuart Turnbull" <ian.t7 () hotmail co uk>
Date: Wed, 12 Apr 2006 17:00:14 +0100
packet sniffs ____on link between the two end points____, and can therefore pretendAh! Thanks for making that a bit more obvious Neil - much appreciated. Think I might have to go back to school as this happens to me on occasion - misreading I mean. It is abundantly clear to me now. Good stuff.
And the extra information is also gratefully acknowledged - cheers for that.
From: "Neil Davis" <rg.viza () gmail com> To: full-disclosure () lists grok org uk Subject: [Full-disclosure] RE: info on ip spoofing please Date: Wed, 12 Apr 2006 11:42:25 -0400 MIME-Version: 1.0Received: from lists.grok.org.uk ([195.184.125.51]) by bay0-pamc1-f9.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.1830); Wed, 12 Apr 2006 08:43:43 -0700 Received: from lists.grok.org.uk (localhost [127.0.0.1])by lists.grok.org.uk (Postfix) with ESMTP id AE80E7DD;Wed, 12 Apr 2006 16:42:49 +0100 (BST) Received: from wproxy.gmail.com (wproxy.gmail.com [64.233.184.229])by lists.grok.org.uk (Postfix) with ESMTP id A7B0B677for <full-disclosure () lists grok org uk>;Wed, 12 Apr 2006 16:42:27 +0100 (BST) Received: by wproxy.gmail.com with SMTP id i32so1384576wrafor <full-disclosure () lists grok org uk>;Wed, 12 Apr 2006 08:42:25 -0700 (PDT) Received: by 10.65.219.8 with SMTP id w8mr387592qbq;Wed, 12 Apr 2006 08:42:25 -0700 (PDT)Received: by 10.64.47.12 with HTTP; Wed, 12 Apr 2006 08:42:25 -0700 (PDT) X-Message-Info: JGTYoYF78jFkGiOJ/qwyB8exkh6rat0d4W1M0LUp3MU= X-Original-To: full-disclosure () lists grok org uk Delivered-To: full-disclosure () lists grok org ukDomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com;h=received:message-id:date:from:to:subject:mime-version:content-type:content-transfer-encoding:content-disposition;b=lkbk9PFqymmlV3VIdGq0dz8JzRKdS8LSspZLP9F3EMcECrloeraDHaY6R5bQBnc/RGK884eWdDz1B/5bxgkvVvBBCejnpghWI2AYmnOr/f6FW4lckeDRwo3gGimqs392UjxNtqxcMBn3MJeKfsfZC4gBK9bBsQZajVV7VCFSkXw=X-BeenThere: full-disclosure () lists grok org uk X-Mailman-Version: 2.1.5 Precedence: listList-Id: An unmoderated mailing list for the discussion of security issues<full-disclosure.lists.grok.org.uk> List-Unsubscribe: <https://lists.grok.org.uk/mailman/listinfo/full-disclosure>, <mailto:full-disclosure-request () lists grok org uk?subject=unsubscribe>List-Archive: <http://lists.grok.org.uk/pipermail/full-disclosure> List-Post: <mailto:full-disclosure () lists grok org uk> List-Help: <mailto:full-disclosure-request () lists grok org uk?subject=help>List-Subscribe: <https://lists.grok.org.uk/mailman/listinfo/full-disclosure>, <mailto:full-disclosure-request () lists grok org uk?subject=subscribe>Errors-To: full-disclosure-bounces () lists grok org uk Return-Path: full-disclosure-bounces () lists grok org ukX-OriginalArrivalTime: 12 Apr 2006 15:43:44.0315 (UTC) FILETIME=[E15AC8B0:01C65E47]> Hello all, > At> http://www.iss.net/security_center/advice/Underground/Hacking/Methods/Technical/Spoofing/default.htm> > was this comment :- > > QUOTE " > Examples of spoofing: > > man-in-the-middle> packet sniffs on link between the two end points, and can therefore pretend> to be one end of the connection " >> My question is How can you sniff packets on a link that your machine is NOT> on ie NOT on the same subnet?? > > Why am I at a loss to understand this. Is there a command/software that > allows one to > say: sniff packets on port x of IP xxx.xxx.xxx.xxx ? > > Please put me out of my agony on this. > Thanks for any info you can give. > > > Ian t I think you misread the information, this part of it to be exact: Examples of spoofing: man-in-the-middle packet sniffs ____on link between the two end points____, and can therefore pretend to be one end of the connection " The answer to your question is you can't. You can only do this on a machine that the traffic is flowing through. Hence the name, "man-in-the-middle". You need to comprimise a machine between the endpoints, such as a firewall, router, or proxy, or one of the endpoints themselves so you can sourceroute through a machine of your choosing (though if you have comprimised an endpoint, this isn't necessary). You then run ettercap, and can even read their SSL/SSH conversations and change data. man-in-the-middle is a wicked attack. It's also fairly difficult to get there, if the machines concerned are patched, up to date, and securely configured, as so often they are not. On ms proxy server, all you need to do is comprimise the proxy server. The session ID's, if on query string, are logged, even when they are via ssl, you can easily hijack a session that way, simply by looking at the proxy log's recent entries, in a lot of cases (note: I am not sure if ms proxy server does this on more recent versions, and I am sure it's possible to turn this logging off). No packet analysis necessary. -Viz _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
_________________________________________________________________Are you using the latest version of MSN Messenger? Download MSN Messenger 7.5 today! http://join.msn.com/messenger/overview
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Re: info on ip spoofing please, (continued)
- Re: info on ip spoofing please Brian Eaton (Apr 11)
- Re: info on ip spoofing please Ian stuart Turnbull (Apr 11)
- Re: info on ip spoofing please Brian Eaton (Apr 11)
- Re: info on ip spoofing please Brian Eaton (Apr 11)
- Re: info on ip spoofing please Brandon Enright (Apr 11)
- Re: info on ip spoofing please Ian stuart Turnbull (Apr 11)
- Re: info on ip spoofing please Valdis . Kletnieks (Apr 11)
- Re: info on ip spoofing please Ian stuart Turnbull (Apr 11)
- Re: info on ip spoofing please Brandon Enright (Apr 11)
- Re: info on ip spoofing please Ian stuart Turnbull (Apr 11)
- Re: info on ip spoofing please Ian stuart Turnbull (Apr 11)
- RE: RE: info on ip spoofing please Ian stuart Turnbull (Apr 12)
- RE: RE: info on ip spoofing please Ian stuart Turnbull (Apr 12)