Penetration Testing mailing list archives

Re: [PEN-TEST] Layer 3 Sniffing


From: Dave Ryan <dave () DEFAULT ORG UK>
Date: Thu, 28 Sep 2000 23:50:33 +0100

Dave

 +-----------------------------+
| Dave Ryan                     |
| Default Security              |
| http://www.default.org.uk     |
 +-----------------------------+

On Thu, 28 Sep 2000, Justin Funke wrote:

> I have been doing some research on sniffing switched networks and I have
> a quick question that has presented itself.
>
> Now that the new switches are using Layer 3 switching technology with
> ABC (Automatic Broadcast Control) how are you able to forward your
> broadcast packet to the other clients to request the traffic you want to
> sniff if the switch is stopping the broadcast and answering the request
> itself?
You are attacking the switch at L2, thus bypassing any of the L3
restrictiveness that the switches imply.

A number of possibilities exist depending on the switch. Some might be
vulnerable to macof attacks, which basically means overpopulating the MAC
table (or CAM on Cisco's - content addressable memory), which would cause the
switch to stop switching as such and fall into an open state like a hub, which
would allow for normal switching etc. (2nd) If you have access to the switch you
could set it into SPAN mode (again on Cisco's), which would allow you to
redirect all traffic on a switch to a single port - this is for
admin/monitoring purposes etc.

Now the fun way is to use some of the great tools out there, my favourite being
fragrouter and arpredirect (can I just take this time to say Dug Song rocks)
and any sniffer - dsniff etc. At this point it is possible to spoof the
hardware address (by updating the MAC states quicker than the real host) of
your target (in most cases the gateway/router) and keep a static entry of the
address in your MAC table. Once the Ethernet traffic is being redirected to you
it's simply a matter of setting yourself up as a transparent bridge, for want of
a better statement (it's 9:30 and the pub is calling me), at which point all
traffic is redirected through you and on to the gateway - your friendly
neighbourhood sniffer comes into play here and just captures your intended
traffic etc etc blah blah.. you get the idea, if you don't email me.

rgds,



> Or I am missing something here?
>
> Thanks,
>
> Justin Funke


#include <disclaimer.h> //etc
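An added example, not part of the thread and not code from the tools named above: a small detector for the two behaviours Dave describes, run over a constructed set of switch observations. The port names, addresses, the gateway IP and the per-port MAC threshold are assumptions.

```python
from collections import defaultdict

GATEWAY_IP = "10.0.0.1"  # assumed address of the router an attacker would impersonate


def constructed_observations():
    """Constructed sample traffic, not a real capture: (port, src_mac, arp_sender_ip).
    arp_sender_ip is None for frames that are not ARP."""
    obs = [
        ("Gi0/1", "00:11:22:33:44:01", GATEWAY_IP),  # real router announcing itself
        ("Gi0/2", "00:11:22:33:44:02", "10.0.0.2"),
        ("Gi0/3", "00:11:22:33:44:03", "10.0.0.3"),
        ("Gi0/7", "de:ad:be:ef:00:07", "10.0.0.7"),  # ordinary host on port 7 ...
        ("Gi0/7", "de:ad:be:ef:00:07", GATEWAY_IP),  # ... now also claiming the gateway IP
    ]
    # Port Gi0/9 sourcing hundreds of distinct MACs in a burst: the CAM-flooding pattern.
    obs += [("Gi0/9", f"02:00:00:00:{i >> 8:02x}:{i & 0xff:02x}", None) for i in range(300)]
    return obs


def arp_conflicts(observations):
    """Map each IP to every (port, MAC) pair that claimed it in ARP.
    An IP claimed by more than one MAC is an ARP-poisoning candidate."""
    claims = defaultdict(set)
    for port, mac, ip in observations:
        if ip is not None:
            claims[ip].add((port, mac))
    return {ip: sorted(pairs) for ip, pairs in claims.items() if len(pairs) > 1}


def flooded_ports(observations, max_macs_per_port=20):
    """Count distinct source MACs per port. An access port sourcing more MACs
    than any plausible number of hosts behind it is a CAM-flooding candidate."""
    macs = defaultdict(set)
    for port, mac, _ in observations:
        macs[port].add(mac)
    return {p: len(m) for p, m in macs.items() if len(m) > max_macs_per_port}


if __name__ == "__main__":
    obs = constructed_observations()
    for ip, pairs in arp_conflicts(obs).items():
        print(f"ARP conflict: {ip} claimed by {pairs}")
    for port, n in flooded_ports(obs).items():
        print(f"possible CAM flood: {port} sourced {n} distinct MACs")
```

Port security (a per-port MAC limit) and Dynamic ARP Inspection on the switch stop both cases at the source; the script only shows what the signal looks like in the data.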

