Penetration Testing mailing list archives

Re: [PEN-TEST] Spoofing switched networks


From: Robert van der Meulen <rvdm () CISTRON NL>
Date: Sun, 4 Feb 2001 19:02:27 +0100

Hi,

Quoting Salyars, Marty (marty.salyars () AMSC BELVOIR ARMY MIL):
> Can someone inside a switched NT network spoof a host to get
> unauthorized access to resources? How easy or hard is it?
Yes. Using tools like 'arpredirect' in combination with 'fragrouter' or the
like, someone can redirect all traffic from a host to other hosts through
his/her own machine. Spoofing is easy then.
Spoofing inside a switched network is usually no problem at all; sniffing
inside a switched network is. You probably won't even need to 'arpredirect'
to do the spoofing, unless we're talking a switch that knows his stuff.

> Can someone outside the switched NT network spoof a host to get
> unauthorized access? How can they do this?
If your router allows routing of those 'inside' addresses, yes.
Anything that generates spoofed packets will work.

> Can an individual inside or outside the switched NT network hijack a
> session to get into resources?
Session hijacking would need sniffing, unless the sequence numbering is
_very_ straightforward, then it's guessable - but hard to do.
When using 'arpredirect' to direct all traffic through an 'intermediate
host', session hijacking is quite easy.
'hunt' is a tool that does stuff like that.

> What tools would the culprit use?
'dsniff' (includes arpredirect), 'hunt', 'fragrouter'.

> Can the individual spoof a host using SYN flooding, sending
> spoofed ARP replies, MAC flooding/MAC spoofing/MAC duplication?
Spoofing through SYN flooding is not possible ;) - taking out the originator
using SYN flooding, then spoofing it, is.
MAC spoofing is a very real option, if the network card supports changing
its hardware address.

Greets,
        Robert
--
                                Linux Generation
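The ARP redirection Robert describes leaves a visible trace on the wire: a spoofed ARP reply changes the MAC address that a known IP (typically the gateway) "is-at", and the attacking MAC ends up claiming more than one IP. The following is an added example, not part of the original post and not code from dsniff, hunt or fragrouter; it is a small arpwatch-style detector that parses constructed ARP reply lines (shaped like `tcpdump -n` output) and flags exactly those two indicators, plus mismatches against a trusted IP-to-MAC table. All addresses, MACs and log lines in it are constructed sample data.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Matches ARP reply lines shaped like `tcpdump -n` output, e.g.
# "ARP, Reply 10.0.0.1 is-at aa:bb:cc:dd:ee:01, length 28".
ARP_REPLY_RE = re.compile(
    r"ARP, Reply (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) is-at "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class ArpReply:
    sender_ip: str
    sender_mac: str


def parse_arp_replies(lines):
    """Extract (ip, mac) pairs from ARP reply lines; requests and other lines are ignored."""
    replies = []
    for line in lines:
        m = ARP_REPLY_RE.search(line)
        if m:
            replies.append(ArpReply(m.group("ip"), m.group("mac").lower()))
    return replies


def detect_arp_anomalies(replies, trusted=None):
    """Return alerts for the classic ARP poisoning indicators.

    - "trusted-mismatch": a reply for an IP in the trusted table carries a different MAC
      (gateway spoofing is the usual case).
    - "ip-mac-changed": an IP we already learned is now announced from a new MAC.
    - "mac-claims-multiple-ips": one MAC has announced itself for more than one IP,
      which is what an intermediate host redirecting traffic looks like.
    """
    trusted = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
    learned = {}                       # ip -> most recently seen mac
    mac_to_ips = defaultdict(set)      # mac -> set of ips it has claimed
    alerts = []
    for r in replies:
        ip, mac = r.sender_ip, r.sender_mac
        if ip in trusted and trusted[ip] != mac:
            alerts.append(("trusted-mismatch", ip, trusted[ip], mac))
        prev = learned.get(ip)
        if prev is not None and prev != mac:
            alerts.append(("ip-mac-changed", ip, prev, mac))
        learned[ip] = mac
        if ip not in mac_to_ips[mac]:
            mac_to_ips[mac].add(ip)
            if len(mac_to_ips[mac]) > 1:
                alerts.append(("mac-claims-multiple-ips", mac, tuple(sorted(mac_to_ips[mac]))))
    return alerts


# Constructed sample capture: a gateway and a host answer normally, then the host's
# MAC answers for the gateway's IP, which is the signature of ARP redirection.
SAMPLE_LINES = [
    "12:00:01.000001 ARP, Reply 10.0.0.1 is-at aa:bb:cc:dd:ee:01, length 28",
    "12:00:01.000002 ARP, Reply 10.0.0.7 is-at aa:bb:cc:dd:ee:07, length 28",
    "12:00:05.000003 ARP, Request who-has 10.0.0.1 tell 10.0.0.7, length 28",
    "12:00:05.000004 ARP, Reply 10.0.0.1 is-at aa:bb:cc:dd:ee:07, length 28",
]
# Constructed trusted table: the gateway's real MAC as recorded by the administrator.
TRUSTED = {"10.0.0.1": "aa:bb:cc:dd:ee:01"}


def run_sample():
    """Run the detector over the constructed sample and return its alerts."""
    return detect_arp_anomalies(parse_arp_replies(SAMPLE_LINES), TRUSTED)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

On the sample, the poisoned reply produces all three alert kinds at once. The multiple-IP heuristic is the noisiest of the three in practice: multi-homed hosts, proxy ARP and HA virtual IPs legitimately answer for several addresses, so the trusted table (a static map of gateway and server MACs) is the check worth paging on, with the other two as supporting evidence. Note also that on a switch that does port security or dynamic ARP inspection, the traffic this script looks for may never reach a monitoring port; the detector complements those controls rather than replacing them.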
