Penetration Testing mailing list archives

Re: [PEN-TEST] Spoofing switched networks


From: Dave Ryan <dave () DEFAULT ORG UK>
Date: Mon, 5 Feb 2001 20:06:12 +0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Quoting Salyars, Marty (marty.salyars () AMSC BELVOIR ARMY MIL):
      Can someone inside a switched NT network spoof a host to get
unauthorized access to resources.  How easy or hard is it?

Hmm, in the NT domain model doesn't it require some form of authentication? MS aren't that bad that they would rely on a
layer 2 mechanism for reducing per segment traffic loads for some sort of security mechanism. Switching is _not_ a
method of security (it was never intended to be), so put the idea of switched == secure to the side.

There aren't all that many mechanisms for restricting access based on MAC addresses (well, not implemented in most cases)
due to the dynamic nature of LANs in general; static addressing can be an administrative nightmare.

      Can an individual inside or outside the switched NT network hijack a
session to get into resources
internal yes.
external no.

      What tools would the culprit use?
lots,

dsniff, fragrouter, arpredirect, parasite, hunt.

      Can the individual spoof the host using SYN flooding, sending
spoofed ARP replies, MAC flooding/ MAC spoofing/MAC duplication.
SYN flooding is a method of Denial of Service, generally used in this circumstance to keep a host down whilst you
masquerade as it; it's not spoofing in its own right.

Spoofed ARP replies will cause datagrams destined for whatever MAC address you spoofed to be returned to you, if and
only if you populate the MAC table (Content Addressable Memory, CAM, on Cisco's) quicker than a host normally would.

MAC flooding apparently causes some switches to fill up their MAC tables, and the overflow causes the switch to either
(a) die or (b) revert to a hub (ie: switching goes bye bye). I've not been able to reproduce this on Catalyst 2900s or
5000s with any of the publicly available tools; mind you, I wasn't trying with 24 boxes connected to the switch either.

MAC spoofing involves sending ARP replies for other hosts etc. It's only effective when you correlate with upper layers;
if used on its own you are effectively causing a denial of service at layer 2, which is not what you want to do in most
scenarios.

MAC duplication will mess the MAC table up and cause a DoS on most switches. Remember that the BIA on the card is
supposed to be universally unique, so devices shouldn't have to contend with this in the real world :)

You seem to be a little confused in certain areas; I'd suggest that you read the introductory papers on sans.org

http://www.sans.org/infosecFAQ/switchednet/layer2.htm

There are a few other papers on SANS as well. After you understand the basics, have fun with the dsniff toolset or
parasite; both work. This isn't difficult, just get to grips with the basics and then have some fun, on a test network
of course :)

      Marty Salyars

Regards,
Dave.

- --
Dave Ryan                               Default Security
http://www.default.org.uk/~dave         dave () default org uk

GnuPG Key:      http://www.default.org.uk/~dave/gpgkey.asc
Fingerprint:    F418 C882 FF03 82A0 A99A  2720 669C E8C3 44B8 2A0F

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (OpenBSD)
Comment: For info see http://www.gnupg.org

iD8DBQE6fweyZpzow0S4Kg8RAuDUAKCHUqQiVt5SpDe1da+rXAw+2jVbJACfUvba
ge9sPmggIGlx4Aqy7XZ9bdc=
=L2vQ
-----END PGP SIGNATURE-----
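The reply above lists the layer-2 tricks a switched segment is exposed to: spoofed ARP replies, MAC duplication and MAC table flooding. The script below is an added example for this archive page, not code from the original post or from the dsniff/parasite tools it mentions. It takes the defender's view: given a list of ARP replies as a sniffer or a switch's port-security log would record them, it flags the three symptoms those techniques leave behind. The `ArpReply` record, its hypothetical `port` field, the sample capture and the flood threshold are all constructed for the example.

```python
"""Offline detector for the layer-2 symptoms discussed in the thread.

Given ARP replies (timestamp, sender IP, sender MAC, ingress port) it reports:
  * ip_mac_change  - an IP previously answered for by one MAC is now claimed by
                     another (the trace a spoofed ARP reply leaves in a cache)
  * mac_moved_port - one MAC seen on two switch ports (MAC duplication)
  * mac_flood      - too many distinct source MACs on one port in a short window
                     (MAC table flooding)
All sample data below is constructed for the example.
"""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    ts: float          # seconds since capture start
    sender_ip: str     # IP the reply claims to answer for
    sender_mac: str    # MAC it says that IP lives at
    port: int          # switch port the frame arrived on (hypothetical field)


def detect_arp_anomalies(replies, flood_threshold=50, window=10.0):
    """Return a list of (kind, subject, old, new, ts) alert tuples."""
    ip_to_mac = {}                 # last MAC seen answering for each IP
    mac_to_port = {}               # last port each MAC was seen on
    per_port = defaultdict(deque)  # port -> deque of (ts, mac) inside the window
    flooded = set()                # ports already reported as flooding
    alerts = []

    for r in sorted(replies, key=lambda x: x.ts):
        # 1. Spoofed ARP reply: the IP-to-MAC binding changed.
        prev_mac = ip_to_mac.get(r.sender_ip)
        if prev_mac is not None and prev_mac != r.sender_mac:
            alerts.append(("ip_mac_change", r.sender_ip, prev_mac, r.sender_mac, r.ts))
        ip_to_mac[r.sender_ip] = r.sender_mac

        # 2. MAC duplication: the same burned-in address shows up on another port.
        prev_port = mac_to_port.get(r.sender_mac)
        if prev_port is not None and prev_port != r.port:
            alerts.append(("mac_moved_port", r.sender_mac, prev_port, r.port, r.ts))
        mac_to_port[r.sender_mac] = r.port

        # 3. MAC flooding: distinct source MACs per port inside a sliding window.
        dq = per_port[r.port]
        dq.append((r.ts, r.sender_mac))
        while dq and dq[0][0] < r.ts - window:
            dq.popleft()
        distinct = len({m for _, m in dq})
        if distinct >= flood_threshold and r.port not in flooded:
            flooded.add(r.port)
            alerts.append(("mac_flood", r.port, flood_threshold, distinct, r.ts))
    return alerts


def build_sample_replies():
    """Constructed capture: a quiet LAN, then one rogue host on port 7."""
    replies = [
        ArpReply(0.0, "10.0.0.1", "00:11:22:33:44:01", 1),    # gateway
        ArpReply(1.0, "10.0.0.10", "00:11:22:33:44:0a", 2),
        ArpReply(2.0, "10.0.0.11", "00:11:22:33:44:0b", 3),
        # rogue host answers for the gateway's IP with its own MAC
        ArpReply(5.0, "10.0.0.1", "02:aa:bb:cc:dd:ee", 7),
        # rogue host reuses 10.0.0.10's MAC (duplication) on its own port
        ArpReply(6.0, "10.0.0.10", "00:11:22:33:44:0a", 7),
    ]
    # burst of made-up source MACs from the same port: MAC table flooding
    for i in range(200):
        replies.append(ArpReply(20.0 + i * 0.01,
                                f"192.168.{i // 256}.{i % 256}",
                                f"02:00:00:00:{i // 256:02x}:{i % 256:02x}", 7))
    return replies


if __name__ == "__main__":
    for alert in detect_arp_anomalies(build_sample_replies()):
        print(alert)
```

Run on the constructed capture it prints exactly three alerts: the gateway IP changing MAC at t=5, the 10.0.0.10 MAC moving from port 2 to port 7 at t=6, and port 7 crossing the 50-distinct-MAC mark during the burst. The threshold and window are deliberately conservative so that ordinary DHCP churn on a port does not trip the flood rule; tune them to the segment, and treat an `ip_mac_change` on a gateway or DNS address as the highest-priority event, since that is the binding a dsniff-style interception needs to rewrite.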