Penetration Testing mailing list archives
Re: [PEN-TEST] Spoofing switched networks
From: Dave Ryan <dave () DEFAULT ORG UK>
Date: Mon, 5 Feb 2001 20:06:12 +0000
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Quoting Salyars, Marty (marty.salyars () AMSC BELVOIR ARMY MIL):
> Can someone inside a switched NT network spoof a host to get unauthorized access to resources? How easy or hard is it?
Hmm, in the NT domain model doesn't it require some form of authentication? MS aren't that bad that they would rely on a layer 2 mechanism for reducing per-segment traffic loads for some sort of security mechanism. Switching is _not_ a method of security (it was never intended to be), so put the idea of switched == secure to the side. There aren't all that many mechanisms of restricting access based on MAC addresses (well, not implemented in most cases) due to the dynamic nature of LANs in general; static addressing can be an administrative nightmare.
> Can an individual inside or outside the switched NT network hijack a session to get into resources?
Internal, yes. External, no.
> What tools would the culprit use?
Lots: dsniff, fragrouter, arpredirect, parasite, hunt.
> Can the individual spoof the host using SYN flooding, sending spoofed ARP replies, MAC flooding/MAC spoofing/MAC duplication?
SYN flooding is a method of Denial of Service, generally used in this circumstance to keep a host down whilst you masquerade as it; it's not spoofing in its own right.

Spoofed ARP replies will cause datagrams destined for whatever MAC address you spoofed to be returned to you, if and only if you populate the MAC table (Content Addressable Memory - CAM, on Cisco's) quicker than a host normally would.

MAC flooding apparently causes some switches to fill up their MAC tables, and the overflow causes the switch to either (a) die or (b) revert to a hub (ie: switching goes bye bye). I've not been able to reproduce this on Catalyst 2900s or 5000s with any of the publicly available tools; mind you, I wasn't trying with 24 boxes connected to the switch either.

MAC spoofing involves sending ARP replies for other hosts etc. It's only effective when you correlate with upper layers; if used on its own you are effectively causing a denial of service at layer 2, which is not what you want to do in most scenarios.

MAC duplication will mess the MAC table up and cause a DoS on most switches; remember that the BIA on the card is supposed to be universally unique, so devices shouldn't have to contend with this in the real world :)

You seem to be a little confused in certain areas. I'd suggest that you read the introductory papers on sans.org, http://www.sans.org/infosecFAQ/switchednet/layer2.htm - there are a few other papers on SANS as well. After you understand the basics, have fun with the dsniff toolset or parasite; both work. This isn't difficult, just get to grips with the basics and then have some fun, on a test network of course :)
> Marty Salyars
Regards,
Dave.

- --
Dave Ryan
Default Security
http://www.default.org.uk/~dave
dave () default org uk
GnuPG Key: http://www.default.org.uk/~dave/gpgkey.asc
Fingerprint: F418 C882 FF03 82A0 A99A 2720 669C E8C3 44B8 2A0F

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (OpenBSD)
Comment: For info see http://www.gnupg.org

iD8DBQE6fweyZpzow0S4Kg8RAuDUAKCHUqQiVt5SpDe1da+rXAw+2jVbJACfUvba
ge9sPmggIGlx4Aqy7XZ9bdc=
=L2vQ
-----END PGP SIGNATURE-----
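As an added example (not code from the original post, nor from dsniff, parasite or any other tool the reply names), the following Python script turns two of the layer-2 observations in the reply into detection logic a network defender could run over captured ARP traffic: spoofed ARP replies (an IP address suddenly claimed by a different MAC, the same check arpwatch performs) and MAC flooding (one switch port sourcing far more distinct MACs than an access port ever should). All ARP records are constructed inline, and the `port` field is an assumption: raw frames do not carry it, so in practice it would come from a per-port SPAN session or the switch's own MAC-table logs.

```python
# Added defender-side example, not code from the original post or from any
# tool it names. It applies the two layer-2 observations in the reply,
# spoofed ARP replies and MAC (CAM-table) flooding, as detection logic
# over a constructed stream of ARP replies. The `port` field is assumed:
# real frames do not carry it, so it would come from a per-port SPAN
# session or from the switch's own MAC-table logs.
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    """One ARP reply as seen on a monitoring port (constructed records)."""
    ts: float        # arrival time in seconds
    port: str        # switch port the frame arrived on (assumed field)
    sender_ip: str   # ARP sender protocol address
    sender_mac: str  # ARP sender hardware address


def detect_arp_conflicts(replies):
    """Report IP -> MAC changes, arpwatch-style.

    The first binding seen for an IP is trusted; any later reply that
    claims the same IP from a different MAC is returned as
    (ts, ip, old_mac, new_mac, port). A genuine NIC swap also triggers
    this, so the alert is a lead for the operator, not proof of attack.
    """
    bindings = {}
    alerts = []
    for r in sorted(replies, key=lambda x: x.ts):
        known = bindings.get(r.sender_ip)
        if known is None:
            bindings[r.sender_ip] = r.sender_mac
        elif known != r.sender_mac:
            alerts.append((r.ts, r.sender_ip, known, r.sender_mac, r.port))
    return alerts


def detect_mac_flooding(replies, window=10.0, threshold=50):
    """Report a port that sources more than `threshold` distinct MACs
    inside a sliding `window` of seconds, returned as (ts, port, count).

    An access port normally shows a handful of addresses; hundreds within
    seconds is the CAM-table flooding the reply describes. Each port is
    reported once per run so the flood does not also flood the alerts.
    """
    recent = defaultdict(list)   # port -> [(ts, mac)] inside the window
    flagged = set()
    alerts = []
    for r in sorted(replies, key=lambda x: x.ts):
        seen = recent[r.port]
        seen.append((r.ts, r.sender_mac))
        while seen and seen[0][0] < r.ts - window:
            seen.pop(0)          # expire entries older than the window
        distinct = len({mac for _, mac in seen})
        if distinct > threshold and r.port not in flagged:
            flagged.add(r.port)
            alerts.append((r.ts, r.port, distinct))
    return alerts


def sample_replies():
    """Constructed traffic: normal replies, one spoofed gateway reply on
    Gi0/3, then a 300-address burst on Gi0/5 (placeholder addresses)."""
    normal = [
        ArpReply(0.0, "Gi0/1", "10.0.0.1", "00:00:0c:11:11:11"),   # gateway
        ArpReply(1.0, "Gi0/2", "10.0.0.20", "00:50:56:aa:aa:aa"),
        ArpReply(5.0, "Gi0/1", "10.0.0.1", "00:00:0c:11:11:11"),
    ]
    spoof = [ArpReply(7.0, "Gi0/3", "10.0.0.1", "00:50:56:bb:bb:bb")]
    flood = [
        ArpReply(20.0 + i * 0.01, "Gi0/5",
                 f"172.16.{i // 250 + 1}.{i % 250 + 1}",
                 f"02:00:00:00:{i // 256:02x}:{i % 256:02x}")
        for i in range(300)
    ]
    return normal + spoof + flood


if __name__ == "__main__":
    replies = sample_replies()
    for ts, ip, old, new, port in detect_arp_conflicts(replies):
        print(f"[{ts:7.2f}] ARP conflict: {ip} moved {old} -> {new} on {port}")
    for ts, port, n in detect_mac_flooding(replies):
        print(f"[{ts:7.2f}] MAC flooding: {n} source MACs on {port} in 10s")
```

Run it as-is and it reports the gateway address 10.0.0.1 moving to a second MAC on Gi0/3 and Gi0/5 crossing 50 distinct source MACs half a second into the burst. The conflict detector only knows what it has seen, so a first-reply-wins table can be poisoned if the attacker answers before the real host; seeding it from DHCP leases or a static inventory removes that race. Both checks are monitoring, not prevention: limiting the number of MACs a port may learn (port security) and validating ARP against DHCP bindings (dynamic ARP inspection) are the switch-side controls that stop the conditions the reply describes rather than merely reporting them.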
Current thread:
- [PEN-TEST] Spoofing switched networks Salyars, Marty (Feb 04)
- Re: [PEN-TEST] Spoofing switched networks Robert van der Meulen (Feb 04)
- Re: [PEN-TEST] Spoofing switched networks Brian Hartsfield (Feb 05)
- Re: [PEN-TEST] Spoofing switched networks Dave Ryan (Feb 05)
- <Possible follow-ups>
- Re: [PEN-TEST] Spoofing switched networks Chris St. Clair (Feb 04)
- Re: [PEN-TEST] Spoofing switched networks Lindqvist, Johan (Feb 06)
- Re: [PEN-TEST] Spoofing switched networks Sam Quigley (Feb 06)
- Re: [PEN-TEST] Spoofing switched networks Simon Waters (Feb 06)
- Re: [PEN-TEST] Spoofing switched networks Nathan Catlow (Feb 07)
- Re: [PEN-TEST] Spoofing switched networks shawn . moyer (Feb 06)
- Re: [PEN-TEST] Spoofing switched networks Sam Quigley (Feb 06)
- Re: [PEN-TEST] Spoofing switched networks Robert van der Meulen (Feb 04)
- Re: [PEN-TEST] Spoofing switched networks Eduardo_Campos (Feb 06)
- Re: [PEN-TEST] Spoofing switched networks Shoten (Feb 06)
- Re: [PEN-TEST] Spoofing switched networks Jason Brvenik (Feb 06)
- Re: [PEN-TEST] Spoofing switched networks Ryan Russell (Feb 06)