Penetration Testing mailing list archives

Re: Arp spoofing & dsniff


From: kumar mahadevan <kumar_mahadevan_6 () yahoo ca>
Date: Mon, 6 May 2002 16:24:33 -0400 (EDT)


Thanks for the reply.

I am new to this, so I am going purely by the theory on SANS:
http://www.sans.org/newlook/resources/IDFAQ/switched_network.htm

It says that there are 3 ways to sniff on switched networks:

    1. ARP spoofing.
    2. MAC flooding.
    3. MAC Duplicating.

Number 2 is not an option.
Number 1 is OK, except I did not want to risk breaking network connectivity, even after enabling IP forwarding.

Number 3 is "supposed to be the easiest", since one just makes changes to the NIC. Also, according to this article, there is no need to ARP spoof if using MAC duplicating.

----->    Hence, back to the original question. Even though your answer makes sense as well (although the victim computer has lost NO connectivity yet; the victim whose MAC address I have duplicated on my RH 7 box still has full network connectivity):

----->    how do I now get Telnet sessions originating from the victim to destination servers:23?
    

thanks again 

kumar.


--- Ryan Russell <ryan () securityfocus com> wrote:
> On Mon, 6 May 2002, kumar mahadevan wrote:
>
> > If I am on a switched network and I change my MAC address on my RH 7 box
> > to the victim's (using ifconfig), how do I then capture, say, Telnet
> > sessions between the victim and a server running the telnet service?
>
> If you change your MAC address to be that of the victim (the box in the
> same broadcast domain as your attacking machine) then you will be fighting
> the victim for control of the MAC address in the switch. The switch will
> alternately think that that MAC address is in one port, then another, as
> frames come in with that as a source address. In general, you'll just
> make the victim unable to communicate, and you won't be able to monitor
> most of the traffic.
>
> > I don't want to ARP cache poison nor MAC flood the switch.
>
> Then your best bet is to poison the ARP cache on the victim, to make it
> think you're the other box, or the router. Configure your box to forward
> the packets so you don't break the communications.
>
>                                       Ryan



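The following is an added example, not code from either poster or from the SANS article: a pure-Python model of a learning switch with a victim, a telnet server and an attacker, which plays out the two options debated above. In "mac_dup" mode the attacker clones the victim's MAC (option 3); in "arp_poison" mode it keeps its own MAC, both ends' ARP caches point at it, and it relays frames like a box with IP forwarding enabled (Ryan's suggestion). Every MAC, IP address, port number and "keystroke"/"echo" payload is made up for the simulation, and the switch is deliberately simple (no CAM aging, no port security), so it runs offline with no raw sockets.

```python
"""Toy model of a learning switch: MAC duplication vs. ARP poisoning + forwarding.
All MACs, IPs, ports and payloads below are made up for the simulation."""

VICTIM_MAC, SERVER_MAC, ATTACKER_MAC = "00:aa:01", "00:bb:02", "00:cc:03"
VICTIM_IP, SERVER_IP, ATTACKER_IP = "10.0.0.1", "10.0.0.2", "10.0.0.3"
VICTIM_PORT, SERVER_PORT, ATTACKER_PORT = 1, 2, 3


class Switch:
    """Transparent bridge: learns src MAC -> ingress port from every frame,
    forwards by dst MAC, floods unknown unicast, counts MAC moves (flaps)."""

    def __init__(self):
        self.cam, self.hosts, self.flaps = {}, {}, 0

    def attach(self, port, host):
        self.hosts[port] = host
        host.switch, host.port = self, port

    def ingress(self, port, src, dst, ip_dst, payload):
        if self.cam.get(src, port) != port:
            self.flaps += 1          # same MAC just showed up on another port
        self.cam[src] = port
        out = self.cam.get(dst)
        targets = [out] if out is not None else list(self.hosts)
        for p in targets:
            if p != port:
                self.hosts[p].receive(src, dst, ip_dst, payload)


class Host:
    """Ordinary host: resolves the next-hop MAC from its (poisonable) ARP
    cache and, like a NIC in normal mode, keeps only frames sent to its MAC."""

    def __init__(self, mac, ip, arp):
        self.mac, self.ip, self.arp, self.seen = mac, ip, dict(arp), []

    def send(self, ip_dst, payload):
        self.switch.ingress(self.port, self.mac, self.arp[ip_dst], ip_dst, payload)

    def receive(self, src, dst, ip_dst, payload):
        if dst == self.mac:
            self.seen.append(payload)


class Attacker(Host):
    """Promiscuous NIC that logs every frame the switch hands it; with
    forward=True it relays frames for other hosts' IPs to their real MAC,
    which is what IP forwarding buys you after ARP poisoning."""

    def __init__(self, mac, ip, arp, forward):
        super().__init__(mac, ip, arp)
        self.forward, self.sniffed = forward, []

    def receive(self, src, dst, ip_dst, payload):
        self.sniffed.append(payload)
        if self.forward and dst == self.mac and ip_dst != self.ip:
            self.switch.ingress(self.port, self.mac, self.arp[ip_dst], ip_dst, payload)


def run_session(mode, rounds=4, attacker_talks=False):
    """Simulate `rounds` telnet keystroke/echo exchanges between victim and
    server. mode is "mac_dup" or "arp_poison". Returns what each side got."""
    sw = Switch()
    if mode == "mac_dup":
        # Attacker clones the victim's MAC; ARP caches are untouched.
        victim = Host(VICTIM_MAC, VICTIM_IP, {SERVER_IP: SERVER_MAC})
        server = Host(SERVER_MAC, SERVER_IP, {VICTIM_IP: VICTIM_MAC})
        attacker = Attacker(VICTIM_MAC, ATTACKER_IP, {SERVER_IP: SERVER_MAC}, forward=False)
    else:
        # Attacker keeps its own MAC; both ends' ARP caches now map the
        # other end's IP to the attacker, and the attacker forwards.
        victim = Host(VICTIM_MAC, VICTIM_IP, {SERVER_IP: ATTACKER_MAC})
        server = Host(SERVER_MAC, SERVER_IP, {VICTIM_IP: ATTACKER_MAC})
        attacker = Attacker(ATTACKER_MAC, ATTACKER_IP,
                            {SERVER_IP: SERVER_MAC, VICTIM_IP: VICTIM_MAC}, forward=True)
    for port, host in ((VICTIM_PORT, victim), (SERVER_PORT, server), (ATTACKER_PORT, attacker)):
        sw.attach(port, host)

    for i in range(rounds):
        victim.send(SERVER_IP, f"keystroke {i}")
        if attacker_talks:          # any ordinary traffic leaving the attacker box
            attacker.send(SERVER_IP, f"attacker frame {i}")
        server.send(VICTIM_IP, f"echo {i}")
    return {"victim_got": len(victim.seen), "server_got": len(server.seen),
            "attacker_saw": attacker.sniffed, "flaps": sw.flaps}


if __name__ == "__main__":
    for args in (("mac_dup", 4, False), ("mac_dup", 4, True), ("arp_poison", 4, False)):
        print(args, run_session(*args))
```

Running it prints three results. With a cloned MAC and a silent attacker, the switch's table stays pointed at the victim, so the victim keeps full connectivity (the state kumar reports) and the attacker sees nothing beyond the one frame flooded before the switch learned the server's port; the victim-to-server direction never reaches the attacker at all. As soon as the attacker box sends anything of its own, the table flaps on every frame and the server's replies land on the attacker instead of the victim, which is the breakage Ryan describes. With ARP poisoning plus forwarding, no MAC moves, both hosts receive every frame, and the attacker sees both directions. On real hardware the outcome of the cloned-MAC case depends on frame timing rather than this fixed ordering, and features such as port security or dynamic ARP inspection change the picture for both techniques.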
