Penetration Testing mailing list archives
Re: Arp spoofing & dsniff
From: Ryan Russell <ryan () securityfocus com>
Date: Mon, 6 May 2002 15:21:45 -0600 (MDT)
On Mon, 6 May 2002, kumar mahadevan wrote:
> 1. ARP spoofing.
> 2. MAC flooding.
> 3. MAC Duplicating.
>
> Number 2 is not an option. Number 1 is ok except I did not want to risk breaking Network connectivity even after enabling IP Forwarding.

You take just about as much chance of breaking connectivity with number 3 as you do with number 1, it depends on the switch. BTW, do you know what brand of switch you're dealing with? Software rev?

> Number 3 is "supposed to be the easiest" since one just changes to the NIC. Also according to this article there is no need to ARP Spoof, if using MAC Duplicating.
>
> -----> Hence, back to the original question: Even though your answer makes sense as well (although the victim computer has lost NO connectivity yet. The victim whose MAC address I have duplicated on my RH 7 box has full network connectivity, still)

When you duplicate someone's MAC address, you're essentially trying to fool the switch into thinking that you're the machine you're trying to monitor, and get the switch to forward the traffic to you. Some switches only allow a MAC address to be on one port (or sometimes one port within a VLAN.) If that's the case, then you will get your victim's traffic, and it won't. Some switches will send the traffic to both places (the only real situation where this will work the way you want.)

Keep in mind that for a switch to even begin to think that the machine has changed ports, you must transmit something with that MAC address as the layer 2 source address. ARPs would be fine, but it can be anything. So, to try this out, you have to change your MAC AND start transmitting. But, you should plan on the victim being cut off unless you've been able to determine how your switch will react.

Ryan
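
From the defender's side, the port change described in this message shows up as one source MAC being relearned on different ports of the same VLAN. The following is an added example, not part of the original post, that flags such flapping in a constructed list of MAC-learn events; the event tuple format, the `find_mac_flaps` name and its thresholds are assumptions.

```python
from collections import defaultdict

# Constructed sample (not real data): MAC-learn events normalised to
# (seconds, vlan, source MAC, ingress port). The format is an assumption.
SAMPLE_EVENTS = [
    (0,   10, "00:11:22:33:44:55", "Gi0/1"),
    (2,   10, "00:11:22:33:44:55", "Gi0/7"),  # same MAC seen on a second port
    (3,   10, "00:11:22:33:44:55", "Gi0/1"),  # original host transmits again
    (5,   10, "00:11:22:33:44:55", "Gi0/7"),
    (1,   10, "00:aa:bb:cc:dd:01", "Gi0/3"),
    (900, 10, "00:aa:bb:cc:dd:01", "Gi0/4"),  # single move, e.g. a re-patched host
    (4,   20, "00:11:22:33:44:55", "Gi0/9"),  # other VLAN, tracked separately
]


def find_mac_flaps(events, window=60, min_moves=2):
    """Return {(vlan, mac): [ports]} for every MAC that changes port at least
    min_moves times within `window` seconds inside one VLAN."""
    history = defaultdict(list)  # (vlan, mac) -> [(time, port)], port changes only
    for ts, vlan, mac, port in sorted(events):
        seen = history[(vlan, mac.lower())]
        if not seen or seen[-1][1] != port:
            seen.append((ts, port))

    flaps = {}
    for key, seen in history.items():
        moves = seen[1:]  # every entry after the first learn is a port move
        start = 0
        for end in range(len(moves)):
            # Shrink the window until it spans at most `window` seconds.
            while moves[end][0] - moves[start][0] > window:
                start += 1
            if end - start + 1 >= min_moves:
                # Report all ports this MAC was learned on in this VLAN.
                flaps[key] = sorted({p for _, p in seen})
                break
    return flaps


if __name__ == "__main__":
    for (vlan, mac), ports in find_mac_flaps(SAMPLE_EVENTS).items():
        print(f"VLAN {vlan}: {mac} is moving between ports {', '.join(ports)}")
```

A single move outside the window is not reported, which keeps legitimately relocated hosts out of the result; repeated moves inside the window indicate two live transmitters using one address.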