Penetration Testing mailing list archives

Re: Sniffing on a switch


From: Cedric Blancher <blancher () cartel-securite fr>
Date: Wed, 02 Nov 2005 09:15:18 +0100

Good morning, Volker.

On Tuesday 01 November 2005 at 10:50 +0100, Volker Tanger wrote:
> If manual MAC/port mapping takes precedence over cache (which is
> implementation dependent) - why not?
> If port security disables the port (the attacker/flooder's one) as soon
> as more than one MAC address is being announced there - why not?

ARP cache poisoning will still work because when you ARP cache poison
someone, you actually don't change your MAC address at all... And as you
don't change the port you're plugged into, you also don't change your
_MAC/port_ mapping. The thing you're changing when ARP cache poisoning
is some station's _MAC/IP_ entry in the target's cache.
Let's say Joker wants to ARP cache poison Batman, pretending to be Robin.
He will send Batman ARP requests/answers associating _his_ MAC address
with Robin's _IP_, and thus does not alter his MAC address, so he's
transparent to any MAC/port mapping.

You can see http://sid.rstack.org/arp-sk/ for further details on ARP
cache poisoning. There's an abstract of a longer article, written in
French, that can be found at:

http://sid.rstack.org/arp-sk/article/arp.html

This is a link to a rough FR-EN automatic translation:

http://trans.voila.fr/voila?systran_lp=fr_en&systran_id=Voila-fr&systran_url=http://sid.rstack.org/arp-sk/article/arp.html&systran_f=1130919124


Moreover, port/MAC mappings are only checked on the Ethernet header, but ARP
cache poisoning occurs in an upper layer, in the ARP packets. As an example,
you can try to poison a host's ARP cache with MAC addresses that do not
belong to you or do not even exist. It just works, because the Ethernet
header remains consistent with regard to the switch's port/MAC mapping. You can
check the Ethernet header of the ARP packets in the article. The source MAC is
always the attacking host's.


To quickly reach my point: port security, as a layer 2 mechanism, is
_useless_ against ARP cache poisoning. The opposite can be found in some
articles/guides, but it is just wrong.

To fight ARP cache poisoning, you need to check MAC/IP mappings:

        . using ARP traffic monitoring software such as arpwatch (or
          dedicated IDS modules)
        . using static ARP caches on hosts
        . using switches that can provide MAC/IP mappings (usually layer
          3 switches)


-- 
http://sid.rstack.org/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
Hi! I'm your friendly neighbourhood signature virus.
Copy me to your signature file and help me spread!
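The following is an added example, not part of the post or of arp-sk. It makes the two points above concrete on constructed captures: a per-port source-MAC check of the kind port security performs passes every frame, because the Ethernet source MAC is always the sending host's own, while an arpwatch-style monitor that records IP-to-MAC bindings from the ARP payload flags the change. The station names, MAC addresses (00:00:5e:00:53:xx, the documentation range) and IPs (192.0.2.0/24) are assumed sample values, and the `ArpWatch` class is a minimal stand-in for arpwatch's "changed ethernet address" report, not arpwatch's own code.

```python
"""Added example (not from the post): why a per-port MAC check cannot see ARP
cache poisoning, and what an arpwatch-style MAC/IP monitor sees instead.
All MACs (00:00:5e:00:53:xx, RFC 7042 documentation range) and IPs
(192.0.2.0/24, RFC 5737) are constructed sample values."""
import struct
from dataclasses import dataclass

ETHERTYPE_ARP = 0x0806


@dataclass
class ArpFrame:
    eth_src: str      # Ethernet header source MAC: the only thing port security sees
    opcode: int       # 1 = request, 2 = reply
    sender_mac: str   # ARP payload fields: what actually updates the victim's cache
    sender_ip: str
    target_mac: str
    target_ip: str


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def _ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def parse_arp_frame(raw: bytes) -> ArpFrame:
    """Parse a 14-byte Ethernet header followed by a 28-byte Ethernet/IPv4 ARP packet."""
    if len(raw) < 42:
        raise ValueError("frame too short for Ethernet + ARP")
    ethertype = struct.unpack("!H", raw[12:14])[0]
    if ethertype != ETHERTYPE_ARP:
        raise ValueError(f"not an ARP frame: ethertype 0x{ethertype:04x}")
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", raw[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol types")
    return ArpFrame(
        eth_src=_mac(raw[6:12]),
        opcode=opcode,
        sender_mac=_mac(raw[22:28]), sender_ip=_ip(raw[28:32]),
        target_mac=_mac(raw[32:38]), target_ip=_ip(raw[38:42]),
    )


def port_security_accepts(frame: ArpFrame, port: int, port_table: dict) -> bool:
    """Layer 2 check: is the Ethernet source MAC the one learned on this port?"""
    return port_table.get(port) == frame.eth_src


class ArpWatch:
    """Minimal arpwatch-style monitor: remembers IP -> MAC and reports changes."""

    def __init__(self):
        self.bindings = {}

    def observe(self, frame: ArpFrame):
        known = self.bindings.get(frame.sender_ip)
        self.bindings[frame.sender_ip] = frame.sender_mac
        if known is None or known == frame.sender_mac:
            return None
        return f"changed ethernet address: {frame.sender_ip} {known} -> {frame.sender_mac}"


# Constructed captures (port, raw frame). Batman is .1 on port 1, Robin .2 on
# port 2, Joker .3 on port 3. Each hex string is laid out as:
#   eth dst | eth src | 0806 | htype ptype hlen plen op | sha | spa | tha | tpa
FRAMES = [
    # 1. Robin's genuine reply to Batman
    (2, bytes.fromhex("00005e005301" "00005e005302" "0806" "0001080006040002"
                      "00005e005302" "c0000202" "00005e005301" "c0000201")),
    # 2. Joker's reply: Ethernet source is Joker's own MAC, ARP sender IP is Robin's
    (3, bytes.fromhex("00005e005301" "00005e005303" "0806" "0001080006040002"
                      "00005e005303" "c0000202" "00005e005301" "c0000201")),
    # 3. Same, but the ARP sender MAC is one that exists nowhere on the segment
    (3, bytes.fromhex("00005e005301" "00005e005303" "0806" "0001080006040002"
                      "00005e0053ff" "c0000202" "00005e005301" "c0000201")),
]
PORT_TABLE = {1: "00:00:5e:00:53:01", 2: "00:00:5e:00:53:02", 3: "00:00:5e:00:53:03"}


def run_demo():
    """Return (port-security verdicts, arpwatch alerts) for the three frames."""
    watch = ArpWatch()
    verdicts, alerts = [], []
    for port, raw in FRAMES:
        frame = parse_arp_frame(raw)
        verdicts.append(port_security_accepts(frame, port, PORT_TABLE))
        alert = watch.observe(frame)
        if alert:
            alerts.append(alert)
    return verdicts, alerts


if __name__ == "__main__":
    verdicts, alerts = run_demo()
    print("port security accepts each frame:", verdicts)
    for line in alerts:
        print("arpwatch:", line)
```

Running it prints `[True, True, True]` for the port-security check (frames 2 and 3 come from the port on which Joker's MAC was legitimately learned) and two binding changes for 192.0.2.2 from the monitor, which is exactly the layer at which the post says the check has to happen.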
