Penetration Testing mailing list archives
Re: Sniffing on a switch
From: Cedric Blancher <blancher () cartel-securite fr>
Date: Wed, 02 Nov 2005 09:15:18 +0100
Good morning Volker. On Tuesday 01 November 2005 at 10:50 +0100, Volker Tanger wrote:
> If manual MAC/port mapping takes precedence over cache (which is implementation dependent) - why not? If port security disables the port (the attacker/flooder's one) as soon as more than one MAC address is being announced there - why not?
ARP cache poisoning will still work because when you ARP cache poison someone, you actually don't change your MAC address at all... And as you don't change the port you're plugged in, you also don't change your _MAC/port_ mapping. The thing you're changing when ARP cache poisoning is some station's _MAC/IP_ in the target's cache.

Let's say Joker wants to ARP cache poison Batman, pretending to be Robin. He will send Batman ARP requests/answers associating _his_ MAC address with Robin's _IP_, and thus does not alter his MAC address, so he's transparent to any MAC/port mapping.

You can see http://sid.rstack.org/arp-sk/ for further details on ARP cache poisoning. There's an abstract of a longer article, written in French, that can be found at: http://sid.rstack.org/arp-sk/article/arp.html

This is a link to a rough FR-EN automatic translation: http://trans.voila.fr/voila?systran_lp=fr_en&systran_id=Voila-fr&systran_url=http://sid.rstack.org/arp-sk/article/arp.html&systran_f=1130919124

Moreover, port/MAC mappings are only checked on the Ethernet header, but ARP cache poisoning occurs in an upper layer, in ARP packets. As an example, you can try to poison a host's ARP cache for MAC addresses that do not belong to you or do not even exist. It just works, because the Ethernet header remains consistent with regard to the switch port/MAC mapping. You can check the Ethernet header of ARP packets in the article. The source MAC is always the attacking host's one.

To quickly reach my point, port security, as a layer 2 mechanism, is _useless_ against ARP cache poisoning. This can be found in some articles/guides, but it is just wrong.

To fight ARP cache poisoning, you need to check MAC/IP mappings:
. using ARP traffic monitoring software such as arpwatch (or dedicated IDS modules)
. using static ARP cache on hosts
. using switches that can provide MAC/IP mappings (usually layer 3 switches)

--
http://sid.rstack.org/
PGP KeyID: 157E98EE
FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
Hi! I'm your friendly neighbourhood signature virus. Copy me to your signature file and help me spread!
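The post above makes two detection-relevant points: the switch's port/MAC table only ever sees the Ethernet source address, while the poisoned mapping lives in the ARP payload (sender hardware address / sender protocol address), and the defence is therefore to watch MAC/IP pairs the way arpwatch does. The following is an added example, not code from the original message or from the arp-sk project: a minimal Ethernet+ARP decoder plus an arpwatch-style monitor that flags (a) an ARP sender MAC that disagrees with the Ethernet source MAC, which a port/MAC table cannot notice, and (b) an IP whose MAC changes from what was previously seen. All frames, MAC addresses and IPs below are constructed sample data; `build_arp_frame` exists only to assemble that sample input in memory.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional

# Wire formats: 14-byte Ethernet II header, 28-byte ARP header (Ethernet/IPv4).
ETH_HDR = struct.Struct("!6s6sH")              # dst MAC, src MAC, EtherType
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")      # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ETHERTYPE_IPV4 = 0x0800


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def mac_bytes(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def ip_bytes(s: str) -> bytes:
    return bytes(int(x) for x in s.split("."))


@dataclass
class ArpFrame:
    eth_src: str        # what a switch's port/MAC table learns from
    eth_dst: str
    opcode: int         # 1 = request, 2 = reply
    sender_mac: str     # what the victim's ARP cache learns from
    sender_ip: str
    target_mac: str
    target_ip: str


def parse_arp(frame: bytes) -> Optional[ArpFrame]:
    """Decode an Ethernet frame carrying IPv4-over-Ethernet ARP; None if it is anything else."""
    if len(frame) < ETH_HDR.size + ARP_HDR.size:
        return None
    dst, src, etype = ETH_HDR.unpack_from(frame, 0)
    if etype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = ARP_HDR.unpack_from(frame, ETH_HDR.size)
    if htype != 1 or ptype != ETHERTYPE_IPV4 or hlen != 6 or plen != 4:
        return None
    return ArpFrame(mac_str(src), mac_str(dst), op, mac_str(sha), ip_str(spa),
                    mac_str(tha), ip_str(tpa))


def build_arp_frame(eth_src: str, eth_dst: str, op: int, sha: str, spa: str,
                    tha: str, tpa: str) -> bytes:
    """Assemble a constructed sample frame for feeding the monitor offline (test data only)."""
    eth = ETH_HDR.pack(mac_bytes(eth_dst), mac_bytes(eth_src), ETHERTYPE_ARP)
    arp = ARP_HDR.pack(1, ETHERTYPE_IPV4, 6, 4, op, mac_bytes(sha), ip_bytes(spa),
                       mac_bytes(tha), ip_bytes(tpa))
    return eth + arp


class ArpWatcher:
    """arpwatch-style monitor: remembers IP -> MAC and reports changes and header inconsistencies."""

    def __init__(self) -> None:
        self.table: Dict[str, str] = {}

    def observe(self, frame: bytes) -> List[str]:
        arp = parse_arp(frame)
        if arp is None:
            return []
        alerts: List[str] = []
        # Point (a): port security sees only eth_src; the cache entry comes from sender_mac.
        if arp.sender_mac != arp.eth_src:
            alerts.append(f"ETH/ARP MISMATCH: eth src {arp.eth_src} carries ARP sender {arp.sender_mac}")
        # ARP probes (sender IP 0.0.0.0, RFC 5227) announce no mapping; don't learn from them.
        if arp.sender_ip == "0.0.0.0":
            return alerts
        # Point (b): track the IP -> MAC pair and flag a flip-flop.
        prev = self.table.get(arp.sender_ip)
        if prev is None:
            self.table[arp.sender_ip] = arp.sender_mac
        elif prev != arp.sender_mac:
            alerts.append(f"MAPPING CHANGED: {arp.sender_ip} was {prev}, now {arp.sender_mac}")
            self.table[arp.sender_ip] = arp.sender_mac
        return alerts


if __name__ == "__main__":
    # Constructed scenario with the post's cast: Batman .1, Robin .2, Joker .3.
    w = ArpWatcher()
    frames = [
        build_arp_frame("00:00:00:00:00:02", "ff:ff:ff:ff:ff:ff", 1,
                        "00:00:00:00:00:02", "10.0.0.2", "00:00:00:00:00:00", "10.0.0.1"),
        build_arp_frame("00:00:00:00:00:03", "00:00:00:00:00:01", 2,
                        "00:00:00:00:00:03", "10.0.0.2", "00:00:00:00:00:01", "10.0.0.1"),
    ]
    for f in frames:
        for a in w.observe(f):
            print(a)
```

On a live segment the same `observe()` would be fed raw frames from a packet capture; the monitor reports the second frame above because 10.0.0.2 suddenly maps to a different MAC, even though the Ethernet source MAC of that frame is perfectly consistent with the port the sender is plugged into.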