Penetration Testing mailing list archives
RE: Sniffing on a switch
From: "Evans, Arian" <Arian.Evans () fishnetsecurity com>
Date: Mon, 31 Oct 2005 13:52:10 -0600
So in summary: 1. Read the post below (great summary). 2. Use dsniff, Ettercap (still under active development, unlike dsniff), or Cain & Able (runs on windows) to execute arp-cache poisoning or mac-spoofing attacks. 3. Most vendors support a function as mentioned below, usually called a /span or /mirror port, that you can use to span a switch port, vlan, or even the entire traffic of a switch backplane. -ae
-----Original Message----- From: Volker Tanger [mailto:vtlists () wyae de] Sent: Saturday, October 29, 2005 5:48 AM To: pen-test () securityfocus com Subject: Re: Sniffing on a switch Greetings! On Thu, 27 Oct 2005 19:55:04 -0700 "Andy Meyers" <andy.meyers () hushmail com> wrote:Now i know people say you "cant" sniff on a switch and I know about ARP poisoning and MAC flooding. But there has to be another way. I have heard too many stories about "he sniffed my AIMconversation on aCisco switch" (an example is in the most recent version of2600). Doesanyone know of any technique how to do this? Can you ARP poison a switch?On many managable (enterprise) switches often have a sniffing/mirror port where you can configure from which switch port(s) you want all traffic to be mirrored to this mirror port. And yes, all unprotected switches can be subjected to ARP poisoning. But (again) many manageable switches can be configured with preventive measures: - static/manual MAC/port mapping - automatic one-time MAC/port config: the very first MAC/port combination seen is taken as semi-static entry, all others are dropped. - limiting number of MAC addresses per port allowed (which helps against rogue switches and router, too) For all you need the help of the switch admins. So no help if you want to guard yourself against "evil" switchmasters... ;-) Bye Volker -- Volker Tanger http://www.wyae.de/volker.tanger/ -------------------------------------------------- vtlists () wyae de PGP Fingerprint 378A 7DA7 4F20 C2F3 5BCC 8340 7424 6122 BB83 B8CB -------------------------------------------------------------- ---------------- Audit your website security with Acunetix Web Vulnerability Scanner: Hackers are concentrating their efforts on attacking applications on your website. Up to 75% of cyber attacks are launched on shopping carts, forms, login pages, dynamic content etc. Firewalls, SSL and locked-down servers are futile against web application hacking. Check your website for vulnerabilities to SQL injection, Cross site scripting and other web attacks before hackers do! Download Trial at: http://www.securityfocus.com/sponsor/pen-test_050831 -------------------------------------------------------------- -----------------
------------------------------------------------------------------------------ Audit your website security with Acunetix Web Vulnerability Scanner: Hackers are concentrating their efforts on attacking applications on your website. Up to 75% of cyber attacks are launched on shopping carts, forms, login pages, dynamic content etc. Firewalls, SSL and locked-down servers are futile against web application hacking. Check your website for vulnerabilities to SQL injection, Cross site scripting and other web attacks before hackers do! Download Trial at: http://www.securityfocus.com/sponsor/pen-test_050831 -------------------------------------------------------------------------------
Current thread:
- Re: Sniffing on a switch, (continued)
- Re: Sniffing on a switch Goran Sevic (Oct 29)
- Re: Sniffing on a switch Volker Tanger (Oct 29)
- Re: Sniffing on a switch Cedric Blancher (Oct 31)
- Re: Sniffing on a switch jgervacio (Oct 31)
- Re: Sniffing on a switch Chris Mills (Oct 29)
- Re: Sniffing on a switch Stephen J. Smoogen (Oct 29)
- Re: Sniffing on a switch Dave Bush (Oct 29)
- Re: Sniffing on a switch ilaiy (Oct 29)
- Re: Sniffing on a switch Mikael Kuisma (Oct 31)
- RE: Sniffing on a switch Smith, Michael J. (Oct 29)
- RE: Sniffing on a switch Evans, Arian (Oct 31)
- RE: Sniffing on a switch Todd Towles (Oct 31)