RE: Sniffing on a switch

["Evans, Arian" <Arian.Evans () fishnetsecurity com>]

So in summary:

1. Read the post below (great summary).

2. Use dsniff, Ettercap (still under active
development, unlike dsniff), or Cain & Able
(runs on windows) to execute arp-cache poisoning
or mac-spoofing attacks.

3. Most vendors support a function as mentioned
below, usually called a /span or /mirror port,
that you can use to span a switch port, vlan,
or even the entire traffic of a switch backplane.

-ae


> -----Original Message-----
> From: Volker Tanger [mailto:vtlists () wyae de] 
> Sent: Saturday, October 29, 2005 5:48 AM
> To: pen-test () securityfocus com
> Subject: Re: Sniffing on a switch
>
>
> Greetings!
>
> On Thu, 27 Oct 2005 19:55:04 -0700
> "Andy Meyers" <andy.meyers () hushmail com> wrote:
>
> > Now i know people say you "cant" sniff on a switch and I know about
> > ARP poisoning and MAC flooding. But there has to be another way. I
> > have heard too many stories about "he sniffed my AIM 
> conversation on a
> > Cisco switch" (an example is in the most recent version of 
> 2600). Does
> > anyone know of any technique how to do this? Can you ARP poison a
> > switch?
>
> On many managable (enterprise) switches often have a sniffing/mirror
> port where you can configure from which switch port(s) you want all
> traffic to be mirrored to this mirror port.
>
> And yes, all unprotected switches can be subjected to ARP 
> poisoning. But
> (again) many manageable switches can be configured with preventive
> measures:
>
> - static/manual MAC/port mapping
>
> - automatic one-time MAC/port config: the very first MAC/port
>   combination seen is taken as semi-static entry, all others 
> are dropped.
>
> - limiting number of MAC addresses per port allowed
>   (which helps against rogue switches and router, too)
>
> For all you need the help of the switch admins. So no help if you want
> to guard yourself against "evil" switchmasters...   ;-)
>
> Bye
>
> Volker
>
>
> -- 
>
> Volker Tanger    http://www.wyae.de/volker.tanger/
> --------------------------------------------------
> vtlists () wyae de                    PGP Fingerprint
> 378A 7DA7 4F20 C2F3 5BCC  8340 7424 6122 BB83 B8CB
>
> --------------------------------------------------------------
> ----------------
> Audit your website security with Acunetix Web Vulnerability Scanner: 
>
> Hackers are concentrating their efforts on attacking 
> applications on your 
> website. Up to 75% of cyber attacks are launched on shopping 
> carts, forms, 
> login pages, dynamic content etc. Firewalls, SSL and 
> locked-down servers are 
> futile against web application hacking. Check your website 
> for vulnerabilities 
> to SQL injection, Cross site scripting and other web attacks 
> before hackers do! 
> Download Trial at:
>
> http://www.securityfocus.com/sponsor/pen-test_050831
> --------------------------------------------------------------
> -----------------

------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner:

Hackers are concentrating their efforts on attacking applications on your
website. Up to 75% of cyber attacks are launched on shopping carts, forms,
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
futile against web application hacking. Check your website for vulnerabilities
to SQL injection, Cross site scripting and other web attacks before hackers do!
Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------