Home page logo

basics logo Security Basics mailing list archives

Re: switched n/w
From: Andreas Putzo <andreas () inferno nadir org>
Date: Wed, 8 Dec 2004 09:37:52 +0100


On Tuesday 07 December 2004 19:30, kaushal wrote:
   Iam a bit new to network securities.We have a switched network and to
my knowledge a hosts' data cannot be sniffed by other host by runnning
tcpdump.But Iam receiving complaints from few users that their data is
being changed/manipulated.Is this possible?

Yes, this is possible. One technique to sniff in a switched environment is arp 
poisoning. For example, i make a fake arp entry in the victims arp table, 
suggesting, that i am the victim's gateway. If this is successful, the victim 
will send all data to my machine. While my machine is forwarding the data to 
the correct gateway, i can sniff and even manipulate the data on the fly.

How can I avoid this at the host level?Does this mean the server has
been compromised?Any help or pointer in this aspect would be highly

You can avoid arp attacks with static arp entries (arp -s ).
It's also possible, that some of your hosts has been compromised. You may take 
a look at the machines and/or check the network traffic for unusal arp 
traffic (e.g. with arpwatch).
What kind of data has been manipulated?

hth, Andreas

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]