mailing list archives
Re: switched n/w
From: kaushal <kaushal () rocsys com>
Date: Wed, 08 Dec 2004 16:04:13 +0530
Thankyou all for the sources and info.
That was very useful.
On Wed, 2004-12-08 at 14:34, miguel.dilaj () pharma novartis com wrote:
It's highly possible to sniff in switched networks (except in some
particularly paranoid switch configurations) using a technique named "ARP
poisoning" or "ARP spoofing".
Basically the idea on how a switch operates is by constructing a table of
IP address vs MAC address, and sending the arriving packets to the NIC
with the corresponding MAC address.
If you can "poison" that table with fake data, telling the switch that
YOUR machine has ALL the MAC addresses (or any or them at your pleasure)
you can fool the switch into directing the traffic to your host. Then you
can sniff/intercept/modify it, and forward it later to the proper host.
The technique is described in the documentation of Arp0c by Phenoelit
that, by the way, is a tool to do ARP spoofing (the successful sucessor of
Arp0c can be found at Phenoelit's site: http://www.phenoelit.de/arpoc/
If you look for "ARP spoofing" you'll find plenty of resources,
information and tools on this subject.
Instead of trying to avoid it at the host level, try to address it at the
network level, because at the end it is a network issue.
Miguel Dilaj (Nekromancer)
Vice-President of IT Security Research, OISSG
kaushal <kaushal () rocsys com>
To: security-basics () securityfocus com
cc: (bcc: Miguel Dilaj/PH/Novartis)
Subject: switched n/w
Iam a bit new to network securities.We have a switched network and to
my knowledge a hosts' data cannot be sniffed by other host by runnning
tcpdump.But Iam receiving complaints from few users that their data is
being changed/manipulated.Is this possible?
How can I avoid this at the host level?Does this mean the server has
been compromised?Any help or pointer in this aspect would be highly
thanks in advance.
- Re: switched n/w, (continued)