Home page logo

basics logo Security Basics mailing list archives

RE: switched n/w
From: Chris Cirullo <c_cirullo () sbcglobal net>
Date: Thu, 9 Dec 2004 10:06:12 -0800 (PST)

It is possible for an attacker to sniff and even
modify transmissions on a switched network.  This can
be done through a man in the middle attack which is
accomplished by poisoning the transmitting machine's
arp cache(arp redirect...).  Ethernet transmissions
must have a source IP/MAC and a Destination IP/MAC. 
When your machine wants to transmit to a machine with
a given IP address it needs to know the destination
machine's MAC address.  It either has this in its ARP
cache or it needs to do an ARP request.  What the
attacker needs to do is trick the sending machine into
using the attacker's MAC address when it fills in the
destination MAC field of the ethernet header.  If this
happens it does not matter what the destination IP
address is.  All packets will be SWITCHED to the
attacker's machine because ethernet switches operate
strictly on MAC addresses and do not examine IP
addresses.  After the attacker receives the packets
she can read/modify the data and forward them to the
actual desired recipient.  In this fashion the
attacker plays man in the middle and does just about
anything they want to the data.  There are tools to
help an attacker do this.  What you need to do is look
at the arp tables on the switch and the arp cache of
the sending machine.  Do a little sniffing.  When the
sending machine transmits, does the destination MAC
address match the MAC address of the machine it is
trying to send to?  If not you have a problem.  Check
out a tool called arpwatch to help you notice arp
spoofing on your network.

--- Rishi Pande <rpande () vt edu> wrote:

I am by no means any kind of a security expert. But
there is a remarkable
difference between sniffing on a network and
actually manipulating the
packets that are received the user. 
Also, the switched environment sniffing issue is one
I have seen mentioned
several times. Here's a link that may help you some

In addition, you may just have a bad switch
(hardware issue related) Also,
is there any kind of evidence that this is being
done in your internal
network and not outside your network? That may be an
issue you want to

Good luck!

-----Original Message-----
From: kaushal [mailto:kaushal () rocsys com] 
Sent: Tuesday, December 07, 2004 1:30 PM
To: security-basics () securityfocus com
Subject: switched n/w

   Iam a bit new to network securities.We have a
switched network and to
my knowledge a hosts' data cannot be sniffed by
other host by runnning
tcpdump.But Iam receiving complaints from few users
that their data is
being changed/manipulated.Is this possible?
How can I avoid this at the host level?Does this
mean the server has
been compromised?Any help or pointer in this aspect
would be highly

thanks in advance.


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]