Security Basics: Re: DNS cache poisoning and pharming

Re: DNS cache poisoning and pharming

From: Tom Van de Wiele <tom.vandewiele_at_gmail.com>
Date: Mon, 6 Jun 2005 13:43:42 +0200

Keeping in mind that for all of this you will need to be on the same
segment as your target(s), which begs the question: how was this person
able to connect to the LAN in the first place? If someone can connect
to your LAN, the jig is up.

Unless you're using some form of 802.1x technology, layer 2 is and
stays the weakest link. Imagine the damage if a workstation connected
to a LAN segment and claimed itself as the first node in the STP
branch.

Someone who keeps an eye on his switches and has SNMP traps configured
can easily see the ARP storm you're generating using Ettercap or
dsniff. The only thing you need is a dhcpd running on the attacker's
machine. A new client broadcasts its DHCP request, you answer and
deliver the IP address of the DNS server the victim has to use, you
enable IP forwarding to make it a full monkey-in-the-middle if you
want to, and nobody will detect a thing.

Bottom line for me: if the attacker was able to connect to the LAN,
you either have a weak policy towards network connectivity, vulnerable
communication lines or a CSO and/or security administrator(s) who
aren't doing their job.

Tom

Tom Van de Wiele
Security Consultant, CISSP

UNISKILL nv
Bilksken 36B
9920 Lovendegem
Belgium
http://www.uniskill.com
tom.van.de.wiele (AT) uniskill.com

On 5/31/05, Times Enemy <times_at_krr.org> wrote:
> Greetings.
>
> http://ettercap.sourceforge.net/
>
> Using Ettercap, DNS poisoning is only a matter of modifying a text file
> and firing up the app.
>
> As for pharming, most sniffers can be used for this, though on a
> switched network some extra work may be required. Again, ettercap can
> handle the switched networks.
>
> If a network has effective IDS/IPS, and is actively monitoring for ARP
> anomalies and such, then that network _may_ discover an instance of
> ettercap running on it. Ettercap also can search for other instances of
> ettercap, amongst a whole lot of other things. I highly suggest you
> check it out.
>
> This would be a wee bit more difficult to do against a remote ISP.
>
>
> .times enemy
>
>
> David wrote:
>
> >http://hostsearch.com/news/logiguard_news_3177.asp
> >
> >This article makes a claim that DNS poisoning and pharming are really
> >dangerous in that anyone can be redirected from trying to go to their
> >online bank to a fake bank site where their login is collected. Is this
> >really such a threat or is it just Logiguard advertising themselves?
> >
> >Thanks,
> >
> >Dave
> >
> >
>
>
Received on Jun 06 2005
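Tom's point is that the two things the rogue host has to do on the segment, flood ARP replies and answer DHCP requests, are both visible to anyone watching the switch. The following is an added example, not code from the thread or from Ettercap, showing the detection side: it takes a constructed list of ARP and DHCPOFFER events (the sort of thing an SNMP-trap collector or a capture on a monitor port would yield), flags IPs claimed by more than one MAC, counts ARP replies per source in a sliding window to spot a storm, and lists DHCP offers from servers outside an assumed allowlist. The event format, the sample MACs/IPs and the thresholds are all assumptions.

```python
from collections import defaultdict

# Constructed sample records (not real captures): (seconds, kind, ip, mac).
# kind "arp" = an ARP reply seen on the segment (sender IP/MAC),
# kind "dhcp" = a DHCPOFFER and the IP/MAC of the server that sent it.
SAMPLE_EVENTS = [
    (0.0, "arp", "10.0.0.1", "00:11:22:33:44:01"),    # real gateway
    (0.5, "dhcp", "10.0.0.1", "00:11:22:33:44:01"),   # legitimate dhcpd
    (5.0, "dhcp", "10.0.0.77", "de:ad:be:ef:00:01"),  # unexpected offer source
] + [
    # 60 ARP replies in one second claiming the gateway IP with a second MAC:
    # the flip-flop and burst rate an ARP-poisoning tool produces.
    (10.0 + i * 0.01, "arp", "10.0.0.1", "de:ad:be:ef:00:01") for i in range(60)
]

AUTHORISED_DHCP_SERVERS = {"10.0.0.1"}  # assumed allowlist for this segment


def detect_arp_anomalies(events, window_s=1.0, storm_threshold=20):
    """Return (flip_flops, storms):
    flip_flops: ip -> sorted list of distinct MACs that claimed that IP.
    storms: mac -> peak ARP replies seen in any window_s-long window,
            only for MACs whose peak reaches storm_threshold."""
    claims = defaultdict(set)   # ip -> MACs that answered for it
    times = defaultdict(list)   # mac -> timestamps of its ARP replies
    for ts, kind, ip, mac in events:
        if kind != "arp":
            continue
        claims[ip].add(mac)
        times[mac].append(ts)
    flip_flops = {ip: sorted(m) for ip, m in claims.items() if len(m) > 1}
    storms = {}
    for mac, ts_list in times.items():
        ts_list.sort()
        start, peak = 0, 0
        for end, ts in enumerate(ts_list):  # sliding window over sorted times
            while ts - ts_list[start] > window_s:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= storm_threshold:
            storms[mac] = peak
    return flip_flops, storms


def detect_rogue_dhcp(events, authorised=AUTHORISED_DHCP_SERVERS):
    """Return sorted (ip, mac) pairs that sent DHCPOFFERs but are not authorised."""
    return sorted({(ip, mac) for _, kind, ip, mac in events
                   if kind == "dhcp" and ip not in authorised})


if __name__ == "__main__":
    print(detect_arp_anomalies(SAMPLE_EVENTS), detect_rogue_dhcp(SAMPLE_EVENTS))
```

A MAC that both wins the flip-flop for the gateway IP and shows up as the unauthorised DHCP source, as in the sample, is the single rogue host Tom describes.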
