mailing list archives
Re: DNS cache poisoning and pharming
From: Tom Van de Wiele <tom.vandewiele () gmail com>
Date: Mon, 6 Jun 2005 13:43:42 +0200
Keeping in mind that for all of this you will need to be on the same
segment as your target(s) which begs the question: how was this person
able to connect to the LAN in the first place. If someone can connect
to your LAN, the jig is up.
Unless you're using some form of 802.1x technology, layer 2 is and
stays the weakest link. Imagine the damage if a workstation connected
to a LAN segment and claims himself as the first node in the STP
Someone who keeps an eye on his switches and has SNMP traps configured
can easily see the ARP storm you're generating using Ettercap or
dsniff. The only thing you need is a dhcpd running on the attackers
machine. A new client broadcasts its DHCP request, you answer and
deliver the IP address of the DNS server the victim has to use, you
enable IP forwarding to make it a full monkey-in-the-middle if you
want to and nobody will detect a thing.
Bottom line for me: if the attacker was able to connect to the LAN,
you either have a weak policy towards network connectivity, vulnerable
communication lines or a CSO and/or security administrator(s) who
aren't doing their job.
Tom Van de Wiele
Security Consultant, CISSP
tom.van.de.wiele (AT) uniskill.com
On 5/31/05, Times Enemy <times () krr org> wrote:
Using Ettercap, DNS poisoning is only a matter of modifying a text file,
and firing up the app..
As for pharming, most sniffers can be used for this, though on a
switched network some extra work may be required. Again, ettercap can
handle the switched networks.
If a network has effective IDS/IPS, and is actively monitoring for ARP
anomalies and such, then that network _may_ discover an instance of
ettercap running on it. Ettercap also can search for other instances of
ettercap, amongst a whole lot of other things. I highly suggest you
check it out.
This would be a wee bit more difficult to do against a remote ISP.
This article makes a claim that DNS poisoning and pharming are really
dangerous in that anyone can be redirected from trying to go to their
online bank to a fake bank site where there login is collected. Is this
really such a threat or is it just Logiguard advertising themselves?