Security Basics: Re: Network sniffing on the wire - managed switches

[ArcSighter Elite <arcsighter () gmail com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Kurt Buff wrote:
> There's probably better ways of doing it now, but it used to be true
> that you could flood the switch with MAC addresses, overwhelming the
> arp table. This would have the effect of turning the switch into a
> hub.
>
> See this link, for one description:
>
> http://www.watchguard.com/infocenter/editorial/135324.asp
>
> On Fri, Dec 26, 2008 at 11:10 AM, Tom Yarrish <tom () yarrish com> wrote:
> > Hey all,
> > This may come off as somewhat of a newbie question, but it's one I've been
> > curious about.
> >
> > When you are doing any sort of pen testing or sniffing on the wire, how do
> > you handle a managed switch scenario.  If you're connected to a switch on
> > one port, how can you monitor the traffic on the the other ports if you're
> > not in a monitor mode?  I've never understood how you can sniff traffic
> > other than the traffic from your machine to a destination.
> >
> > Thanks ahead of time,
> > Tom
I just said, first ARP poison the entire network to think you're the
switch. Second, do a flooding attack into the switch itself. Don't
resort in a single piece of software (although I use ettercap/nemesis
too), until you truly understand the whys and hows of the technique.

Sincerely.


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFJWjYIH+KgkfcIQ8cRAojpAJ9Bb4hNCjkJB9OnsWlIqglYlsOjaQCfYnHB
9EbOZUCYJAWzzk4+BsvGS0w=
=+kFr
-----END PGP SIGNATURE-----