Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

RE: info on ip spoofing please
From: "Neil Davis" <rg.viza () gmail com>
Date: Wed, 12 Apr 2006 11:42:25 -0400

  Hello all,
At
http://www.iss.net/security_center/advice/Underground/Hacking/Methods/Technical/Spoofing/default.htm

was this comment :-

QUOTE "
Examples of spoofing:

man-in-the-middle
packet sniffs on link between the two end points, and can therefore pretend
to be one end of the connection "

My question is How can you sniff packets on a link that your machine is NOT
on ie NOT on the same subnet??

Why am I at a loss to understand this. Is there a command/software that
allows one to
say: sniff packets on port x of IP xxx.xxx.xxx.xxx ?

Please put me out of my agony on this.
Thanks for any info you can give.


Ian t
I think you misread the information, this part of it to be exact:
Examples of spoofing:

man-in-the-middle
packet sniffs ____on link between the two end points____, and can
therefore pretend
to be one end of the connection "

The answer to your question is you can't.

You can only do this on a machine that the traffic is flowing through.
Hence the name, "man-in-the-middle".

You need to comprimise a machine between the endpoints, such as a
firewall, router, or proxy, or one of the endpoints themselves so you
can sourceroute through a machine of your choosing (though if you have
comprimised an endpoint, this isn't necessary). You then run ettercap,
and can even read their SSL/SSH conversations and change data.
man-in-the-middle is a wicked attack. It's also fairly difficult to
get there, if the machines concerned are patched, up to date, and
securely configured, as so often they are not.

On ms proxy server, all you need to do is comprimise the proxy server.
The session ID's, if on query string, are logged, even when they are
via ssl, you can easily hijack a session that way, simply by looking
at the proxy log's recent entries, in a lot of cases (note: I am not
sure if ms proxy server does this on more recent versions, and I am
sure it's possible to turn this logging off). No packet analysis 
necessary.

-Viz

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]