Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

RE: RE: info on ip spoofing please
From: "Ian stuart Turnbull" <ian.t7 () hotmail co uk>
Date: Wed, 12 Apr 2006 23:50:03 +0100


very informative - thanks, time for another google or two methinks

From: "Arley Barros Leal" <arley.leal () sonae com>
To: "Neil Davis" <rg.viza () gmail com>,<full-disclosure () lists grok org uk>
Subject: RE: [Full-disclosure] RE: info on ip spoofing please
Date: Wed, 12 Apr 2006 18:34:18 +0100
MIME-Version: 1.0
Received: from lists.grok.org.uk ([195.184.125.51]) by bay0-pamc1-f1.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.1830); Wed, 12 Apr 2006 10:35:44 -0700 Received: from lists.grok.org.uk (localhost [127.0.0.1])by lists.grok.org.uk (Postfix) with ESMTP id 8F5847F0;Wed, 12 Apr 2006 18:34:48 +0100 (BST) Received: from lx1ims003.optimus.pt (unknown [62.169.69.2])by lists.grok.org.uk (Postfix) with SMTP id 1827665Bfor <full-disclosure () lists grok org uk>;Wed, 12 Apr 2006 18:34:24 +0100 (BST) Received: from lx1exc2k002.optimus.pt ([172.1.50.60]) by lx1ims003.optimus.ptwith Microsoft SMTPSVC(6.0.3790.1830); Wed, 12 Apr 2006 18:34:22 +0100
X-Message-Info: JGTYoYF78jFmtBMFo4GmdOynvjSOVJHCmW32J3J6SBs=
X-Original-To: full-disclosure () lists grok org uk
Delivered-To: full-disclosure () lists grok org uk
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
X-MS-Has-Attach: X-MS-TNEF-Correlator: Thread-Topic: [Full-disclosure] RE: info on ip spoofing please
Thread-Index: AcZeR9NaK93s4y6ITICFJFdEY+MvWwACqnkg
X-OriginalArrivalTime: 12 Apr 2006 17:34:22.0714 (UTC)FILETIME=[562615A0:01C65E57]
X-BeenThere: full-disclosure () lists grok org uk
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: An unmoderated mailing list for the discussion of security issues<full-disclosure.lists.grok.org.uk> List-Unsubscribe: <https://lists.grok.org.uk/mailman/listinfo/full-disclosure>, <mailto:full-disclosure-request () lists grok org uk?subject=unsubscribe>
List-Archive: <http://lists.grok.org.uk/pipermail/full-disclosure>
List-Post: <mailto:full-disclosure () lists grok org uk>
List-Help: <mailto:full-disclosure-request () lists grok org uk?subject=help>
List-Subscribe: <https://lists.grok.org.uk/mailman/listinfo/full-disclosure>, <mailto:full-disclosure-request () lists grok org uk?subject=subscribe>
Errors-To: full-disclosure-bounces () lists grok org uk
Return-Path: full-disclosure-bounces () lists grok org uk

My 2 cents...

Using ARP Cache Poisoning can actually force traffic to flow trough your host,
The man may get into the middle at any time in this scenario :-) ARP Cache
Poisoning/CAM Floodind/DHCP,BOOTP Spoofing is old school, but some, still very
effective on most of today's networks. You may wish to play around with
Cain&Able, dsniff, hunt etc..

Some not so old attacks explore protocols like STP/VTP/DTP/HSRP. One may use Vlan hoping/jumping attacks to trunk traffic from different VLANs, this will
let the attacker sniff traffic from remote broadcast domains as far as they
participate on the same VTP domain.

Cheers..


-----Original Message-----
From: full-disclosure-bounces () lists grok org uk
[mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of Neil Davis
Sent: quarta-feira, 12 de Abril de 2006 16:42
To: full-disclosure () lists grok org uk
Subject: [Full-disclosure] RE: info on ip spoofing please

>   Hello all,
> At
> http://www.iss.net/security_center/advice/Underground/Hacking/Methods/
> Technical/Spoofing/default.htm
>
> was this comment :-
>
> QUOTE "
> Examples of spoofing:
>
> man-in-the-middle
> packet sniffs on link between the two end points, and can therefore
> pretend to be one end of the connection "
>
> My question is How can you sniff packets on a link that your machine
> is NOT on ie NOT on the same subnet??
>
> Why am I at a loss to understand this. Is there a command/software
> that allows one to
> say: sniff packets on port x of IP xxx.xxx.xxx.xxx ?
>
> Please put me out of my agony on this.
> Thanks for any info you can give.
>
>
> Ian t
I think you misread the information, this part of it to be exact:
Examples of spoofing:

man-in-the-middle
packet sniffs ____on link between the two end points____, and can therefore
pretend to be one end of the connection "

The answer to your question is you can't.

You can only do this on a machine that the traffic is flowing through.
Hence the name, "man-in-the-middle".

You need to comprimise a machine between the endpoints, such as a firewall,
router, or proxy, or one of the endpoints themselves so you can sourceroute
through a machine of your choosing (though if you have comprimised an
endpoint, this isn't necessary). You then run ettercap, and can even read
their SSL/SSH conversations and change data.
man-in-the-middle is a wicked attack. It's also fairly difficult to get there, if the machines concerned are patched, up to date, and securely configured, as
so often they are not.

On ms proxy server, all you need to do is comprimise the proxy server.
The session ID's, if on query string, are logged, even when they are via ssl, you can easily hijack a session that way, simply by looking at the proxy log's recent entries, in a lot of cases (note: I am not sure if ms proxy server does this on more recent versions, and I am sure it's possible to turn this logging
off). No packet analysis necessary.

-Viz

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


<< smime.p7s >>




_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

_________________________________________________________________
Are you using the latest version of MSN Messenger? Download MSN Messenger 7.5 today! http://join.msn.com/messenger/overview

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]