Home page logo

pen-test logo Penetration Testing mailing list archives

Re: [PEN-TEST] Layer 3 Sniffing
From: Dave Ryan <dave () DEFAULT ORG UK>
Date: Thu, 28 Sep 2000 23:50:33 +0100


| Dave Ryan                     |
| Default Security              |
| http://www.default.org.uk     |

On Thu, 28 Sep 2000, Justin Funke wrote:

I have been doing some research on sniffing switched networks and I have
a quick question that has presented itself.

Now that the new switches are using Layer 3 switching technology with
ABC (Automatic Broadcast Control) how are you able to forward your
broadcast packet to the other clients to request the traffic you want to
sniff if the switch is stopping the broadcast and answering the request
you are attacking the switch at L2 thus by passing any of the L3
that the switches imply.

are number of possibilities exist depending on the switch, some might be
vulnerable to mac_of attacks which basically means over populating the mac
table (or CAM on cisco's - content addressable memory) which would cause
switch to stop switching as such and fall into an open state like a hub
would allow for normal switchin etc. (2nd) if you have access to the
switch you
could set it into span mode (again on cisco's) which would allow you to
redirect all traffic on a switch to a single port - this is for
admin/monitoring purposes etc.

now the fun way is to use some of the great tools out there, my favourite
fragrouter and arpredirect (can i just take this time to say dug song
and any sniffer - dsniff etc. At this point its is possible to spoof the
hardware address (by updating the mac states quicker than the real host)
your target (in most cases the gateway/router) and keep a static entry of
address in your mac table. once the ethernet traffic is being redirected
to you
its simply a matter of setting yourself up as a transparent bridge for
what of
a better statement (its 9:30 and the pub is calling me), at which point
traffic is redirected through you and on to the gateway - your friendly
neighbourhood sniffer comes into play here and just captures your intended
traffic etc etc blah blah..you gt the idea, if you dont email me.


Or I am missing something here?


Justin Funke

#include <disclaimer.h> //etc

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]