Penetration Testing mailing list archives

RE: Redirecting traffic
From: "Liam Randall" <lrandall () isa-inc com>
Date: Tue, 9 Aug 2005 09:56:49 -0400

If you are testing against a live setup there are a couple of ARP spoofing issues you really need to be careful about- 
the ASICs in many older switches only support one global MAC address table.  Attached is a post I made to INET in 
4/21/2003 about this issue on HP 4000Ms; when I talked to the HP engineers about this they said their newer switches, 
specifically 4100gl's (and most others), will replicate traffic out to "both" ports that have the same MAC address.  As 
noted below, in the firmware at the time you could even do this across VLANs!!  I have no idea if they ever fixed this 
or not.

Just hate to see ya accidentally DOS the application.

Liam Randall
Network Engineer

<-- Looked for an online link to this thread but the archive only goes back to July of '03 --->

I learned this one the hard way: HP 4000m's only have one forwarding table per switch.  To make sure we're on the same 
page, I believe that what you are concerned about is this:

User on port A1 has MAC AA:AA:AA:AA:AA:AA
User on port B1 wants to sniff his traffic, so he crafts a packet, replies to an arp request, etc., that MAC 
AA:AA:AA:AA:AA:AA is on B1.
On a 4000m the traffic will now actually be rerouted so that it now _only_ goes out on port B1; even if they are on 
different VLANs!

On the plus side you won't miss that happening.  You don't need to explicitly monitor for it, if it happens you'll 
know.  The machine in question will seemingly disappear from the network, etc.; I'd explicitly watch SNMP if you're 
having problems w/ this now.

On the negative side this means that one hosted customer (or whatever your situation) can cause severe problems for 
another one.

If this does happen, on the 4000m it will 'flap' (I think that's the term for it), the ports back and forth as each 
port reports that it has MAC address AA:AA:AA:AA:AA:AA on it.  A second level tech told me that he thought that it was 
a hardware limitation; however I don't know that for a fact.  They may have fixed this in a recent firmware release; 
they did confirm that the most recent series of switches (5800's maybe?) supported multiple tables.

I ran into this error configuring the 'secret' options on a SonicWall Firewall ProVX; there is a hidden page that 
allows you to toggle whether the 'LAN' side and the 'WAN' side have the same MAC address.  YMMV, however with the 
firmware that I was on at the time it defaulted to 'LAN MAC'='WAN MAC'.  I used the device to 'bridge' between a public 
VLAN and a private VLAN; although I think I just explained why that might be a bad idea.  :)

To be fair I have to point out that, besides this, these are great inexpensive modular managed switches.  Full 
featured, easy to manage, configure, and monitor.  HP's support on them has been top notch.


Thanks,

Liam G. Randall
Manager, Information Systems
Industrial Services of America


-----Original Message-----
From: Daniel J. Vance [mailto:techlists () rvi net]
Sent: Friday, April 18, 2003 7:47 PM
To: inet access
Subject: arp poisoning/sniffing on network with HP 4000m --djv


Hi,

We are concerned that people can sniff on our network by poisoning the arp
cache.  Aside from statically creating arp tables, what other defenses do we
have?  I've read about mac binding, is that the same as port security?  If
so, port security on the 4000m doesn't seem like it will limit arp spoofing.

I look forward to peoples input.

-Daniel

----------------------------------------------
Daniel J. Vance, CCNA | dvance () uci net
Network Administrator | http://www.uci.net
541-472-0733          | UNICOM (ASN 14342)

-
Send 'unsubscribe' in the body to 'list-request () inet-access net' to leave.
Eat sushi frequently.   inet () inet-access net is the human contact address.


<---- END PASTE ---->


-----Original Message-----
From: Rodrigo Blanco [mailto:rodrigo.blanco.r () gmail com]
Sent: Sunday, August 07, 2005 8:07 AM
To: Andres Molinetti
Cc: pen-test () securityfocus com
Subject: Re: Redirecting traffic


Hello Andrés,

I would say that if you ARP-spoof the client, you will be able to
perform a full man-in-the-middle attack between the client and the
server on Layer 2 (no layer 3 - routing, IP) changes needed.

An application like ettercap should be a good beginning for this. It
is really easy to use and you can find plenty of doc just by googling.

Regards,
Rodrigo.

On 8/5/05, Andres Molinetti <andymolinetti () hotmail com> wrote:
I am pen-testing a client application and I've found, analysing traffic
dumps, that it seems to connect to a hardcoded internal IP and retrieve data
from a strange port that is afterwards displayed in the application.
I want to be able to redirect that traffic to another IP in order to test it
for overflows and other issues.
I have found a way to change the default gateway of the application's host.
So I thought of setting my linux box as its gateway and using iptables to
redirect the traffic to the other IP.
I'm needing help with the building of the rules...

Thks,
Andy



------------------------------------------------------------------------------
FREE WHITE PAPER - Wireless LAN Security: What Hackers Know That You Don't

Learn the hacker's secrets that compromise wireless LANs. Secure your
WLAN by understanding these threats, available hacking tools and proven
countermeasures. Defend your WLAN against man-in-the-Middle attacks and
session hijacking, denial-of-service, rogue access points, identity
thefts and MAC spoofing. Request your complimentary white paper at:

http://www.securityfocus.com/sponsor/AirDefense_pen-test_050801
-------------------------------------------------------------------------------

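Added example (not code from the thread or from HP): a small model of the single-global-forwarding-table behaviour Liam describes on the 4000m, plus the detection a defender would run over MAC-learn events instead of waiting for the host to "disappear". Port names, VLAN ids and the event stream are constructed for illustration.

```python
"""MAC-table takeover and flap detection for a one-table switch.

Models the behaviour described in the thread: one forwarding table keyed by
MAC only (VLAN ignored), so the most recent port to claim a MAC wins, and a
MAC that is claimed from two ports flaps between them.  The detector flags
such MACs; the events would normally come from SNMP/syslog polling.
"""
from collections import defaultdict

# Constructed stream of (timestamp, port, vlan, source MAC) learn events,
# imitating what a switch would report; not real captured data.
LEARN_EVENTS = [
    (0.0, "A1", 10, "aa:aa:aa:aa:aa:aa"),
    (1.0, "A1", 10, "aa:aa:aa:aa:aa:aa"),
    (2.0, "B1", 20, "aa:aa:aa:aa:aa:aa"),  # other port, other VLAN, same MAC
    (2.5, "A1", 10, "aa:aa:aa:aa:aa:aa"),  # legitimate host re-learns it
    (3.0, "B1", 20, "aa:aa:aa:aa:aa:aa"),  # and it moves again: a flap
    (3.5, "C7", 10, "bb:bb:bb:bb:bb:bb"),  # benign host, never moves
]


def forward_port(events, mac):
    """Single global table: latest learn wins and VLAN is not part of the key,
    so a claim on VLAN 20 steals the entry from a host on VLAN 10."""
    table = {}
    for _ts, port, _vlan, src in events:
        table[src] = port
    return table.get(mac)


def find_flapping_macs(events, window=5.0, min_moves=2):
    """Return {mac: [(ts, old_port, new_port), ...]} for every MAC that
    changed port at least `min_moves` times within `window` seconds of its
    most recent move.  Silence (no moves) means no alert."""
    last_port = {}
    moves = defaultdict(list)
    for ts, port, _vlan, src in events:
        prev = last_port.get(src)
        if prev is not None and prev != port:
            moves[src].append((ts, prev, port))
        last_port[src] = port
    flapping = {}
    for mac, mv in moves.items():
        recent = [m for m in mv if m[0] >= mv[-1][0] - window]
        if len(recent) >= min_moves:
            flapping[mac] = recent
    return flapping


if __name__ == "__main__":
    print("aa:aa:aa:aa:aa:aa now forwarded out", forward_port(LEARN_EVENTS, "aa:aa:aa:aa:aa:aa"))
    for mac, mv in find_flapping_macs(LEARN_EVENTS).items():
        print(f"ALERT: {mac} moved {len(mv)} times between ports: {mv}")
```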

