Security Basics mailing list archives

RE: packet sniffing help needed.


From: "David Gillett" <gillettdavid () fhda edu>
Date: Tue, 6 Dec 2005 09:40:38 -0800

  Sniffing dial-up presents its own challenges.  [Hayes used
to have a modem config option to let a modem passively listen
in on a call, but most other manufacturers didn't copy it.]

 C1< ----- > C3

  That's a good logical diagram, but misses a lot of physical 
detail.  A closer approximation would be something like

  C1< -- > R1 < -- > R2 < ... > Rn < -- > I < -- > C3

where the Rs are routers, and the I is infrastructure at C3's
location -- switches, other hosts, etc.
  So what C2 might do is compromise any of those routers (since
determining the path between C1 and C3 is probably hard, R1 and
Rn are the best choices if C2 is looking for specific traffic),
or C1 or C3 themselves, or some component in I that is able to
see (or hijack) C3's traffic.

  C2 *could* put himself in the middle by doing something like
DNS poisoning to mislead C1 and C3 to send the traffic to/through
it, but he could also subvert one of the boxes the traffic already
goes through.  In either case, the traffic being unencrypted means
that as soon as it's sniffed, it's game over.

David Gillett


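The point David makes above (once unencrypted HTTP is on a box the attacker can read, it is "game over") is easy to see by decoding a frame the way a passive sniffer would. The script below is an added example, not code from either poster; it builds a constructed Ethernet/IPv4/TCP frame carrying a plaintext HTTP request (checksums and MACs are dummies, and the request itself is made up for the demonstration) and then parses it back the way C2 would parse anything copied off a router or a shared segment, pulling out the request line, the Host header and any cookie or Authorization header. Nothing is modified or relayed, which is the purely passive case Mark asks about.

```python
import struct
from ipaddress import IPv4Address

ETH_P_IP = 0x0800   # EtherType for IPv4
PROTO_TCP = 6
SENSITIVE = ("authorization", "cookie")   # headers a sniffer cares about most


def build_frame(src_ip, dst_ip, sport, dport, payload, ip_options=b""):
    """Constructed sample frame: Ethernet -> IPv4 -> TCP -> payload.
    Checksums are left at zero and the MAC addresses are dummies; this is
    only here so the parser below has realistic bytes to work on offline."""
    assert len(ip_options) % 4 == 0           # IHL counts 32-bit words
    # TCP header: sport, dport, seq, ack, data offset (5 words), flags PSH|ACK, window, csum, urg
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
    ihl = 5 + len(ip_options) // 4
    total_len = ihl * 4 + len(tcp_hdr) + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total_len, 1, 0, 64,
                         PROTO_TCP, 0, IPv4Address(src_ip).packed,
                         IPv4Address(dst_ip).packed) + ip_options
    eth_hdr = bytes.fromhex("00112233445566778899aabb") + struct.pack("!H", ETH_P_IP)
    return eth_hdr + ip_hdr + tcp_hdr + payload


def parse_frame(frame):
    """Decode one frame passively. Returns addressing plus TCP payload, or None
    if the frame is not IPv4/TCP. Handles IP options and TCP options via the
    length fields rather than assuming 20-byte headers."""
    if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != ETH_P_IP:
        return None
    ip = frame[14:]
    if len(ip) < 20:
        return None
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or proto != PROTO_TCP or len(ip) < ihl + 20:
        return None
    tcp = ip[:total_len][ihl:]                # drop any Ethernet padding first
    sport, dport, _, _, off_flags = struct.unpack("!HHIIB", tcp[:13])
    doff = (off_flags >> 4) * 4
    if doff < 20 or len(tcp) < doff:
        return None
    return {"src": f"{IPv4Address(src)}:{sport}", "dst": f"{IPv4Address(dst)}:{dport}",
            "dport": dport, "payload": tcp[doff:]}


def http_summary(frame):
    """What a passive observer learns from one plaintext HTTP request frame.
    Returns None for non-HTTP traffic or for a segment that is not the start
    of a request (e.g. the middle of a large POST body)."""
    pkt = parse_frame(frame)
    if pkt is None or pkt["dport"] != 80:
        return None
    head, _, _ = pkt["payload"].partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    request = lines[0].split(" ")
    if len(request) != 3 or not request[2].startswith("HTTP/"):
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return {"from": pkt["src"], "to": pkt["dst"], "method": request[0],
            "path": request[1], "host": headers.get("host"),
            "secrets": {k: headers[k] for k in SENSITIVE if k in headers}}


# Constructed sample request (made-up host, cookie and addresses).
SAMPLE_REQUEST = (b"GET /account HTTP/1.1\r\nHost: www.example.com\r\n"
                  b"Cookie: session=abc123\r\nUser-Agent: Mozilla/4.0\r\n\r\n")
SAMPLE_FRAME = build_frame("10.0.0.5", "192.0.2.10", 1025, 80, SAMPLE_REQUEST)

if __name__ == "__main__":
    print(http_summary(SAMPLE_FRAME))
```

In practice the frames would come from libpcap or a raw socket on whichever hop C2 controls rather than from `build_frame`; the decoding is the same. Note that the same parser returns nothing useful for a TLS session on port 443: the sniffer still sees the addresses, but the request line, Host header and cookie it extracts here are exactly what the browser warning is about.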

-----Original Message-----
From: Mark Knowles [mailto:ghooti () googlemail com] 
Sent: Tuesday, December 06, 2005 2:39 AM
To: security-basics () securityfocus com
Subject: packet sniffing help needed.

Hi all,

 I have been thinking about packet sniffing and packet 
capture - it is because of all of those alerts in IE - you 
know the ones - This page is not encrypted and a 3rd party 
might be listening.

  I have been doing some googling and not really found much, 
but then I am not too sure what I am looking for.

 This is the setup I want to explore.

Comp1(victim1) = Windows xp box, Connected via dial up to a free ISP
Comp2(attacker) = windows/*nix, connected via broadband to 
different ISP than comp1
Comp3(webserver/victim2)

 C1< ----- > C3

 C2---|

The image above is my attempt at ASCII art - I suppose it 
represents the old-style wiretap method, where C1 and C3 
communicate unaware that their data is being listened to by 
C2. C2 has no power to modify the information.

 Is this sort of sniffing possible?  Or would it have to be more like

 C1 < --- > C2 < --- > C3

Which is how I see MITM attacks working. - I suppose this 
would be akin to having the telephone operator relay the 
message, or a language interpreter changing the message 
between clients.

 I am currently only looking for http data, although I am 
assuming that I will have to filter that after I have gotten it all.

  I do not want to mess with the data, I would just like to view it. 
Would this still count as a MITM attack?

  I know it's all a bit Hollywood, but I am really curious to 
see what information I am transmitting (non https) - and what 
those warnings really mean, are they of the McDonald$ coffee 
"caution contents is hot" type thing? Which I have to say is 
how i view them.  I understand how proxies cache and transmit 
data - are the warnings just about them?

Any advice/ideas/whacking with a lart/etc, greatly received :)

 Thanks,

 Mark.


