[Snort-users] OT: Sniffing Switched Traffic

Dario Ciccarone dciccaro at ...1389...
Wed Apr 11 17:31:34 EDT 2001


Dan, you're right about setting what's called "port security", ie, allowing only a set of specific MAC addresses on a switch port. but  you do not have to spoof MAC addresses, just send fake ARP reply messages stating that your MAC address is paired with your target IP address . . .

example:

attacker                MAC = 00AA00 101010             IP = 10.10.10.10
client                  MAC = 00AA00 101020             IP = 10.10.10.20
server          MAC = 00AA00 101030             IP = 10.10.10.30

to capture all data from client to server, you just have to send fake ARP replys, saying that IP 10.10.10.30 is assigned to MAC 00AA00 101010. this way, client is going to encapsulate IP datagrams on Ethernet frames directed to the attacker MAC address. the attacker can then copy the IP data & resend the IP Datagram, this time using the server MAC address as Ethernet destination address.

one way to prevent this (besides, obviously, using encryption, not to prevent the attack, but to render it useless) would be to set a static mapping on client for server IP <-> MAC address (precondition: client does not accept an ARP reply if already has a static mapping on its ARP cache)



At 12:39 4/11/2001 -0700, Dan Hollis wrote:
>On Wed, 11 Apr 2001, Bill Marquette wrote:
>> Check out http://www.monkey.org/~dugsong/dsniff - switches aren't useful for
>> security, only for bandwidth utilization.  If it's non-encrypted traffic (as
>> telnet is) you should be able to own his box in under 30 seconds of getting
>> dsniff compiled and installed.
>
>With manageable switches you can lock mac addresses to specific ports, and
>render dsniff worthless.
>
>Also -- dsniff doesnt work on all switches.
>
>-Dan
>
>
>_______________________________________________
>Snort-users mailing list
>Snort-users at lists.sourceforge.net
>Go to this URL to change user options or unsubscribe:
>http://lists.sourceforge.net/lists/listinfo/snort-users
>Snort-users list archive:
>http://www.geocrawler.com/redir-sf.php3?list=snort-users
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20010411/54db1b43/attachment.html>


More information about the Snort-users mailing list