Re: Arp spoofing & dsniff

From: kumar mahadevan (kumar_mahadevan_6at_private)
Date: Mon May 06 2002 - 13:24:33 PDT

    thanks for the reply.
    
    I am new to this, so I am purely going by the theory on
    SANS.
    http://www.sans.org/newlook/resources/IDFAQ/switched_network.htm
    
    Which says that there are 3 ways to sniff on switched
    networks.
    
        1. ARP spoofing.
        2. MAC flooding.
        3. MAC Duplicating.
    
    number 2 is not an option.
    number 1 is ok except I did not want to risk breaking
    network connectivity even after enabling IP
    forwarding.
    
    number 3 is "supposed to be the easiest" since one just
    changes to the NIC. Also according to this article
    there is no need to ARP Spoof if using MAC
    Duplicating.
    
    ----->    Hence, back to the original question:
    Even though your answer makes sense as well (although
    the victim computer has lost NO connectivity yet: the
    victim whose MAC address I have duplicated on my RH 7
    box still has full network connectivity)
    
    ----->    how do I now get Telnet sessions originating
    from the victim to destination servers:23?
        
    
    thanks again
    
    kumar.
    
    
    --- Ryan Russell <ryanat_private> wrote:
    > On Mon, 6 May 2002, kumar mahadevan wrote:
    > 
    > > If I am on a Switched network and I change my MAC
    > > address on my RH 7 box to the victim's (using
    > > IFCONFIG). Now, how do I capture say for e.g
    > Telnet
    > > sessions between the victim and a server running
    > > telnet service.
    > 
    > If you change your MAC address to be that of the
    > victim (the box in the
    > same broadcast domain as your attacking machine)
    > then you will be fighting
    > the victim for control of the MAC address in the
    > switch.  The switch will
    > alternately think that that MAC address is in one
    > port, then another, as
    > frames come in with that as a source address.  In
    > general, you'll just
    > make the victim unable to communicate, and you won't
    > be able to monitor
    > most of the traffic.
    > 
    > >
    > > I don't want to ARP cache poison nor MAC flood
    > the
    > > switch.
    > 
    > Then your best bet is to poison the ARP cache on the
    > victim, to make it
    > think you're the other box, or the router. 
    > Configure your box to forward
    > the packets so you don't break the communications.
    > 
    > 
    > 					Ryan
    > 
    
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
    Service. For more information on SecurityFocus' SIA service which
    automatically alerts you to the latest security vulnerabilities please see:
    https://alerts.securityfocus.com/
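Ryan's explanation of what the switch sees when two hosts share one MAC address (the MAC "alternately" learned on one port, then another, as frames arrive from both) is also the signature a network defender can look for. The script below is an added example, not code from this thread or from the SANS article; it parses constructed switch MAC-learning log lines in a hypothetical format and flags any MAC whose port binding changes repeatedly within a short window, while leaving a one-off legitimate move (a laptop re-plugged elsewhere) alone. The log format, window and threshold are all assumptions for the sake of the example.

```python
"""Detect MAC address flapping between switch ports from learning-event logs.

Added, self-contained example (not from the original thread).  A MAC that
is rapidly re-learned on different ports is the switch-side symptom of MAC
duplication or a similar layer-2 conflict described in the reply above.
Lines are assumed to be in chronological order.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical log line format (constructed for this example, not a real
# vendor format): "<ISO-8601 timestamp> mac=<xx:xx:xx:xx:xx:xx> port=<name>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) mac=(?P<mac>[0-9A-Fa-f:]{17}) port=(?P<port>\S+)$"
)


def parse_line(line):
    """Return (timestamp, mac, port) for a well-formed line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["mac"].lower(), m["port"]


def find_flapping(lines, window=timedelta(seconds=10), threshold=3):
    """Return {mac: set_of_ports} for every MAC whose port binding changed
    at least `threshold` times inside any `window`-long interval."""
    last_port = {}                      # mac -> port it was last learned on
    changes = defaultdict(list)         # mac -> timestamps of port changes
    ports_seen = defaultdict(set)       # mac -> all ports it appeared on

    for line in lines:
        rec = parse_line(line)
        if rec is None:                 # skip malformed/unrelated lines
            continue
        ts, mac, port = rec
        ports_seen[mac].add(port)
        prev = last_port.get(mac)
        if prev is not None and prev != port:
            changes[mac].append(ts)
        last_port[mac] = port

    flapping = {}
    for mac, stamps in changes.items():
        # Sliding window over the change timestamps: flag the MAC as soon
        # as `threshold` changes fall within `window` of each other.
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flapping[mac] = set(ports_seen[mac])
                break
    return flapping


# Constructed sample log: one MAC fighting between two ports (the scenario
# in the reply), one stable host, and one host that simply moved once.
SAMPLE_LOG = [
    "2002-05-06T13:24:00 mac=00:11:22:33:44:55 port=Gi1/0/5",
    "2002-05-06T13:24:00 mac=aa:bb:cc:dd:ee:ff port=Gi1/0/7",
    "2002-05-06T13:24:01 mac=00:11:22:33:44:55 port=Gi1/0/12",
    "2002-05-06T13:24:02 mac=00:11:22:33:44:55 port=Gi1/0/5",
    "2002-05-06T13:24:03 mac=00:11:22:33:44:55 port=Gi1/0/12",
    "2002-05-06T13:24:04 mac=00:11:22:33:44:55 port=Gi1/0/5",
    "2002-05-06T13:24:05 mac=cc:cc:cc:00:00:01 port=Gi1/0/20",
    "this line is not a learning event and is ignored",
    "2002-05-06T13:25:05 mac=cc:cc:cc:00:00:01 port=Gi1/0/21",
]


if __name__ == "__main__":
    for mac, ports in sorted(find_flapping(SAMPLE_LOG).items()):
        print(f"ALERT: {mac} flapping between ports {sorted(ports)}")
```

Run as-is it reports only 00:11:22:33:44:55 with its two ports. On a real deployment the same logic would be fed from the switch's MAC move notifications or from periodic MAC-table dumps, and the first response to such an alert is to identify the second port carrying that MAC, not just the victim's.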
    



    This archive was generated by hypermail 2b30 : Mon May 06 2002 - 14:15:27 PDT