Re: Arp spoofing & dsniff

From: Sumit Dhar (dharat_private)
Date: Tue May 07 2002 - 04:23:03 PDT


    > http://www.sans.org/newlook/resources/IDFAQ/switched_network.htm
    > Which says, that there are 3 ways to sniff on switched networks.
    >     1. ARP spoofing.
    >     2. MAC flooding.
    >     3. MAC Duplicating.
    
    I had read that article some time back. The options 1 and 2 make sense
    but 3 somehow doesn't seem to. Honestly speaking I wouldn't try MAC
    flooding too often. It might not be worth it. If you just want to see
    how your network behaves fine, but if you really want to sniff, MAC
    flooding can cause a real problem on the network in terms of
    performance.
    
    Also I personally wouldn't ARP spoof the whole network. It is possible
    that there are some servers on the network which hold sensitive
    information and might be running programs like arpwatch. No sense
    triggering them off if all you want to do is capture data flowing from
    machine A to machine B. Why not just arpspoof these machines. 
    
    When you try MAC duplicating, then you will both start competing for the
    data on the switch. Also by duplicating the victim's MAC, you cannot
    capture the data he is sending. Let me explain this a little:
    
    A: The victim's Machine.
    B: The machine with which victim is communicating.
    C: You
    D: Gateway
    
    If the victim is communicating with B, what is happening is as follows:
    
    I)	A --> B		Packets flowing from A to B
    II)	B --> A		Some packets flowing from B to A
    
    Now you are spoofing A's MAC. You only get packets shown by II in the
    diagram. I am sure a 50% solution is not what you are seeking? :)
    
    
    > number 3 is "supposed to be the easiest" since one just
    > changes to the NIC. Also according to this article
    > there is no need to ARP Spoof, if using MAC
    > Duplicating.
    
    That sounds like crap! 
    
    > ----->    how do I now get Telnet sessions originating
    > from the victim to destination servers:23
    
    You are on a switched network right? Use arpspoof to spoof the gateway. 
    
    	arpspoof -t A D
    
    where A is the IP address of the victim and D is the IP of the gateway. 
    
    Enable IP forwarding. 
    
    Once you have done that, you can use a tool like hunt to sniff the
    connection. There are a thousand other tools to do this job... I just said
    the first one that came to mind. (Oh, hunt also allows you to hijack
    sessions. That is another advantage.)
    
    Remember a local network connection which doesn't use the gateway will be
    impervious to this attack.
    
    Cheers,
    Sumit Dhar (http://dhar.homelinux.com/dhar/)
    Manager, Research and Product Development,
    SLMsoft.com
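The post mentions arpwatch as the thing a sensitive server might be running, and explains two conditions a switched-network monitor would see: the gateway's IP suddenly answered from another host's MAC (what `arpspoof -t A D` causes), and one MAC address claimed by more than one IP (MAC duplication). The following is an added example, not code from the original post or from arpwatch: a small arpwatch-style monitor that keeps an IP-to-MAC and a MAC-to-IPs table from observed ARP replies and raises an alert on either condition. The `ArpReply`/`ArpMonitor` names, the `replay` helper and all addresses are constructed for the example; in practice the replies would be fed in from a packet capture on the segment.

```python
# Added example (not from the original post or from arpwatch): an
# arpwatch-style ARP monitor. It flags (1) an IP whose MAC changes,
# which is what a host sees for the gateway IP while it is being
# arpspoofed, and (2) a MAC that claims more than one IP, which is
# what MAC duplication on the same segment looks like.
# Every address below is a constructed sample value.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class ArpReply:
    """One observed ARP reply: the sender's protocol and hardware address."""
    sender_ip: str
    sender_mac: str


@dataclass
class ArpMonitor:
    ip_to_mac: dict = field(default_factory=dict)   # ip  -> last seen mac
    mac_to_ips: dict = field(default_factory=dict)  # mac -> set of ips claimed
    alerts: list = field(default_factory=list)      # everything raised so far

    def observe(self, reply: ArpReply) -> list:
        """Record one ARP reply and return the alerts it triggered (may be empty)."""
        ip, mac = reply.sender_ip, reply.sender_mac.lower()
        new_alerts = []

        # Condition 1: the IP was known with a different MAC (arpwatch "changed").
        known = self.ip_to_mac.get(ip)
        if known is not None and known != mac:
            new_alerts.append(("mac_changed", ip, known, mac))
        self.ip_to_mac[ip] = mac

        # Condition 2: this MAC already speaks for other IPs (duplicated MAC).
        ips = self.mac_to_ips.setdefault(mac, set())
        if ips and ip not in ips:
            new_alerts.append(("mac_duplicated", mac, tuple(sorted(ips | {ip}))))
        ips.add(ip)

        self.alerts.extend(new_alerts)
        return new_alerts


def replay(replies) -> list:
    """Feed a sequence of replies through a fresh monitor; return all alerts."""
    monitor = ArpMonitor()
    for reply in replies:
        monitor.observe(reply)
    return monitor.alerts


# Constructed hosts, using the post's labels: A victim, B peer, C third host, D gateway.
A_IP, A_MAC = "10.0.0.10", "00:aa:aa:aa:aa:aa"
B_IP, B_MAC = "10.0.0.20", "00:bb:bb:bb:bb:bb"
C_IP, C_MAC = "10.0.0.30", "00:cc:cc:cc:cc:cc"
D_IP, D_MAC = "10.0.0.1", "00:dd:dd:dd:dd:dd"

# Quiet segment: every IP answered from its own MAC, no alerts expected.
BASELINE = [
    ArpReply(A_IP, A_MAC),
    ArpReply(B_IP, B_MAC),
    ArpReply(C_IP, C_MAC),
    ArpReply(D_IP, D_MAC),
]

# Scenario 1 (constructed): the gateway's IP is now answered from C's MAC.
GATEWAY_SPOOF = BASELINE + [ArpReply(D_IP, C_MAC)]

# Scenario 2 (constructed): C's NIC now carries A's MAC while keeping C's IP.
MAC_DUPLICATION = BASELINE + [ArpReply(C_IP, A_MAC)]


if __name__ == "__main__":
    for name, events in (("baseline", BASELINE),
                         ("gateway spoof", GATEWAY_SPOOF),
                         ("mac duplication", MAC_DUPLICATION)):
        print(name, replay(events))
```

Both scenarios produce a `mac_changed` alert followed by a `mac_duplicated` alert, because the attacking host's MAC ends up claiming two IPs in either case; a real deployment would add a small grace period before alerting on `mac_changed` so that a legitimately replaced NIC does not page anyone, and would also carry a static "known good" entry for the gateway so a change to that one IP is treated as high priority.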
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
    Service. For more information on SecurityFocus' SIA service which
    automatically alerts you to the latest security vulnerabilities please see:
    https://alerts.securityfocus.com/
    
    This archive was generated by hypermail 2b30 : Tue May 07 2002 - 09:13:51 PDT