Re: Using a Compromised Router to Capture Network Traffic

From: batz (batsyat_private)
Date: Tue Jul 16 2002 - 14:20:01 PDT


    I feel like I've posted this 100 times to various lists 
    whenever threads like this come up. If Robert Stone, the
    author of this presentation, is on this list, maybe he
    might want to release a more comprehensive paper for 
    public consumption?  
    
    http://www.nanog.org/mtg-9910/robert.html 
    
    It is a presentation from a few years ago about how to
    build monitoring capabilities into one's network 
    architecture. 
    
    I think it could be updated to incorporate developments
    in MPLS VPN, and maybe some interesting policy management 
    tool stuff.  
    
    Alas, I don't have the toys to play with these things 
    anymore, but the slides offer some interesting insight
    into how easy it is to pluck a user's stream out of the
    ether and silently examine it. 
    
    On Tue, 16 Jul 2002, Fabio Pietrosanti (naif) wrote:
    
    :Date: Tue, 16 Jul 2002 17:43:51 +0200
    :From: "Fabio Pietrosanti (naif)" <naifat_private>
    :To: pen-testat_private
    :Subject: Re: Using a Compromised Router to Capture Network Traffic
    :
    :
    :On Mon, Jul 15, 2002 at 10:43:49AM -0800, Penetration Testing wrote:
    :> Hi all.
    :> 
    :> I have recently completed some experimentation into using a captured
    :> router to sniff network traffic on a remote network.  This is in the same
    :> vein as Gauis' article in Phrack 56 (Things to do in cisco land when you
    :> are dead).
    :> 
    :> I have tried to build on Gauis' work in that I terminated the GRE tunnel
    :> on a Cisco router instead of a *nix machine.  I explored a couple of
    :> possible scenarios for this, the net result being that it is possible to
    :> remotely capture (bi-directional) network traffic using NO customised
    :> tools; all that is required is one cisco router with vanilla IOS, and a
    :> machine that can run snoop or tcpdump.
    :
    :Why have a "so complex" infrastructure?
    :
    :All you need is linux 2.4.X kernel with netfilter and GRE support and the following tools:
    :
    :- iptables
    :- iproute2
    :- any sniffing/hijacking tools ( ettercap, dsniff, hunt, ethereal )
    :
    :Using this configuration you can do whatever you want:
    :
    :- create funny policy routing rules
    :- intercept traffic
    :- hijack traffic
    :- decrement TTL and manipulate traffic in many ways
    :- insert NAT rules to eventually bypass a firewall
    :
    :and you don't need to have a cisco router, nor to cope with GRE
    :encapsulation :)
    :
    :Using a cisco router for hacking purposes is crazy, use linux! :)
    :
    :
    :Regards
    :
    :
    :--
    :
    :Fabio Pietrosanti ( naif )
    :E-mail: naifat_private - naifat_private
    :PGP Key (DSS) http://naif.itapac.net/naif.asc
    :--
    : "Hacking is the future of security research" R.Power, CSI 
    :Free advertising: www.openbsd.org Multiplatform Ultra-secure OS
    :
    
    -- 
    batz
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
    Service. For more information on SecurityFocus' SIA service which
    automatically alerts you to the latest security vulnerabilities please see:
    https://alerts.securityfocus.com/
    



    This archive was generated by hypermail 2b30 : Tue Jul 16 2002 - 16:54:00 PDT