----- Original Message -----
From: "Bopolissimus Platypus" <[EMAIL PROTECTED]>
To: "Philippine Linux Users Group Mailing List" <[EMAIL PROTECTED]>
Sent: Monday, September 29, 2003 10:13 PM
Subject: Re: [plug] eth0 on promiscuous mode


> On Monday 29 September 2003 22:09, Holden Hao wrote:
> > Would promiscuous mode matter on a switch? Except of course it may
> > indicate that a hacker tried to sniff packets hoping that you are on a
> > hub.
>
> right.  it'd be an indication that you might have been rooted.
>
> i don't really know much about sniffing on switches.  i've
> followed discussions that went into arp cache poisoning and
> such.  i've seen some claims that switches don't buy you
> much and that there are still esoteric ways to sniff even
> on switched networks.  but i never really understood the
> details.
>
> maybe fooler will chime in.

ok i will for the sake of educational purposes... i hope that after
explaining this, it will be used for GOOD intentions and not for the BAD
thing...

before i explain how to sniff between two computers that are communicating
with each other in a switched environment... let us learn the basics (but
not too much basic) of an end-to-end communication... ok here it goes...

1) when the destination ip address doesn't belong to its subnet, it is the ip
address that matters most...
2) when the destination ip address belongs to its subnet, it is the mac
address that matters most...

take a closer look at number two.. it is the mac address that matters most..
when the destination ip address belongs within the subnet, the communication
is from the sender's mac address to the receiver's mac address.. there is no
routing involved here, which is where the ip address is usually used... but
before the sender sends the data, it must first know the mac address of the
receiver... this is where ARP (address resolution protocol) comes in...

arp is a very simple protocol and consists of two basic message types: arp
request and arp reply

for example, computer A sends data to computer B, and computer B is using ip
address 1.2.3.4.... computer A learned that computer B's ip address is
within the subnet... computer A will use the arp protocol instead of
delivering to its default gateway:

computer A (arp request):

  who has ip address 1.2.3.4?

an arp request uses a broadcast message, which is sent to all ports of a
hub or a switch... now everybody connected to it receives that arp request
broadcast message... the one who owns that ip address, which is computer B,
will reply to it using the arp reply message... an arp reply is a unicast
message...

computer B will reply like this:

computer B (arp reply):

    i'm the owner of ip address 1.2.3.4, here is my mac address a.b.c.d.e.f

after that, computer A will update its arp cache table so that ip address
1.2.3.4 is mac address a.b.c.d.e.f, and computer A's ethernet device will
directly deliver the data to computer B thru ethernet frames...

arp is a simple request-reply protocol without any security measures...
there is no authentication of whether the one that replied is really the
owner of that ip address... anyone within the subnet can claim "i'm the
owner of that ip address"... with that lack of authentication, here comes
arp cache poisoning...

arp cache poisoning is a technique where you alter a host's arp cache table
entry thru a false arp reply, so that the host believes that you are the
owner of that ip address with the corresponding mac address....

so what kinds of attacks will this arp cache poisoning create? these are
the following:

1. denial of service attack
2. mac flooding attack
3. man in the middle attack

i will only discuss the man in the middle attack, which i mentioned above; i
will show you how to sniff packets in a switched environment...

as in the example above, computer A communicates with computer B.... now the
hacker is on computer H... computer H will poison the arp cache tables of
computer A and computer B... the hacker will poison computer A's arp cache
table so that computer B's ip address is computer H's mac address, and will
also poison computer B's arp cache table so that computer A's ip address is
computer H's mac address... the hacker will simply turn on ip_forwarding to
act as a router so that it will accept foreign packets or ethernet frames...
now when computer A sends data to computer B, since computer A's arp cache
table contains computer B's ip address bound to computer H's mac address,
the data will be sent to computer H... the hacker will simply copy that data
and forward it to computer B, and vice versa... with this you can sniff
between two computers in the switched environment using the man in the
middle attack technique...


----- Original Message -----
From: "Orlando Andico" <[EMAIL PROTECTED]>
To: "Philippine Linux Users Group Mailing List" <[EMAIL PROTECTED]>
Sent: Monday, September 29, 2003 11:06 PM
Subject: Re: [plug] eth0 on promiscuous mode


> Switch == false sense of security.

not always true...

> It is still possible to sniff, except,
> a bit harder.

if you are really paranoid, use manual and static mac entries with no arp
cache timeout on your workstations, servers and switches (plus port
security on your switches) instead of using dynamic mac learning as the
default... furthermore, use *arpwatch* to alert you when unusual arp
communications occur... with this you can't do arp cache poisoning and arp
spoofing...

i hope that this will guide you to protect your network and not to use it
for bad intentions....

fooler.
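An added example, not part of the thread above: a small arpwatch-style detector in Python that parses raw Ethernet/ARP reply frames and alerts on the pattern the poisoning described by fooler produces, namely an IP rebinding to a different MAC and one MAC claiming two hosts' IPs. All MACs, IPs and frames are constructed here for the demo.

```python
# Added example: arpwatch-style detection of ARP cache poisoning (constructed data).
import struct
from collections import defaultdict

ETHERTYPE_ARP = 0x0806
ARP_REPLY = 2

def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    eth = target_mac + sender_mac + struct.pack("!H", ETHERTYPE_ARP)  # dst, src, type
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)  # Ethernet/IPv4 reply
    return eth + arp + sender_mac + sender_ip + target_mac + target_ip

def parse_arp(frame):
    """Return (opcode, sender_mac, sender_ip) for an ARP frame, else None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    opcode = struct.unpack("!H", frame[20:22])[0]
    mac = frame[22:28].hex(":")
    ip = ".".join(str(b) for b in frame[28:32])
    return opcode, mac, ip

class ArpWatch:
    def __init__(self):
        self.ip_to_mac = {}                  # bindings learned so far
        self.mac_to_ips = defaultdict(set)   # which IPs each MAC has claimed
    def observe(self, frame):
        parsed = parse_arp(frame)
        if parsed is None or parsed[0] != ARP_REPLY:
            return []
        _, mac, ip = parsed
        alerts = []
        old = self.ip_to_mac.get(ip)
        if old is not None and old != mac:   # binding flipped: poisoning sign
            alerts.append(f"changed: {ip} moved from {old} to {mac}")
        self.ip_to_mac[ip] = mac
        self.mac_to_ips[mac].add(ip)
        if len(self.mac_to_ips[mac]) > 1:    # one MAC "owns" two hosts
            alerts.append(f"multi-ip: {mac} claims {sorted(self.mac_to_ips[mac])}")
        return alerts

def run_demo():
    """Constructed scenario: A and B reply normally, then H poisons both."""
    a_mac, b_mac, h_mac = (bytes([2, 0, 0, 0, 0, n]) for n in (10, 11, 12))
    a_ip, b_ip = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
    frames = [build_arp_reply(b_mac, b_ip, a_mac, a_ip),  # B -> A, legitimate
              build_arp_reply(a_mac, a_ip, b_mac, b_ip),  # A -> B, legitimate
              build_arp_reply(h_mac, b_ip, a_mac, a_ip),  # H tells A it is B
              build_arp_reply(h_mac, a_ip, b_mac, b_ip)]  # H tells B it is A
    w = ArpWatch()
    return [alert for f in frames for alert in w.observe(f)]
```

The first two frames produce no alerts; the two poisoning replies trigger a "changed" alert each and a "multi-ip" alert once H's MAC is bound to both hosts' addresses.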



--
Philippine Linux Users' Group (PLUG) Mailing List
[EMAIL PROTECTED] (#PLUG @ irc.free.net.ph)
Official Website: http://plug.linux.org.ph
Searchable Archives: http://marc.free.net.ph
To leave, go to http://lists.q-linux.com/mailman/listinfo/plug
Are you a Linux newbie? To join the newbie list, go to
http://lists.q-linux.com/mailman/listinfo/ph-linux-newbie