Security Basics mailing list archives

RE: Caching a sniffer


From: "Shawn Jackson" <sjackson () horizonusa com>
Date: Wed, 24 Mar 2004 11:06:10 -0800

... if you redefine "router" to include a concept similar to "layer 2 router", at which many people will look at you rather strangely. The term normally refers to a layer 3 packet-forwarder which rewrites packets, whereas switches are multiport bridges that forward frames, without rewriting, based on the destination MAC address.

But you have wire-speed layer 2 switches, which most (large) networks use as their core switch. Then you have lower-end switches that actually look at the IP information to forward the packet to the correct port. So indeed the vast majority of switches have a layer 3 routing mechanism in them. Most routers don't re-write the packet, they just forward them on the interface their protocols tell them to.

Switches "learn" what MAC addresses are on what port by collecting source addresses from frames into a table. Traffic will be flooded to all ports if the destination MAC address is not in the table.

If the switch cannot learn the MAC and other responding switches don't have the MAC in their table, the packet is either forwarded to the default router or dropped.

But this is not the only possible reaction of a switched network to macoff! If Cisco's port security is enabled, the switch may just shut down the port running macoff.

Correct, but how many switches have port security? I have it on my Ciscos, but my Bay Networks and HP switches don't have that facility. Port security will just kill the port if an unauthorized ARP-to-MAC is detected or an ARP-notified limit has been exceeded. Port security can easily break large interconnected networks using legacy technology connected to the switch, i.e. old hubs with multiple systems connected to a single switch port.

If the network consists of multiple switches, something like macoff may prompt a spanning-tree reconvergence, disrupting the entire network for 30 seconds or so. I'm sure there are other possibilities depending on manufacturer/model/firmware of the switches in the network.

Spanning tree will not work on the switch afflicted by macoff. Because macoff attacks the 'memory' of the switch, to keep the network operational it shuts down the switch system, which spanning tree relies on. The problem is, when this happens the once-disabled redundant route on the switch would be enabled and cause serious network loops.

Personally, if I had to sniff traffic on a switched network without admin access, I'd prefer to use ARP poisoning, a la ettercap. The MAC address tables on the switches go right on functioning normally, just all of the traffic to/from the client you're interested in gets sent to the sniffer machine's MAC address and forwarded to the intended destination from there, with minimal impact on other network traffic or performance. About the only visibility is if the victim happens to run "arp -a" and understands what they're seeing.

Same; the only problem with that is you need to know the system you're trying to listen to. Port security will also stop this sniffing. If I know what system and data I'm looking for, ARP poisoning works well, and is nice and stealthy. But if I have no clue, macoff or similar are a better bet, just as long as the network isn't too large or complex.

I've tested network security using macoff and an earlier UNIX tool against Cisco switches. To my knowledge this hasn't been fixed (besides using port security), but it was a few years ago I did the testing (2000-2001).

Shawn Jackson
Systems Administrator
Horizon USA
1190 Trademark Dr #107
Reno NV 89521

www.horizonusa.com
Email: sjackson () horizonusa com
Phone: (775) 858-2338
       (800) 325-1199 x338
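To make the mechanics discussed in the thread concrete, here is a toy simulation added to this archive page; it is not code from the thread, from dsniff, or from any switch vendor. It models a learning switch whose MAC (CAM) table floods frames to every port when the destination is unknown, a macof-style burst of random source MACs (the tool the thread spells "macoff") that keeps the table full so legitimate hosts can no longer be learned, and a per-port MAC limit in the style of Cisco port security's shutdown violation mode that err-disables the offending port instead. The table size of 64, the 300-second aging time, the limit of two MACs per port and the host MAC addresses are all assumed values chosen for illustration.

```python
"""
Toy model of a learning switch's MAC (CAM) table under a MAC-flooding attack
of the kind macof performs, first without and then with a per-port MAC limit
in the style of Cisco port security's shutdown violation mode.  Constructed
illustration; not a model of any real switch's firmware.
"""
import random
from dataclasses import dataclass, field
from typing import Optional

AGE_LIMIT = 300  # seconds an entry survives without being refreshed (assumed)


@dataclass
class Frame:
    src: str
    dst: str


@dataclass
class Switch:
    ports: int
    cam_size: int                               # MAC->port entries the table holds
    max_macs_per_port: Optional[int] = None     # None: port security disabled
    cam: dict = field(default_factory=dict)     # mac -> (port, last_seen)
    disabled: set = field(default_factory=set)  # ports err-disabled by a violation
    clock: int = 0                              # logical seconds; +1 per frame

    def _expire(self) -> None:
        stale = [m for m, (_, seen) in self.cam.items() if self.clock - seen > AGE_LIMIT]
        for m in stale:
            del self.cam[m]

    def _learn(self, mac: str, port: int) -> bool:
        """Record mac on port.  Returns False if the frame violates port security."""
        if mac in self.cam:
            self.cam[mac] = (port, self.clock)  # refresh timestamp (or follow a move)
            return True
        if self.max_macs_per_port is not None:
            on_port = sum(1 for p, _ in self.cam.values() if p == port)
            if on_port + 1 > self.max_macs_per_port:
                # Too many source MACs on one port: shut the port and flush its entries.
                self.disabled.add(port)
                self.cam = {m: v for m, v in self.cam.items() if v[0] != port}
                return False
        if len(self.cam) < self.cam_size:
            self.cam[mac] = (port, self.clock)
        # else: table full, the source stays unknown -- the condition macof creates
        return True

    def forward(self, frame: Frame, in_port: int) -> list:
        """Return the egress ports for a frame; [] means it was dropped."""
        self.clock += 1
        if in_port in self.disabled:
            return []
        self._expire()
        if not self._learn(frame.src, in_port):
            return []
        if frame.dst in self.cam:
            return [self.cam[frame.dst][0]]          # known destination: unicast
        return [p for p in range(1, self.ports + 1)  # unknown: flood all live ports
                if p != in_port and p not in self.disabled]


A, B = "00:aa:aa:aa:aa:01", "00:bb:bb:bb:bb:02"  # constructed legitimate hosts


def attacker_burst(sw: Switch, port: int, count: int, rng: random.Random) -> None:
    """Send `count` frames with random source and destination MACs, as macof does."""
    def rand_mac() -> str:
        return "02:" + ":".join(f"{rng.randrange(256):02x}" for _ in range(5))
    for _ in range(count):
        sw.forward(Frame(rand_mac(), rand_mac()), port)


def run(port_security: bool) -> dict:
    """A on port 1, B on port 2, attacker on port 3.  Returns the observations."""
    rng = random.Random(1)  # fixed seed so the toy traffic is reproducible
    sw = Switch(ports=3, cam_size=64, max_macs_per_port=2 if port_security else None)
    out = {}
    out["first_a_to_b"] = sw.forward(Frame(A, B), 1)    # B unknown yet: flooded
    sw.forward(Frame(B, A), 2)                          # switch learns B on port 2
    out["a_to_b_learned"] = sw.forward(Frame(A, B), 1)  # now unicast to port 2
    attacker_burst(sw, 3, 200, rng)        # far more MACs than the table holds
    sw.clock += AGE_LIMIT + 1              # A and B go idle long enough to age out...
    attacker_burst(sw, 3, 200, rng)        # ...while the attacker keeps the table full
    out["b_to_a_after_idle"] = sw.forward(Frame(B, A), 2)
    out["a_to_b_after_flood"] = sw.forward(Frame(A, B), 1)
    out["port3_disabled"] = 3 in sw.disabled
    out["cam_entries"] = len(sw.cam)
    return out


if __name__ == "__main__":
    for ps in (False, True):
        print("port security" if ps else "no port security", run(ps))
```

Without the limit, the first A-to-B frame after the flood leaves on ports 2 and 3, so the attacker on port 3 sees it even though A and B are still talking only to each other. With the limit set, port 3 is shut after its third source MAC, A and B are relearned normally once they speak again, and A-to-B stays on port 2. The limit of two also illustrates the hub caveat raised above: a hub with more than two hosts behind one port would trip the same violation.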
