Security Basics mailing list archives
RE: Caching a sniffer
From: "Shawn Jackson" <sjackson () horizonusa com>
Date: Wed, 24 Mar 2004 11:06:10 -0800
> ... if you redefine "router" to include a concept similar to "layer 2 router", at which many people will look at you rather strangely. The term normally refers to a layer 3 packet-forwarder which rewrites packets, whereas switches are multiport bridges that forward frames, without rewriting, based on the destination MAC address.
But you have wire-speed layer 2 switches, which most (large) networks use as their core switch. Then you have lower-end switches that actually look at the IP information to forward the packet to the correct port. So indeed the vast majority of switches have a layer 3 routing mechanism in them. Most routers don't re-write the packet, they just forward it on the interface their protocols tell them to.
> Switches "learn" what MAC addresses are on what port by collecting source addresses from frames into a table. Traffic will be flooded to all ports if the destination MAC address is not in the table.
If the switch cannot learn the MAC and other responding switches don't have the MAC in their tables, the packet is either forwarded to the default router or dropped.
> But this is not the only possible reaction of a switched network to macoff! If Cisco's port security is enabled, the switch may just shut down the port running macoff.
Correct, but how many switches have port security? I have it on my Ciscos, but my Bay Networks and HP switches don't have that facility. Port security will just kill the port if an unauthorized ARP-to-MAC is detected or an ARP notification limit has been exceeded. Port security can easily break large interconnected networks using legacy technology connected to the switch, i.e. old hubs with multiple systems connected to a single switch port.
> If the network consists of multiple switches, something like macoff may prompt a spanning-tree reconvergence, disrupting the entire network for 30 seconds or so. I'm sure there are other possibilities depending on manufacturer/model/firmware of the switches in the network.
Spanning tree will not work on the switch afflicted by macoff. Because macoff attacks the 'memory' of the switch, to keep the network operational it shuts down the switch system, which spanning tree relies on. The problem is, when this happens the once-disabled redundant route on the switch would be enabled and cause serious network loops.
> Personally, if I had to sniff traffic on a switched network without admin access, I'd prefer to use arp poisoning, a la ettercap. The MAC address tables on the switches go right on functioning normally, just all of the traffic to/from the client you're interested in gets sent to the sniffer machine's MAC address and forwarded to the intended destination from there, with minimal impact on other network traffic or performance. About the only visibility is if the victim happens to run "arp -a" and understands what they're seeing.
Same, the only problem with that is you need to know the system you're trying to listen to. Port security will also stop this sniffing. If I know what system and data I'm looking for, ARP poisoning works well, and is nice and stealthy. But if I have no clue, macoff or similar is a better bet, just as long as the network isn't too large or complex. I've tested network security using macoff and an earlier UNIX tool against Cisco switches. To my knowledge this hasn't been fixed (besides using port security), but it was a few years ago that I did the testing (2000-2001).

Shawn Jackson
Systems Administrator
Horizon USA
1190 Trademark Dr #107
Reno NV 89521
www.horizonusa.com
Email: sjackson () horizonusa com
Phone: (775) 858-2338
(800) 325-1199 x338
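Editor's added example, not code from either poster or from any switch vendor: a toy Python model of the CAM-table behaviour the two of them are arguing about. A learning switch with a small table and an ageing timer is hit with a macof-style stream of random source MACs from one port; once the victims' entries age out, the attacker's stream keeps the table full, so the victims' frames are flooded to every port including the attacker's. The same run with a port-security limit shows the other reaction in the thread: the offending port is shut down. Table size (8), ageing time (300 s) and the one-MAC limit are assumed for the illustration; real switches differ by model and firmware.

```python
"""Toy model of a learning switch under macof-style MAC flooding.

Added illustration for this thread, not code from the posts or any vendor.
Capacity, ageing and the port-security rule are assumed simplifications.
"""
import random

BROADCAST = "ff:ff:ff:ff:ff:ff"


class Switch:
    def __init__(self, ports, cam_capacity=8, ageing=300, port_security_max=None):
        self.ports = list(ports)
        self.cam_capacity = cam_capacity            # assumed CAM table size
        self.ageing = ageing                        # seconds before an idle entry is dropped
        self.port_security_max = port_security_max  # None = feature off
        self.cam = {}                               # mac -> (port, last_seen)
        self.macs_per_port = {p: set() for p in self.ports}
        self.errdisabled = set()                    # ports shut down by port security
        self.clock = 0

    def tick(self, seconds):
        self.clock += seconds

    def _age_out(self):
        stale = [m for m, (_, seen) in self.cam.items() if self.clock - seen >= self.ageing]
        for m in stale:
            del self.cam[m]

    def learn(self, src_mac, port):
        """Record src_mac on port. Returns False if port security dropped the frame."""
        if self.port_security_max is not None:
            self.macs_per_port[port].add(src_mac)
            if len(self.macs_per_port[port]) > self.port_security_max:
                self.errdisabled.add(port)          # violation mode 'shutdown'
                return False
        self._age_out()
        if src_mac in self.cam:
            self.cam[src_mac] = (port, self.clock)  # refresh existing entry
        elif len(self.cam) < self.cam_capacity:
            self.cam[src_mac] = (port, self.clock)
        # else: table full, the address is simply not learned
        return True

    def forward(self, src_mac, dst_mac, in_port):
        """Return the set of ports the frame leaves on."""
        if in_port in self.errdisabled or not self.learn(src_mac, in_port):
            return set()
        if dst_mac in self.cam:
            out_port, _ = self.cam[dst_mac]
            return set() if out_port == in_port else {out_port}
        # unknown destination (or broadcast): flood everywhere except ingress
        return {p for p in self.ports if p != in_port and p not in self.errdisabled}


def random_mac(rng):
    return ":".join(f"{rng.randrange(256):02x}" for _ in range(6))


def run_scenario(port_security_max=None):
    """Victim A (port 1) talks to B (port 2); the attacker floods from port 3."""
    sw = Switch(ports=[1, 2, 3], cam_capacity=8, ageing=300,
                port_security_max=port_security_max)
    a, b = "00:00:00:00:00:0a", "00:00:00:00:00:0b"   # constructed victim MACs
    sw.forward(a, b, 1)                  # b unknown: flooded, a learned
    sw.forward(b, a, 2)                  # b learned, unicast back to port 1
    before = sw.forward(a, b, 1)         # both known: unicast to port 2 only
    rng = random.Random(1)
    for _ in range(10, 400, 10):         # 39 bursts over 390 s, past the ageing time
        sw.tick(10)
        for _ in range(50):
            sw.forward(random_mac(rng), BROADCAST, 3)
    sw.tick(10)
    sw.forward(b, a, 2)                  # victims try to talk again at t=400
    after = sw.forward(a, b, 1)
    return {"before": before, "after": after,
            "attacker_sees_a_to_b": 3 in after,
            "port3_shutdown": 3 in sw.errdisabled,
            "cam_entries": len(sw.cam)}


if __name__ == "__main__":
    print("no port security:   ", run_scenario())
    print("port-security max 1:", run_scenario(port_security_max=1))
```

Without port security the A-to-B frame ends up on ports 2 and 3 after the flood, which is exactly what the sniffer on port 3 wants; with a one-MAC limit the attacker's second frame errdisables port 3 and the victims' traffic stays unicast. The model also shows why a flood has to be sustained: the bogus entries age out just like the real ones, so the attacker only wins because its stream refills the freed slots before the victims do.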
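Editor's added example for the "arp -a" remark above, not from either poster: what the victim would actually have to notice. The script parses an `arp -a` dump in either the Windows or the Linux/BSD layout and flags the two symptoms of ettercap-style poisoning, one MAC answering for more than one IP, and the gateway's MAC differing from a recorded baseline. All addresses, MACs and the baseline gateway MAC in the samples are constructed for the example.

```python
"""Check an `arp -a` dump for the symptoms of ARP-cache poisoning.

Added illustration for this thread, not code from the posts. The sample
dumps and the "known-good" gateway MAC are constructed.
"""
import re
from collections import defaultdict

# Linux/BSD style:  ? (10.0.0.1) at 00:11:22:33:44:55 [ether] on eth0
# Windows style:    10.0.0.1              00-11-22-33-44-55     dynamic
ARP_LINE = re.compile(
    r"\(?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)?\s+(?:at\s+)?"
    r"(?P<mac>(?:[0-9a-fA-F]{2}[:-]){5}[0-9a-fA-F]{2})"
)

# Constructed Windows dump: 10.0.0.7 is the sniffer, now also claiming the gateway.
WINDOWS_SAMPLE = """\
Interface: 10.0.0.23 --- 0x2
  Internet Address      Physical Address      Type
  10.0.0.1              00-50-56-aa-bb-cc     dynamic
  10.0.0.7              00-50-56-aa-bb-cc     dynamic
  10.0.0.9              00-0c-29-11-22-33     dynamic
"""

# Constructed Linux dump with nothing wrong.
LINUX_SAMPLE = """\
? (10.0.0.1) at 00:1a:2b:3c:4d:5e [ether] on eth0
? (10.0.0.9) at 00:0c:29:11:22:33 [ether] on eth0
"""

GATEWAY_IP = "10.0.0.1"
GATEWAY_MAC_BASELINE = "00:1a:2b:3c:4d:5e"   # assumed, recorded on a clean day


def parse_arp(text):
    """Return {ip: normalised lower-case colon MAC} for every entry in a dump."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if m:
            table[m.group("ip")] = m.group("mac").lower().replace("-", ":")
    return table


def find_poisoning(table, gateway_ip, expected_gateway_mac=None):
    """Return a list of findings; an empty list means nothing suspicious."""
    findings = []
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            findings.append(f"MAC {mac} answers for {len(ips)} IPs: {', '.join(sorted(ips))}")
    gw_mac = table.get(gateway_ip)
    if expected_gateway_mac and gw_mac and gw_mac != expected_gateway_mac.lower():
        findings.append(f"gateway {gateway_ip} now at {gw_mac}, expected {expected_gateway_mac}")
    return findings


if __name__ == "__main__":
    for name, dump in (("windows", WINDOWS_SAMPLE), ("linux", LINUX_SAMPLE)):
        hits = find_poisoning(parse_arp(dump), GATEWAY_IP, GATEWAY_MAC_BASELINE)
        print(name, "->", hits or "clean")
```

The duplicate-MAC rule has legitimate exceptions (a router with secondary addresses, VRRP/HSRP virtual MACs, a host with several IPs), so treat a hit as something to look at rather than proof on its own; the gateway-MAC comparison against a baseline is the stronger signal, and it only works if the baseline was taken while the network was known to be clean.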