Security Basics mailing list archives

RE: Caching a sniffer

From: "Andrew Shore" <andrew.shore () holistecs com>
Date: Thu, 25 Mar 2004 16:30:05 -0000

Agreed, however, any activity that tricks a switch port into "opening
up" usually requires someone to flood massive amount of traffic into the
switch, this should alert any network manager to some kind of wrong
doing plus in a large organisation all switches should be logging error
event to some form of management server.   



 
Andrew Shore
Senior Security Specialist
DDI. 01302 308 165
andrew.shore () holistecs com
 
 
 
Company Number 04943010
VAT Number 828 8635 82
 
 
Holistic Technologies Ltd
Unit 7 Shaw Wood Business Park
Shaw Wood Way
Doncaster
South Yorkshire
DN2 5TB
T. 0870 240 1442
F. 0870 240 1443
www.holistecs.com
 
 
 
 
 
 
 
 
 
 
 
 
 
 

-----Original Message-----
From: David Gillett [mailto:gillettdavid () fhda edu] 
Sent: 25 March 2004 16:21
To: Andrew Shore
Cc: security-basics () securityfocus com
Subject: RE: Caching a sniffer

A switch is not a hub/router. In fact it is a micro segmented bridge.

A switch operates at layer 2 of the OSI model ie MAC address layer.


  Amen, brother.

Therefore if someone has plugged a scanner into a network point they
will not be able to sniff any useful information from the network 
unless that person has admin access to the switch. You can check 
this by ensuring that none of the ports on the switches are in span 
mode


  While you need admin access to set up a span port, Shawn and I have
alluded to two different techniques which can allow non-admin users
to sniff traffic on a switched network.  It's true that neither of these
is quite "normal behaviour" -- they involve using special tools to
modify the behaviour of hosts or switches.  But the tools exist and
are readily available, and so the issue that confronts admins is how
to detect and/or frustrate their use.

David Gillett



---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
any course! All of our class sizes are guaranteed to be 10 students or less
to facilitate one-on-one interaction with one of our expert instructors.
Attend a course taught by an expert instructor with years of in-the-field
pen testing experience in our state of the art hacking lab. Master the skills
of an Ethical Hacker to better assess the security of your organization.
Visit us at:
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------

Current thread:

RE: Caching a sniffer, (continued)
- - - RE: Caching a sniffer Byron Copeland (Mar 26)
    - Re: Caching a sniffer Aaron (Mar 29)
  - RE: Caching a sniffer David Gillett (Mar 25)
- RE: Caching a sniffer Andrew Shore (Mar 25)
- RE: Caching a sniffer Shawn Jackson (Mar 25)
- RE: Caching a sniffer Shawn Jackson (Mar 25)
  - RE: Caching a sniffer David Gillett (Mar 26)
- RE: Caching a sniffer Shawn Jackson (Mar 25)
  - RE: Caching a sniffer David Gillett (Mar 25)
- RE: Caching a sniffer Shawn Jackson (Mar 25)
- RE: Caching a sniffer Andrew Shore (Mar 25)
- RE: Caching a sniffer Shawn Jackson (Mar 25)
  - RE: Caching a sniffer David Gillett (Mar 26)
- RE: Caching a sniffer Shawn Jackson (Mar 26)
- RE: Caching a sniffer Shawn Jackson (Mar 26)
- RE: Caching a sniffer Nero, Nick (Mar 26)
  - Re: Caching a sniffer aruna (Mar 29)
- Re: Caching a sniffer Mitchell Rowton (Mar 30)