Penetration Testing mailing list archives
RE: Using a Compromised Router to Capture Network Traffic
From: "Jeremy Junginger" <jjunginger () interactcommerce com>
Date: Mon, 15 Jul 2002 13:16:44 -0700
Have you played with any utilities that can modify the ttl to ensure that admins do not notice the decremented ttl? Just a suggestion. Aside from this, I consider it a very creative use of policy routing. It may actually be a bit more secure if you were to configure an IPsec connection (or Cisco's older IOS encryption if IPsec is not available) rather than/on top of GRE (which IS available on nearly all IOS revisions). Nice paper overall! -Jeremy -----Original Message----- From: Axel Dunkel [mailto:ad () Dunkel de] Sent: Monday, July 15, 2002 11:52 AM To: Ryan_Moffett () stercomm com Cc: pen-test () securityfocus com Subject: RE: Using a Compromised Router to Capture Network Traffic
Is this hosted on an alternate site other than the geocities site which has exceeded the xfer limit?
For a while, I have put it on http://www.Dunkel.de/download/GRE_sniffing.doc to help out. Best regards, Axel Dunkel
-----Original Message----- From: Penetration Testing [mailto:pentest () infosecure com au] Sent: Monday, July 15, 2002 2:44 PM To: pen-test () securityfocus com Subject: Using a Compromised Router to Capture Network Traffic Hi all. I have recently completed some experimentation into using a captured router to sniff network traffic on a remote network. This is in the same vein as Gauis' article in Phrack 56 (Things to do in cisco land when you are dead). I have tried to build on Gauis' work in that I terminated the GRE tunnel on a Cisco router instead of a *nix machine. I explored a couple of possible scenarios for this, the net result being that it is
possible to remotely capture (bi-directional) network traffic using NO
customised tools; all that is required is one cisco router with vanilla IOS, and a machine that can run snoop or tcpdump. Anyway, if anyone is interested, the document describing the experiment and results is available at http://www.geocities.com/david_taylor_au/ (Word 2000 format). Or, contact me. Regards, Dave Taylor ---------------------------------------------------------------------- ------ This list is provided by the SecurityFocus Security Intelligence Alert
(SIA)
Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please
see:
https://alerts.securityfocus.com/ ---------------------------------------------------------------------- ------ This list is provided by the SecurityFocus Security Intelligence Alert
(SIA)
Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please
see:
https://alerts.securityfocus.com/
--- Systemberatung A. Dunkel GmbH, Gutenbergstr. 5, D-65830 Kriftel Tel.: +49-6192-9988-0, Fax: +49-6192-9988-99, E-Mail: ad () Dunkel de ------------------------------------------------------------------------ ---- This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
Attachment:
smime.p7s
Description:
Current thread:
- Using a Compromised Router to Capture Network Traffic Penetration Testing (Jul 15)
- Re: Using a Compromised Router to Capture Network Traffic Fabio Pietrosanti (naif) (Jul 16)
- <Possible follow-ups>
- RE: Using a Compromised Router to Capture Network Traffic Moffett, Ryan (Jul 15)
- RE: Using a Compromised Router to Capture Network Traffic Axel Dunkel (Jul 15)
- RE: Using a Compromised Router to Capture Network Traffic Jeremy Junginger (Jul 15)
- RE: Using a Compromised Router to Capture Network Traffic Jeremy Junginger (Jul 15)