Ethereal-users: Re: [Ethereal-users] sniffing in a switched network - arp spoofing using etterca
You are wrong.
I use "hunt" on a regular basis in my labs to do intercept and
modify packets i use it frequently. (hunt==ettercap but it is easier
to to intercept and modify) I only use it in a well isolated test lab.
Just bloody fill in the hook in arp_spoof.c (in hunt) and modify the
packet, then recalculate the tcp/udp and ip checksum and you are ok.
That is how i test NFS implementations for protocol specification
compliance for corner case compliance.
However, there IS a real world chance that people that do not
understand what arp spoofing does, to cause a serious disruption of
their network infrastructure!
Do you know the ARP table timeout for the 10-15 most polular unix
versions? I do.
When and why does solaris update its arp table? on unsolicited
requests/responses? when does it? i know. version by version,
patch by patch. its my job to know.
fact is most people using arpspoofing have no clue of the consequences
of it when they just -9 the tool without first reloading the
arptables with the original entries and thus cause outages.
still, anyone doing it in a prod network is stupid. they are. no
question about it.
look, arpspoofing is potentially VERY disrupting to the network. DO
NOT, please, use it unless it is a non-business critical private
network.
==>
1, unless you really really know what you are doing, arpspoofing is stupid.
2, if you think you know what you are doing 99% probability says you
are stupid and just wrong.
3, do you know the consequences of a failed arp spoof attempt in a
real production environment?
4, do it on a business critical network and ...
5, DONT arpspoof unless it is your own play test network.
On 6/17/05, Manu Garg <manugarg@xxxxxxxxx> wrote:
> have you ever tried it? i don't think so.
>
> as i said earlier, you are not going to bring down the whole network
> even if something goes wrong. only the communication between the
> machines being attacked i.e. target machines is going to be affected.
>
> I'll add a warning to the presentation: "this is not for the kids".
> It's certainly not for the kids.
>
> ~manu
>
> On 6/16/05, ronnie sahlberg <ronniesahlberg@xxxxxxxxx> wrote:
> > start doing arp spoofing and kill ettercap or hunt with a -9 and
> > watch the end-to-end outage that occurs and will last until the arp
> > entry timeout (10-15 minutes).
> >
> > very very ugly.
> >
> > dont dont dont ever do this unless you know what you are doing.
> > never ever ever ever do this in a business critical network, ever.
> >
> >
> > On 6/17/05, Manu Garg <manugarg@xxxxxxxxx> wrote:
> > > I don't believe that. Arp poisoning is not ugly. You can call MAC
> > > flooding as ugly, but not ARP poisoning for sure.
> > >
> > > ARP poisoning does nothing to the switch. Switches work at level 2 and
> > > are only concerned about MAC addresses. They don't come to know that
> > > MAC address of a certain IP address has changed.
> > >
> > > ARP poisoning can confuse only the involved hosts. If gateway is one
> > > of those hosts and someone attempting to ARP poison is a kid, then
> > > certainly there can be some problems.
> > >
> > > hth
> > > ~manu
> > >
> > > On 6/16/05, Ulf Lamping <ulf.lamping@xxxxxx> wrote:
> > > > Manu Garg wrote:
> > > >
> > > > >Many of us know that sniffing is possible in a shared i.e.
> > > > >non-switched ethernet environment. But only few of us know that
> > > > >sniffing is also possible in a switched ethernet environment. One of
> > > > >the reasons is that it's not that straighforward. But it's not
> > > > >impossible or difficult. You can use man in the middle technique like
> > > > >ARP spoofing to sniff in a switched environment.
> > > > >
> > > > >
> > > > >This presentation is an attempt to explain how can somebody sniff in a
> > > > >switched ethernet using ARP spoofing. Dsniff has existed for long as a
> > > > >tool for various sniffing activities. But recently, tools like
> > > > >EttercapNG have made it easier.
> > > > >
> > > > >
> > > > >Link to my original post and presentation -
> > > > >http://manugarg.freezope.org/2005/06/sniffing-in-switched-network-many-of.html
> > > > >
> > > > >Presentation-
> > > > >http://manugarg.freezope.org/notes/arp_spoofing
> > > > >
> > > > >Please let me know your views on it.
> > > > >
> > > > >
> > > > Yes it is possible, but it is really ugly for it's various side effects.
> > > >
> > > > Have a look at the information on this topic so far at:
> > > > http://wiki.ethereal.com/CaptureSetup_2fEthernet
> > > >
> > > > As the wiki page says:
> > > >
> > > > *Please do not try this on any LAN other than your own.*
> > > >
> > > > Regards, ULFL
> > > >
> > >
> > >
> > > --
> > > Manu Garg
> > > http://manugarg.freezope.org
> > > "Truth will set you free!"
> > >
> > > _______________________________________________
> > > Ethereal-users mailing list
> > > Ethereal-users@xxxxxxxxxxxx
> > > http://www.ethereal.com/mailman/listinfo/ethereal-users
> > >
> >
>
>
> --
> Manu Garg
> http://manugarg.freezope.org
> "Truth will set you free!"
>