Ethereal-users: Re: [Ethereal-users] sniffing in a switched network - arp spoofing using etterca

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Manu Garg <manugarg@xxxxxxxxx>
Date: Fri, 17 Jun 2005 00:30:56 -0400
On 6/17/05, ronnie sahlberg <ronniesahlberg@xxxxxxxxx> wrote:
> no
> 
> 
> arp spoofing is trivial
> it has been done for at least 5+ years with easy to use tools. such as
> hunt and more recent tools such as ettercap and friends.

i think dsniff was most widely used tool some time ago and probably
still is. but i think, there is more scope for human error in case of
dsniff.

> it is still dangerous.
> arpspoof A<->B and -9   ettercap or whatever and it might take 10-15
> minutes before A may communicate with B again.
> 

exactly what i am saying. even if somebody does kill -9, only
communication between A and B will suffer. and it may take that long
only on solaris.
 
> As for solaris,    though 826 says a host SHOULD use all info to keep
> all info up to date,
> solaris does not track both requests and responses. solaris will only
> use one of those types to keep the arp table uptodate and ignore the
> rest. which ones?
> 
> Solaris is also peculiar in that once it has entered/modified an arp
> entry it will disregard any conflicting arp traffic for X number or ms
>   regardless of whether it triews to change the netry or not.
> 
> 
> Question:   what does solaris do just prior to timing out an arp entry?
> a, nothing
> b, something unicast
> c somthing broadcast
> 
> answer is b.

nobody is supposed to do kill -9. unix is not for fools, you know
that. what if somebody does 'rm -rf /' ;-)

DON'T DO IT!!

> On 6/17/05, Manu Garg <manugarg@xxxxxxxxx> wrote:
> > Tell me, how can it affect the whole network until unless you are
> > doing something so stupid as telling all the machines on the network
> > that you are the gateway and you run away.
> >
> > did you read the presentation? there is a mention of solaris systems.
> > I have mentioned that solaris doesn't update it's arp table so easily.
> > but, good thing about ettercap is that it handles most of the things.
> >
> > in the presentation -- i am also not depending on ettercap to forward
> > packets. i am using kernel's forwarding option. that's also to avoid
> > chances of errors from ettercap part. first you are supposed to clear
> > arp tables back to it's original and then disable forwarding.
> >
> > And most importantly, i am not asking anybody to use it. It's just to
> > let people know that arp spoofing is not so obscure and difficult.
> >
> > Thanks for comments anyways! I'll add some warning in the end.
> >
> > enjoy and chill! :)
> > ~manu
> >
> > On 6/16/05, ronnie sahlberg <ronniesahlberg@xxxxxxxxx> wrote:
> > > You are wrong.
> > >
> > > I use    "hunt"   on a regular basis in my labs to do intercept and
> > > modify packets   i use it frequently. (hunt==ettercap but it is easier
> > > to to intercept and modify) I only use it in a well isolated test lab.
> > > Just bloody fill in the hook in arp_spoof.c (in hunt) and modify the
> > > packet, then recalculate the tcp/udp and ip checksum and you are ok.
> > > That is how i test NFS implementations for protocol specification
> > > compliance for corner case compliance.
> > >
> > > However, there IS a real world chance that people that do not
> > > understand what arp spoofing does, to cause a serious disruption of
> > > their network infrastructure!
> > >
> > > Do you know the ARP table timeout for the 10-15 most polular unix
> > > versions?  I do.
> > > When and why does solaris update its arp table?  on unsolicited
> > > requests/responses?   when does it? i know.   version  by version,
> > > patch by patch. its my job to know.
> > >
> > > fact is most people using arpspoofing have no clue of the consequences
> > > of it when they just -9 the tool    without first  reloading the
> > > arptables with the original entries  and thus cause outages.
> > >
> > > still, anyone doing it in a prod network is stupid.  they are. no
> > > question about it.
> > >
> > > look,   arpspoofing is potentially VERY disrupting to the network.  DO
> > > NOT, please, use it unless it is a non-business critical private
> > > network.
> > >
> > > ==>
> > > 1, unless you really really know what you are doing,   arpspoofing is stupid.
> > > 2, if you think you know what you are doing 99% probability says you
> > > are stupid and just wrong.
> > > 3, do you know the consequences of a failed arp spoof attempt in a
> > > real production environment?
> > > 4, do it on a business critical network and ...
> > > 5, DONT arpspoof unless it is your own play test network.
> > >
> > >
> > >
> > > On 6/17/05, Manu Garg <manugarg@xxxxxxxxx> wrote:
> > > > have you ever tried it? i don't think so.
> > > >
> > > > as i said earlier, you are not going to bring down the whole network
> > > > even if something goes wrong. only the communication between the
> > > > machines being attacked i.e. target machines  is going to be affected.
> > > >
> > > > I'll add a warning to the presentation: "this is not for the kids".
> > > > It's certainly not for the kids.
> > > >
> > > > ~manu
> > > >
> > > > On 6/16/05, ronnie sahlberg <ronniesahlberg@xxxxxxxxx> wrote:
> > > > > start doing arp spoofing and kill ettercap or hunt with a -9  and
> > > > > watch the end-to-end outage that occurs and will last until the arp
> > > > > entry timeout (10-15 minutes).
> > > > >
> > > > > very very ugly.
> > > > >
> > > > > dont dont dont ever do this unless you know what you are doing.
> > > > > never ever ever ever do this in a business critical network, ever.
> > > > >
> > > > >
> > > > > On 6/17/05, Manu Garg <manugarg@xxxxxxxxx> wrote:
> > > > > > I don't believe that. Arp poisoning is not ugly. You can call MAC
> > > > > > flooding as ugly, but not ARP poisoning for sure.
> > > > > >
> > > > > > ARP poisoning does nothing to the switch. Switches work at level 2 and
> > > > > > are only concerned about MAC addresses.  They don't come to know that
> > > > > > MAC address of a certain IP address has changed.
> > > > > >
> > > > > > ARP poisoning can confuse only the involved hosts. If gateway is one
> > > > > > of those hosts and someone attempting to ARP poison is a kid, then
> > > > > > certainly there can be some problems.
> > > > > >
> > > > > > hth
> > > > > > ~manu
> > > > > >
> > > > > > On 6/16/05, Ulf Lamping <ulf.lamping@xxxxxx> wrote:
> > > > > > > Manu Garg wrote:
> > > > > > >
> > > > > > > >Many of us know that sniffing is possible in a shared i.e.
> > > > > > > >non-switched ethernet environment. But only few of us know that
> > > > > > > >sniffing is also possible in a switched ethernet environment. One of
> > > > > > > >the reasons is that it's not that straighforward. But it's not
> > > > > > > >impossible or difficult. You can use man in the middle technique like
> > > > > > > >ARP spoofing to sniff in a switched environment.
> > > > > > > >
> > > > > > > >
> > > > > > > >This presentation is an attempt to explain how can somebody sniff in a
> > > > > > > >switched ethernet using ARP spoofing. Dsniff has existed for long as a
> > > > > > > >tool for various sniffing activities. But recently, tools like
> > > > > > > >EttercapNG have made it easier.
> > > > > > > >
> > > > > > > >
> > > > > > > >Link to my original post and presentation -
> > > > > > > >http://manugarg.freezope.org/2005/06/sniffing-in-switched-network-many-of.html
> > > > > > > >
> > > > > > > >Presentation-
> > > > > > > >http://manugarg.freezope.org/notes/arp_spoofing
> > > > > > > >
> > > > > > > >Please let me know your views on it.
> > > > > > > >
> > > > > > > >
> > > > > > > Yes it is possible, but it is really ugly for it's various side effects.
> > > > > > >
> > > > > > > Have a look at the information on this topic so far at:
> > > > > > > http://wiki.ethereal.com/CaptureSetup_2fEthernet
> > > > > > >
> > > > > > > As the wiki page says:
> > > > > > >
> > > > > > > *Please do not try this on any LAN other than your own.*
> > > > > > >
> > > > > > > Regards, ULFL
> > > > > > >
> > > > > >
> > > > > >
> > > > > > --
> > > > > > Manu Garg
> > > > > > http://manugarg.freezope.org
> > > > > > "Truth will set you free!"
> > > > > >
> > > > > > _______________________________________________
> > > > > > Ethereal-users mailing list
> > > > > > Ethereal-users@xxxxxxxxxxxx
> > > > > > http://www.ethereal.com/mailman/listinfo/ethereal-users
> > > > > >
> > > > >
> > > >
> > > >
> > > > --
> > > > Manu Garg
> > > > http://manugarg.freezope.org
> > > > "Truth will set you free!"
> > > >
> > >
> >
> >
> > --
> > Manu Garg
> > http://manugarg.freezope.org
> > "Truth will set you free!"
> >
> 


-- 
Manu Garg
http://manugarg.freezope.org
"Truth will set you free!"