Ethereal-users: Re: [Ethereal-users] sniffing in a switched network - arp spoofing using etterca
No one has actually come to the point, so let me be a little more
direct. Your presentation does not appear to be a simple informative
text. It reads more like a primer for script kiddies. You use language
designed to entice people to try this in several of the slides and imply
the behavior is "cool." As a legitimate network administrator at a
large company I find it offensive. I have seen several thoughtfully
written papers on the mechanics of arp spoofing, CAM table flooding and
other techniques which simply seek to convey information. Yours isn't
one of them.
I'll not argue with your right to "spread information" - but you have
posted this announcement to a list populated largely by serious
professionals who are using Ethereal to keep their networks running
smoothly. You should not be surprised at replies which imply that the
advice you give is irresponsible at best, and could land the "student"
in a LOT of trouble. Intentionally tinkering with the functioning of a
legitimate network in order to gain access to information to which you
are not entitled is wrong.
Manu Garg wrote:
On 6/17/05, ronnie sahlberg <ronniesahlberg@xxxxxxxxx> wrote:
no
arp spoofing is trivial
it has been done for at least 5+ years with easy to use tools. such as
hunt and more recent tools such as ettercap and friends.
i think dsniff was most widely used tool some time ago and probably
still is. but i think, there is more scope for human error in case of
dsniff.
it is still dangerous.
arpspoof A<->B and -9 ettercap or whatever and it might take 10-15
minutes before A may communicate with B again.
exactly what i am saying. even if somebody does kill -9, only
communication between A and B will suffer. and it may take that long
only on solaris.
As for solaris, though 826 says a host SHOULD use all info to keep
all info up to date,
solaris does not track both requests and responses. solaris will only
use one of those types to keep the arp table uptodate and ignore the
rest. which ones?
Solaris is also peculiar in that once it has entered/modified an arp
entry it will disregard any conflicting arp traffic for X number or ms
regardless of whether it triews to change the netry or not.
Question: what does solaris do just prior to timing out an arp entry?
a, nothing
b, something unicast
c somthing broadcast
answer is b.
nobody is supposed to do kill -9. unix is not for fools, you know
that. what if somebody does 'rm -rf /' ;-)
DON'T DO IT!!
On 6/17/05, Manu Garg <manugarg@xxxxxxxxx> wrote:
Tell me, how can it affect the whole network until unless you are
doing something so stupid as telling all the machines on the network
that you are the gateway and you run away.
did you read the presentation? there is a mention of solaris systems.
I have mentioned that solaris doesn't update it's arp table so easily.
but, good thing about ettercap is that it handles most of the things.
in the presentation -- i am also not depending on ettercap to forward
packets. i am using kernel's forwarding option. that's also to avoid
chances of errors from ettercap part. first you are supposed to clear
arp tables back to it's original and then disable forwarding.
And most importantly, i am not asking anybody to use it. It's just to
let people know that arp spoofing is not so obscure and difficult.
Thanks for comments anyways! I'll add some warning in the end.
enjoy and chill! :)
~manu
On 6/16/05, ronnie sahlberg <ronniesahlberg@xxxxxxxxx> wrote:
You are wrong.
I use "hunt" on a regular basis in my labs to do intercept and
modify packets i use it frequently. (hunt==ettercap but it is easier
to to intercept and modify) I only use it in a well isolated test lab.
Just bloody fill in the hook in arp_spoof.c (in hunt) and modify the
packet, then recalculate the tcp/udp and ip checksum and you are ok.
That is how i test NFS implementations for protocol specification
compliance for corner case compliance.
However, there IS a real world chance that people that do not
understand what arp spoofing does, to cause a serious disruption of
their network infrastructure!
Do you know the ARP table timeout for the 10-15 most polular unix
versions? I do.
When and why does solaris update its arp table? on unsolicited
requests/responses? when does it? i know. version by version,
patch by patch. its my job to know.
fact is most people using arpspoofing have no clue of the consequences
of it when they just -9 the tool without first reloading the
arptables with the original entries and thus cause outages.
still, anyone doing it in a prod network is stupid. they are. no
question about it.
look, arpspoofing is potentially VERY disrupting to the network. DO
NOT, please, use it unless it is a non-business critical private
network.
==>
1, unless you really really know what you are doing, arpspoofing is stupid.
2, if you think you know what you are doing 99% probability says you
are stupid and just wrong.
3, do you know the consequences of a failed arp spoof attempt in a
real production environment?
4, do it on a business critical network and ...
5, DONT arpspoof unless it is your own play test network.
On 6/17/05, Manu Garg <manugarg@xxxxxxxxx> wrote:
have you ever tried it? i don't think so.
as i said earlier, you are not going to bring down the whole network
even if something goes wrong. only the communication between the
machines being attacked i.e. target machines is going to be affected.
I'll add a warning to the presentation: "this is not for the kids".
It's certainly not for the kids.
~manu
On 6/16/05, ronnie sahlberg <ronniesahlberg@xxxxxxxxx> wrote:
start doing arp spoofing and kill ettercap or hunt with a -9 and
watch the end-to-end outage that occurs and will last until the arp
entry timeout (10-15 minutes).
very very ugly.
dont dont dont ever do this unless you know what you are doing.
never ever ever ever do this in a business critical network, ever.
On 6/17/05, Manu Garg <manugarg@xxxxxxxxx> wrote:
I don't believe that. Arp poisoning is not ugly. You can call MAC
flooding as ugly, but not ARP poisoning for sure.
ARP poisoning does nothing to the switch. Switches work at level 2 and
are only concerned about MAC addresses. They don't come to know that
MAC address of a certain IP address has changed.
ARP poisoning can confuse only the involved hosts. If gateway is one
of those hosts and someone attempting to ARP poison is a kid, then
certainly there can be some problems.
hth
~manu
On 6/16/05, Ulf Lamping <ulf.lamping@xxxxxx> wrote:
Manu Garg wrote:
Many of us know that sniffing is possible in a shared i.e.
non-switched ethernet environment. But only few of us know that
sniffing is also possible in a switched ethernet environment. One of
the reasons is that it's not that straighforward. But it's not
impossible or difficult. You can use man in the middle technique like
ARP spoofing to sniff in a switched environment.
This presentation is an attempt to explain how can somebody sniff in a
switched ethernet using ARP spoofing. Dsniff has existed for long as a
tool for various sniffing activities. But recently, tools like
EttercapNG have made it easier.
Link to my original post and presentation -
http://manugarg.freezope.org/2005/06/sniffing-in-switched-network-many-of.html
Presentation-
http://manugarg.freezope.org/notes/arp_spoofing
Please let me know your views on it.
Yes it is possible, but it is really ugly for it's various side effects.
Have a look at the information on this topic so far at:
http://wiki.ethereal.com/CaptureSetup_2fEthernet
As the wiki page says:
*Please do not try this on any LAN other than your own.*
Regards, ULFL
--
Manu Garg
http://manugarg.freezope.org
"Truth will set you free!"
_______________________________________________
Ethereal-users mailing list
Ethereal-users@xxxxxxxxxxxx
http://www.ethereal.com/mailman/listinfo/ethereal-users
--
Manu Garg
http://manugarg.freezope.org
"Truth will set you free!"
--
Manu Garg
http://manugarg.freezope.org
"Truth will set you free!"