Ethereal-users: Re: [Ethereal-users] sniffing in a switched network - arp spoofing using etterca

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Manu Garg <manugarg@xxxxxxxxx>
Date: Fri, 17 Jun 2005 08:42:08 -0400
It's not just an information about arp spoofing or mac flooding. It's
a recipe to do that. And yes I think, it's cool. Isn't it?

Being a "legitimate" network administrator, you should have a
mechanism in place to detect arp spoofing. that's what i expect
network administrators to learn from any document on arp sppofing. you
cannot just call it "wrong". it won't help you.

but, kind of replies I am getting here certainly make me think that
this is not the right list.

~manu
On 6/17/05, James <jvfields@xxxxxxx> wrote:
> No one has actually come to the point, so let me be a little more
> direct.  Your presentation does not appear to be a simple informative
> text. It reads more like a primer for script kiddies.  You use language
> designed to entice people to try this in several of the slides and imply
> the behavior is "cool."  As a legitimate network administrator at a
> large company I find it offensive.  I have seen several thoughtfully
> written papers on the mechanics of arp spoofing, CAM table flooding and
> other techniques which simply seek to convey information.  Yours isn't
> one of them.
> 
> I'll not argue with your right to "spread information" - but you have
> posted this announcement to a list populated largely by serious
> professionals who are using Ethereal to keep their networks running
> smoothly.  You should not be surprised at replies which imply that the
> advice you give is irresponsible at best, and could land the "student"
> in a LOT of trouble.  Intentionally tinkering with the functioning of a
> legitimate network in order to gain access to information to which you
> are not entitled is wrong.
> 
> Manu Garg wrote:
> 
> >On 6/17/05, ronnie sahlberg <ronniesahlberg@xxxxxxxxx> wrote:
> >
> >
> >>no
> >>
> >>
> >>arp spoofing is trivial
> >>it has been done for at least 5+ years with easy to use tools. such as
> >>hunt and more recent tools such as ettercap and friends.
> >>
> >>
> >
> >i think dsniff was most widely used tool some time ago and probably
> >still is. but i think, there is more scope for human error in case of
> >dsniff.
> >
> >
> >
> >>it is still dangerous.
> >>arpspoof A<->B and -9   ettercap or whatever and it might take 10-15
> >>minutes before A may communicate with B again.
> >>
> >>
> >>
> >
> >exactly what i am saying. even if somebody does kill -9, only
> >communication between A and B will suffer. and it may take that long
> >only on solaris.
> >
> >
> >
> >>As for solaris,    though 826 says a host SHOULD use all info to keep
> >>all info up to date,
> >>solaris does not track both requests and responses. solaris will only
> >>use one of those types to keep the arp table uptodate and ignore the
> >>rest. which ones?
> >>
> >>Solaris is also peculiar in that once it has entered/modified an arp
> >>entry it will disregard any conflicting arp traffic for X number or ms
> >>  regardless of whether it triews to change the netry or not.
> >>
> >>
> >>Question:   what does solaris do just prior to timing out an arp entry?
> >>a, nothing
> >>b, something unicast
> >>c somthing broadcast
> >>
> >>answer is b.
> >>
> >>
> >
> >nobody is supposed to do kill -9. unix is not for fools, you know
> >that. what if somebody does 'rm -rf /' ;-)
> >
> >DON'T DO IT!!
> >
> >
> >
> >>On 6/17/05, Manu Garg <manugarg@xxxxxxxxx> wrote:
> >>
> >>
> >>>Tell me, how can it affect the whole network until unless you are
> >>>doing something so stupid as telling all the machines on the network
> >>>that you are the gateway and you run away.
> >>>
> >>>did you read the presentation? there is a mention of solaris systems.
> >>>I have mentioned that solaris doesn't update it's arp table so easily.
> >>>but, good thing about ettercap is that it handles most of the things.
> >>>
> >>>in the presentation -- i am also not depending on ettercap to forward
> >>>packets. i am using kernel's forwarding option. that's also to avoid
> >>>chances of errors from ettercap part. first you are supposed to clear
> >>>arp tables back to it's original and then disable forwarding.
> >>>
> >>>And most importantly, i am not asking anybody to use it. It's just to
> >>>let people know that arp spoofing is not so obscure and difficult.
> >>>
> >>>Thanks for comments anyways! I'll add some warning in the end.
> >>>
> >>>enjoy and chill! :)
> >>>~manu
> >>>
> >>>On 6/16/05, ronnie sahlberg <ronniesahlberg@xxxxxxxxx> wrote:
> >>>
> >>>
> >>>>You are wrong.
> >>>>
> >>>>I use    "hunt"   on a regular basis in my labs to do intercept and
> >>>>modify packets   i use it frequently. (hunt==ettercap but it is easier
> >>>>to to intercept and modify) I only use it in a well isolated test lab.
> >>>>Just bloody fill in the hook in arp_spoof.c (in hunt) and modify the
> >>>>packet, then recalculate the tcp/udp and ip checksum and you are ok.
> >>>>That is how i test NFS implementations for protocol specification
> >>>>compliance for corner case compliance.
> >>>>
> >>>>However, there IS a real world chance that people that do not
> >>>>understand what arp spoofing does, to cause a serious disruption of
> >>>>their network infrastructure!
> >>>>
> >>>>Do you know the ARP table timeout for the 10-15 most polular unix
> >>>>versions?  I do.
> >>>>When and why does solaris update its arp table?  on unsolicited
> >>>>requests/responses?   when does it? i know.   version  by version,
> >>>>patch by patch. its my job to know.
> >>>>
> >>>>fact is most people using arpspoofing have no clue of the consequences
> >>>>of it when they just -9 the tool    without first  reloading the
> >>>>arptables with the original entries  and thus cause outages.
> >>>>
> >>>>still, anyone doing it in a prod network is stupid.  they are. no
> >>>>question about it.
> >>>>
> >>>>look,   arpspoofing is potentially VERY disrupting to the network.  DO
> >>>>NOT, please, use it unless it is a non-business critical private
> >>>>network.
> >>>>
> >>>>==>
> >>>>1, unless you really really know what you are doing,   arpspoofing is stupid.
> >>>>2, if you think you know what you are doing 99% probability says you
> >>>>are stupid and just wrong.
> >>>>3, do you know the consequences of a failed arp spoof attempt in a
> >>>>real production environment?
> >>>>4, do it on a business critical network and ...
> >>>>5, DONT arpspoof unless it is your own play test network.
> >>>>
> >>>>
> >>>>
> >>>>On 6/17/05, Manu Garg <manugarg@xxxxxxxxx> wrote:
> >>>>
> >>>>
> >>>>>have you ever tried it? i don't think so.
> >>>>>
> >>>>>as i said earlier, you are not going to bring down the whole network
> >>>>>even if something goes wrong. only the communication between the
> >>>>>machines being attacked i.e. target machines  is going to be affected.
> >>>>>
> >>>>>I'll add a warning to the presentation: "this is not for the kids".
> >>>>>It's certainly not for the kids.
> >>>>>
> >>>>>~manu
> >>>>>
> >>>>>On 6/16/05, ronnie sahlberg <ronniesahlberg@xxxxxxxxx> wrote:
> >>>>>
> >>>>>
> >>>>>>start doing arp spoofing and kill ettercap or hunt with a -9  and
> >>>>>>watch the end-to-end outage that occurs and will last until the arp
> >>>>>>entry timeout (10-15 minutes).
> >>>>>>
> >>>>>>very very ugly.
> >>>>>>
> >>>>>>dont dont dont ever do this unless you know what you are doing.
> >>>>>>never ever ever ever do this in a business critical network, ever.
> >>>>>>
> >>>>>>
> >>>>>>On 6/17/05, Manu Garg <manugarg@xxxxxxxxx> wrote:
> >>>>>>
> >>>>>>
> >>>>>>>I don't believe that. Arp poisoning is not ugly. You can call MAC
> >>>>>>>flooding as ugly, but not ARP poisoning for sure.
> >>>>>>>
> >>>>>>>ARP poisoning does nothing to the switch. Switches work at level 2 and
> >>>>>>>are only concerned about MAC addresses.  They don't come to know that
> >>>>>>>MAC address of a certain IP address has changed.
> >>>>>>>
> >>>>>>>ARP poisoning can confuse only the involved hosts. If gateway is one
> >>>>>>>of those hosts and someone attempting to ARP poison is a kid, then
> >>>>>>>certainly there can be some problems.
> >>>>>>>
> >>>>>>>hth
> >>>>>>>~manu
> >>>>>>>
> >>>>>>>On 6/16/05, Ulf Lamping <ulf.lamping@xxxxxx> wrote:
> >>>>>>>
> >>>>>>>
> >>>>>>>>Manu Garg wrote:
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>>Many of us know that sniffing is possible in a shared i.e.
> >>>>>>>>>non-switched ethernet environment. But only few of us know that
> >>>>>>>>>sniffing is also possible in a switched ethernet environment. One of
> >>>>>>>>>the reasons is that it's not that straighforward. But it's not
> >>>>>>>>>impossible or difficult. You can use man in the middle technique like
> >>>>>>>>>ARP spoofing to sniff in a switched environment.
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>>This presentation is an attempt to explain how can somebody sniff in a
> >>>>>>>>>switched ethernet using ARP spoofing. Dsniff has existed for long as a
> >>>>>>>>>tool for various sniffing activities. But recently, tools like
> >>>>>>>>>EttercapNG have made it easier.
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>>Link to my original post and presentation -
> >>>>>>>>>http://manugarg.freezope.org/2005/06/sniffing-in-switched-network-many-of.html
> >>>>>>>>>
> >>>>>>>>>Presentation-
> >>>>>>>>>http://manugarg.freezope.org/notes/arp_spoofing
> >>>>>>>>>
> >>>>>>>>>Please let me know your views on it.
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>Yes it is possible, but it is really ugly for it's various side effects.
> >>>>>>>>
> >>>>>>>>Have a look at the information on this topic so far at:
> >>>>>>>>http://wiki.ethereal.com/CaptureSetup_2fEthernet
> >>>>>>>>
> >>>>>>>>As the wiki page says:
> >>>>>>>>
> >>>>>>>>*Please do not try this on any LAN other than your own.*
> >>>>>>>>
> >>>>>>>>Regards, ULFL
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>--
> >>>>>>>Manu Garg
> >>>>>>>http://manugarg.freezope.org
> >>>>>>>"Truth will set you free!"
> >>>>>>>
> >>>>>>>_______________________________________________
> >>>>>>>Ethereal-users mailing list
> >>>>>>>Ethereal-users@xxxxxxxxxxxx
> >>>>>>>http://www.ethereal.com/mailman/listinfo/ethereal-users
> >>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>--
> >>>>>Manu Garg
> >>>>>http://manugarg.freezope.org
> >>>>>"Truth will set you free!"
> >>>>>
> >>>>>
> >>>>>
> >>>--
> >>>Manu Garg
> >>>http://manugarg.freezope.org
> >>>"Truth will set you free!"
> >>>
> >>>
> >>>
> >
> >
> >
> >
> 
> 
> 


-- 
Manu Garg
http://manugarg.freezope.org
"Truth will set you free!"