Re: [Full-disclosure] Packet sniffing help needed



On Tue, Dec 06, 2005 at 05:41:05PM +0000, Mark Knowles wrote:
> Thanks!
>
> I really appreciate the help. I have found a new interest. No more
> ASM for a month or 2.
>
> So those warnings are "boiling water is hot!" - there is nothing I can
> do about it - It's similar to the cash machines here now that have
> stickers on them saying people can read your PIN number (always conceal
> it when you type it in).

Well, there *are* some things you can do. The most realistic is probably
using HTTPS for all web traffic that is sensitive, never reading mail
over an unencrypted link, and trying very hard to send all mail over an
encrypted link (this is much harder, though).

Also, things like Tor will make connecting the source and endpoint
address infeasible (!= impossible).

> Still good to know. After thinking about this a bit more, it
> really does appear to be the wiretap thing - I suppose I never thought
> of wire taps like that, where the CIA/FBI compromise the telephone
> exchange - albeit with permission.
>
> When you say manipulating the routing tables, this doesn't mean too
> much to me (unless you are talking about DNS poisoning - although I
> suspect it's more); could you please send me some links to read up on?
> I know what routing tables are, but that's about it :)

I don't know too much about it, myself, as I never owned a network large
enough to need a routing table to speak of.

But I've read that some Border Gateway Protocol (BGP) implementations
can/could be persuaded to accept spoofed routes; if 1.2.0.0/16 was in
their table, they would accept a 'more specific' 1.2.3.0/24 route, which
could be used to route all traffic to 1.2.3.0/24 via your router of
choice.

(BGP is used to keep 'external' routes usable; it's mostly used to make
sure that if some network goes down, other routers immediately
reconfigure their routing tables to route all traffic around the
now-failed router, thus making sure that outages stay limited - so that
some ISP going down will not mean you, on a very different ISP, suddenly
cannot contact any sites in Malaysia...)

> I know this is basic, but here is another ascii diagram
>
> C1 - CR1 -=-=-=-=-= CR3 - C3
> C2 --¦ --¦
>
> C1 - Victim user
> CR1 - Victim Router1
> C3 - Site
> CR3 - Site Router
>
> -=-= Ethernet 'aether' and hosts.
>
> C2 - Attacker
>
> CR3 would seem to be the target. So trace to the last IP, then try to
> compromise that... would seem to be the logical explanation. I suppose
> an alternative would be to map the network behind the router and go
> for one of those machines, then ARP poison the router.

Yes, if you want to get CR3 traffic this would be the most logical way.

Also, be aware that ARP poisoning is not undefeatable - static ARP
entries will take care of it just fine.

> Attempting to get anything but 1 or 2 hops from the target site
> (assuming that I don't know the victim's IP) is the best I can hope for
> to capture all traffic. Anything in the -=- area might be worth it, but
> cannot guarantee success, and would need good log parsers/regex
> strings.

Indeed.

> Is this a valid scenario? I think I'm on the right track now and I'm
> gonna have some fun tonight - bloody hell, I'm getting excited by
> trying this out ... time to sack the bird, she is getting too
> expensive anyway... ;)

Yes, it *is* a valid way of attack. Just decidedly nontrivial, as most
core routing infrastructure has been subjected to attacks before, and is
still going strong...

Joachim
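The "more specific route" point in the reply above comes down to longest-prefix matching: every forwarder prefers the most specific covering prefix, so an injected /24 wins over the legitimate /16 that contains it. The following is an added illustration, not code from the mailing-list post; the prefixes, the next-hop labels and the ingress policy are made-up assumptions, and the policy is a deliberately simplified stand-in for the per-neighbour prefix lists and origin validation real networks use.

```python
"""Longest-prefix match and the 'more specific route' trick.

Added illustration of the BGP point made in the thread; not code from the
mailing-list post. Prefixes, next-hop labels and the ingress policy are
made-up assumptions, and the policy is a simplified stand-in for real
prefix-list / origin filtering.
"""
import ipaddress


def best_route(table, dst):
    """Return the next hop for `dst` by longest-prefix match.

    `table` maps IPv4Network -> next-hop label. Every IP forwarder picks
    the most specific covering prefix, which is exactly what a hijacker
    relies on: a /24 always beats the legitimate /16 that contains it.
    """
    addr = ipaddress.IPv4Address(dst)
    candidates = [(net, nh) for net, nh in table.items() if addr in net]
    if not candidates:
        return None
    _net, next_hop = max(candidates, key=lambda c: c[0].prefixlen)
    return next_hop


def announce(table, prefix, next_hop, filtered=False, max_len=24):
    """Install a route announcement into `table`; return True if accepted.

    filtered=False models the permissive behaviour the thread describes:
    whatever a neighbour announces is installed.
    filtered=True applies a made-up, minimal ingress policy:
      * drop anything more specific than /max_len
      * drop a more-specific of a prefix already learned from a different
        neighbour, unless that same neighbour announces it itself
    """
    prefix = ipaddress.IPv4Network(prefix)
    if filtered:
        if prefix.prefixlen > max_len:
            return False
        for net, nh in table.items():
            if prefix != net and prefix.subnet_of(net) and nh != next_hop:
                return False
    table[prefix] = next_hop
    return True


def demo(filtered):
    """ISP-A legitimately announces 1.2.0.0/16; an attacker then announces
    the more specific 1.2.3.0/24. Returns what happens to two destinations."""
    table = {}
    announce(table, "1.2.0.0/16", "ISP-A", filtered=filtered)
    hijack_installed = announce(table, "1.2.3.0/24", "ATTACKER", filtered=filtered)
    return {
        "hijack_installed": hijack_installed,
        "1.2.3.4": best_route(table, "1.2.3.4"),   # inside the attacker's /24
        "1.2.9.9": best_route(table, "1.2.9.9"),   # covered only by the /16
    }


if __name__ == "__main__":
    for mode in (False, True):
        print("filtered" if mode else "permissive", demo(mode))
```

In permissive mode only 1.2.3.x is redirected, which is what makes the attack quiet: the rest of the /16 keeps working and the victim sees nothing odd. The toy policy has a real cost, too: a customer that legitimately announces a more-specific through a second provider would be dropped as well, which is why production networks rely on explicit per-neighbour prefix lists and origin validation rather than a heuristic like this one.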
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/