Re: Sniffing on a switch

From: Volker Tanger (vtlists_at_wyae.de)
Date: 10/29/05

  • Next message: Chris Mills: "Re: Sniffing on a switch" 
    Date: Sat, 29 Oct 2005 12:48:21 +0200
To: pen-test@securityfocus.com

    Greetings!

    On Thu, 27 Oct 2005 19:55:04 -0700
    "Andy Meyers" <andy.meyers@hushmail.com> wrote:

    > Now i know people say you "cant" sniff on a switch and I know about
    > ARP poisoning and MAC flooding. But there has to be another way. I
    > have heard too many stories about "he sniffed my AIM conversation on a
    > Cisco switch" (an example is in the most recent version of 2600). Does
    > anyone know of any technique how to do this? Can you ARP poison a
    > switch?

    On many managable (enterprise) switches often have a sniffing/mirror
    port where you can configure from which switch port(s) you want all
    traffic to be mirrored to this mirror port.

    And yes, all unprotected switches can be subjected to ARP poisoning. But
    (again) many manageable switches can be configured with preventive
    measures:

    - static/manual MAC/port mapping

    - automatic one-time MAC/port config: the very first MAC/port
      combination seen is taken as semi-static entry, all others are dropped.

    - limiting number of MAC addresses per port allowed
      (which helps against rogue switches and router, too)

    For all you need the help of the switch admins. So no help if you want
    to guard yourself against "evil" switchmasters... ;-)

    Bye

    Volker 

    -- 
Volker Tanger    http://www.wyae.de/volker.tanger/
--------------------------------------------------
vtlists@wyae.de                    PGP Fingerprint
378A 7DA7 4F20 C2F3 5BCC  8340 7424 6122 BB83 B8CB
------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner: 
Hackers are concentrating their efforts on attacking applications on your 
website. Up to 75% of cyber attacks are launched on shopping carts, forms, 
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are 
futile against web application hacking. Check your website for vulnerabilities 
to SQL injection, Cross site scripting and other web attacks before hackers do! 
Download Trial at:
http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------
  • Next message: Chris Mills: "Re: Sniffing on a switch"

    Relevant Pages

    • Re: Sniffing on a switch
      ... all unprotected switches can be subjected to ARP poisoning. ... Audit your website security with Acunetix Web Vulnerability Scanner: Hackers are concentrating their efforts on attacking applications on your website. ... Up to 75% of cyber attacks are launched on shopping carts, forms, login pages, dynamic content etc. Firewalls, SSL and locked-down servers are futile against web application hacking. ...
      (Pen-Test)
    • Re: Transport Mode IPSEC
      ... that an attacker can "sniff most switches" so I can have the ... you try attacking the switch with one of your fancy attacks to ... was a lot of this in early university campus dorm networks ... and try to steal passwords, ...
      (freebsd-questions)
    • Re: Testing Hubs and Switches
      ... > volunteers to test their hubs and switches for security venerabilities. ... Taranis relies on MAC spoofing to redirect network traffic. ... If you want a complete view of switches attacks, ... This list is provided by the SecurityFocus Security Intelligence Alert ...
      (Pen-Test)
    • Re: ASA5510 - Vlan Routing
      ... the switch?, so for example ports 3,4 and 5 would be in VLAN 2 and VLAN ... if AT-8350GB supports 802.1Q VLANs. ... work in this scenario or would I need to purchase another 2x switches ... on switches there have been attacks that allowed packets to cross ...
      (comp.dcom.sys.cisco)