Re: Sniffing Internet Traffic

From: Paul Neiberman (pneiber101@hotmail.com)
Date: 06/20/02

• Previous message: owentoby@WellsFargo.COM: "RE: Remote control"
• Maybe in reply to: Dan Williamson: "Sniffing Internet Traffic"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

From: "Paul Neiberman" <pneiber101@hotmail.com>
To: security-basics@lists.securityfocus.com
Date: Thu, 20 Jun 2002 17:51:14 +0000

Greetz,
(just thought i should add this to the thread)
There is this excellent article by Dexter Lindstorm elaborating
(links/diagrams provided )on sniffing/("upgrading bandwidth attempts") on
cable network architectures which sheds some light as to why you couldnīt
see anything (besides your own traffic) along with some possible windows of
opportunity for 'exploiting' this architecture:
http://rr.sans.org/homeoffice/sniffing.php

.

>
>On Sat, Jun 15, 2002 at 10:53:41AM -0400, David Lagani?re wrote:
> > and I couldn't see anything.. probably for the same reason.. some kind
>of
> > switched network. But I'm not a network guru.. so I might be wrong :)
>
>if it's a simple switched network, ARP attacks will usually do the
>trick, as most admins won't bind a MAC to each port of a switch (at
>least on ethernet) as this is really burdensome and a logistics
>nightmare, because every time a machine moves they have to re-bind that
>NIC's MAC to the new port so it can pass traffic. It is, however, great
>for security because MITM ARP attacks are futile as the switch already
>knows what MAC is on what physical port.
>
>I don't know a whole lot about cable modems, but my guess is that, like
>a DSL line, traffic routed down your line is a function of a hardware ID
>or circuit ID bound to the cable modem itself.
>
>does anyone have in-depth knowledge of cable that can touch on this?
>

_________________________________________________________________
Verzend en ontvang Hotmail via je mobieltje: http://mobile.msn.com

---

• Previous message: owentoby@WellsFargo.COM: "RE: Remote control"
• Maybe in reply to: Dan Williamson: "Sniffing Internet Traffic"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Relevant Pages RE: Exploit code for IP Smart Spoofing ... If there is a MAC violation, this is logged and the port is ... traffic of one other host on the switch. ... but there is no way to protect against ... (Bugtraq) RE: mac duplication ... Another solution you could use depends on your switch. ... that allow you to do port mirroring. ... IP address map to MAC addresses via router tables. ... How do i set up mac duplication ... (Vuln-Dev) Re: Ethernet switch flooding packets? ... course) so will have it's own MAC address. ... other VLANs there are are or how many hosts each has. ... was merely using the Ethernet switching terminology - if a switch ... doesn't know which individual port to push a frame out to, ... (comp.dcom.lans.ethernet) Re: Network scanning ... that works with a radius server to auth mac address at port ... level before the switch will enable that port... ... new MAC and disable the port. ... (Security-Basics) Re: Sniffing Internet Traffic ... if it's a simple switched network, ARP attacks will usually do the ... NIC's MAC to the new port so it can pass traffic. ... I don't know a whole lot about cable modems, but my guess is that, like ... (Security-Basics)

---

We are proud to have Web Hosting and Rack Housing from 9 Net Avenue Deutschland.
(10)