AW: AW: security-basics Digest 18 Jun 2003 22:09:15 -0000 Issue 618

From: Meidinger Christopher (christopher.meidinger_at_badenIT.de)
Date: 06/26/03

    To: "'David Wallraff'" <wall0448@ece.umn.edu>
    Date: Thu, 26 Jun 2003 10:09:03 +0100
    
    

    Hi Dave,

    Google can probably give you a more complete answer, but the gist of it is
    this:

    An (old school) non-switched network worked on the star principle. Every
    packet is delivered everywhere in a subnet and each machine grabs the
    packets that are for it. Thus, promiscuous mode is what tells a network
    interface to not just grab the packets that are intended for that machine,
    but to grab everything. You can test this on a hub: just put 4 machines on a
    hub, make them talk a bit, and sniff with one of them. You will see that
    they all can see the communications intended for each other machine on that
    segment.

    A modern switched network directs the packets so that each switch only
    delivers the packets to each machine that are intended for that specific
    machine. That means that if I sniff on an interface connected to a switch, I
    only see packets intended for my machine, and any broadcasts on my segment.
    (Routers should [almost] never forward broadcasts.) Test this by sniffing on
    any switch, and you will only get your own traffic and broadcasts.
    Broadcasts look like packets addressed to either ff.ff.ff.ff.ff.ff or
    SUB.NET.255.255 (depending on where you are you may see multicasts to 224.x.x.x
    addresses as well, but that is out of the scope of this answer.)

    NOW, you ask yourself: how can I sniff on a switched network if all I get is
    stuff for me?

    The answer is, you have to lie to the other machines, telling them that you
    are either their gateway, or that you are the machines that they want to
    talk to. The technical details are out of the scope of this paper, but you
    essentially get messages destined for other IP addresses delivered to your
    MAC address and then send them yourself to the real MAC address that
    belongs to the dst host after keeping a copy of the packet for yourself. This
    takes a certain amount of skill (though not that much with automated tools,
    see below) to do, but it is not beyond a novice.

    So that is why it is harder. Now for the portion of the question you forgot
    to ask: can I try this at home? Will anything bad happen if I do?

    Sure, get a copy of dsniff (www.monkey.org/TILDEdugsong/dsniff.html --
    replace the TILDE with a tilde symbol, my keyboard is busted and I can't
    type it ATM) or a copy of ettercap (I think it's on SourceForge, do a Google
    search -- try www.google.com/linux), read the manuals and start them up
    sniffing.

    Yes, you should do this in a test network. This kind of activity is fairly
    easy for an Intrusion Detection System to pick up, assuming it has a sensor
    on the local segment. So you can get in trouble with your network admins.
    There is no explanation for the network traffic this will create except
    hacking / security testing. Also, if you make a mistake, you can easily put
    your entire network segment out of commission (imagine you claim to be the
    gateway, and then forward the traffic to /dev/null instead of to the real
    gateway) with a small mistake, which will most likely get you kicked off the
    network.

    DISCLAIMER: This is an (exhaustive) answer to the question asked, not a guide
    on how to sniff on switched networks. Before you do anything, read all the
    man pages and howtos you can and be sure that you know what you are doing.
    If your network admin comes into your office with a shotgun in his hands and
    death in his eyes, you alone are responsible.

    If I was wrong on any technical point, please email me and the list with
    corrections.

    badenIT GmbH
    System Support Workstation
     
    Chris Meidinger
    Tullastrasse 70
    79108 Freiburg

    -----Ursprüngliche Nachricht-----
    Von: David Wallraff [mailto:wall0448@ece.umn.edu]
    Gesendet: Wednesday, June 25, 2003 5:33 PM
    An: Meidinger Christopher
    Cc: 'Hilal Hussein'; Security-Basics@Securityfocus. Com (E-Mail)
    Betreff: Re: AW: security-basics Digest 18 Jun 2003 22:09:15 -0000 Issue 618

    why is it harder to sniff over a switched network? I understand it's
    because of the switch (natch), but what makes it more difficult?
    dave

    On Wed, 25 Jun 2003, Meidinger Christopher wrote:

    > Hello Hilal,
    >
    > Yes, there are many tools that will do that. dsniff, ettercap, ethereal and
    > MANY others will read your password as it goes by on the wire. It is
    > slightly more difficult on a switched network, but it can still be done.
    >
    > You should not use telnet at all, use ssh (www.openssh.org) instead. The
    > Windows client PuTTY is the most common choice to connect over ssh from
    > Windows. As far as starting an ssh server on the firewall, you should be
    > able to do that in the same way that you started the telnet server.
    >
    > If you need more exact help, post to the list what type of firewall you are
    > using, and I am certain someone will help you get started.
    >
    > (Disclaimer: based on your question, you should [IMHO] definitely read up a
    > bit on security before configuring a firewall)
    >
    > badenIT GmbH
    > System Support
    >
    > Chris Meidinger
    > Tullastrasse 70
    > 79108 Freiburg
    >
    >
    > -----Ursprüngliche Nachricht-----
    > Von: Hilal Hussein [mailto:hilalma@hotmail.com]
    > Gesendet: Tuesday, June 24, 2003 10:08 AM
    > An: bugtraq@planetcobalt.net; security-basics@securityfocus.com
    > Betreff: Re: security-basics Digest 18 Jun 2003 22:09:15 -0000 Issue 618
    >
    >
    >
    >
    > Hello All,
    >
    > I am not sure if I am asking the right question within the same subject, but
    > I am configuring the firewall through the telnet connection / from winxp
    > workstation.
    >
    > Is there any possibility for any internal user to use any tools that will
    > hijack my telnet password - password for the firewall too!, and what are
    > the measurements for securing the telnet session.
    >
    > with regards,
    > Hilal Hussein
    >
    >
    >
    >
    ---------------------------------------------------------------------------
    > Evaluating SSL VPNs' Consider NEOTERIS, chosen as leader by top analysts!
    > The Gartner Group just put Neoteris in the top of its Magic Quadrant,
    > while InStat has confirmed Neoteris as the leader in marketshare.
    >
    > Find out why, and see how you can get plug-n-play secure remote access in
    > about an hour, with no client, server changes, or ongoing maintenance.
    >
    > Visit us at: http://www.neoteris.com/promos/sf-6-9.htm
    >
    ----------------------------------------------------------------------------

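The Intrusion Detection System the mail says can "pick this up" does so by watching for the symptom of the trick described: one IP address (the gateway's above all) suddenly being answered for by a second MAC address in ARP replies, the mechanism the mail leaves out. As an added example that is not from the thread, here is a small detector run over constructed ARP-reply records; the addresses, the 300-second window and the severity ratings are assumptions.

```python
from dataclasses import dataclass
from collections import defaultdict

@dataclass(frozen=True)
class ArpReply:
    """One ARP reply as a sensor on the local segment would record it (constructed)."""
    ts: float         # seconds since capture start
    sender_ip: str    # IP address the sender claims to own
    sender_mac: str   # MAC address it tells everyone to use for that IP

def detect_mac_flips(replies, gateway_ip, window=300.0):
    """Alert when an IP's claimed MAC changes within `window` seconds.
    A flip of the gateway IP is rated 'high'; other hosts 'medium', because
    a DHCP lease moving to another laptop can look the same at this layer."""
    last_seen = {}   # ip -> (mac, ts) of the most recent claim
    alerts = []
    for r in sorted(replies, key=lambda r: r.ts):
        mac = r.sender_mac.lower()          # normalise case before comparing
        prev = last_seen.get(r.sender_ip)
        if prev and prev[0] != mac and r.ts - prev[1] <= window:
            alerts.append({"ts": r.ts, "ip": r.sender_ip,
                           "old_mac": prev[0], "new_mac": mac,
                           "severity": "high" if r.sender_ip == gateway_ip else "medium"})
        last_seen[r.sender_ip] = (mac, r.ts)
    return alerts

def macs_claiming_many_ips(replies):
    """Second symptom: a host that impersonates the gateway to everyone and
    every host to the gateway ends up claiming several IPs from one MAC."""
    claims = defaultdict(set)
    for r in replies:
        claims[r.sender_mac.lower()].add(r.sender_ip)
    return {mac: ips for mac, ips in claims.items() if len(ips) > 1}

# Constructed sample: normal traffic, then host .11 starts answering for the
# gateway's IP and for .10 (the "I am your gateway" lie described in the mail).
SAMPLE = [
    ArpReply(0.0,  "192.0.2.1",  "00:00:5e:00:53:01"),  # real gateway
    ArpReply(1.5,  "192.0.2.10", "00:00:5e:00:53:10"),
    ArpReply(2.0,  "192.0.2.11", "00:00:5e:00:53:11"),
    ArpReply(40.0, "192.0.2.1",  "00:00:5e:00:53:01"),  # refresh, unchanged
    ArpReply(60.0, "192.0.2.1",  "00:00:5E:00:53:11"),  # gateway IP now maps to .11's MAC
    ArpReply(61.0, "192.0.2.10", "00:00:5e:00:53:11"),  # ... and so does .10
]

if __name__ == "__main__":
    for a in detect_mac_flips(SAMPLE, gateway_ip="192.0.2.1"):
        print(f"[{a['severity']}] t={a['ts']:.0f}s {a['ip']} moved {a['old_mac']} -> {a['new_mac']}")
    print("multi-IP claimants:", macs_claiming_many_ips(SAMPLE))
```

On a real sensor the records would come from a capture of ARP traffic on the segment; the same two checks also catch the "forward to /dev/null" mistake the mail warns about, because it produces the identical gateway flip.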

