Re: AW: AW: security-basics Digest 18 Jun 2003 22:09:15 -0000 Issue 618

From: David Wallraff (wall0448_at_ece.umn.edu)
Date: 06/26/03

    Date: Thu, 26 Jun 2003 13:26:06 -0500 (CDT)
    To: Meidinger Christopher <christopher.meidinger@badenIT.de>
    
    

    thanks to all who replied and helped out. i suspected as much, but it's
    always good to get a second opinion.
    dave

    On Thu, 26 Jun 2003, Meidinger Christopher wrote:

    > Hi Dave,
    >
    > google can probably give you a more complete answer, but the gist of it is
    > this:
    >
    > An (old school) non-switched network worked on the star principle. Every
    > packet is delivered everywhere in a subnet and each machine grabs the
    > packets that are for it. Thus, promiscuous mode is what tells a network
    > interface to not just grab the packets that are intended for that machine,
    > but to grab everything. You can test this on a hub, just put 4 machines on a
    > hub, make them talk a bit, and sniff with one of them. You will see that
    > they all can see the communications intended for each other machine on that
    > segment.
    >
    > A modern switched network directs the packets so that each switch only
    > delivers the packets to each machine that are intended for that specific
    > machine. That means that if i sniff on an interface connected to a switch, i
    > only see packets intended for my machine, and any broadcasts on my segment.
    > (Routers should [almost] never forward broadcasts.) Test this by sniffing on
    > any switch, and you will only get your own traffic and broadcasts.
    > Broadcasts look like packets addressed to either ff.ff.ff.ff.ff.ff or
    > SUB.NET.255.255 (depending where you are you may see multicasts to 224.x.x.x
    > addresses as well but that is out of the scope of this answer.)
    >
    > NOW, you ask yourself how can i sniff on a switched network if all i get is
    > stuff for me?
    >
    > The answer is, you have to lie to the other machines telling them that you
    > are either their gateway, or that you are the machines that they want to
    > talk to. The technical details are out of the scope of this paper, but you
    > essentially get messages destined for other IP addresses delivered to your
    > MAC address and then send them yourself to the real MAC address that
    > belongs to dst host after keeping a copy of the packet for yourself. This
    > takes a certain amount of skill (though not that much with automated tools,
    > see below) to do, but it is not beyond a novice.
    >
    > So that is why it is harder. Now for the portion of the question you forgot
    > to ask: can i try this at home? Will anything bad happen if i do?
    >
    > Sure, get a copy of dsniff (www.monkey.org/TILDEdugsong/dsniff.html --
    > replace the TILDE with a tilde symbol, my keyboard is busted and i can't
    > type it ATM) or a copy of ettercap (i think its on sourceforge, do a google
    > search -- try www.google.com/linux) read the manuals and start them up
    > sniffing.
    >
    > Yes, you should do this in a test network. This kind of activity is fairly
    > easy for an Intrusion Detection System to pick up, assuming it has a sensor
    > on the local segment. So you can get in trouble with your network admins.
    > There is no explanation for the network traffic this will create except
    > hacking / security testing. Also, if you make a mistake, you can easily put
    > your entire network segment out of commission (imagine you claim to be the
    > gateway, and then forward the traffic to /dev/null instead of to the real
    > gateway) with a small mistake, which will most likely get you kicked off the
    > network.
    >
    > DISCLAIMER: This is an (exhaustive) answer to the question asked, not a guide
    > on how to sniff on switched networks. Before you do anything read all the
    > man pages and howtos you can and be sure that you know what you are doing.
    > If your network admin comes into your office with a shotgun in his hands and
    > death in his eyes, you alone are responsible.
    >
    > If i was wrong on any technical point please email me and the list with
    > corrections.
    >
    > badenIT GmbH
    > System Support Workstation
    >
    > Chris Meidinger
    > Tullastrasse 70
    > 79108 Freiburg
    >
    >
    > -----Original Message-----
    > From: David Wallraff [mailto:wall0448@ece.umn.edu]
    > Sent: Wednesday, June 25, 2003 5:33 PM
    > To: Meidinger Christopher
    > Cc: 'Hilal Hussein'; Security-Basics@Securityfocus. Com (E-Mail)
    > Subject: Re: AW: security-basics Digest 18 Jun 2003 22:09:15 -0000 Issue 618
    >
    >
    > why is it harder to sniff over a switched network? i understand it's
    > because of the switch (natch), but what makes it more difficult?
    > dave
    >
    >
    >
    > On Wed, 25 Jun 2003, Meidinger Christopher wrote:
    >
    > > Hello Hilal,
    > >
    > > Yes, there are many tools that will do that. dsniff, ettercap, ethereal and
    > > MANY others will read your password as it goes by on the wire. It is
    > > slightly more difficult on a switched network, but it can still be done.
    > >
    > > You should not use telnet at all, use ssh (www.openssh.org) instead. The
    > > windows client PuTTY is the most common choice to connect over ssh from
    > > windows. As far as starting an ssh server on the firewall, you should be
    > > able to do that in the same way that you started the telnet server.
    > >
    > > If you need more exact help, post to the list what type of firewall you are
    > > using, and i am certain someone will help you get started.
    > >
    > > (Disclaimer: based on your question, you should [IMHO] definitely read up a
    > > bit on security before configuring a firewall)
    > >
    > > badenIT GmbH
    > > System Support
    > >
    > > Chris Meidinger
    > > Tullastrasse 70
    > > 79108 Freiburg
    > >
    > >
    > > -----Original Message-----
    > > From: Hilal Hussein [mailto:hilalma@hotmail.com]
    > > Sent: Tuesday, June 24, 2003 10:08 AM
    > > To: bugtraq@planetcobalt.net; security-basics@securityfocus.com
    > > Subject: Re: security-basics Digest 18 Jun 2003 22:09:15 -0000 Issue 618
    > >
    > >
    > >
    > >
    > > Hello All,
    > >
    > > i am not sure if i am asking the right question within the same subject, but
    > > i am configuring the firewall through the telnet connection / from winxp
    > > workstation.
    > >
    > > Is there any possibility for any internal user to use any tools that will
    > > hijack my telnet password - password for the firewall too!, and what are
    > > the measurements for securing the telnet session.
    > >
    > > with regards,
    > > Hilal Hussein
    > >
    > >
    > >
    > >
    > ---------------------------------------------------------------------------
    > > Evaluating SSL VPNs' Consider NEOTERIS, chosen as leader by top analysts!
    > > The Gartner Group just put Neoteris in the top of its Magic Quadrant,
    > > while InStat has confirmed Neoteris as the leader in marketshare.
    > >
    > > Find out why, and see how you can get plug-n-play secure remote access in
    > > about an hour, with no client, server changes, or ongoing maintenance.
    > >
    > > Visit us at: http://www.neoteris.com/promos/sf-6-9.htm
    > >
    > ----------------------------------------------------------------------------
    > >
    > >
    >

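The IDS detection that Chris's answer above says is "fairly easy" can be as simple as a sensor on the local segment watching ARP replies for an IP address (the gateway, say) that suddenly claims a different MAC. The following Python is an added example written for this page, not code from the thread, dsniff or ettercap; all addresses and frames are constructed, and it also classifies a frame's destination MAC to show which frames a NIC sees without promiscuous mode (broadcast, multicast, its own) and which it sees only in promiscuous mode on a hub.

```python
import struct

# Constructed sample values (not from the thread): our NIC, the real gateway, an impostor.
OUR_MAC = "00:11:22:33:44:55"
GATEWAY_IP = "192.168.1.1"
GATEWAY_MAC = "00:aa:bb:cc:dd:01"
IMPOSTOR_MAC = "00:de:ad:be:ef:99"


def _mac(m):
    return bytes.fromhex(m.replace(":", ""))


def _ip(a):
    return bytes(int(o) for o in a.split("."))


def build_arp_reply(src_mac, src_ip, dst_mac, dst_ip):
    """Build a raw Ethernet II frame carrying an ARP reply (opcode 2); used as test input."""
    eth = _mac(dst_mac) + _mac(src_mac) + b"\x08\x06"          # EtherType 0x0806 = ARP
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 2)            # Ethernet / IPv4 / reply
    arp += _mac(src_mac) + _ip(src_ip) + _mac(dst_mac) + _ip(dst_ip)
    return eth + arp


def classify_dst(frame):
    """Why a NIC would accept this frame: broadcast, multicast, ours, or promiscuous-only."""
    dst = frame[:6]
    if dst == b"\xff" * 6:          # ff:ff:ff:ff:ff:ff, as in the answer above
        return "broadcast"
    if dst[0] & 1:                  # group bit set, e.g. 01:00:5e:... for IPv4 multicast
        return "multicast"
    return "ours" if dst == _mac(OUR_MAC) else "promiscuous-only"


def monitor(frames):
    """Learn IP->MAC bindings from ARP replies; alert when an IP is re-claimed by another MAC."""
    table, alerts = {}, []
    for frame in frames:
        if frame[12:14] != b"\x08\x06" or struct.unpack("!H", frame[20:22])[0] != 2:
            continue                                           # not an ARP reply
        sha = ":".join(f"{b:02x}" for b in frame[22:28])       # sender hardware address
        spa = ".".join(str(b) for b in frame[28:32])           # sender protocol address
        if spa in table and table[spa] != sha:
            alerts.append(f"{spa} moved from {table[spa]} to {sha}")
        table.setdefault(spa, sha)   # keep the first binding; a real sensor would age it out
    return alerts
```

A legitimate hardware swap on the gateway would also trigger this, which is why production tools age bindings out and compare against a known-good list rather than the first reply seen.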

