RE: [Full-Disclosure] Caching a sniffer

• Previous message: MARTIN M. Bénoni: "Root account desactivated"
• In reply to: Mike Fratto: "RE: [Full-Disclosure] Caching a sniffer"
• Reply: David Bartholomew: "RE: [Full-Disclosure] Caching a sniffer"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: Mike Fratto <mfratto@nwc.com>
Date: Thu, 11 Mar 2004 11:01:19 -0700

On Thu, 2004-03-11 at 10:43, Mike Fratto wrote:

> Your assuming that the attacker 1) has control of the switch and 2) is
> sniffing either the uplink or has configured the switch to mirror all the
> switch ports or VLAN to the mirror port.
>
> Neither of which may be the case.

There are many people on this list who have more knowledge of this than
I do, but having control of the switch isn't the only way to sniff a
switched network. All you need is a way of spoofing ARP packets and you
can intercept all the traffic you want. Here's one such set of tools -
http://naughty.monkey.org/~dugsong/dsniff/

Kenton

---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
any course! All of our class sizes are guaranteed to be 10 students or less
to facilitate one-on-one interaction with one of our expert instructors.
Attend a course taught by an expert instructor with years of in-the-field
pen testing experience in our state of the art hacking lab. Master the skills
of an Ethical Hacker to better assess the security of your organization.
Visit us at:
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------

• Previous message: MARTIN M. Bénoni: "Root account desactivated"
• In reply to: Mike Fratto: "RE: [Full-Disclosure] Caching a sniffer"
• Reply: David Bartholomew: "RE: [Full-Disclosure] Caching a sniffer"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]