RE: Caching a sniffer

From: Paul Blackstone (paul_at_4-sc.net)
Date: 03/25/04

    To: "'Andrew Shore'" <andrew.shore@holistecs.com>, "'Shawn Jackson'" <sjackson@horizonusa.com>, "'Patrick Toomey'" <ptoomey3@mac.com>
    Date: Thu, 25 Mar 2004 14:19:06 -0500
    
    

    Or unless the person uses something like D-Sniff or one of the other similar
    tools. ;)

    Paul

    -----Original Message-----
    From: Andrew Shore [mailto:andrew.shore@holistecs.com]
    Sent: Thursday, March 25, 2004 4:15 AM
    To: Shawn Jackson; Patrick Toomey
    Cc: security-basics@securityfocus.com; ksaenz@spinaweb.com.au;
    gillettdavid@fhda.edu
    Subject: RE: Caching a sniffer

    A switch is not a hub/router. In fact it is a micro segmented bridge.

    A switch operates at layer 2 of the OSI model, i.e. the MAC address layer.

    If a device is plugged into a switch port it will only see traffic sent
    to it (and broadcasts); it will not be able to see all the traffic on the
    network, i.e. between other PCs and the servers.

    Span ports (or mirror ports) are a debugging tool which can be enabled
    on switches to allow engineers to look at what traffic is on a given
    vlan or other port.

    Therefore, if someone has plugged a scanner into a network point they
    will not be able to sniff any useful information from the network unless
    that person has admin access to the switch. You can check this by
    ensuring that none of the ports on the switches are in span mode.

     
    Andrew Shore CISSP CCNP MCSE RHCE CCSE
    Senior Security Specialist
    DDI. 01302 308 165
    andrew.shore@holistecs.com

    Company Number 04943010
    VAT Number 828 8635 82

    Holistic Technologies Ltd
    Unit 7 Shaw Wood Business Park
    Shaw Wood Way
    Doncaster
    South Yorkshire
    DN2 5TB
    T. 0870 240 1442
    F. 0870 240 1443
    www.holistecs.com

    -----Original Message-----
    From: Shawn Jackson [mailto:sjackson@horizonusa.com]
    Sent: 24 March 2004 16:25
    To: Patrick Toomey
    Cc: security-basics@securityfocus.com; ksaenz@spinaweb.com.au;
    gillettdavid@fhda.edu
    Subject: RE: Caching a sniffer

    >It was my understanding that port mirroring was introduced because of
    >the inherent differences between a switched environment and a hub
    >environment.

    Correct.

    >If someone is running a sniffer on your switched network and has the
    >ability to login to your switch, enable port mirroring, and sniff data,
    >you have much bigger problems than just having a rogue sniffer on the
    >network.

    Incorrect. A switch is basically a hub and router in one. You can flood the
    MAC address table of the switch, where it decides what port has what MACs
    on it so it knows what port to route the traffic to. Once the table is full
    switches then 'turn-off' the routing/switching systems and the switch then
    becomes a hub. There is a program called macoff that does this. So you don't
    need to have access to the switch to sniff the entire network.

    Shawn Jackson
    Systems Administrator
    Horizon USA
    1190 Trademark Dr #107
    Reno NV 89521

    www.horizonusa.com
    Email: sjackson@horizonusa.com
    Phone: (775) 858-2338
           (800) 325-1199 x338

    
