Ethereal-users: Re: [Ethereal-users] sniffing in a switched network - arp spoofing using etterca

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

Date Prev · Date Next · Thread Prev · Thread Next
Date Index · Thread Index · Other Months · All Mailing Lists
From: ronnie sahlberg <ronniesahlberg@xxxxxxxxx>
Date: Fri, 17 Jun 2005 13:39:47 +1000
You are wrong. 

I use    "hunt"   on a regular basis in my labs to do intercept and
modify packets   i use it frequently. (hunt==ettercap but it is easier
to to intercept and modify) I only use it in a well isolated test lab.
Just bloody fill in the hook in arp_spoof.c (in hunt) and modify the
packet, then recalculate the tcp/udp and ip checksum and you are ok.
That is how i test NFS implementations for protocol specification
compliance for corner case compliance.

However, there IS a real world chance that people that do not
understand what arp spoofing does, to cause a serious disruption of
their network infrastructure!

Do you know the ARP table timeout for the 10-15 most polular unix
versions?  I do.
When and why does solaris update its arp table?  on unsolicited
requests/responses?   when does it? i know.   version  by version,
patch by patch. its my job to know.

fact is most people using arpspoofing have no clue of the consequences
of it when they just -9 the tool    without first  reloading the
arptables with the original entries  and thus cause outages.

still, anyone doing it in a prod network is stupid.  they are. no
question about it.

look,   arpspoofing is potentially VERY disrupting to the network.  DO
NOT, please, use it unless it is a non-business critical private
network.

==>
1, unless you really really know what you are doing,   arpspoofing is stupid.
2, if you think you know what you are doing 99% probability says you
are stupid and just wrong.
3, do you know the consequences of a failed arp spoof attempt in a
real production environment?
4, do it on a business critical network and ...
5, DONT arpspoof unless it is your own play test network.



On 6/17/05, Manu Garg <manugarg@xxxxxxxxx> wrote:
> have you ever tried it? i don't think so.
> 
> as i said earlier, you are not going to bring down the whole network
> even if something goes wrong. only the communication between the
> machines being attacked i.e. target machines  is going to be affected.
> 
> I'll add a warning to the presentation: "this is not for the kids".
> It's certainly not for the kids.
> 
> ~manu
> 
> On 6/16/05, ronnie sahlberg <ronniesahlberg@xxxxxxxxx> wrote:
> > start doing arp spoofing and kill ettercap or hunt with a -9  and
> > watch the end-to-end outage that occurs and will last until the arp
> > entry timeout (10-15 minutes).
> >
> > very very ugly.
> >
> > dont dont dont ever do this unless you know what you are doing.
> > never ever ever ever do this in a business critical network, ever.
> >
> >
> > On 6/17/05, Manu Garg <manugarg@xxxxxxxxx> wrote:
> > > I don't believe that. Arp poisoning is not ugly. You can call MAC
> > > flooding as ugly, but not ARP poisoning for sure.
> > >
> > > ARP poisoning does nothing to the switch. Switches work at level 2 and
> > > are only concerned about MAC addresses.  They don't come to know that
> > > MAC address of a certain IP address has changed.
> > >
> > > ARP poisoning can confuse only the involved hosts. If gateway is one
> > > of those hosts and someone attempting to ARP poison is a kid, then
> > > certainly there can be some problems.
> > >
> > > hth
> > > ~manu
> > >
> > > On 6/16/05, Ulf Lamping <ulf.lamping@xxxxxx> wrote:
> > > > Manu Garg wrote:
> > > >
> > > > >Many of us know that sniffing is possible in a shared i.e.
> > > > >non-switched ethernet environment. But only few of us know that
> > > > >sniffing is also possible in a switched ethernet environment. One of
> > > > >the reasons is that it's not that straighforward. But it's not
> > > > >impossible or difficult. You can use man in the middle technique like
> > > > >ARP spoofing to sniff in a switched environment.
> > > > >
> > > > >
> > > > >This presentation is an attempt to explain how can somebody sniff in a
> > > > >switched ethernet using ARP spoofing. Dsniff has existed for long as a
> > > > >tool for various sniffing activities. But recently, tools like
> > > > >EttercapNG have made it easier.
> > > > >
> > > > >
> > > > >Link to my original post and presentation -
> > > > >http://manugarg.freezope.org/2005/06/sniffing-in-switched-network-many-of.html
> > > > >
> > > > >Presentation-
> > > > >http://manugarg.freezope.org/notes/arp_spoofing
> > > > >
> > > > >Please let me know your views on it.
> > > > >
> > > > >
> > > > Yes it is possible, but it is really ugly for it's various side effects.
> > > >
> > > > Have a look at the information on this topic so far at:
> > > > http://wiki.ethereal.com/CaptureSetup_2fEthernet
> > > >
> > > > As the wiki page says:
> > > >
> > > > *Please do not try this on any LAN other than your own.*
> > > >
> > > > Regards, ULFL
> > > >
> > >
> > >
> > > --
> > > Manu Garg
> > > http://manugarg.freezope.org
> > > "Truth will set you free!"
> > >
> > > _______________________________________________
> > > Ethereal-users mailing list
> > > Ethereal-users@xxxxxxxxxxxx
> > > http://www.ethereal.com/mailman/listinfo/ethereal-users
> > >
> >
> 
> 
> --
> Manu Garg
> http://manugarg.freezope.org
> "Truth will set you free!"
>