Ethereal-users: Re: [Ethereal-users] sniffing in a switched network - arp spoofing using etterca

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: ronnie sahlberg <ronniesahlberg@xxxxxxxxx>
Date: Fri, 17 Jun 2005 14:19:39 +1000
no


arp spoofing is trivial
it has been done for at least 5+ years with easy to use tools. such as
hunt and more recent tools such as ettercap and friends.
it is still dangerous.
arpspoof A<->B and -9   ettercap or whatever and it might take 10-15
minutes before A may communicate with B again.


As for solaris, though 826 says a host SHOULD use all info to keep
all info up to date,
solaris does not track both requests and responses. solaris will only
use one of those types to keep the arp table up to date and ignore the
rest. which ones?

Solaris is also peculiar in that once it has entered/modified an arp
entry it will disregard any conflicting arp traffic for X number of ms
regardless of whether it tries to change the entry or not.


Question: what does solaris do just prior to timing out an arp entry?
a, nothing
b, something unicast
c, something broadcast

answer is b.

On 6/17/05, Manu Garg <manugarg@xxxxxxxxx> wrote:
> Tell me, how can it affect the whole network until unless you are
> doing something so stupid as telling all the machines on the network
> that you are the gateway and you run away.
> 
> did you read the presentation? there is a mention of solaris systems.
> I have mentioned that solaris doesn't update its arp table so easily.
> but, good thing about ettercap is that it handles most of the things.
> 
> in the presentation -- i am also not depending on ettercap to forward
> packets. i am using kernel's forwarding option. that's also to avoid
> chances of errors from ettercap part. first you are supposed to clear
> arp tables back to its original and then disable forwarding.
> 
> And most importantly, i am not asking anybody to use it. It's just to
> let people know that arp spoofing is not so obscure and difficult.
> 
> Thanks for comments anyways! I'll add some warning in the end.
> 
> enjoy and chill! :)
> ~manu
> 
> On 6/16/05, ronnie sahlberg <ronniesahlberg@xxxxxxxxx> wrote:
> > You are wrong.
> >
> > I use "hunt" on a regular basis in my labs to do intercept and
> > modify packets; i use it frequently. (hunt==ettercap but it is easier
> > to intercept and modify) I only use it in a well isolated test lab.
> > Just bloody fill in the hook in arp_spoof.c (in hunt) and modify the
> > packet, then recalculate the tcp/udp and ip checksum and you are ok.
> > That is how i test NFS implementations for protocol specification
> > compliance for corner case compliance.
> >
> > However, there IS a real world chance that people that do not
> > understand what arp spoofing does, to cause a serious disruption of
> > their network infrastructure!
> >
> > Do you know the ARP table timeout for the 10-15 most popular unix
> > versions?  I do.
> > When and why does solaris update its arp table?  on unsolicited
> > requests/responses?   when does it? i know.   version  by version,
> > patch by patch. its my job to know.
> >
> > fact is most people using arpspoofing have no clue of the consequences
> > of it when they just -9 the tool without first reloading the
> > arp tables with the original entries and thus cause outages.
> >
> > still, anyone doing it in a prod network is stupid.  they are. no
> > question about it.
> >
> > look,   arpspoofing is potentially VERY disrupting to the network.  DO
> > NOT, please, use it unless it is a non-business critical private
> > network.
> >
> > ==>
> > 1, unless you really really know what you are doing,   arpspoofing is stupid.
> > 2, if you think you know what you are doing 99% probability says you
> > are stupid and just wrong.
> > 3, do you know the consequences of a failed arp spoof attempt in a
> > real production environment?
> > 4, do it on a business critical network and ...
> > 5, DON'T arpspoof unless it is your own play test network.
> >
> >
> >
> > On 6/17/05, Manu Garg <manugarg@xxxxxxxxx> wrote:
> > > have you ever tried it? i don't think so.
> > >
> > > as i said earlier, you are not going to bring down the whole network
> > > even if something goes wrong. only the communication between the
> > > machines being attacked i.e. target machines  is going to be affected.
> > >
> > > I'll add a warning to the presentation: "this is not for the kids".
> > > It's certainly not for the kids.
> > >
> > > ~manu
> > >
> > > On 6/16/05, ronnie sahlberg <ronniesahlberg@xxxxxxxxx> wrote:
> > > > start doing arp spoofing and kill ettercap or hunt with a -9  and
> > > > watch the end-to-end outage that occurs and will last until the arp
> > > > entry timeout (10-15 minutes).
> > > >
> > > > very very ugly.
> > > >
> > > > don't don't don't ever do this unless you know what you are doing.
> > > > never ever ever ever do this in a business critical network, ever.
> > > >
> > > >
> > > > On 6/17/05, Manu Garg <manugarg@xxxxxxxxx> wrote:
> > > > > I don't believe that. Arp poisoning is not ugly. You can call MAC
> > > > > flooding as ugly, but not ARP poisoning for sure.
> > > > >
> > > > > ARP poisoning does nothing to the switch. Switches work at level 2 and
> > > > > are only concerned about MAC addresses.  They don't come to know that
> > > > > MAC address of a certain IP address has changed.
> > > > >
> > > > > ARP poisoning can confuse only the involved hosts. If gateway is one
> > > > > of those hosts and someone attempting to ARP poison is a kid, then
> > > > > certainly there can be some problems.
> > > > >
> > > > > hth
> > > > > ~manu
> > > > >
> > > > > On 6/16/05, Ulf Lamping <ulf.lamping@xxxxxx> wrote:
> > > > > > Manu Garg wrote:
> > > > > >
> > > > > > >Many of us know that sniffing is possible in a shared i.e.
> > > > > > >non-switched ethernet environment. But only few of us know that
> > > > > > >sniffing is also possible in a switched ethernet environment. One of
> > > > > > >the reasons is that it's not that straightforward. But it's not
> > > > > > >impossible or difficult. You can use man in the middle technique like
> > > > > > >ARP spoofing to sniff in a switched environment.
> > > > > > >
> > > > > > >
> > > > > > >This presentation is an attempt to explain how can somebody sniff in a
> > > > > > >switched ethernet using ARP spoofing. Dsniff has existed for long as a
> > > > > > >tool for various sniffing activities. But recently, tools like
> > > > > > >EttercapNG have made it easier.
> > > > > > >
> > > > > > >
> > > > > > >Link to my original post and presentation -
> > > > > > >http://manugarg.freezope.org/2005/06/sniffing-in-switched-network-many-of.html
> > > > > > >
> > > > > > >Presentation-
> > > > > > >http://manugarg.freezope.org/notes/arp_spoofing
> > > > > > >
> > > > > > >Please let me know your views on it.
> > > > > > >
> > > > > > >
> > > > > > Yes it is possible, but it is really ugly for its various side effects.
> > > > > >
> > > > > > Have a look at the information on this topic so far at:
> > > > > > http://wiki.ethereal.com/CaptureSetup_2fEthernet
> > > > > >
> > > > > > As the wiki page says:
> > > > > >
> > > > > > *Please do not try this on any LAN other than your own.*
> > > > > >
> > > > > > Regards, ULFL
> > > > > >
> > > > >
> > > > >
> > > > > --
> > > > > Manu Garg
> > > > > http://manugarg.freezope.org
> > > > > "Truth will set you free!"
> > > > >
> > > > > _______________________________________________
> > > > > Ethereal-users mailing list
> > > > > Ethereal-users@xxxxxxxxxxxx
> > > > > http://www.ethereal.com/mailman/listinfo/ethereal-users
> > > > >
> > > >
> > >
> > >
> > >
> >
> 
> 
>
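The thread above rests on two observable facts: most hosts accept unsolicited ARP replies and rewrite their cache from them (Solaris, as Ronnie notes, being choosier about which message type it honours), and a rewritten binding persists until the cache entry times out, which is why killing the tool without restoring the original entries causes the 10-15 minute outage he describes. The following Python is an added example written for this page; it is not code from the thread, from ettercap, hunt or Ethereal. It parses raw Ethernet/ARP frames and raises the two alerts an arpwatch-style passive monitor relies on: a reply nobody asked for, and an IP-to-MAC binding that changes. The addresses, frame builder and sample traffic are all constructed for the example, and the request/reply pairing is a simple in-memory heuristic rather than any vendor's cache logic.

```python
"""Passive ARP cache-poisoning detector over raw Ethernet frames (added example)."""
import struct
from collections import namedtuple

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2

ArpFrame = namedtuple("ArpFrame", "eth_src eth_dst op sha spa tha tpa")


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def _ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def _mac_bytes(s: str) -> bytes:
    return bytes(int(x, 16) for x in s.split(":"))


def _ip_bytes(s: str) -> bytes:
    return bytes(int(x) for x in s.split("."))


def parse_arp(frame: bytes):
    """Return an ArpFrame for an Ethernet II frame carrying IPv4-over-Ethernet ARP, else None."""
    if len(frame) < 42:                      # 14-byte Ethernet header + 28-byte ARP body
        return None
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    return ArpFrame(_mac(src), _mac(dst), op, _mac(sha), _ip(spa), _mac(tha), _ip(tpa))


def build_arp(eth_src, eth_dst, op, sha, spa, tha, tpa) -> bytes:
    """Build a raw ARP frame; used here only to construct the sample traffic below."""
    eth = struct.pack("!6s6sH", _mac_bytes(eth_dst), _mac_bytes(eth_src), ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op,
                      _mac_bytes(sha), _ip_bytes(spa), _mac_bytes(tha), _ip_bytes(tpa))
    return eth + arp


class ArpWatch:
    """Tracks the IP->MAC binding each ARP message asserts and flags poisoning signs."""

    def __init__(self):
        self.bindings = {}    # ip -> MAC the network was last told to use for it
        self.pending = set()  # (asker_ip, asked_ip) of requests still awaiting a reply
        self.alerts = []

    def observe(self, frame: bytes) -> None:
        arp = parse_arp(frame)
        if arp is None:
            return
        # A sender hardware address that disagrees with the Ethernet source is a crafted frame.
        if arp.sha != arp.eth_src:
            self.alerts.append(f"hw mismatch: eth src {arp.eth_src} but ARP sender {arp.sha} for {arp.spa}")
        if arp.op == ARP_REQUEST:
            self.pending.add((arp.spa, arp.tpa))
        elif arp.op == ARP_REPLY:
            key = (arp.tpa, arp.spa)
            if key in self.pending:
                self.pending.discard(key)
            elif arp.spa != arp.tpa:   # gratuitous ARP (spa == tpa) is normal; anything else unasked is not
                self.alerts.append(f"unsolicited reply: {arp.spa} is-at {arp.sha} sent to {arp.tpa}")
        # Both requests and replies carry a sender binding; track it and flag flips.
        old = self.bindings.get(arp.spa)
        if old is None:
            self.bindings[arp.spa] = arp.sha
        elif old != arp.sha:
            self.alerts.append(f"binding change: {arp.spa} was {old}, now {arp.sha}")
            self.bindings[arp.spa] = arp.sha


# Constructed sample traffic: gateway, host and a third station on one segment.
GW, HOST, THIRD = "aa:00:00:00:00:01", "aa:00:00:00:00:02", "aa:00:00:00:00:03"
BCAST, ZERO = "ff:ff:ff:ff:ff:ff", "00:00:00:00:00:00"
SAMPLE_FRAMES = [
    build_arp(HOST, BCAST, ARP_REQUEST, HOST, "10.0.0.2", ZERO, "10.0.0.1"),   # host asks for gateway
    build_arp(GW, HOST, ARP_REPLY, GW, "10.0.0.1", HOST, "10.0.0.2"),           # gateway answers
    build_arp(GW, BCAST, ARP_REQUEST, GW, "10.0.0.1", ZERO, "10.0.0.2"),       # gateway asks for host
    build_arp(HOST, GW, ARP_REPLY, HOST, "10.0.0.2", GW, "10.0.0.1"),           # host answers
    build_arp(THIRD, HOST, ARP_REPLY, THIRD, "10.0.0.1", HOST, "10.0.0.2"),     # unasked: rebinds gateway
    build_arp(THIRD, GW, ARP_REPLY, THIRD, "10.0.0.2", GW, "10.0.0.1"),         # unasked: rebinds host
]


def run_sample() -> ArpWatch:
    """Feed the constructed frames through the monitor and return it for inspection."""
    watch = ArpWatch()
    for frame in SAMPLE_FRAMES:
        watch.observe(frame)
    return watch


if __name__ == "__main__":
    for alert in run_sample().alerts:
        print(alert)
```

On the sample stream the two legitimate exchanges produce no alerts, and each of the two unasked replies produces both an "unsolicited reply" and a "binding change" alert, four in total. Run against a live capture, a monitor like this also shows the restoration the thread insists on: when the original entries are re-announced the bindings flip back and are logged a second time, whereas a tool killed with -9 leaves the last poisoned binding in place until the victims' cache timers expire.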