Ethereal-users: Re: [Ethereal-users] sniffing in a switched network - arp spoofing using etterca

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Manu Garg <manugarg@xxxxxxxxx>
Date: Fri, 17 Jun 2005 00:01:19 -0400
Tell me, how can it affect the whole network until unless you are
doing something so stupid as telling all the machines on the network
that you are the gateway and you run away.

did you read the presentation? there is a mention of solaris systems.
I have mentioned that solaris doesn't update it's arp table so easily.
but, good thing about ettercap is that it handles most of the things.

in the presentation -- i am also not depending on ettercap to forward
packets. i am using kernel's forwarding option. that's also to avoid
chances of errors from ettercap part. first you are supposed to clear
arp tables back to it's original and then disable forwarding.

And most importantly, i am not asking anybody to use it. It's just to
let people know that arp spoofing is not so obscure and difficult.

Thanks for comments anyways! I'll add some warning in the end. 

enjoy and chill! :)
~manu

On 6/16/05, ronnie sahlberg <ronniesahlberg@xxxxxxxxx> wrote:
> You are wrong.
> 
> I use    "hunt"   on a regular basis in my labs to do intercept and
> modify packets   i use it frequently. (hunt==ettercap but it is easier
> to to intercept and modify) I only use it in a well isolated test lab.
> Just bloody fill in the hook in arp_spoof.c (in hunt) and modify the
> packet, then recalculate the tcp/udp and ip checksum and you are ok.
> That is how i test NFS implementations for protocol specification
> compliance for corner case compliance.
> 
> However, there IS a real world chance that people that do not
> understand what arp spoofing does, to cause a serious disruption of
> their network infrastructure!
> 
> Do you know the ARP table timeout for the 10-15 most polular unix
> versions?  I do.
> When and why does solaris update its arp table?  on unsolicited
> requests/responses?   when does it? i know.   version  by version,
> patch by patch. its my job to know.
> 
> fact is most people using arpspoofing have no clue of the consequences
> of it when they just -9 the tool    without first  reloading the
> arptables with the original entries  and thus cause outages.
> 
> still, anyone doing it in a prod network is stupid.  they are. no
> question about it.
> 
> look,   arpspoofing is potentially VERY disrupting to the network.  DO
> NOT, please, use it unless it is a non-business critical private
> network.
> 
> ==>
> 1, unless you really really know what you are doing,   arpspoofing is stupid.
> 2, if you think you know what you are doing 99% probability says you
> are stupid and just wrong.
> 3, do you know the consequences of a failed arp spoof attempt in a
> real production environment?
> 4, do it on a business critical network and ...
> 5, DONT arpspoof unless it is your own play test network.
> 
> 
> 
> On 6/17/05, Manu Garg <manugarg@xxxxxxxxx> wrote:
> > have you ever tried it? i don't think so.
> >
> > as i said earlier, you are not going to bring down the whole network
> > even if something goes wrong. only the communication between the
> > machines being attacked i.e. target machines  is going to be affected.
> >
> > I'll add a warning to the presentation: "this is not for the kids".
> > It's certainly not for the kids.
> >
> > ~manu
> >
> > On 6/16/05, ronnie sahlberg <ronniesahlberg@xxxxxxxxx> wrote:
> > > start doing arp spoofing and kill ettercap or hunt with a -9  and
> > > watch the end-to-end outage that occurs and will last until the arp
> > > entry timeout (10-15 minutes).
> > >
> > > very very ugly.
> > >
> > > dont dont dont ever do this unless you know what you are doing.
> > > never ever ever ever do this in a business critical network, ever.
> > >
> > >
> > > On 6/17/05, Manu Garg <manugarg@xxxxxxxxx> wrote:
> > > > I don't believe that. Arp poisoning is not ugly. You can call MAC
> > > > flooding as ugly, but not ARP poisoning for sure.
> > > >
> > > > ARP poisoning does nothing to the switch. Switches work at level 2 and
> > > > are only concerned about MAC addresses.  They don't come to know that
> > > > MAC address of a certain IP address has changed.
> > > >
> > > > ARP poisoning can confuse only the involved hosts. If gateway is one
> > > > of those hosts and someone attempting to ARP poison is a kid, then
> > > > certainly there can be some problems.
> > > >
> > > > hth
> > > > ~manu
> > > >
> > > > On 6/16/05, Ulf Lamping <ulf.lamping@xxxxxx> wrote:
> > > > > Manu Garg wrote:
> > > > >
> > > > > >Many of us know that sniffing is possible in a shared i.e.
> > > > > >non-switched ethernet environment. But only few of us know that
> > > > > >sniffing is also possible in a switched ethernet environment. One of
> > > > > >the reasons is that it's not that straighforward. But it's not
> > > > > >impossible or difficult. You can use man in the middle technique like
> > > > > >ARP spoofing to sniff in a switched environment.
> > > > > >
> > > > > >
> > > > > >This presentation is an attempt to explain how can somebody sniff in a
> > > > > >switched ethernet using ARP spoofing. Dsniff has existed for long as a
> > > > > >tool for various sniffing activities. But recently, tools like
> > > > > >EttercapNG have made it easier.
> > > > > >
> > > > > >
> > > > > >Link to my original post and presentation -
> > > > > >http://manugarg.freezope.org/2005/06/sniffing-in-switched-network-many-of.html
> > > > > >
> > > > > >Presentation-
> > > > > >http://manugarg.freezope.org/notes/arp_spoofing
> > > > > >
> > > > > >Please let me know your views on it.
> > > > > >
> > > > > >
> > > > > Yes it is possible, but it is really ugly for it's various side effects.
> > > > >
> > > > > Have a look at the information on this topic so far at:
> > > > > http://wiki.ethereal.com/CaptureSetup_2fEthernet
> > > > >
> > > > > As the wiki page says:
> > > > >
> > > > > *Please do not try this on any LAN other than your own.*
> > > > >
> > > > > Regards, ULFL
> > > > >
> > > >
> > > >
> > > > --
> > > > Manu Garg
> > > > http://manugarg.freezope.org
> > > > "Truth will set you free!"
> > > >
> > > > _______________________________________________
> > > > Ethereal-users mailing list
> > > > Ethereal-users@xxxxxxxxxxxx
> > > > http://www.ethereal.com/mailman/listinfo/ethereal-users
> > > >
> > >
> >
> >
> > --
> > Manu Garg
> > http://manugarg.freezope.org
> > "Truth will set you free!"
> >
> 


-- 
Manu Garg
http://manugarg.freezope.org
"Truth will set you free!"