[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: [Full-Disclosure] Caching a sniffer

To: Mike Fratto <mfratto@xxxxxxx>
Subject: RE: [Full-Disclosure] Caching a sniffer
From: Kenton Smith <ksmith@xxxxxxxxxxxxxxxxxxxxxxx>
Date: Thu, 11 Mar 2004 11:01:19 -0700

On Thu, 2004-03-11 at 10:43, Mike Fratto wrote:

> Your assuming that the attacker 1) has control of the switch and 2) is
> sniffing either the uplink or has configured the switch to mirror all the
> switch ports or VLAN to the mirror port. 
> 
> Neither of which may be the case.

There are many people on this list who have more knowledge of this than
I do, but having control of the switch isn't the only way to sniff a
switched network. All you need is a way of spoofing ARP packets and you
can intercept all the traffic you want. Here's one such set of tools -
http://naughty.monkey.org/~dugsong/dsniff/

Kenton

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Follow-Ups:
- RE: [Full-Disclosure] Caching a sniffer
  - From: David Bartholomew

References:
- RE: [Full-Disclosure] Caching a sniffer
  - From: Mike Fratto

Prev by Date: RE: [Full-Disclosure] Meth and hacking?[Scanned]
Next by Date: [Full-Disclosure] [SECURITY] [DSA 461-1] New calife packages fix buffer overflow
Previous by thread: RE: [Full-Disclosure] Caching a sniffer
Next by thread: RE: [Full-Disclosure] Caching a sniffer
Index(es):
- Date
- Thread