8735299 2002-07-16 06:37 -0400 /39 lines/ <alaric@alaricsecurity.com>
Sent by: joel@lysator.liu.se
Imported: 2002-07-16 20:31 by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <23106>
Marked by 1 person.
Subject: Sniffable Switch Project
------------------------------------------------------------
From: alaric@alaricsecurity.com
To: bugtraq@securityfocus.com
Message-ID: <200207161037.g6GAbGJ19089@helium.can-host.com>

Hello,

Most people believe that switches are secure because they are immune from sniffers. Vendors advertise this false security and admins take their word for it. We in the security community know differently. That is why I am starting something called the "Sniffable Switch Project."

This project will consist of a maintained listing of switches - and relevant information about them - and whether the switch is susceptible to being sniffed. The project's success will be contingent upon the community's participation.

If you decide to participate, please include all information about the switch(es) you tested (e.g. manufacturer, model, managed or unmanaged, how many ports, firmware/OS version, etc.). Please also include what you tested for - ARP spoofing, MAC flooding, MAC duplicating, or the like - and what the results were.
For those of you that would like to contribute but are not exactly sure how to go about testing your switch(es), please refer to the following links:

Papers:
http://www.sans.org/newlook/resources/IDFAQ/switched_network.htm
http://www.alaricsecurity.com/sniffer-v2.html

Tools:
http://ettercap.sourceforge.net
http://www.monkey.org/~dugsong/dsniff

The location for this project is at: http://www.alaricsecurity.com/ssp.html

Please email results to: alaric@alaricsecurity.com

Sincerely,
Alaric
(8735299) /<alaric@alaricsecurity.com>/---(Rewrapped)
Comment in text 8736196 by Cedric Blancher <blancher@cartel-securite.fr>
Comment in text 8736198 by Frédéric Raynal <frederic.raynal@inria.fr>

8736196 2002-07-16 20:38 +0200 /28 lines/ Cedric Blancher <blancher@cartel-securite.fr>
Sent by: joel@lysator.liu.se
Imported: 2002-07-16 23:38 by Brevbäraren
External recipient: alaric@alaricsecurity.com
External CC recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <23108>
Comment to text 8735299 by <alaric@alaricsecurity.com>
Subject: Re: Sniffable Switch Project
------------------------------------------------------------
From: Cedric Blancher <blancher@cartel-securite.fr>
To: alaric@alaricsecurity.com
Cc: bugtraq@securityfocus.com
Message-ID: <1026844737.4003.20.camel@elendil>

On Tue 16/07/2002 at 12:37, alaric@alaricsecurity.com wrote:
> If you decide to participate, please include all information about the
> switch(es) you tested (e.g. manufacturer, model, managed or unmanaged, how many
> ports, firmware/OS version, etc.). Please also include what you tested for
> - ARP spoofing, MAC flooding, MAC duplicating, or the like - and what the
> results were.

All switches are "sniffable" if you use ARP cache poisoning tools such as arpspoof from the dsniff package or arp-sk. And sniffing is a small part of the problem, as you can do far more than simply look at what's going on.
Just see http://www.arp-sk.org/ which is an excerpt from an article written for a French security magazine.

--
Cédric Blancher
Systems and network security consultant - Cartel Sécurité
Tel: 01 44 06 97 87 - Fax: 01 44 06 97 99
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
(8736196) /Cedric Blancher <blancher@cartel-securite.fr>/(Rewrapped)

8736198 2002-07-16 21:50 +0200 /91 lines/ Frédéric Raynal <frederic.raynal@inria.fr>
Sent by: joel@lysator.liu.se
Imported: 2002-07-16 23:38 by Brevbäraren
External recipient: alaric@alaricsecurity.com
External CC recipient: bugtraq@securityfocus.com
External CC recipient: Frédéric Raynal <pappy@miscmag.com>
External CC recipient: Eric Detoisien <valgasu@club-internet.fr>
External CC recipient: Cedric Blancher <blancher@cartel-securite.fr>
Recipient: Bugtraq (import) <23109>
Comment to text 8735299 by <alaric@alaricsecurity.com>
Subject: Re: Sniffable Switch Project
------------------------------------------------------------
From: Frédéric Raynal <frederic.raynal@inria.fr>
To: alaric@alaricsecurity.com
Cc: bugtraq@securityfocus.com, Frédéric Raynal <pappy@miscmag.com>, Eric Detoisien <valgasu@club-internet.fr>, Cedric Blancher <blancher@cartel-securite.fr>
Message-ID: <20020716215035.A17380@minimum.inria.fr>

Hello,

On Tue, Jul 16, 2002 at 06:37:16AM -0400, alaric@alaricsecurity.com wrote:
>
> If you decide to participate, please include all information about the
> switch(es) you tested (e.g. manufacturer, model, managed or unmanaged, how many
> ports, firmware/OS version, etc.). Please also include what you tested for
> - ARP spoofing, MAC flooding, MAC duplicating, or the like - and what the
> results were.

For an article recently published in a French security magazine, I also worked on something very similar. Our (our = the 3 authors) goal was to detail everything you can do with the ARP protocol. Of course, sniffing is one thing, but there are many more.
Another not so well known issue about ARP is the handling of messages depending on the OS. Some of them (some Windows, IOS 12, OpenBSD 3.0) create new entries in their cache when they receive a reply (even unsolicited), while others do not (Linux for instance). Note that the creation is the correct behavior according to the RFC.

So, there are in fact many things to mention with ARP:
- switches that fail open like hubs when they are flooded
- OSes that are RFC compliant
- and so on for various attacks...

A short summary of the article is available on http://www.arp-sk.org. We show that ARP is not only efficient for sniffing, and that you can have real fun with that protocol.

arp-sk is a Swiss army knife for the handling of ARP messages based on the latest libnet-1.1.0beta. Among its cool features, you can notice:
- complete control of all addresses either on the Ethernet layer or ARP itself
- target assignment is made at the Ethernet layer, but either with the target's MAC or IP
- complete control of the randomization of the 6 addresses (2 with Ethernet, 4 with ARP), i.e. you can set some addresses and randomize those you want
- control of the period of time for sending packets (from very slow to fury mode), and randomization of the interval

Even if it is still under development, it is already functional.

Lastly, note that ARP messages can be used to detect promiscuous cards on a network. To check a target, the trick is to send an ARP query with all valid information in the ARP message, but with a fake Ethernet destination address.

Ethernet dst   FF:FF:FF:FF:FF:FE
Ethernet src   <my Ethernet address>
ARP mode       Who-has ?
ARP dst eth    00:00:00:00:00:00
ARP dst IP     <IP of the target>
ARP src eth    <my Ethernet address>
ARP src IP     <my IP>

If the target answers, it is very likely that it is in promiscuous mode.

I've also tested that solution with icmp echo-request (target was a Linux-2.4), but that did not succeed. I had no time to investigate any further, but it used to work with kernel 2.2.
I had no time to check if this behavior came from the change of the kernel or from something else.

Regards

--
Frederic RAYNAL, Ph.D.  http://minimum.inria.fr/~raynal
Chief Editor of M.I.S.C.
Multi-Systems & Internet Security Cookbook
(8736198) /Frédéric Raynal <frederic.raynal@inria.fr>/

8740121 2002-07-17 12:37 +0200 /24 lines/ martin f krafft <madduck@madduck.net>
Sent by: joel@lysator.liu.se
Imported: 2002-07-17 17:54 by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <23119>
Comment to text 8736196 by Cedric Blancher <blancher@cartel-securite.fr>
Subject: Re: Sniffable Switch Project
------------------------------------------------------------
From: martin f krafft <madduck@madduck.net>
To: bugtraq@securityfocus.com
Message-ID: <20020717103740.GA20352@fishbowl.madduck.net>

thus spoke Cedric Blancher <blancher@cartel-securite.fr> [2002.07.16.2038 +0200]:
> All switches are "sniffable" if you use ARP cache poisoning tools such
> as arpspoof from the dsniff package or arp-sk.

Wrong. More expensive switches by Cisco, HP, or others employ various techniques against ARP cache poisoning. These range from port locking when the MAC table changes (not applicable to a dynamic environment) up to adaptive cache cleaning methods that prevent the cache from ever filling up. And any switch above the $50 price range will employ a hashmap for the ARP cache rather than a table-per-port approach.

--
martin;              (greetings from the heart of the sun.)
  \____ echo mailto: !#^."<*>"|tr "<*> mailto:" net@madduck

"the human brain is like an enormous fish -- it is flat and slimy and has gills through which it can see."
-- monty python
(8740121) /martin f krafft <madduck@madduck.net>/---
Attachment (application/pgp-signature) in text 8740122

8740122 2002-07-17 12:37 +0200 /9 lines/ martin f krafft <madduck@madduck.net>
Imported: 2002-07-17 17:54 by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <23120>
Attachment (text/plain) to text 8740121
Subject: Attachment to: Re: Sniffable Switch Project
------------------------------------------------------------
(8740122) /martin f krafft <madduck@madduck.net>/---

8745400 2002-07-17 20:47 +0200 /25 lines/ martin f krafft <madduck@madduck.net>
Sent by: joel@lysator.liu.se
Imported: 2002-07-18 18:55 by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <23131>
Comment to text 8740121 by martin f krafft <madduck@madduck.net>
Subject: Re: Sniffable Switch Project
------------------------------------------------------------
From: martin f krafft <madduck@madduck.net>
To: bugtraq@securityfocus.com
Message-ID: <20020717184735.GA24605@fishbowl.madduck.net>

Dear Bugtraq'ers,

I apologize for my last post since it was just plain wrong. ARP and MAC are not to be confused, and I did just that. Call it momentary stupidity, but please excuse it afterwards ;^>

--
martin;              (greetings from the heart of the sun.)
  \____ echo mailto: !#^."<*>"|tr "<*> mailto:" net@madduck

*** important disclaimer: by sending an email to any address, that will eventually cause it to end up in my inbox without much interaction, you are agreeing that:
- i am by definition, "the intended recipient"
- all information in the email is mine to do with as i see fit and make such financial profit, political mileage, or good joke as it lends itself to.
  in particular, i may quote it on usenet.
- i may take the contents as representing the views of your company.
- this overrides any disclaimer or statement of confidentiality that may be included on your message.
(8745400) /martin f krafft <madduck@madduck.net>/---
Attachment (application/pgp-signature) in text 8745401

8745401 2002-07-17 20:47 +0200 /9 lines/ martin f krafft <madduck@madduck.net>
Imported: 2002-07-18 18:55 by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <23132>
Attachment (text/plain) to text 8745400
Subject: Attachment to: Re: Sniffable Switch Project
------------------------------------------------------------
(8745401) /martin f krafft <madduck@madduck.net>/---
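The promiscuous-card probe Frédéric Raynal describes in message 8736198 (a valid ARP who-has behind a fake Ethernet destination), worked through as an added example in Python; this is not arp-sk or any code from the thread, the MAC/IP values are constructed, and the card model ignores subscribed multicast groups. It shows why a normal card drops the frame while a promiscuous one hands it to the ARP layer, which answers on the IP match alone, and adds an IDS-style check that flags such "fake broadcast" probes in captured traffic.

```python
import struct

BROADCAST = bytes.fromhex("ffffffffffff")
ETH_P_ARP = 0x0806

def mac(s):
    """'aa:bb:cc:dd:ee:ff' -> 6 raw bytes."""
    return bytes.fromhex(s.replace(":", ""))

def ip4(s):
    """Dotted-quad IPv4 -> 4 raw bytes."""
    return bytes(int(o) for o in s.split("."))

def build_arp_probe(eth_dst, my_mac, my_ip, target_ip):
    """Ethernet header + RFC 826 ARP who-has. Ethernet and ARP addresses are set
    independently, which is what lets the Ethernet dst be bogus while ARP stays valid."""
    eth = mac(eth_dst) + mac(my_mac) + struct.pack("!H", ETH_P_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)        # htype, ptype, hlen, plen, op=request
           + mac(my_mac) + ip4(my_ip)                       # sender hw / proto address
           + mac("00:00:00:00:00:00") + ip4(target_ip))     # target hw (unknown) / proto address
    return eth + arp

def parse_frame(frame):
    """Return the ARP fields we need, or None if this is not a complete ARP frame."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    return {"eth_dst": frame[:6], "op": struct.unpack("!H", frame[20:22])[0], "tpa": frame[38:42]}

def nic_accepts(frame, own_mac, promiscuous):
    """Receive filter of the card: normally only own unicast and broadcast get through;
    promiscuous mode passes every frame up the stack."""
    return promiscuous or frame[:6] in (mac(own_mac), BROADCAST)

def arp_layer_replies(frame, own_ip):
    """The ARP layer answers any who-has for its own IP; it never re-checks the Ethernet dst."""
    p = parse_frame(frame)
    return p is not None and p["op"] == 1 and p["tpa"] == ip4(own_ip)

def host_answers(frame, own_mac, own_ip, promiscuous):
    """End to end: a reply only leaves the host if both the card and the ARP layer let it."""
    return nic_accepts(frame, own_mac, promiscuous) and arp_layer_replies(frame, own_ip)

def is_fake_broadcast_probe(frame):
    """IDS heuristic: an ARP who-has sent to a group MAC that is not the real broadcast
    (e.g. ff:ff:ff:ff:ff:fe) has no legitimate use and marks a promiscuous-mode scan."""
    p = parse_frame(frame)
    return p is not None and p["op"] == 1 and bool(p["eth_dst"][0] & 1) and p["eth_dst"] != BROADCAST

# Constructed scenario: scanner 00:11:22:33:44:55 / 192.0.2.10 probes host 192.0.2.20.
PROBE = build_arp_probe("ff:ff:ff:ff:ff:fe", "00:11:22:33:44:55", "192.0.2.10", "192.0.2.20")
NORMAL = build_arp_probe("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55", "192.0.2.10", "192.0.2.20")
```

Real stacks add their own software filtering, which is why Raynal only calls a reply "very likely" promiscuous rather than certain.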