8735299 2002-07-16 06:37 -0400  /39 lines/ <alaric@alaricsecurity.com>
Sent by: joel@lysator.liu.se
Imported: 2002-07-16  20:31  by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <23106>
Marked by 1 person.
Subject: Sniffable Switch Project
------------------------------------------------------------
From: alaric@alaricsecurity.com
To: bugtraq@securityfocus.com
Message-ID: <200207161037.g6GAbGJ19089@helium.can-host.com>

Hello,

Most people believe that switches are secure because they are immune
from sniffers. Vendors advertise this false security and admins take
their word for it.

We in the security community know differently. That is why I am
starting something called the "Sniffable Switch Project." This
project will consist of a maintained listing of switches - and
relevant information about them - and whether the switch is susceptible to
being sniffed. The project's success will be contingent upon the
community's participation.

If you decide to participate, please include all information about
the switch(es) you tested (e.g. manufacturer, model, managed or
unmanaged, how many ports, firmware/OS version, etc.). Please also
include what you tested for
- ARP spoofing, MAC flooding, MAC duplicating, or the like - and
what the results were.

For those of you that would like to contribute but are not exactly
sure how to go about testing your switch(es), please refer to the
following links:

Papers:
http://www.sans.org/newlook/resources/IDFAQ/switched_network.htm
http://www.alaricsecurity.com/sniffer-v2.html

Tools:
http://ettercap.sourceforge.net
http://www.monkey.org/~dugsong/dsniff

The location for this project is at:
http://www.alaricsecurity.com/ssp.html

Please email results to: alaric@alaricsecurity.com

Sincerely,
Alaric
(8735299) /<alaric@alaricsecurity.com>/---(Reflowed)
Comment in text 8736196 by Cedric Blancher <blancher@cartel-securite.fr>
Comment in text 8736198 by Frédéric Raynal <frederic.raynal@inria.fr>
8736196 2002-07-16 20:38 +0200  /28 lines/ Cedric Blancher <blancher@cartel-securite.fr>
Sent by: joel@lysator.liu.se
Imported: 2002-07-16  23:38  by Brevbäraren
External recipient: alaric@alaricsecurity.com
External CC recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <23108>
Comment on text 8735299 by <alaric@alaricsecurity.com>
Subject: Re: Sniffable Switch Project
------------------------------------------------------------
From: Cedric Blancher <blancher@cartel-securite.fr>
To: alaric@alaricsecurity.com
Cc: bugtraq@securityfocus.com
Message-ID: <1026844737.4003.20.camel@elendil>

On Tue 16/07/2002 at 12:37, alaric@alaricsecurity.com wrote:
> If you decide to participate, please include all information about the
> switch(es) you tested (e.g. manufacturer, model, managed or unmanaged, how many
> ports, firmware/OS version, etc.). Please also include what you tested for
> - ARP spoofing, MAC flooding, MAC duplicating, or the like - and what the
> results were.

All switches are "sniffable" if you use ARP cache poisoning tools such
as arpspoof from dsniff package or arp-sk.

And sniffing is the little part of the problem, as you can do far more
than simply look what's going on.

Just see http://www.arp-sk.org/ which is an excerpt from an article
written for a French security magazine.

--  Cédric Blancher Systems and network security consultant  - Cartel
Sécurité Tel: 01 44 06 97 87 - Fax: 01 44 06 97 99 PGP KeyID:157E98EE
FingerPrint:FA62226DA9E72FA8AECAA240008B480E157E98EE
(8736196) /Cedric Blancher <blancher@cartel-securite.fr>/(Reflowed)
8736198 2002-07-16 21:50 +0200  /91 lines/ Frédéric Raynal <frederic.raynal@inria.fr>
Sent by: joel@lysator.liu.se
Imported: 2002-07-16  23:38  by Brevbäraren
External recipient: alaric@alaricsecurity.com
External CC recipient: bugtraq@securityfocus.com
External CC recipient: Frédéric Raynal <pappy@miscmag.com>
External CC recipient: Eric Detoisien <valgasu@club-internet.fr>
External CC recipient: Cedric Blancher <blancher@cartel-securite.fr>
Recipient: Bugtraq (import) <23109>
Comment on text 8735299 by <alaric@alaricsecurity.com>
Subject: Re: Sniffable Switch Project
------------------------------------------------------------
From: Frédéric Raynal <frederic.raynal@inria.fr>
To: alaric@alaricsecurity.com
Cc: bugtraq@securityfocus.com,
 Frédéric Raynal <pappy@miscmag.com>,
 Eric Detoisien <valgasu@club-internet.fr>,
 Cedric Blancher <blancher@cartel-securite.fr>
Message-ID: <20020716215035.A17380@minimum.inria.fr>


	Hello, 

On Tue, Jul 16, 2002 at 06:37:16AM -0400, alaric@alaricsecurity.com wrote:
> 
> If you decide to participate, please include all information about the
> switch(es) you tested (e.g. manufacturer, model, managed or unmanaged, how many
> ports, firmware/OS version, etc.). Please also include what you tested for
> - ARP spoofing, MAC flooding, MAC duplicating, or the like - and what the
> results were.


For an article recently published in a French magazine on security, I
have also been working on something very similar. Our (our = the 3
authors) goal was to detail everything you can do with the ARP
protocol. Of course, sniffing is one thing, but there are many
others.

Another not so well known issue about ARP is the handling of messages
according to the OS. Some of them (some Windows, IOS 12, OpenBSD 3.0)
create new entries in their cache when they receive a reply (even
unsolicited), while others do not (Linux for instance). Note that the
creation is the correct behavior according to the RFC.

So, there are in fact many things to mention with ARP:
  - switches that fail open like hubs when they are flooded
  - OS that are RFC compliant
  - and so on for various attacks...

A short summary of the article is available on
http://www.arp-sk.org. We show that ARP is not only efficient for
sniffing, and that you can have real fun with that protocol.

arp-sk is a Swiss army knife for the handling of ARP messages based on
the latest libnet-1.1.0beta. Among cool features, you can notice :

  - complete control of all addresses either on Ethernet layer or ARP
    itself 
  - target assignment is made at Ethernet layer, but either with
    target's MAC or IP
  - complete control of the randomization of the 6 addresses (2 with
    Ethernet, 4 with ARP), i.e. you can set some addresses and
    randomize those you want
  - control the period of time for sending packets (from very slow to
    fury mode), and randomize the interval

Even if it is still under development, it is already functional.


Lastly, note that ARP messages can be used to detect promiscuous
cards on a network. To check a target, the trick is to send an ARP
query with all valid information in the ARP message, but with a fake
Ethernet destination address.

  Ethernet dst  FF:FF:FF:FF:FF:FE
  Ethernet src  <my Ethernet address>
  ARP mode      Who-has ?
  ARP dst eth   00:00:00:00:00:00
  ARP dst IP    <IP of the target>
  ARP src eth   <my Ethernet address>
  ARP src IP    <my IP>

If the target answers, it is very likely that it is in promiscuous
mode. 

I've also tested that solution with icmp echo-request (target was a
Linux-2.4), but that did not succeed. I had no time to investigate any
further but it used to work with kernel 2.2. I had no time to check if
this behavior came from the change of the kernel or from something
else.


Regards

--
Frederic RAYNAL, Ph.D.
http://minimum.inria.fr/~raynal
Chief Editor of M.I.S.C.
Multi-Systems & Internet Security Cookbook
(8736198) /Frédéric Raynal <frederic.raynal@inria.fr>/
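The two techniques discussed in this thread, arpspoof-style ARP cache poisoning (Blancher's message) and Raynal's promiscuous-mode probe (a valid who-has carried in a frame whose Ethernet destination is ff:ff:ff:ff:ff:fe), can be put side by side with a small Ethernet/ARP frame builder. This is an added example, not code from any of the posts nor from arp-sk or dsniff. The `Host` class is an assumed, simplified receiver model: the NIC passes up only frames addressed to its own MAC or to broadcast unless it is promiscuous, and the ARP layer then looks only at the ARP body, either creating cache entries from unsolicited replies (the RFC behaviour Raynal attributes to some Windows, IOS 12 and OpenBSD 3.0) or only refreshing entries that already exist (his Linux case). All MAC and IP values are constructed; sending the probe on a real network needs a raw socket and root and is not done here.

```python
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))


def ip_bytes(ip):
    return bytes(int(x) for x in ip.split("."))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b):
    return ".".join(str(x) for x in b)


def build_arp(eth_dst, eth_src, op, sha, spa, tha, tpa):
    """Ethernet II header + 28-byte ARP body (hardware=Ethernet, protocol=IPv4)."""
    eth = mac_bytes(eth_dst) + mac_bytes(eth_src) + struct.pack("!H", ETH_P_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
           + mac_bytes(sha) + ip_bytes(spa) + mac_bytes(tha) + ip_bytes(tpa))
    return eth + arp


def parse_arp(frame):
    """Decode a 42-byte Ethernet/ARP frame into a dict of printable fields."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        raise ValueError("not an Ethernet/ARP frame")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol types")
    return {"eth_dst": mac_str(frame[0:6]), "eth_src": mac_str(frame[6:12]), "op": op,
            "sha": mac_str(frame[22:28]), "spa": ip_str(frame[28:32]),
            "tha": mac_str(frame[32:38]), "tpa": ip_str(frame[38:42])}


def promisc_probe(my_mac, my_ip, target_ip):
    """Raynal's probe: a valid who-has for target_ip inside a frame whose Ethernet
    destination (ff:ff:ff:ff:ff:fe) matches no card and is not the broadcast address."""
    return build_arp("ff:ff:ff:ff:ff:fe", my_mac, ARP_REQUEST,
                     my_mac, my_ip, "00:00:00:00:00:00", target_ip)


def poison_reply(attacker_mac, victim_mac, victim_ip, spoofed_ip):
    """arpspoof-style unsolicited is-at: 'spoofed_ip is at attacker_mac', unicast to the victim."""
    return build_arp(victim_mac, attacker_mac, ARP_REPLY,
                     attacker_mac, spoofed_ip, victim_mac, victim_ip)


class Host:
    """Assumed, simplified receiver model (not any real kernel's code)."""

    def __init__(self, mac, ip, promisc=False, create_on_unsolicited=True):
        self.mac, self.ip, self.promisc = mac, ip, promisc
        self.create_on_unsolicited = create_on_unsolicited  # RFC-style vs Linux-style cache
        self.arp_cache = {}                                 # ip -> mac

    def nic_accepts(self, eth_dst):
        # Non-promiscuous card: own unicast MAC or broadcast only. Promiscuous: everything.
        return self.promisc or eth_dst in (self.mac, BROADCAST)

    def receive(self, frame):
        """Process one frame; return the reply frame to send, or None."""
        p = parse_arp(frame)
        if not self.nic_accepts(p["eth_dst"]):
            return None
        if p["op"] == ARP_REQUEST and p["tpa"] == self.ip:
            self.arp_cache[p["spa"]] = p["sha"]             # merge the sender, then answer
            return build_arp(p["sha"], self.mac, ARP_REPLY, self.mac, self.ip, p["sha"], p["spa"])
        if p["op"] == ARP_REPLY and (p["spa"] in self.arp_cache or self.create_on_unsolicited):
            self.arp_cache[p["spa"]] = p["sha"]             # updated (or created) without asking
        return None


def demo_promisc_probe():
    """Returns (sniffer_answered, normal_host_answered) for the ff:..:fe probe."""
    me_mac, me_ip = "00:0c:29:11:11:11", "10.0.0.9"
    sniffer = Host("00:0c:29:aa:aa:aa", "10.0.0.5", promisc=True)
    normal = Host("00:0c:29:bb:bb:bb", "10.0.0.6")
    return (sniffer.receive(promisc_probe(me_mac, me_ip, sniffer.ip)) is not None,
            normal.receive(promisc_probe(me_mac, me_ip, normal.ip)) is not None)


def demo_cache_poisoning():
    """One unsolicited is-at against an RFC-style cache, an empty Linux-style cache and a
    Linux-style cache that already holds the gateway. Returns the three gateway MACs afterwards."""
    gw_ip, real_gw, attacker = "10.0.0.1", "00:0c:29:01:01:01", "00:0c:29:ee:ee:ee"
    rfc_host = Host("00:0c:29:cc:cc:cc", "10.0.0.7", create_on_unsolicited=True)
    linux_empty = Host("00:0c:29:dd:dd:dd", "10.0.0.8", create_on_unsolicited=False)
    linux_known = Host("00:0c:29:dd:dd:dd", "10.0.0.8", create_on_unsolicited=False)
    linux_known.arp_cache[gw_ip] = real_gw                  # it has talked to the gateway before
    for h in (rfc_host, linux_empty, linux_known):
        h.receive(poison_reply(attacker, h.mac, h.ip, gw_ip))
    return (rfc_host.arp_cache.get(gw_ip), linux_empty.arp_cache.get(gw_ip),
            linux_known.arp_cache.get(gw_ip))


if __name__ == "__main__":
    print(demo_promisc_probe())      # (True, False)
    print(demo_cache_poisoning())    # ('00:0c:29:ee:ee:ee', None, '00:0c:29:ee:ee:ee')
```

The third value returned by `demo_cache_poisoning` is why Blancher's "all switches are sniffable" holds even for a Linux-style cache: refusing to create entries from unsolicited replies only protects an address the host has never resolved, and the gateway is resolved by every host that talks to it.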
8740121 2002-07-17 12:37 +0200  /24 lines/ martin f krafft <madduck@madduck.net>
Sent by: joel@lysator.liu.se
Imported: 2002-07-17  17:54  by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <23119>
Comment on text 8736196 by Cedric Blancher <blancher@cartel-securite.fr>
Subject: Re: Sniffable Switch Project
------------------------------------------------------------
From: martin f krafft <madduck@madduck.net>
To: bugtraq@securityfocus.com
Message-ID: <20020717103740.GA20352@fishbowl.madduck.net>

thus spoke Cedric Blancher <blancher@cartel-securite.fr> [2002.07.16.2038 +0200]:
> All switches are "sniffable" if you use ARP cache poisoning tools such
> as arpspoof from dsniff package or arp-sk.

Wrong. More expensive switches by Cisco, HP, or others employ various
techniques against ARP cache poisoning. These range from port locking
when the MAC table changes (not applicable to a dynamic environment)
up to adaptive cache cleaning methods that prevent the cache from ever
filling up. And any switch above the $50 price range will employ
a hashmap for the ARP cache rather than a table-per-port approach.

-- 
martin;              (greetings from the heart of the sun.)
  \____ echo mailto: !#^."<*>"|tr "<*> mailto:" net@madduck
  
"the human brain is like an enormous fish --
 it is flat and slimy
 and has gills through which it can see."
                                                       -- monty python
(8740121) /martin f krafft <madduck@madduck.net>/---
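Raynal's first bullet (switches that fail open like hubs when flooded) and krafft's mention of port locking when the MAC table changes can be made concrete with a toy learning switch. This is an added example, not code from the thread or from any vendor's implementation. The table size, the ageing period, the macof-style flood rate (macof is dsniff's MAC flooder) and the port-security rule (disable a port that tries to learn more than N source MACs) are all assumptions chosen for illustration; the hosts and addresses are constructed.

```python
import random


class Switch:
    """Toy learning switch (simplified model, an assumption for illustration).
    cam_size: finite MAC table; age_ticks: entry lifetime without refresh;
    max_per_port: port-security cap on MACs learned per port (None = off)."""

    def __init__(self, ports, cam_size, age_ticks, max_per_port=None):
        self.ports = set(ports)
        self.cam_size, self.age_ticks, self.max_per_port = cam_size, age_ticks, max_per_port
        self.cam = {}            # mac -> [port, last_seen]
        self.shutdown = set()    # ports disabled by port security
        self.now = 0

    def tick(self, n=1):
        """Advance time and expire entries that were not refreshed."""
        self.now += n
        stale = [m for m, (_, seen) in self.cam.items() if self.now - seen >= self.age_ticks]
        for m in stale:
            del self.cam[m]

    def _learn(self, mac, port):
        if mac in self.cam:
            self.cam[mac] = [port, self.now]
            return
        if self.max_per_port is not None:
            if sum(1 for p, _ in self.cam.values() if p == port) >= self.max_per_port:
                self.shutdown.add(port)       # violation: err-disable the port
                return
        if len(self.cam) < self.cam_size:
            self.cam[mac] = [port, self.now]
        # else: table full, the MAC stays unknown and frames to it will be flooded

    def forward(self, src, dst, in_port):
        """Return the set of egress ports for one frame."""
        if in_port in self.shutdown:
            return set()
        self._learn(src, in_port)
        if in_port in self.shutdown:
            return set()
        if dst in self.cam:
            egress = {self.cam[dst][0]}
        else:
            egress = set(self.ports)          # unknown destination: flood like a hub
        return egress - {in_port} - self.shutdown


def mac_flood_scenario(max_per_port=None, seed=1):
    """Quiet server A on port 1, client B on port 2, attacker on port 3.
    Returns (frames delivered to the attacker's port, MAC table occupancy)."""
    sw = Switch(ports=[1, 2, 3], cam_size=64, age_ticks=300, max_per_port=max_per_port)
    A, B = "00:00:00:00:00:0a", "00:00:00:00:00:0b"
    sw.forward(B, A, 2)
    sw.forward(A, B, 1)                          # A and B learned at t=0, then A stays quiet
    rng = random.Random(seed)
    for _ in range(400):                         # macof-style flood: 10 bogus sources per tick
        sw.tick()
        for _ in range(10):
            bogus = "02:" + ":".join(f"{rng.randrange(256):02x}" for _ in range(5))
            sw.forward(bogus, "02:00:00:00:00:01", 3)
    seen_by_attacker = 0
    for _ in range(5):                           # B talks to A again after A's entry aged out
        if 3 in sw.forward(B, A, 2):
            seen_by_attacker += 1
        if 3 in sw.forward(A, B, 1):
            seen_by_attacker += 1
    return seen_by_attacker, len(sw.cam)


if __name__ == "__main__":
    print(mac_flood_scenario())                  # (10, 64): table full, every frame floods
    print(mac_flood_scenario(max_per_port=2))    # (0, 2): attacker's port disabled, table empty
```

Without a per-port limit the flood keeps the 64-entry table full, so when the quiet server's entry ages out it can never be relearned and all ten frames of the renewed conversation are flooded to every port, the attacker's included. With `max_per_port=2` the attacker's port is disabled on its third bogus source address, the table never fills, and the attacker's port receives nothing.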
8745400 2002-07-17 20:47 +0200  /25 lines/ martin f krafft <madduck@madduck.net>
Sent by: joel@lysator.liu.se
Imported: 2002-07-18  18:55  by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <23131>
Comment on text 8740121 by martin f krafft <madduck@madduck.net>
Subject: Re: Sniffable Switch Project
------------------------------------------------------------
From: martin f krafft <madduck@madduck.net>
To: bugtraq@securityfocus.com
Message-ID: <20020717184735.GA24605@fishbowl.madduck.net>

Dear Bugtraq'ers, 
I apologize for my last post since it was just plain wrong. ARP and
MAC are not to be confused, and I did just that. Call it momentary
stupidity, but please excuse it afterwards ;^>

-- 
martin;              (greetings from the heart of the sun.)
  \____ echo mailto: !#^."<*>"|tr "<*> mailto:" net@madduck
  
*** important disclaimer:
by sending an email to any address, that will eventually cause it to
end up in my inbox without much interaction, you are agreeing that:
        
  - i am by definition, "the intended recipient"
  - all information in the email is mine to do with as i see fit and
    make such financial profit, political mileage, or good joke as it
    lends itself to. in particular, i may quote it on usenet.
  - i may take the contents as representing the views of your company.
  - this overrides any disclaimer or statement of confidentiality that
    may be included on your message.
(8745400) /martin f krafft <madduck@madduck.net>/---