driveingnow (posted June 11, 2006)

I am taking a network security class (really, I am) and my teacher was talking about using a switch sniffer to see who was doing what on the network. The only thing is he uses a corp. program that costs BIG!!! bucks. I was wondering if there was any free (or open source) program that would let me do the same on my own network at home. I promise I am not a hacker looking to do wrong; I just want to learn how hackers think so I can learn how to stop them. Thanks for any and all help.....

Shaun (posted June 11, 2006)

Yes, those damn hackers hacking everything up! They must be stopped.

Sparda (posted June 11, 2006)

I'm thinking he's using a darknet of some kind...

driveingnow (Author, posted June 11, 2006)

> I'm thinking he's using a darknet of some kind...

Here I am trying to be serious and wanting to help people and you're being a smart aleck. Please, if you're not going to post the answer or help in some way, just don't bother posting at all. (On this post, I don't presume to set the rules for the board, I am just asking.)

cooper (posted June 11, 2006)

Can you even sniff a switch? Isn't the whole idea that you only see the traffic that is actually directed at your machine? With ARP poisoning you can get the other person's traffic sent to you, but you wouldn't be able to forward it to the original recipient since you'd have to go through your now poisoned device.

manuel (posted June 11, 2006)

You can, if the switch allows for port mirroring.

cooper (posted June 11, 2006)

But wouldn't the switch administrator deliberately have to enable that? I can't imagine there being a good reason to allow a user to do such a thing at his or her own discretion.

barrytone (posted June 11, 2006)

I've heard you can force some switches to go into a 'hub mode' so to speak, by flooding them with too many MAC addresses. I'm not sure how common this is, or whether it actually works, mind :)

Sparda (posted June 12, 2006)

> > I'm thinking he's using a darknet of some kind...
>
> Here I am trying to be serious and wanting to help people and you're being a smart aleck. Please, if you're not going to post the answer or help in some way, just don't bother posting at all. (On this post, I don't presume to set the rules for the board, I am just asking.)

That was a serious answer... it might also have been a honeynet (yes, this is a serious answer). Now who looks like a fool?

jollyrancher82 (posted June 12, 2006)

http://en.wikipedia.org/wiki/Darknet

driveingnow (Author, posted June 12, 2006)

> > > I'm thinking he's using a darknet of some kind...
> >
> > Here I am trying to be serious and wanting to help people and you're being a smart aleck. Please, if you're not going to post the answer or help in some way, just don't bother posting at all. (On this post, I don't presume to set the rules for the board, I am just asking.)
>
> That was a serious answer... it might also have been a honeynet (yes, this is a serious answer). Now who looks like a fool?

OK, sorry about that, but just the way that was worded I thought you were saying that even though I said I was using it for good, I really wanted to use it for bad. However, in reading up on darknets, you are sort of right; the only difference is that no one else is on my network but me. However, I have two computers on the network: one for spying on the other, and one to log in to AIM, Yahoo, MSN, mb, etc., just to see what I get. My apologies for before. I just misunderstood you; I had not heard of a darknet before. However, nobody has really answered my question. So if anyone knows of a free switch sniffer, please let me know... Thanks

cooper (posted June 12, 2006)

> However, nobody has really answered my question. So if anyone knows of a free switch sniffer, please let me know...

I still don't really believe it can be done. Unless both machines are attached to the same port of the switch using a hub, or by emulating a second instance of a computer running on the same machine, as is possible with, for instance, VMWare. In both cases a regular packet sniffer would be able to get all the data. Do you have a name for the pricy software that you mentioned in your opening post?

Miles (posted June 12, 2006)

If it's a managed switch, most of them have an option to set a port as "monitor port"; at least I can do that with my HP ProCurve switch. You can set the ports that you want to monitor the traffic going through, and then the switch will also send the traffic of those ports to your monitor port so you can sniff it.

manuel (posted June 12, 2006)

> If it's a managed switch, most of them have an option to set a port as "monitor port"; at least I can do that with my HP ProCurve switch. You can set the ports that you want to monitor the traffic going through, and then the switch will also send the traffic of those ports to your monitor port so you can sniff it.

That's exactly what I meant -- the only difference is it doesn't always take an admin to enable the option.

cooper (posted June 12, 2006)

Or a big pricy tool to turn it on. I'm assuming you're trying to do something in an environment that was set up by someone capable who (sensibly) assumed this environment to be hostile. So you don't get the monitor port unless you get the switch to activate it for you, like Manuel suggests. In such a scenario, I don't see how you can sniff off of a switch.

What you guys are suggesting is to get the switch to play hub (from your p.o.v.). In that case this thread has been misnamed and the only tool you need is any basic sniffer.

jalada (posted June 13, 2006)

I think someone mentioned it, but doesn't ARP poisoning allow you to "sniff" a switched network? Particularly if the switch is managed and so has an IP address. Or is this a case of RTFP?

cooper (posted June 13, 2006)

http://www.grc.com/nat/arp.htm

Looks like I was wrong. Reading the above I think it's something like this.

Your LAN uses Ethernet packets which encapsulate IP packets. The Ethernet packets contain a MAC address which is the unique address of your network adapter, and as far as the switch or hub is concerned there is no correlation between IP and MAC address. These devices only know about the Ethernet part, and blindly forward packets to the port on which they know that MAC address lives.

When Target sends out a packet to Destination, it uses its ARP cache to get the MAC address of the Destination, places the IP packet for it in the Ethernet packet with this MAC address, and sends it on its way. Destination does a similar thing for sending the data back.

When you poison the ARP caches of Target and Destination, you can get them to wrap their IP packets in an Ethernet packet aimed at you. YOUR ARP cache is clean, and contains the correct MAC address for both machines, allowing you to retransmit the packets to their intended recipients, and none would be the wiser.

So what it basically boils down to is that ARP poisoning behind a switch is just as easy as behind a hub. And you shouldn't need any specialist big bucks tool to get it going either. Any tool will do. You only need to know the IP and MAC address of the target, the IP and MAC address of the destination (such as the internet gateway) and take it from there. Finding the correct values for those might be trickier behind a switch though.

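Added example, not part of the original thread or any poster's code: since a poisoned cache means one adapter's MAC is answering for both Target's and Destination's IP addresses, a monitoring host can spot it by tracking the sender IP-to-MAC bindings in ARP frames. The addresses, the `sample_frame` helper and the alert names are constructed for illustration; `pinned` plays the role of the static ARP table mentioned later in the thread.

```python
import struct

def _mac(b): return ":".join(f"{x:02x}" for x in b)
def _ip(b): return ".".join(str(x) for x in b)

def parse_arp(frame):
    """Return (eth_src, sender_mac, sender_ip) for an IPv4-over-Ethernet ARP frame, else None."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    htype, ptype, hlen, plen, _op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return _mac(frame[6:12]), _mac(frame[22:28]), _ip(frame[28:32])

def find_poisoning(frames, pinned=None):
    """Return alerts (frame_index, kind, ip, mac). `pinned` is a trusted IP->MAC map."""
    ip_to_mac, mac_to_ips, alerts = dict(pinned or {}), {}, []
    for n, frame in enumerate(frames):
        parsed = parse_arp(frame)
        if parsed is None:
            continue
        eth_src, mac, ip = parsed
        if eth_src != mac:              # ARP payload disagrees with the Ethernet source
            alerts.append((n, "header-mismatch", ip, mac))
        if ip_to_mac.setdefault(ip, mac) != mac:   # known IP claimed by a different MAC
            alerts.append((n, "ip-rebound", ip, mac))
        ips = mac_to_ips.setdefault(mac, set())
        if ips and ip not in ips:       # this adapter already answers for another IP
            alerts.append((n, "multi-ip", ip, mac))
        ips.add(ip)
    return alerts

def sample_frame(sender_mac, sender_ip, target_mac, target_ip):
    """Constructed test input: a 42-byte ARP reply as bytes; nothing is sent."""
    m = lambda s: bytes.fromhex(s.replace(":", ""))
    i = lambda s: bytes(int(x) for x in s.split("."))
    head = m(target_mac) + m(sender_mac) + struct.pack("!HHHBBH", 0x0806, 1, 0x0800, 6, 4, 2)
    return head + m(sender_mac) + i(sender_ip) + m(target_mac) + i(target_ip)

GW, TGT, THIRD = "02:00:00:00:00:01", "02:00:00:00:00:10", "02:00:00:00:00:99"
SAMPLE = [  # constructed trace: two honest replies, then one host claiming both IPs
    sample_frame(GW, "192.168.1.1", TGT, "192.168.1.10"),
    sample_frame(TGT, "192.168.1.10", GW, "192.168.1.1"),
    sample_frame(THIRD, "192.168.1.1", TGT, "192.168.1.10"),
    sample_frame(THIRD, "192.168.1.10", GW, "192.168.1.1"),
]

if __name__ == "__main__":
    print(*find_poisoning(SAMPLE), sep="\n")
```

Legitimate events such as a DHCP reassignment or a replaced network card also raise `ip-rebound`, so alerts need to be checked against known changes.
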
driveingnow (Author, posted June 13, 2006)

> http://www.grc.com/nat/arp.htm
>
> Looks like I was wrong. Reading the above I think it's something like this.
>
> Your LAN uses Ethernet packets which encapsulate IP packets. The Ethernet packets contain a MAC address which is the unique address of your network adapter, and as far as the switch or hub is concerned there is no correlation between IP and MAC address. These devices only know about the Ethernet part, and blindly forward packets to the port on which they know that MAC address lives.
>
> When Target sends out a packet to Destination, it uses its ARP cache to get the MAC address of the Destination, places the IP packet for it in the Ethernet packet with this MAC address, and sends it on its way. Destination does a similar thing for sending the data back.
>
> When you poison the ARP caches of Target and Destination, you can get them to wrap their IP packets in an Ethernet packet aimed at you. YOUR ARP cache is clean, and contains the correct MAC address for both machines, allowing you to retransmit the packets to their intended recipients, and none would be the wiser.
>
> So what it basically boils down to is that ARP poisoning behind a switch is just as easy as behind a hub. And you shouldn't need any specialist big bucks tool to get it going either. Any tool will do. You only need to know the IP and MAC address of the target, the IP and MAC address of the destination (such as the internet gateway) and take it from there. Finding the correct values for those might be trickier behind a switch though.

Well, that is easy; all you use is nmap and for a -sS search I have done that. In which case I wonder what my teacher was talking about???? Thanks for the input....

harrison (posted June 13, 2006)

Check out Ettercap and Dsniff. I have used those tool collections on switches before. And of course something like Ethereal is good for analyzing the traffic. Of course, if the router holds an ARP table, you may need to investigate its ARP lease, otherwise you may find yourself having a difficult time performing a poisoning attack.

ben (posted June 13, 2006)

> So what it basically boils down to is that ARP poisoning behind a switch is just as easy as behind a hub. And you shouldn't need any specialist big bucks tool to get it going either. Any tool will do. You only need to know the IP and MAC address of the target, the IP and MAC address of the destination (such as the internet gateway) and take it from there. Finding the correct values for those might be trickier behind a switch though.

Not exactly. The difference between sniffing a hub and a switch is that a...

1. hub automatically forwards every packet on the network to your computer and then your computer decides whether or not to care about the packets.
2. switch requires the attacker to "tell" the victim's computer that the attacker's computer is actually the default gateway. The attacker's computer must then be set up to forward any received packets (that aren't supposed to end at the attacker's computer) on to the proper destination.

Any tool won't do, but, as Harrison said, Dsniff and Ettercap make the job easy. As far as finding the correct "values", that shouldn't be that tough since most systems send out plenty of broadcast messages that anybody can sniff on either a hubbed or a switched network.

Ben

ben (posted June 13, 2006)

> And of course something like Ethereal is good for analyzing the traffic.

Ethereal is dead, long live Wireshark.

Ben

spektormax (posted June 13, 2006)

you, freaken cain&abel will ARP poison a switch. The only time that it won't work, besides the fact that it won't link wireless to wire or vice versa, is if you have a static ARP table in the router and in all machines. For larger networks this is quite uncommon and sometimes even impossible. But you can still spoof a MAC address anyways, so it doesn't provide that much protection. As for overflowing a switch into hub mode, older switches will do that; newer ones I think will just be DoSed and nothing will go thru or go thru really slowly during the attack.

driveingnow (Author, posted June 14, 2006)

> > And of course something like Ethereal is good for analyzing the traffic.
>
> Ethereal is dead, long live Wireshark.
>
> Ben

I just downloaded Wireshark and it looks and works just like Ethereal.

cooper (posted June 14, 2006)

If that response was serious, you're in need of a beating.

stingwray (posted June 14, 2006)

> I just downloaded Wireshark and it looks and works just like Ethereal.

That's because it is almost exactly the same as Ethereal; they had to change the name because the project leader left his job and the company he used to work for owned the rights to the Ethereal name.