Jump to content

Switch Sniffing


driveingnow
 Share

Recommended Posts

I am takeing a network Security class (Really I am) and my teacher was talking about using swith sniffer to see who was doing what on the network.

The only thing is he uses a corp. program that cost BIG!!! bucks.

I was wondering if there was any free (or open source) program that would let me do the same on my own network at home.

I promis I am not a hacker looking to do wrong I just want to learn how hackers think so I can learn how to stop them.

Thanks for any and all help.....

Link to comment
Share on other sites

I'm thinking he's using a darknet of some kind...

here I am trying to be serious and wanting to help people and your being a smart alick.

Please if your not going to post the answer or help in some way just don't bother posting at all.

(On this post, I don't prosume to set the rules for the board I am just asking)

Link to comment
Share on other sites

Can you even sniff a switch? Isn't the whole idea that you only see the traffic that is actually directed at your machine? With ARP poisoning you can get the other person's traffic sent to you, but you wouldn't be able to forward it to the original recipient since you'd have to go through your now poisoned device.

Link to comment
Share on other sites

But wouldn't the switch administrator deliberately have to enable that? I can't imagine there being a good reason to allow a user to do such a thing at his or her own discretion.

Link to comment
Share on other sites

I'm thinking he's using a darknet of some kind...

here I am trying to be serious and wanting to help people and your being a smart alick.

Please if your not going to post the answer or help in some way just don't bother posting at all.

(On this post, I don't prosume to set the rules for the board I am just asking)

That was a seriuse answer... it might also have been a honeynet (yes, this is a seriuse answer). Now who looks like a fool?

Link to comment
Share on other sites

I'm thinking he's using a darknet of some kind...

here I am trying to be serious and wanting to help people and your being a smart alick.

Please if your not going to post the answer or help in some way just don't bother posting at all.

(On this post, I don't prosume to set the rules for the board I am just asking)

That was a seriuse answer... it might also have been a honeynet (yes, this is a seriuse answer). Now who looks like a fool?

Ok sorry about that but just the way that was worded I thought you were saying that even though I said I was using it for good I really wanted to use it for bad.

However in reading up on Darknets, you are sort of right the only differance is that know one else is on my network but me. However I have two computers on the network. One for spying on the other and one to login to aim yahoo msn mb ect. Just to see what I get.

My apolagies for before. I just missunderstood you I had not heard of a Darknet before.

However know body has really answered my Q?. So if any one knows of a free Switch Sniffer please let me know...

Thanks

Link to comment
Share on other sites

However know body has really answered my Q?. So if any one knows of a free Switch Sniffer please let me know...

I still don't really believe it can be done. Unless both machines are attached to the same port of the switch using a hub, or by emulating a second instance of a computer running on the same machine as is possible with for instance VMWare. In both cases a regular packet sniffer would be able to get all the data.

Do you have a name for the pricy software that you mentioned in your opening post?

Link to comment
Share on other sites

if it's a managed switch most of them have an option to set a port as "monitor port" at least i can do thet with my hp procurve switch. You can set the ports that you want to monitor the traffic going through and then the switch will also send that traffic of those ports to your monitor port so you can sniff it.

Link to comment
Share on other sites

if it's a managed switch most of them have an option to set a port as "monitor port" at least i can do thet with my hp procurve switch. You can set the ports that you want to monitor the traffic going through and then the switch will also send that traffic of those ports to your monitor port so you can sniff it.

That's exactly what I meant -- the only difference is it doesn't always take an admin to enable the option.

Link to comment
Share on other sites

Or a big pricy tool to turn it on.

I'm assuming you're trying to do something in an environment that was set up by someone capable who (sensibly) assumed this environment to be hostile. So you don't get the monitor port unless you get the switch to activate it for you, like Manuel suggests.

In such a scenario, I don't see how you can sniff off of a switch. What you guys are suggesting is to get the switch to play hub (from your p.o.v.). In that case this thread has been misnamed and the only tool you need is any basic sniffer.

Link to comment
Share on other sites

http://www.grc.com/nat/arp.htm

Looks like I was wrong. Reading the above I think it's something like this.

Your LAN uses Ethernet packets which encapsulate IP packets. The Ethernet packets contain a MAC address which is the unique address of your network adapter, and as far as the switch or hub is concerned there is no correllation between IP and MAC address. These devices only know about the Ethernet part, and blindly forward packets to the port on which they know that MAC address lives.

When Target sends out a packet to Destination, it uses its ARP Cache to get the MAC address of the Destination, places the IP packet for it in the Ethernet packet with this MAC address, and sends it on its way. Destination does a similar thing for sending the data back.

When you poison the ARP caches of Target and Destination, you can get them to wrap their IP packets in an Ethernet packet aimed at you. YOUR ARP cache is clean, and contains the correct MAC address for both machines, allowing you to retransmit the packets to their intended recipients, and none would be the wiser.

So what it basically boils down to is that ARP poisoning behind a switch is just as easy as behind a hub. And you shouldn't need any specialist big bucks tool to get it going either. Any tool will do. You only need to know the IP and MAC address of the target, the IP and MAC address of the destination (such as the internet gateway) and take it from there. Finding the correct values for those might be trickier behind a switch though.

Link to comment
Share on other sites

http://www.grc.com/nat/arp.htm

Looks like I was wrong. Reading the above I think it's something like this.

Your LAN uses Ethernet packets which encapsulate IP packets. The Ethernet packets contain a MAC address which is the unique address of your network adapter, and as far as the switch or hub is concerned there is no correllation between IP and MAC address. These devices only know about the Ethernet part, and blindly forward packets to the port on which they know that MAC address lives.

When Target sends out a packet to Destination, it uses its ARP Cache to get the MAC address of the Destination, places the IP packet for it in the Ethernet packet with this MAC address, and sends it on its way. Destination does a similar thing for sending the data back.

When you poison the ARP caches of Target and Destination, you can get them to wrap their IP packets in an Ethernet packet aimed at you. YOUR ARP cache is clean, and contains the correct MAC address for both machines, allowing you to retransmit the packets to their intended recipients, and none would be the wiser.

So what it basically boils down to is that ARP poisoning behind a switch is just as easy as behind a hub. And you shouldn't need any specialist big bucks tool to get it going either. Any tool will do. You only need to know the IP and MAC address of the target, the IP and MAC address of the destination (such as the internet gateway) and take it from there. Finding the correct values for those might be trickier behind a switch though.

Well that is easy all you use is nmap and for a -sS search I have done that.

In wich case I wonder what my teacher was talking about????

Thanks for the in put....

Link to comment
Share on other sites

Check out Ettercap and Dsniff. I have used those tool collections on switches before. And of course something like Ethereal is good for analyzing the traffic.

Of course, if the router holds on ARP table, you may need to investigate it's ARP lease, otherwise you may find yourself having a difficult time performing a poisoning attack.

Link to comment
Share on other sites

So what it basically boils down to is that ARP poisoning behind a switch is just as easy as behind a hub. And you shouldn't need any specialist big bucks tool to get it going either. Any tool will do. You only need to know the IP and MAC address of the target, the IP and MAC address of the destination (such as the internet gateway) and take it from there. Finding the correct values for those might be trickier behind a switch though.

Not exactly. The difference between sniffing a hub and a switch is that a...

1. hub automatically forwards every packet on the network to your computer and then your computer decides whether or not to care about the packets.

2. switch requires the attacker to "tell" the victim's computer that the attacker's computer is actually the default gateway. The attacker's computer must then be set up to forward any received packets (that aren't supposed to end at the attacker's computer) on to the proper destination.

Any tool won't do, but, as Harrison said, Dsniff and Ettercap make the job easy.

As far as finding the correct "values", that shouldn't be that tough since most systems send out plenty of broadcast messages that anybody can sniff on either a hubbed or a switched network.

Ben

Link to comment
Share on other sites

you, freaken cain&abel will arp poision a switch. The only time that it won't work besides the fact that it won't link wireless to wire or vica vesa, is if you have a staic arp table in the router and in all machines. For larger networks this is quite uncomon and sometimes even inpossible. BUt you can still spoof a mac address anyways so it doesn't provide that much protection. As for overflowing a switch into hub mode, older switches will do that, newer ones I think will jsut be DoSed and nothing will go thru or go thru really slowly during the attack.

Link to comment
Share on other sites

I just downloaded wireshark and it looks and works just like ethereal.

Thats because it is almost exactly the same as ethereal, they had to change he name because the project leader left his job and the company he used to work for owned the rights to the ethereal name.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...