lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Wed Apr 12 17:00:24 2006
From: ian.t7 at hotmail.co.uk (Ian stuart Turnbull)
Subject: RE: info on ip spoofing please

packet sniffs ____on link between the two end points____, and can
therefore pretend

Ah! Thanks for making that a bit more obvious Neil - much appreciated. Think 
I might have to go back to school as this happens to me on occasion - 
misreading I mean. It is abundantly clear to me now. Good stuff.

And the extra information is also gratefully acknowledged - cheers for that.


>From: "Neil Davis" <rg.viza@...il.com>
>To: full-disclosure@...ts.grok.org.uk
>Subject: [Full-disclosure] RE: info on ip spoofing please
>Date: Wed, 12 Apr 2006 11:42:25 -0400
>MIME-Version: 1.0
>Received: from lists.grok.org.uk ([195.184.125.51]) by 
>bay0-pamc1-f9.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.1830); Wed, 
>12 Apr 2006 08:43:43 -0700
>Received: from lists.grok.org.uk (localhost [127.0.0.1])by 
>lists.grok.org.uk (Postfix) with ESMTP id AE80E7DD;Wed, 12 Apr 2006 
>16:42:49 +0100 (BST)
>Received: from wproxy.gmail.com (wproxy.gmail.com [64.233.184.229])by 
>lists.grok.org.uk (Postfix) with ESMTP id A7B0B677for 
><full-disclosure@...ts.grok.org.uk>;Wed, 12 Apr 2006 16:42:27 +0100 (BST)
>Received: by wproxy.gmail.com with SMTP id i32so1384576wrafor 
><full-disclosure@...ts.grok.org.uk>;Wed, 12 Apr 2006 08:42:25 -0700 (PDT)
>Received: by 10.65.219.8 with SMTP id w8mr387592qbq;Wed, 12 Apr 2006 
>08:42:25 -0700 (PDT)
>Received: by 10.64.47.12 with HTTP; Wed, 12 Apr 2006 08:42:25 -0700 (PDT)
>X-Message-Info: JGTYoYF78jFkGiOJ/qwyB8exkh6rat0d4W1M0LUp3MU=
>X-Original-To: full-disclosure@...ts.grok.org.uk
>Delivered-To: full-disclosure@...ts.grok.org.uk
>DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; 
>d=gmail.com;h=received:message-id:date:from:to:subject:mime-version:content-type:content-transfer-encoding:content-disposition;b=lkbk9PFqymmlV3VIdGq0dz8JzRKdS8LSspZLP9F3EMcECrloeraDHaY6R5bQBnc/RGK884eWdDz1B/5bxgkvVvBBCejnpghWI2AYmnOr/f6FW4lckeDRwo3gGimqs392UjxNtqxcMBn3MJeKfsfZC4gBK9bBsQZajVV7VCFSkXw=
>X-BeenThere: full-disclosure@...ts.grok.org.uk
>X-Mailman-Version: 2.1.5
>Precedence: list
>List-Id: An unmoderated mailing list for the discussion of security 
>issues<full-disclosure.lists.grok.org.uk>
>List-Unsubscribe: 
><https://lists.grok.org.uk/mailman/listinfo/full-disclosure>, 
><mailto:full-disclosure-request@...ts.grok.org.uk?subject=unsubscribe>
>List-Archive: <http://lists.grok.org.uk/pipermail/full-disclosure>
>List-Post: <mailto:full-disclosure@...ts.grok.org.uk>
>List-Help: <mailto:full-disclosure-request@...ts.grok.org.uk?subject=help>
>List-Subscribe: 
><https://lists.grok.org.uk/mailman/listinfo/full-disclosure>, 
><mailto:full-disclosure-request@...ts.grok.org.uk?subject=subscribe>
>Errors-To: full-disclosure-bounces@...ts.grok.org.uk
>Return-Path: full-disclosure-bounces@...ts.grok.org.uk
>X-OriginalArrivalTime: 12 Apr 2006 15:43:44.0315 (UTC) 
>FILETIME=[E15AC8B0:01C65E47]
>
> >   Hello all,
> > At
> > 
>http://www.iss.net/security_center/advice/Underground/Hacking/Methods/Technical/Spoofing/default.htm
> >
> > was this comment :-
> >
> > QUOTE "
> > Examples of spoofing:
> >
> > man-in-the-middle
> > packet sniffs on link between the two end points, and can therefore 
>pretend
> > to be one end of the connection "
> >
> > My question is How can you sniff packets on a link that your machine is 
>NOT
> > on ie NOT on the same subnet??
> >
> > Why am I at a loss to understand this. Is there a command/software that
> > allows one to
> > say: sniff packets on port x of IP xxx.xxx.xxx.xxx ?
> >
> > Please put me out of my agony on this.
> > Thanks for any info you can give.
> >
> >
> > Ian t
>I think you misread the information, this part of it to be exact:
>Examples of spoofing:
>
>man-in-the-middle
>packet sniffs ____on link between the two end points____, and can
>therefore pretend
>to be one end of the connection "
>
>The answer to your question is you can't.
>
>You can only do this on a machine that the traffic is flowing through.
>Hence the name, "man-in-the-middle".
>
>You need to comprimise a machine between the endpoints, such as a
>firewall, router, or proxy, or one of the endpoints themselves so you
>can sourceroute through a machine of your choosing (though if you have
>comprimised an endpoint, this isn't necessary). You then run ettercap,
>and can even read their SSL/SSH conversations and change data.
>man-in-the-middle is a wicked attack. It's also fairly difficult to
>get there, if the machines concerned are patched, up to date, and
>securely configured, as so often they are not.
>
>On ms proxy server, all you need to do is comprimise the proxy server.
>The session ID's, if on query string, are logged, even when they are
>via ssl, you can easily hijack a session that way, simply by looking
>at the proxy log's recent entries, in a lot of cases (note: I am not
>sure if ms proxy server does this on more recent versions, and I am
>sure it's possible to turn this logging off). No packet analysis
>necessary.
>
>-Viz
>
>_______________________________________________
>Full-Disclosure - We believe in it.
>Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>Hosted and sponsored by Secunia - http://secunia.com/

_________________________________________________________________
Are you using the latest version of MSN Messenger? Download MSN Messenger 
7.5 today! http://join.msn.com/messenger/overview

Powered by blists - more mailing lists