Date: Wed Apr 12 17:00:24 2006
From: ian.t7 at hotmail.co.uk (Ian stuart Turnbull)
Subject: RE: info on ip spoofing please

packet sniffs ____on link between the two end points____, and can therefore pretend

Ah! Thanks for making that a bit more obvious Neil - much appreciated.
Think I might have to go back to school as this happens to me on occasion -
misreading I mean. It is abundantly clear to me now. Good stuff.
And the extra information is also gratefully acknowledged - cheers for that.

>From: "Neil Davis" <rg.viza@...il.com>
>To: full-disclosure@...ts.grok.org.uk
>Subject: [Full-disclosure] RE: info on ip spoofing please
>Date: Wed, 12 Apr 2006 11:42:25 -0400
>
> > Hello all,
> > At
> > http://www.iss.net/security_center/advice/Underground/Hacking/Methods/Technical/Spoofing/default.htm
> >
> > was this comment :-
> >
> > QUOTE "
> > Examples of spoofing:
> >
> > man-in-the-middle
> > packet sniffs on link between the two end points, and can therefore pretend
> > to be one end of the connection "
> >
> > My question is How can you sniff packets on a link that your machine is NOT
> > on ie NOT on the same subnet??
> >
> > Why am I at a loss to understand this. Is there a command/software that
> > allows one to
> > say: sniff packets on port x of IP xxx.xxx.xxx.xxx ?
> >
> > Please put me out of my agony on this.
> > Thanks for any info you can give.
> >
> >
> > Ian t
>I think you misread the information, this part of it to be exact:
>Examples of spoofing:
>
>man-in-the-middle
>packet sniffs ____on link between the two end points____, and can
>therefore pretend
>to be one end of the connection "
>
>The answer to your question is you can't.
>
>You can only do this on a machine that the traffic is flowing through.
>Hence the name, "man-in-the-middle".
>
>You need to compromise a machine between the endpoints, such as a
>firewall, router, or proxy, or one of the endpoints themselves so you
>can sourceroute through a machine of your choosing (though if you have
>compromised an endpoint, this isn't necessary). You then run ettercap,
>and can even read their SSL/SSH conversations and change data.
>man-in-the-middle is a wicked attack. It's also fairly difficult to
>get there, if the machines concerned are patched, up to date, and
>securely configured, as so often they are not.
>
>On ms proxy server, all you need to do is compromise the proxy server.
>The session IDs, if on query string, are logged, even when they are
>via ssl, you can easily hijack a session that way, simply by looking
>at the proxy log's recent entries, in a lot of cases (note: I am not
>sure if ms proxy server does this on more recent versions, and I am
>sure it's possible to turn this logging off). No packet analysis
>necessary.
>
>-Viz
>
>_______________________________________________
>Full-Disclosure - We believe in it.
>Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>Hosted and sponsored by Secunia - http://secunia.com/
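
Added example, not part of the original posts: a defender-side check for the log exposure described in the quoted reply, which scans proxy log lines for session identifiers carried in the URL and redacts them. The log layout, the parameter names and the sample lines are constructed assumptions, not the format of any particular proxy product.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Assumed parameter names that commonly carry session tokens (not from the thread).
SESSION_PARAMS = {"sid", "sessionid", "session_id", "phpsessid", "jsessionid", "token"}
URL_RE = re.compile(r"https?://\S+")
PATH_SID_RE = re.compile(r"(?i);jsessionid=[^/?#;]+")

def redact_url(url):
    """Return (redacted_url, names of session parameters found in it)."""
    parts = urlsplit(url)
    found, pairs = [], []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SESSION_PARAMS and value:
            found.append(name)
            value = "REDACTED"
        pairs.append((name, value))
    # Some servers put the token in a path parameter instead of the query.
    path, hits = PATH_SID_RE.subn(";jsessionid=REDACTED", parts.path)
    if hits:
        found.append("jsessionid")
    query = urlencode(pairs)
    return urlunsplit((parts.scheme, parts.netloc, path, query, parts.fragment)), found

def scan_log(lines):
    """Return [(line_number, parameter_names, redacted_line)] for lines that leak a token."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        names = []
        def _redact(match):
            clean, found = redact_url(match.group(0))
            names.extend(found)
            return clean
        clean_line = URL_RE.sub(_redact, line)
        if names:
            findings.append((lineno, names, clean_line))
    return findings

# Constructed sample lines in a made-up "date time client method url status" layout.
SAMPLE_LOG = [
    "2006-04-12 15:40:01 10.0.0.23 GET http://intranet.example/index.html 200",
    "2006-04-12 15:40:07 10.0.0.23 GET https://shop.example/cart?item=42&sessionid=9f8e7d6c5b4a 200",
    "2006-04-12 15:41:12 10.0.0.31 GET http://app.example/home;jsessionid=A1B2C3D4?lang=en 200",
]

if __name__ == "__main__":
    for lineno, names, clean in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: session token in {names} -> {clean}")
```

Any line this flags means a session token is sitting in a log file; moving the token out of the URL (for example into a cookie) removes the exposure at the source.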