Date: Wed Apr 12 23:50:41 2006
From: ian.t7 at hotmail.co.uk (Ian stuart Turnbull)
Subject: RE: info on ip spoofing please


Very informative - thanks, time for another Google or two, methinks.

>From: "Arley Barros Leal" <arley.leal@...ae.com>
>To: "Neil Davis" <rg.viza@...il.com>,<full-disclosure@...ts.grok.org.uk>
>Subject: RE: [Full-disclosure] RE: info on ip spoofing please
>Date: Wed, 12 Apr 2006 18:34:18 +0100
>
>My 2 cents...
>
>Using ARP Cache Poisoning can actually force traffic to flow through your
>host. The man may get into the middle at any time in this scenario :-) ARP
>Cache Poisoning/CAM Flooding/DHCP, BOOTP Spoofing is old school, but some are
>still very effective on most of today's networks. You may wish to play around
>with Cain & Abel, dsniff, hunt etc.
>
>Some not so old attacks explore protocols like STP/VTP/DTP/HSRP. One may use
>VLAN hopping/jumping attacks to trunk traffic from different VLANs; this will
>let the attacker sniff traffic from remote broadcast domains as long as they
>participate in the same VTP domain.
>
>Cheers..
>
>
>-----Original Message-----
>From: full-disclosure-bounces@...ts.grok.org.uk
>[mailto:full-disclosure-bounces@...ts.grok.org.uk] On Behalf Of Neil Davis
>Sent: quarta-feira, 12 de Abril de 2006 16:42
>To: full-disclosure@...ts.grok.org.uk
>Subject: [Full-disclosure] RE: info on ip spoofing please
>
> >   Hello all,
> > At
> > http://www.iss.net/security_center/advice/Underground/Hacking/Methods/
> > Technical/Spoofing/default.htm
> >
> > was this comment :-
> >
> > QUOTE "
> > Examples of spoofing:
> >
> > man-in-the-middle
> > packet sniffs on link between the two end points, and can therefore
> > pretend to be one end of the connection "
> >
> > My question is: how can you sniff packets on a link that your machine
> > is NOT on, i.e. NOT on the same subnet?
> >
> > Why am I at a loss to understand this? Is there a command/software
> > that allows one to say: sniff packets on port x of IP xxx.xxx.xxx.xxx ?
> >
> > Please put me out of my agony on this.
> > Thanks for any info you can give.
> >
> >
> > Ian t
>I think you misread the information, this part of it to be exact:
>Examples of spoofing:
>
>man-in-the-middle
>packet sniffs ____on link between the two end points____, and can therefore
>pretend to be one end of the connection "
>
>The answer to your question is you can't.
>
>You can only do this on a machine that the traffic is flowing through.
>Hence the name, "man-in-the-middle".
>
>You need to compromise a machine between the endpoints, such as a firewall,
>router, or proxy, or one of the endpoints themselves so you can source-route
>through a machine of your choosing (though if you have compromised an
>endpoint, this isn't necessary). You then run ettercap, and can even read
>their SSL/SSH conversations and change data.
>Man-in-the-middle is a wicked attack. It's also fairly difficult to get there
>if the machines concerned are patched, up to date, and securely configured,
>as so often they are not.
>
>On MS Proxy Server, all you need to do is compromise the proxy server.
>The session IDs, if on the query string, are logged, even when they are via
>SSL; you can easily hijack a session that way, simply by looking at the proxy
>log's recent entries, in a lot of cases (note: I am not sure if MS Proxy
>Server does this on more recent versions, and I am sure it's possible to
>turn this logging off). No packet analysis necessary.
>
>-Viz
>
>_______________________________________________
>Full-Disclosure - We believe in it.
>Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>Hosted and sponsored by Secunia - http://secunia.com/

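The ARP cache poisoning that the replies above describe as the usual way to "get into the middle" on a LAN leaves a visible trace: the victim's gateway IP starts being answered for by a second MAC, and the poisoner keeps re-sending replies to hold the cache. The following is an added example (not from anyone in this thread) of the checks a tool such as arpwatch performs, run over a small constructed set of tcpdump-style ARP reply lines; the line format, the addresses and the reply-storm threshold are all assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample in tcpdump-like syntax, not real traffic: the gateway
# 192.168.1.1 is first announced by one MAC, then repeatedly re-announced by a
# second MAC that also starts answering for a host, the shape of a poisoning MITM.
SAMPLE_LINES = """\
10:00:01.000 ARP, Reply 192.168.1.1 is-at 00:11:22:33:44:55, length 28
10:00:02.000 ARP, Reply 192.168.1.20 is-at 00:aa:bb:cc:dd:20, length 28
10:00:05.000 ARP, Reply 192.168.1.1 is-at 00:de:ad:be:ef:01, length 28
10:00:06.000 ARP, Reply 192.168.1.1 is-at 00:de:ad:be:ef:01, length 28
10:00:07.000 ARP, Reply 192.168.1.20 is-at 00:de:ad:be:ef:01, length 28
10:00:08.000 ARP, Reply 192.168.1.1 is-at 00:de:ad:be:ef:01, length 28
"""

ARP_REPLY = re.compile(
    r"^(?P<ts>\S+) ARP, Reply (?P<ip>\d+\.\d+\.\d+\.\d+) is-at "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})", re.I)

def detect_arp_poisoning(lines, storm_threshold=3):
    """Return (alerts, per_mac): alerts is a list of strings, one per
    suspicious event; per_mac maps each MAC to the set of IPs it claimed."""
    known = {}                   # ip -> MAC that first answered for it
    per_mac = defaultdict(set)   # mac -> IPs it has answered for
    counts = defaultdict(int)    # (ip, mac) -> number of replies seen
    alerts = []
    for line in lines.splitlines():
        m = ARP_REPLY.match(line)
        if not m:
            continue             # ignore requests and non-ARP lines
        ts, ip, mac = m["ts"], m["ip"], m["mac"].lower()
        # 1. The same IP is now claimed by a different MAC than before.
        if ip not in known:
            known[ip] = mac
        elif known[ip] != mac:
            alerts.append(f"{ts} MAC_CHANGE {ip} {known[ip]} -> {mac}")
        # 2. One MAC answers for more than one IP (gateway plus victim).
        if per_mac[mac] and ip not in per_mac[mac]:
            alerts.append(f"{ts} MULTI_IP {mac} now claims {ip} too")
        per_mac[mac].add(ip)
        # 3. Repeated unsolicited replies for one binding keep a cache poisoned.
        counts[(ip, mac)] += 1
        if counts[(ip, mac)] == storm_threshold:
            alerts.append(f"{ts} REPLY_STORM {ip} from {mac}")
    return alerts, per_mac

if __name__ == "__main__":
    for alert in detect_arp_poisoning(SAMPLE_LINES)[0]:
        print(alert)
```

On a real segment the first MAC seen is not necessarily the legitimate one, so a static list of known gateway bindings should seed `known` rather than trusting the first reply.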
