Open Source and information security mailing list archives
Date: Wed Apr 12 23:50:41 2006
From: ian.t7 at (Ian stuart Turnbull)
Subject: RE: info on ip spoofing please

very informative - thanks, time for another google or two methinks

>From: "Arley Barros Leal" <>
>To: "Neil Davis" <>,<>
>Subject: RE: [Full-disclosure] RE: info on ip spoofing please
>Date: Wed, 12 Apr 2006 18:34:18 +0100
>My 2 cents...
>Using ARP Cache Poisoning can actually force traffic to flow through your
>The man may get into the middle at any time in this scenario :-) ARP Cache
>Poisoning/CAM Flooding/DHCP,BOOTP Spoofing is old school, but some, still
>effective on most of today's networks. You may wish to play around with
>Cain & Abel, dsniff, hunt etc..
>Some not so old attacks explore protocols like STP/VTP/DTP/HSRP. One may
>VLAN hopping/jumping attacks to trunk traffic from different VLANs, this
>let the attacker sniff traffic from remote broadcast domains as far as they
>participate on the same VTP domain.
>-----Original Message-----
>[] On Behalf Of Neil Davis
>Sent: quarta-feira, 12 de Abril de 2006 16:42
>Subject: [Full-disclosure] RE: info on ip spoofing please
> >   Hello all,
> > At
> >
> > Technical/Spoofing/default.htm
> >
> > was this comment :-
> >
> > QUOTE "
> > Examples of spoofing:
> >
> > man-in-the-middle
> > packet sniffs on link between the two end points, and can therefore
> > pretend to be one end of the connection "
> >
> > My question is How can you sniff packets on a link that your machine
> > is NOT on ie NOT on the same subnet??
> >
> > Why am I at a loss to understand this. Is there a command/software
> > that allows one to
> > say: sniff packets on port x of IP ?
> >
> > Please put me out of my agony on this.
> > Thanks for any info you can give.
> >
> >
> > Ian t
>I think you misread the information, this part of it to be exact:
>Examples of spoofing:
>packet sniffs ____on link between the two end points____, and can therefore
>pretend to be one end of the connection "
>The answer to your question is you can't.
>You can only do this on a machine that the traffic is flowing through.
>Hence the name, "man-in-the-middle".
>You need to compromise a machine between the endpoints, such as a firewall,
>router, or proxy, or one of the endpoints themselves so you can sourceroute
>through a machine of your choosing (though if you have compromised an
>endpoint, this isn't necessary). You then run ettercap, and can even read
>their SSL/SSH conversations and change data.
>man-in-the-middle is a wicked attack. It's also fairly difficult to get
>if the machines concerned are patched, up to date, and securely configured,
>so often they are not.
>On ms proxy server, all you need to do is compromise the proxy server.
>The session ID's, if on query string, are logged, even when they are via 
>you can easily hijack a session that way, simply by looking at the proxy 
>recent entries, in a lot of cases (note: I am not sure if ms proxy server 
>this on more recent versions, and I am sure it's possible to turn this 
>off). No packet analysis necessary.
>Full-Disclosure - We believe in it.
>Hosted and sponsored by Secunia -
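
Added example, not part of the original thread: the ARP cache poisoning mentioned in the replies is visible on the local segment as an IP address being claimed by a second MAC address, and a monitor can flag that. The frames, addresses (documentation range 192.0.2.0/24) and function names below are constructed for illustration.

```python
import struct

def parse_arp(frame: bytes):
    """Return (sender_ip, sender_mac) for an IPv4-over-Ethernet ARP frame, else None."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":   # EtherType 0x0806 = ARP
        return None
    htype, ptype, hlen, plen, _oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):   # Ethernet / IPv4 only
        return None
    return ".".join(map(str, frame[28:32])), frame[22:28].hex(":")

def find_rebindings(frames):
    """List (frame_index, ip, first_seen_mac, new_mac) for each ARP sender
    whose IP address was already bound to a different MAC address."""
    first_seen, alerts = {}, []
    for index, frame in enumerate(frames):
        parsed = parse_arp(frame)
        if parsed is None:
            continue                      # not ARP, or not IPv4 over Ethernet
        ip, mac = parsed
        known = first_seen.setdefault(ip, mac)
        if known != mac:                  # same IP, different hardware address
            alerts.append((index, ip, known, mac))
    return alerts

def sample_frame(sender_mac, sender_ip, target_mac, target_ip):
    """Constructed ARP reply (opcode 2), used only as offline sample input."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    ip = lambda s: bytes(int(octet) for octet in s.split("."))
    ethernet = mac(target_mac) + mac(sender_mac) + b"\x08\x06"
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 2)
    return ethernet + arp + mac(sender_mac) + ip(sender_ip) + mac(target_mac) + ip(target_ip)

# Constructed capture: gateway and host announce themselves, one unrelated
# IPv4 frame passes by, then a third MAC claims the gateway's IP address.
GATEWAY = ("02:00:00:00:00:01", "192.0.2.1")
HOST = ("02:00:00:00:00:0a", "192.0.2.10")
SAMPLE_CAPTURE = [
    sample_frame(*GATEWAY, *HOST),
    bytes(12) + b"\x08\x00" + bytes(28),            # non-ARP frame, skipped
    sample_frame(*HOST, *GATEWAY),
    sample_frame("02:00:00:00:00:66", "192.0.2.1", *HOST),
]

if __name__ == "__main__":
    for index, ip, old, new in find_rebindings(SAMPLE_CAPTURE):
        print(f"frame {index}: {ip} was {old}, now claimed by {new}")
```

A changed binding is a signal to investigate rather than proof of poisoning, since a replaced network card or a failover pair produces the same pattern.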
