lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Wed Apr 12 23:50:41 2006
From: ian.t7 at hotmail.co.uk (Ian stuart Turnbull)
Subject: RE: info on ip spoofing please


very informative - thanks, time for another google or two methinks

>From: "Arley Barros Leal" <arley.leal@...ae.com>
>To: "Neil Davis" <rg.viza@...il.com>,<full-disclosure@...ts.grok.org.uk>
>Subject: RE: [Full-disclosure] RE: info on ip spoofing please
>Date: Wed, 12 Apr 2006 18:34:18 +0100
>MIME-Version: 1.0
>Received: from lists.grok.org.uk ([195.184.125.51]) by 
>bay0-pamc1-f1.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.1830); Wed, 
>12 Apr 2006 10:35:44 -0700
>Received: from lists.grok.org.uk (localhost [127.0.0.1])by 
>lists.grok.org.uk (Postfix) with ESMTP id 8F5847F0;Wed, 12 Apr 2006 
>18:34:48 +0100 (BST)
>Received: from lx1ims003.optimus.pt (unknown [62.169.69.2])by 
>lists.grok.org.uk (Postfix) with SMTP id 1827665Bfor 
><full-disclosure@...ts.grok.org.uk>;Wed, 12 Apr 2006 18:34:24 +0100 (BST)
>Received: from lx1exc2k002.optimus.pt ([172.1.50.60]) by 
>lx1ims003.optimus.ptwith Microsoft SMTPSVC(6.0.3790.1830); Wed, 12 Apr 2006 
>18:34:22 +0100
>X-Message-Info: JGTYoYF78jFmtBMFo4GmdOynvjSOVJHCmW32J3J6SBs=
>X-Original-To: full-disclosure@...ts.grok.org.uk
>Delivered-To: full-disclosure@...ts.grok.org.uk
>X-MimeOLE: Produced By Microsoft Exchange V6.5
>Content-class: urn:content-classes:message
>X-MS-Has-Attach: X-MS-TNEF-Correlator: Thread-Topic: [Full-disclosure] RE: 
>info on ip spoofing please
>Thread-Index: AcZeR9NaK93s4y6ITICFJFdEY+MvWwACqnkg
>X-OriginalArrivalTime: 12 Apr 2006 17:34:22.0714 
>(UTC)FILETIME=[562615A0:01C65E57]
>X-BeenThere: full-disclosure@...ts.grok.org.uk
>X-Mailman-Version: 2.1.5
>Precedence: list
>List-Id: An unmoderated mailing list for the discussion of security 
>issues<full-disclosure.lists.grok.org.uk>
>List-Unsubscribe: 
><https://lists.grok.org.uk/mailman/listinfo/full-disclosure>, 
><mailto:full-disclosure-request@...ts.grok.org.uk?subject=unsubscribe>
>List-Archive: <http://lists.grok.org.uk/pipermail/full-disclosure>
>List-Post: <mailto:full-disclosure@...ts.grok.org.uk>
>List-Help: <mailto:full-disclosure-request@...ts.grok.org.uk?subject=help>
>List-Subscribe: 
><https://lists.grok.org.uk/mailman/listinfo/full-disclosure>, 
><mailto:full-disclosure-request@...ts.grok.org.uk?subject=subscribe>
>Errors-To: full-disclosure-bounces@...ts.grok.org.uk
>Return-Path: full-disclosure-bounces@...ts.grok.org.uk
>
>My 2 cents...
>
>Using ARP Cache Poisoning can actually force traffic to flow trough your 
>host,
>The man may get into the middle at any time in this scenario :-) ARP Cache
>Poisoning/CAM Floodind/DHCP,BOOTP Spoofing is old school, but some, still 
>very
>effective on most of today's networks. You may wish to play around with
>Cain&Able, dsniff, hunt etc..
>
>Some not so old attacks explore protocols like STP/VTP/DTP/HSRP. One may 
>use
>Vlan hoping/jumping attacks to trunk traffic from different VLANs, this 
>will
>let the attacker sniff traffic from remote broadcast domains as far as they
>participate on the same VTP domain.
>
>Cheers..
>
>
>-----Original Message-----
>From: full-disclosure-bounces@...ts.grok.org.uk
>[mailto:full-disclosure-bounces@...ts.grok.org.uk] On Behalf Of Neil Davis
>Sent: quarta-feira, 12 de Abril de 2006 16:42
>To: full-disclosure@...ts.grok.org.uk
>Subject: [Full-disclosure] RE: info on ip spoofing please
>
> >   Hello all,
> > At
> > http://www.iss.net/security_center/advice/Underground/Hacking/Methods/
> > Technical/Spoofing/default.htm
> >
> > was this comment :-
> >
> > QUOTE "
> > Examples of spoofing:
> >
> > man-in-the-middle
> > packet sniffs on link between the two end points, and can therefore
> > pretend to be one end of the connection "
> >
> > My question is How can you sniff packets on a link that your machine
> > is NOT on ie NOT on the same subnet??
> >
> > Why am I at a loss to understand this. Is there a command/software
> > that allows one to
> > say: sniff packets on port x of IP xxx.xxx.xxx.xxx ?
> >
> > Please put me out of my agony on this.
> > Thanks for any info you can give.
> >
> >
> > Ian t
>I think you misread the information, this part of it to be exact:
>Examples of spoofing:
>
>man-in-the-middle
>packet sniffs ____on link between the two end points____, and can therefore
>pretend to be one end of the connection "
>
>The answer to your question is you can't.
>
>You can only do this on a machine that the traffic is flowing through.
>Hence the name, "man-in-the-middle".
>
>You need to comprimise a machine between the endpoints, such as a firewall,
>router, or proxy, or one of the endpoints themselves so you can sourceroute
>through a machine of your choosing (though if you have comprimised an
>endpoint, this isn't necessary). You then run ettercap, and can even read
>their SSL/SSH conversations and change data.
>man-in-the-middle is a wicked attack. It's also fairly difficult to get 
>there,
>if the machines concerned are patched, up to date, and securely configured, 
>as
>so often they are not.
>
>On ms proxy server, all you need to do is comprimise the proxy server.
>The session ID's, if on query string, are logged, even when they are via 
>ssl,
>you can easily hijack a session that way, simply by looking at the proxy 
>log's
>recent entries, in a lot of cases (note: I am not sure if ms proxy server 
>does
>this on more recent versions, and I am sure it's possible to turn this 
>logging
>off). No packet analysis necessary.
>
>-Viz
>
>_______________________________________________
>Full-Disclosure - We believe in it.
>Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>Hosted and sponsored by Secunia - http://secunia.com/


><< smime.p7s >>




>_______________________________________________
>Full-Disclosure - We believe in it.
>Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>Hosted and sponsored by Secunia - http://secunia.com/

_________________________________________________________________
Are you using the latest version of MSN Messenger? Download MSN Messenger 
7.5 today! http://join.msn.com/messenger/overview

Powered by blists - more mailing lists