hacking contest

hacking exploits security forum
hacking
compliance articles
upgrade backup exec
information security consultant
Help - Search - Member List - Calendar
GovernmentSecurity.org > System Security > Networking Security / Firewall / IDS / VPN / Routers
giany
Jun 28 2005, 10:12 PM
Hello,

Did anyone managed to sniff through a cisco router using a gre tunnel?
myth
Jun 29 2005, 12:20 AM
Ettercap, atleast the linux version, has a plugin for that. I havent tried it yet, havent found the environment for it... Also, for the password sniffing, i prefer to use a tool like dsniff that i can control easier, and if it goes to shite, doesnt kill the lan till the next arp request reply tournament.

QUOTE
      Remote  traffic  sniffing  through  tunnels and route mangling: You can play with
      linux cooked interfaces or use the integrated plugin to sniff tunneled or  route-
      mangled remote connections and perform mitm attacks on them.


CODE
[0]       gre_relay  1.0  Tunnel broker for redirected GRE tunnels


QUOTE
      gre_relay

              This plugin can be used to sniff GRE-redirected remote traffic.  The basic
              idea  is  to  create  a  GRE tunnel that sends all the traffic on a router
              interface to the ettercap machine. The plugin will send back the GRE pack-
              ets  to  the  router,  after ettercap "manipulation" (you can use "active"
              plugins such as smb_down, ssh decryption, filters,  etc...  on  redirected
              traffic)  It needs a "fake" host where the traffic has to be redirected to
              (to avoid kernel's responses). The "fake" IP will be the tunnel  endpoint.
              Gre_relay  plugin  will impersonate the "fake" host.  To find an unused IP
              address for the "fake" host you can use  find_ip  plugin.  Based  on  the
              original  Tunnelx  technique  by  Anthony  C.  Zboralski  published  in
              http://www.phrack.org/show.php?p=56&a=10 by HERT.


http://www.phrack.org/show.php?p=56&a=10 <- Check that link, quiet a good how-to, was of interest to me...
easternerd
Jun 29 2005, 06:53 AM
One more plus point is that it can skim throught all those SSH packets too.
giany
Jun 29 2005, 08:39 AM
QUOTE
http://www.phrack.org/show.php?p=56&a=10 <- Check that link, quiet a good how-to, was of interest to me...


I`ve been testing this.. and others..but when you launch the sniff on the linux end after a few seconds you can`t sniff no more..the linux server gets ddosed..I couldn`t use that tunnelx program.. you need a very stable server and bandwidth as well. The problem with this kind of attack is to redirect only a specific kind of traffic not all..and when it gets to the linux/freebsd/netbsd server to redirect it back to the cisco.. or to other server which is a little bit difficult to do neither source routing or iptables tricks worked for me..I`ll take a look at the gre_relay program..

Thx for the tips..
skydance
Jul 3 2005, 06:25 PM
i didnt try it but ive read about that in some hacking book.... basically you make a GRE tunnel between the cisco you want to sniff and another cisco at your place wired up with a hub and a machine with ethereal...
This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.
 
Invision Power Board © 2001-2005 Invision Power Services, Inc.