Forums: ARP Poison Routing Simplified, Detection


#1 gman24 (Group: Specialist; Posts: 643; Joined: 21-October 03)

Posted 03 February 2004 - 04:14 PM

Wasn't sure where to put this; since it deals with routers and switches, I put it here.

For this, the cain part of cain and abel will be used. For those who don't have it, it can be downloaded here.
http://www.oxid.it/cain.html


Sniffing:

First, reconnaissance.

- Find the router; this is usually a.b.c.1
- Find your target computer
- Start the sniffer and have Cain scan your segment. Cain can perform tests to see if the IP is a switch or router
- Watch the ARP request interval; this will need to be set later.

Second, setup.

- Go to the APR tab under Sniffer
- Hit the plus sign, select the target computer and the router. Hit OK.
- Go to Configure, hit "use spoofed IP and MAC address" (if you are sniffing more than one computer this is smart; otherwise the MAC 00:11:22:33:44 looks suspicious.)
- Remember the ARP requests; change "poison ARP caches" to one less than the interval you recorded.

Third, Sniffing.

- Run Ethereal or some other sniffer, start sniffing.
- Hit the poison icon (radiation-looking thing in the bar).
- When you're done, stop poisoning.


Some uses other than sniffing:

- Basically the poisoning system acts as the router between the two systems; a program can be created to change packets as they come through the system.
- Another use, Cain has the option for it, is APR-DNS. The system is in the middle, so DNS requests can be intercepted, for example www.yahoo.com, and routed to another system. This system could contain a fake webpage with a fake login that captures passwords.
- Session hijacking


Detection:

- One detection method is for those guys that are greedy; they want all the traffic.
The traffic will look like this from the router or switch side (if a sniffer is placed between the router or switch and the rest of the network, this can be seen):
192.168.0.2 is at AA:BB:CC:DD:EE
192.168.0.3 is at AA:BB:CC:DD:EE
192.168.0.4 is at AA:BB:CC:DD:EE
192.168.0.5 is at AA:BB:CC:DD:EE
192.168.0.6 is at AA:BB:CC:DD:EE
192.168.0.7 is at AA:BB:CC:DD:EE
etc.

- If a MAC is 00:11:22:33:44. It's the default with Cain.

- If a computer is sending "xxx.xxx.xxx.xxx is at AA:BB:CC:DD:EE" constantly before being asked

- Multiple ARP entries for one MAC. EX: 192.168.0.3 @ AA:BB:CC:DD:EE and 192.168.0.4 @ AA:BB:CC:DD:EE

Possible location detection:
The MAC and IP can be spoofed, but only within their subnet. To find the attacker, move the subnet till a place is found where the attack switches to the other side of the net. (This has not been tested, just something I thought might work; if someone wants to test and reply, please do.)


If I missed anything or anything looks wrong feel free to point it out.


- Tyler Branch
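The frames a poisoner emits in the setup described above, and the three detection heuristics listed under Detection (replies nobody asked for, Cain's default MAC, one MAC answering for several IPs), worked through in Python as an added example. This is not Cain's code and is not part of the original post. Assumptions: the Cain default MAC is matched as the five-octet prefix exactly as the post writes it; the router, victim and attacker addresses in sample_traffic() are constructed for this example; a real deployment would feed frames from a capture rather than build them in memory.

```python
"""Added example: raw ARP frames as a poisoner would emit them, then the
thread's detection heuristics run over a constructed capture. Not Cain's
code and not from the original post."""
import struct
from collections import defaultdict

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"
# The post gives Cain's default spoofed MAC as 00:11:22:33:44 (five octets as
# written); matching it as a prefix is an assumption of this example.
CAIN_DEFAULT_PREFIX = "00:11:22:33:44"


def mac_bytes(mac):
    return bytes(int(o, 16) for o in mac.split(":"))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_bytes(ip):
    return bytes(int(o) for o in ip.split("."))


def ip_str(b):
    return ".".join(str(x) for x in b)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II header + 28-byte ARP body (Ethernet/IPv4, 6/4-byte addresses)."""
    dst = BROADCAST if op == ARP_REQUEST else target_mac
    eth = mac_bytes(dst) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
           + mac_bytes(sender_mac) + ip_bytes(sender_ip)
           + mac_bytes(target_mac) + ip_bytes(target_ip))
    return eth + arp


def parse_arp(frame):
    """ARP fields of an Ethernet frame, or None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"op": op,
            "smac": mac_str(frame[22:28]), "sip": ip_str(frame[28:32]),
            "tmac": mac_str(frame[32:38]), "tip": ip_str(frame[38:42])}


def detect_poisoning(frames):
    """The post's heuristics: replies nobody asked for, Cain's default MAC,
    and one MAC announcing several IPs. Returns a list of (kind, ip, mac) tuples."""
    findings = []
    claimed = defaultdict(set)   # sender MAC -> IPs it has announced
    outstanding = set()          # (IP asked for, asker's IP) still unanswered
    for frame in frames:
        a = parse_arp(frame)
        if a is None:
            continue
        if a["op"] == ARP_REQUEST:
            outstanding.add((a["tip"], a["sip"]))
            continue
        if a["op"] != ARP_REPLY:
            continue
        claimed[a["smac"]].add(a["sip"])
        if (a["sip"], a["tip"]) in outstanding:
            outstanding.discard((a["sip"], a["tip"]))
        else:
            findings.append(("unsolicited reply", a["sip"], a["smac"]))
        if a["smac"].startswith(CAIN_DEFAULT_PREFIX):
            findings.append(("cain default MAC", a["sip"], a["smac"]))
    for mac, ips in claimed.items():
        if len(ips) > 1:
            findings.append(("one MAC for several IPs", mac, tuple(sorted(ips))))
    return findings


# Constructed sample: these addresses and MACs are made up for this example.
ROUTER, VICTIM = "192.168.0.1", "192.168.0.2"
ROUTER_MAC, VICTIM_MAC = "00:50:56:00:00:01", "00:50:56:00:00:02"
ATTACKER_MAC = "aa:bb:cc:dd:ee:ff"


def sample_traffic():
    return [
        b"\x00" * 14,                                                              # non-ARP junk, skipped
        build_arp(ARP_REQUEST, VICTIM_MAC, VICTIM, "00:00:00:00:00:00", ROUTER),   # who has .1?
        build_arp(ARP_REPLY, ROUTER_MAC, ROUTER, VICTIM_MAC, VICTIM),              # legitimate answer
        # Poisoner: tell the victim the router is at ATTACKER_MAC, and tell the
        # router the victim is at ATTACKER_MAC (APR with both sides selected).
        build_arp(ARP_REPLY, ATTACKER_MAC, ROUTER, VICTIM_MAC, VICTIM),
        build_arp(ARP_REPLY, ATTACKER_MAC, VICTIM, ROUTER_MAC, ROUTER),
        # The same attack with Cain's default MAC left in place.
        build_arp(ARP_REPLY, "00:11:22:33:44:55", ROUTER, VICTIM_MAC, VICTIM),
    ]


if __name__ == "__main__":
    for finding in detect_poisoning(sample_traffic()):
        print(*finding)
```

The request/reply pairing is deliberately strict (a reply counts as solicited only if the announced IP was asked for by the reply's target); gratuitous ARP sent legitimately at boot or by failover setups will also show up as "unsolicited reply", so in practice that heuristic is a trigger for a closer look rather than an alarm on its own.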

#2 Fractured (Group: Members; Posts: 77; Joined: 16-December 03)

Posted 03 February 2004 - 07:07 PM

This is good, thanks. I've been looking for something like this.

So does this mean that if you are just doing a regular ARP poisoning sniff against one person, while spoofing a legit-looking MAC, it will be hard to detect someone doing this?

How do you make it so it does not constantly send ARP replies without being asked?

What would a successful capture look like?

#3 gman24 (Group: Specialist; Posts: 643; Joined: 21-October 03)

Posted 03 February 2004 - 08:00 PM

Fractured, on Feb 3 2004, 08:07 PM, said:

This is good, thanks. I've been looking for something like this.

1) So does this mean that if you are just doing a regular ARP poisoning sniff against one person, while spoofing a legit-looking MAC, it will be hard to detect someone doing this?

2) How do you make it so it does not constantly send ARP replies without being asked?

3) What would a successful capture look like?

1) Yes, it will be harder.

2) You can't (Edit: as far as I know); that's what ARP poisoning is. If the switch or router sends an ARP request broadcast, the target computer will reply.

3) Your sniffer, Ethereal or other, will show a surge of packets.

I included a screenshot; the area circled will show activity.

"Idle" will say "poisoning".


#4 Fractured (Group: Members; Posts: 77; Joined: 16-December 03)

Posted 04 February 2004 - 02:37 AM

Thanks for the nice response.

One other thing.

What kind of damage to the network itself could happen using this procedure? And how could it possibly be avoided/minimized?

#5 gman24 (Group: Specialist; Posts: 643; Joined: 21-October 03)

Posted 04 February 2004 - 11:53 AM

Fractured, on Feb 4 2004, 03:37 AM, said:

Thanks for the nice response.

One other thing.

What kind of damage to the network itself could happen using this procedure? And how could it possibly be avoided/minimized?

No damage to the network from the poisoning.

You can incur damage to your computer if you are in the middle of too many hosts. Your computer attempting to route too many packets will get a DoS. This can be fixed by rebooting, and can be avoided by figuring out your limit. Take into account how much traffic each host has.


Another problem is with DNS spoofing, not the poisoning itself.

If you spoof an address, that address may be stored on the computer until they restart. For example, you route www.yahoo.com to 192.168.0.2. The target goes there, then you later turn off your computer. The target computer will be looking at 192.168.0.2, not the Yahoo IP. A fix to this is, after spoofing and getting what you want, to re-spoof it to the original site and wait for a second request (this doesn't always work). Another fix is to reboot the target computer (this has always worked for me).

#6 Guest SKyLiNe (Group: Guests)

Posted 05 February 2004 - 02:06 AM

If you do not wish to reboot, an ipconfig /flushdns followed by an arp -a (and, if needed, modifying entries with the -d and -s parameters) should fix any issues from ARP poisoning and DNS spoofing without rebooting target hosts.

#7 st3@1th (Group: Members; Posts: 75; Joined: 20-January 04)

Posted 06 February 2004 - 08:27 AM

It takes a bit of skill to do this right, as it's easy to saturate the switch with even a small number of PCs, making the network almost unusable.

#8 Guest MrRobot (Group: Guests)

Posted 09 February 2004 - 05:31 AM

Very nice, I tested this on my LAN, worked like a charm.

Now my question: my LAN is behind a router/switch which then connects to the Internet.

Could this attack work the same? I assume it would.
But how would you detect this type of attack on your router/switch?
I know there's a logging feature for the switch/router, but what should one look for? Thanks.

#9 billkennedy32 (Group: Members; Posts: 53; Joined: 09-October 03)

Posted 09 February 2004 - 07:18 AM

ettercap is the best for this, works well.

#10 st3@1th (Group: Members; Posts: 75; Joined: 20-January 04)

Posted 09 February 2004 - 07:22 AM

MrRobot, on Feb 9 2004, 01:31 PM, said:

Now my question: my LAN is behind a router/switch which then connects to the Internet.

Could this attack work the same? I assume it would.
But how would you detect this type of attack on your router/switch?
I know there's a logging feature for the switch/router, but what should one look for? Thanks.

What do you mean? Doing it over the internet? That would not work, and routers have nothing to do with it as they primarily deal with IP tables not MAC tables.

#11 billkennedy32 (Group: Members; Posts: 53; Joined: 09-October 03)

Posted 09 February 2004 - 07:48 AM

It will work with your public subnet on inet.

#12 Guest MrRobot (Group: Guests)

Posted 09 February 2004 - 08:43 AM

billkennedy32, on Feb 9 2004, 11:48 AM, said:

It will work with your public subnet on inet.

I thought so.

Now, how would you detect if this is happening to your router and/or switch?

#13 billkennedy32 (Group: Members; Posts: 53; Joined: 09-October 03)

Posted 09 February 2004 - 09:26 AM

http://www.cs.sjsu.e...ilky_report.pdf

#14 Guest MrRobot (Group: Guests)

Posted 09 February 2004 - 12:18 PM

billkennedy32, on Feb 9 2004, 01:26 PM, said:


Thanks a lot.

#15 st3@1th (Group: Members; Posts: 75; Joined: 20-January 04)

Posted 10 February 2004 - 07:57 AM

No you're wrong, this will only work on an ethernet network within the same broadcast domain.