SwitchSniff
The reader is referred to an earlier article for the basics of sniffer detection. When a sniffer is working on a switched network, the chances of detecting it are higher: here the sniffer is not a passive device. To see frames the switch would never deliver to its port it has to send traffic of its own (forged ARP replies, a flood of bogus MAC addresses), and that traffic can be detected.
ARP spoofing can be detected with a program called arpwatch. It listens to the ARP traffic on a segment, keeps a database of IP-address-to-MAC-address pairings, and reports when a pairing changes (an IP address that suddenly answers from a different MAC address, or flip-flops between two) or when a new station appears. A changed pairing for an important host such as the gateway is a warning that sniffing may be in progress. It can be obtained at online.securityfocus.com/data/tools/arpwatch.tar.Z
As is clear from the above sections, one method of sniffing in a switched environment is ARP spoofing, and the machine most likely to be impersonated is the gateway. One countermeasure is to add the gateway's MAC address to your ARP cache as a permanent entry, which the kernel will not overwrite when an ARP reply arrives; this is done with the -s flag of the arp command (read more on the arp man page). Alternatively, list the MAC addresses of the important machines in /etc/ethers and load them with arp -f, which makes all of them permanent entries. Two caveats: a static entry only protects this host's view of the gateway, so the gateway's own ARP cache can still be poisoned and traffic in the other direction still diverted unless the gateway is protected too; and the entries are lost at reboot, so they must be re-added from a startup script.
Final words of advice: use encryption. Switch to SSH and SCP instead of Telnet and FTP, and check the host key fingerprint whenever a server's key is reported as new or changed, because an ARP-spoofing attacker sitting in the middle can present a key of his own.
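The checks arpwatch performs, as an added example that is not part of the original article and not arpwatch's own code: a pair of shell functions that replay constructed ARP-reply records and report any IP address answered for by more than one MAC (arpwatch's "flip flop" / "changed ethernet address" case) and any single MAC answering for several IP addresses, which is what an attacker poisoning both ends of a conversation looks like. The record format, the sample records and the addresses (192.168.1.1 as the gateway, 00:0c:29:aa:bb:cc as the suspect MAC) are all made up for the example; in practice the three fields would be extracted from a `tcpdump -n -e arp` capture.

```shell
#!/bin/sh
# Added example, not from the original article and not arpwatch itself.
# Record format assumed here: "<epoch> <sender-ip> <sender-mac>", one ARP
# reply per line.  The sample is constructed: 192.168.1.1 is the hypothetical
# gateway and 00:0c:29:aa:bb:cc the hypothetical attacker's card, which
# answers for the gateway in the fourth record.
SAMPLE_ARP_REPLIES='1022500001 192.168.1.1 00:50:ba:11:22:33
1022500002 192.168.1.20 00:0c:29:aa:bb:cc
1022500003 192.168.1.1 00:50:ba:11:22:33
1022500004 192.168.1.1 00:0c:29:aa:bb:cc
1022500005 192.168.1.20 00:0c:29:aa:bb:cc
1022500006 192.168.1.1 00:50:ba:11:22:33'

# Read records on stdin; remember the first MAC seen for each IP and print
#   FLIPFLOP <ip> <old-mac> -> <new-mac>
# every time the answering MAC changes.  New stations are not reported here.
arp_flipflops() {
    awk '
    {
        ip = $2; mac = tolower($3)
        if (!(ip in seen)) { seen[ip] = mac; next }
        if (seen[ip] != mac) {
            printf "FLIPFLOP %s %s -> %s\n", ip, seen[ip], mac
            seen[ip] = mac
        }
    }'
}

# Read records on stdin; print
#   MULTI <mac> <ip1>,<ip2>,...
# for every MAC that has answered for more than one IP address.
arp_shared_macs() {
    awk '
    {
        ip = $2; mac = tolower($3)
        if ((mac, ip) in pair) next
        pair[mac, ip] = 1
        ips[mac] = (ips[mac] == "") ? ip : ips[mac] "," ip
        count[mac]++
    }
    END {
        for (m in ips) if (count[m] > 1) printf "MULTI %s %s\n", m, ips[m]
    }'
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_ARP_REPLIES" | arp_flipflops
printf '%s\n' "$SAMPLE_ARP_REPLIES" | arp_shared_macs
```

On the sample this reports two flip-flops for 192.168.1.1 (the gateway address moving to the attacker's MAC and back) and one MULTI line for 00:0c:29:aa:bb:cc. The flip-flop check alone is noisy on DHCP networks where addresses legitimately move between machines; the shared-MAC check is the more specific indicator of a poisoning attack, since a real host rarely has reason to answer for another host's address.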
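Pinning the gateway's MAC address as described above, as an added example that is not part of the original article: a small script that validates the MAC, builds the /etc/ethers line, and adds the permanent entry either with the arp -s call the article mentions or with the iproute2 equivalent for systems that no longer ship arp(8). The gateway address 192.168.1.1, its MAC 00:50:ba:11:22:33 and the interface eth0 are placeholders to be replaced with your own values; DRYRUN=1 prints the commands instead of running them, since the real calls need root.

```shell
#!/bin/sh
# Added example, not from the original article.  Placeholder values: change
# GW_IP, GW_MAC and IFACE for your network.  Run as root, or with DRYRUN=1 to
# see the commands that would be run.
GW_IP=${GW_IP:-192.168.1.1}
GW_MAC=${GW_MAC:-00:50:ba:11:22:33}
IFACE=${IFACE:-eth0}

# Execute a command, or just print it when DRYRUN is set.
run() {
    if [ -n "$DRYRUN" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Accept only six colon-separated hex octets; a typo here would pin the
# gateway to a MAC that nobody owns and cut this host off the network.
valid_mac() {
    printf '%s' "$1" | grep -Eq '^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$'
}

# One /etc/ethers line: "MAC host-or-IP".  `arp -f /etc/ethers` loads every
# line of that file as a permanent entry.
ethers_line() {
    valid_mac "$2" || return 1
    printf '%s %s\n' "$2" "$1"
}

# The classic net-tools call the article refers to.
pin_with_arp() {
    valid_mac "$GW_MAC" || { echo "bad MAC: $GW_MAC" >&2; return 1; }
    run arp -i "$IFACE" -s "$GW_IP" "$GW_MAC"
}

# The iproute2 equivalent; "nud permanent" is what keeps the kernel from
# replacing the entry when a (possibly forged) ARP reply arrives.
pin_with_ip() {
    valid_mac "$GW_MAC" || { echo "bad MAC: $GW_MAC" >&2; return 1; }
    run ip neigh replace "$GW_IP" lladdr "$GW_MAC" dev "$IFACE" nud permanent
}

# Verify: a pinned entry is listed as PERMANENT.
check_pinned() {
    ip neigh show to "$GW_IP" dev "$IFACE" 2>/dev/null | grep -q PERMANENT
}
```

Put the pin call in a startup script so it survives reboots, and record the gateway's MAC from a trusted moment (for example, read off the router itself) rather than from whatever the ARP cache happens to hold when you run the script. The entry does nothing against MAC flooding that pushes a switch into fail-open mode, and it leaves the gateway's own cache unprotected; for the important hosts, pin the entries on both ends.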
dsniff Frequently Asked Questions
Sumit Dhar works for SLMsoft.com.
email: sumit.dhar@slmsoft.com
Comments
SwitchSnarf
Switchsnarf is a Windows-based helper application; you can sniff a switched computer network with Switchsnarf.
Re: SwitchSniff
There are some good uses for this too. Example, if you wanted to find out who is using all your bandwidth, but you're not a sysadmin. You can use ettercap to poison the ARP cache of your default route, which will also enable you to span multiple switches, then use something like etherape to see what's going on.
Some switches will crash and burn, so be careful where you try this.
Has anyone tried to use this technique for a good purpose? Example, an IDS, IP accounting, etc., where you don't have control of the switch to set up a mirror port?
Re: SwitchSniff
If a switch is sent into 'failopen mode' will the computers connected to the switch be forced to compete for bandwidth like they would on a hub?
Re: SwitchSniff
Yes, that would sort of happen automatically.
In half-duplex mode: This competing is defined by the NIC listening for traffic before it sends traffic. If it's connected to a switch, the switch only sends stuff to it, so the NIC is competing with the switch only instead of all the other computers. When the switch goes into 'hub' mode, the sending NIC now has a bunch of traffic to dodge before it can send its packet.
In full-duplex mode (just a guess): There is no collision detection, the NIC sends and receives at the same time, the overloaded switch would still send everything to everyone, but the sending would not interrupt the receiving and vice versa. I have heard of some switches that revert to half-duplex when overloaded.
Re: SwitchSniff
Once a switch goes into a failopen mode, it behaves exactly like a hub. Computers connected to it will then have to compete for bandwidth as in the case of a hub. In fact, though it is not mentioned in the article, suspicious administrators should often look for such signs in a network...
Dhar
Re: SwitchSniff
Most switches will fail open when fully saturated as well. Meaning it will act like a hub when the traffic is at or over 100%.
Re: SwitchSniff
There are Ethernets that don't use IP, so it is not true that every computer has an IP address.
kinsella@ITCarlow.ie
ARP vs Datalink
It's not Data Link who maps IP addresses to MACs, baby. Different layer. Otherwise, useful article. thanx.
Re: ARP vs Datalink
looks like layer 2 to me. does not the LLC sublayer provide access for upper layer protocols ( layer 3) to the MAC sublayer?
Re: ARP vs Datalink
just out of curiosity... is it the Network layer (L3) then?
Read these books.
@Book{stevens94:_tcp_ip_illus_vol1,
author = {W. Richard Stevens},
title = {TCP/IP Illustrated, Volume 1: The Protocols},
publisher = {Addison-Wesley},
year = 1994,
series = {Addison-Wesley Professional Computing Series}
}
@Book{tanenbaum96:_comput_networ,
author = {Andrew S. Tanenbaum},
editor = {Noreen Regina},
title = {Computer Networks},
publisher = {Prentice Hall PTR},
year = 1996,
edition = {Third}
}
Re: SwitchSniff
A switch can be configured (with good planning) to stop both of these sniffing methods. However, there are always tradeoffs with this type of configuration, ex. more administration work.
Re: SwitchSniff
out of interest: how?
Re: SwitchSniff
you could do it by manually adding the ARP entries into the switch
Re: SwitchSniff
This of course assumes you are using managed switches, which cost many times more than unmanaged ones. I think you can still achieve good security results by using reservations for DHCP leases (better organization too), adding static entries in ARP tables to places like file servers, DNS, and gateways, and using monitoring tools like arpwatch. It isn't as effective as locking down things at the hardware level with a managed switch, but it should be enough for most environments and a hell of a lot cheaper if you don't require the added functionality the managed switch allows you...
Re: SwitchSniff
Please break up your long <pre> lines. They force a ridiculous width for the text. Maybe, then I'll read the article.
Re: SwitchSniff
get used to it ! mr anonymous !
this is a very good article so I don't really mind the minor formatting problem .
Re: SwitchSniff
The reason the lines are long is because I wanted to preserve the look and feel of what you would get on the screen when you gave that command.
Wondering if there is a way to preserve that look and feel, without making it feel kludgy. If there is a better way, kindly let me know. I will incorporate it into my next article.
Dhar
Re: SwitchSniff
Get rid of the tables. They're killing me. Try to print your page from Netscape, and you'll see what I mean. I had to paste the HTML into an editor and fix it just to print. Validate your code against the W3C validator to see the things you need to fix.
Re: SwitchSniff
Well, the opening quote from The Art of War was kind of wide in Netscape 6.2 and Mozilla, but in Konqueror everything is wrapped.
Why is nearly everyone including Dhar an AC?
Re: SwitchSniff
AOL.
Oh - for the person who said "just move the bar", you've got to do that for EVERY SINGLE LINE!!!!
I'm blowed if I'm going to try to read an article where I'm scrolling left AND right on every single damn line!
Sorry, but it ain't worth the hassle (and knowing my browser, it won't print properly, either :-(
Cheers,
Wol
Re: SwitchSniff
pretty tough to move the bar over half an inch isn't it!
give me a break
Re: SwitchSniff
Unfortunately, arpwatch isn't all that useful on networks that make use of DHCP. People who turn their computers off at night may have their IP addresses change the next day or over the weekend. My boss runs arpwatch where I work, and we just get flooded with reports of changing addresses because of this..
Re: SwitchSniff
So stop using fully dynamic leases. Change the existing leases into reservations. Dump the current MAC-IP table, do a little text editing and re-use it as the reservation table.
Leave 'enough' addresses, perhaps in a different group, for the inevitable additions.
The upside here is you can put these pseudo-static reserved IP addresses into DNS as well.
If you don't have enough free IP addresses then re-engineer your network. Put 'em behind a Firewall or NAT router.
The number of people that don't know how to use DHCP is astounding.
Re: SwitchSniff
By making them all reservations you are, effectively, returning to static IPs. Why bother?
With Dynamic DNS you can put a fully dynamic lease into DNS automatically. You don't need to go to reservations.
Why to bother.
Because it puts all IP admin in one central place.
Re: SwitchSniff
We set our IP lease time to 4 days. That way, unless someone is on vacation, the lease is renewed and the IP remains the same, no matter how much the machine is turned on and off. This is so stable and dependable that we have older machines that have had the same IP address since DHCP was put in place (I can count on "old .94" to be surfing porn at work, for example).
Re: SwitchSniff
You can also maintain a table of fixed MAC-IP relationships in the DHCP server for known computers. It's more work :-( but you will know when a new box enters the network :-). And arpwatch will work :-)
Re: SwitchSniff
Set your lease time longer. Most dhcp clients request the same lease address they already had (pump, dhcpcd, win98, nt, etc) so as long as the lease is valid it can be renewed.
If you are low on addresses, your dhcp server should just use the oldest lease that's not in use (ISC dhcpd)
Mike Fedyk