On Thu, 10 Jan 2002, Bruno Negrão wrote:

> Could someone tell me if sniffers can hear remote connections?

you have two methods, basically, and two different scenarios for each.

first, switched networks, which a lot of people have been chiming in here
about. you can break the spanning tree and have packets NOT destined for
your host be sent to you where you can monitor them, either by
arp poisoning, spanning tree abuse (i.e. insert 802.1d updates and
redo the tree), or arp flooding. similarly, you can set up a monitoring
port legitimately on the switch.

secondly, you have routed networks, where again, you can poison routing
tables and either have the traffic flow through your network or have it
split and redirected to you (and back to them, as well). this has been the
subject of a few talks and papers. curt wilson wrote a nice paper on
routing vulnerabilities, two guys (photek and RX, ISTR) did a talk on this
at defcon 01/USA and blackhat 01/Europe (the paper should be online), batz
did a great talk several years ago at blackhat/usa on bgp vulnerabilities,
etc ... definitely not out of the reach of typical hackers. CERT has been
talking about the compromise of many routers, by the way, and the
increased discussion of cisco ios vulnerabilities (together with their
increased use of web interfaces for configuration, misconfiguration of
leaving that on, associated vulnerabilities with the web servers)
definitely back this up.

the second method, not like the 'forward to me so i can sniff' methods
outlined above, is applicable to both scenarios. basically you compromise a
host on the segment (switched or routed) that you wish to observe and
forward the traffic back to you, either in a direct stream or later as a
package. if you do the stream method it's best to have a tight filter on
what you're observing so you don't ruin bandwidth. tunnelx, discussed in a
phrack issue a couple of years ago, demoed this using gre tunnels. 'things
to do in ciscoland when you're dead' was the title. the typical linsniff
stuff script kiddies do is like this, as well, when they come back and
grab their sniffer logs (i.e. passwords and accounts).

hope this helps,

____________________________
jose nazario                                                 [EMAIL PROTECTED]
                     PGP: 89 B0 81 DA 5B FD 7E 00  99 C3 B2 CD 48 A0 07 80
                                       PGP key ID 0xFD37F4E5 (pgp.mit.edu)

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
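As an added example, not from the original post or its author: the defender-side counterpart of the arp poisoning method described above. It is the same idea arpwatch implements, a check over a constructed sequence of ARP replies (the IPs and MACs are made up) that flags an IP whose MAC binding changes and a MAC that claims several IPs, which is what a redirect-to-me attack looks like on a switched segment.

```python
"""Flag ARP-poisoning symptoms in a sequence of ARP 'is-at' replies.

Constructed example. Each record is (sender_ip, sender_mac) as seen on
the segment, in arrival order. An IP that suddenly maps to a new MAC, or
one MAC that claims many IPs, is the trace left by traffic redirection.
"""
from collections import defaultdict

# Constructed sample of ARP replies (ip, mac); not real network data.
SAMPLE_REPLIES = [
    ("10.0.0.1", "00:11:22:33:44:01"),   # gateway announces itself
    ("10.0.0.2", "00:11:22:33:44:02"),
    ("10.0.0.3", "00:11:22:33:44:03"),
    ("10.0.0.1", "00:11:22:33:44:01"),   # gateway re-announces, same MAC: fine
    ("10.0.0.1", "00:11:22:33:44:99"),   # gateway's IP now claimed by another MAC
    ("10.0.0.2", "00:11:22:33:44:99"),   # the same MAC also claims host .2
]


def detect_arp_anomalies(replies, max_ips_per_mac=1):
    """Return alert strings for suspicious ARP bindings.

    An alert is raised when an IP changes MAC (a possible spoofed reply)
    and when a single MAC claims more than max_ips_per_mac addresses.
    """
    ip_to_mac = {}                 # last MAC seen for each IP
    mac_to_ips = defaultdict(set)  # every IP each MAC has claimed
    alerts = []
    for ip, mac in replies:
        prev = ip_to_mac.get(ip)
        if prev is not None and prev != mac:
            alerts.append(f"IP {ip} changed from {prev} to {mac}")
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) > max_ips_per_mac:
            alerts.append(f"MAC {mac} claims {sorted(mac_to_ips[mac])}")
    return alerts


if __name__ == "__main__":
    for line in detect_arp_anomalies(SAMPLE_REPLIES):
        print(line)
```

A router holding several addresses on one interface, or a VRRP/HSRP failover, will legitimately trip the per-MAC rule, so raise max_ips_per_mac or whitelist those MACs before running this on a real segment.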
