[unisog] Strange things from our residence.

Patrick Darden darden at armc.org
Wed Oct 23 16:55:03 GMT 2002

Dsniff and Ettercap both have arp poisoning built in for MITM attacks on
passwords, session injection, and session hijacking. What you are talking
about, though, is different.

Dsniff is a collection of tools that prove switches do nothing to aid in
security.  Very innovative stuff.  Lots of other stuff: session injection 
and hijacking, built-in password sniffing for a variety of protocols,
etc.  A great toolkit.  It is not easy to use, however.

Ettercap is state of the art, and easy to use.  It includes most of
dsniff's functionality, although it is not a toolkit but instead an
integrated tool, so you cannot use it to do new stuff so easily.  Any fool
can use Ettercap, unfortunately.

--Patrick Darden                Internetworking Manager             
--                              706.475.3312    darden at armc.org
--                              Athens Regional Medical Center

On Wed, 23 Oct 2002, Jerry A. Copus wrote:

> I seem to recall that the tool was called "dsniff". A Google search will 
> turn up a lot about it, but SANS has a general write-up of the theory at 
> <http://www.sans.org/newlook/resources/IDFAQ/switched_network.htm>.
> --On Tuesday, October 22, 2002 6:06 PM -0700 "David P. Allen" 
> <allendp at plu.edu> wrote:
> > Pete Hickey wrote:
> >
> >> SO we've had a weird problem (on a subnet) in one of our residences.
> >> It seems like people were gradually losing connectivity.  What was
> >> happening is that someone was sending out ethernet packets with a
> >> source MAC address of FFFFFFFFFFFF.  A broadcast as the source.
> <snip!>
> > Sounds a lot like a tool I've seen that is designed to "overload" a
> > switch's ARP cache and force broadcast of traffic to all ports.
> >  Essentially turning a switch into a hub until it eventually relearns
> > everyone's port location.  Obviously, this tool is designed to provide a
> > mechanism for sniffing even on a supposed "secure" segment, but it does
> > have its drawbacks.  Not the least of which is the obvious user
> > reactions of "something is broken".
> >
> > BTW, for anyone interested, I can't remember the name of the utility at
> > the moment, but will supply it (once I remember) upon request.
> >
> > --
> > David P. Allen
> > Network Manager
> > Pacific Lutheran University
> >
> > { (253) 535-7524          | "...one of the main causes of the fall of  }
> > { allendp at PLU.edu         |  Rome was that, lacking zero, they had no  }
> > { www.plu.edu/~allendp    |  way to indicate successful termination of }
> > {                         |  their C programs."         --Robert Firth }
> _______________________________________________________________________
>                  Jerry A. Copus -- Network Administrator
>                   University of Wisconsin - Platteville
> _______________________________________________________________________
>        Don't be afraid to take a big step if one is indicated.
>    You can't cross a chasm in two small jumps. -- David Lloyd George
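
An added example, not part of the original thread: a small detector for the two symptoms discussed above, frames whose source MAC is a group address (such as FFFFFFFFFFFF) and ARP replies that rebind an IP address to a different MAC. The function names, sample frames, MAC addresses and IP addresses are constructed for illustration.

```python
import struct

ETH_IPV4, ETH_ARP = 0x0800, 0x0806

def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)

def inspect_frames(frames):
    """Return (index, reason) findings for a list of raw Ethernet II frames."""
    findings, bindings = [], {}   # bindings: ARP sender IP -> first MAC seen
    for i, frame in enumerate(frames):
        if len(frame) < 14:
            findings.append((i, "truncated Ethernet header"))
            continue
        src, ethertype = frame[6:12], struct.unpack("!H", frame[12:14])[0]
        # A source address must be unicast. The I/G bit (low bit of the first
        # octet) marks group addresses, including ff:ff:ff:ff:ff:ff.
        if src[0] & 0x01:
            findings.append((i, f"group-addressed source MAC {mac_str(src)}"))
            continue
        if ethertype != ETH_ARP or len(frame) < 42:
            continue
        htype, ptype, hlen, plen, _op = struct.unpack("!HHBBH", frame[14:22])
        if (htype, ptype, hlen, plen) != (1, ETH_IPV4, 6, 4):
            continue
        sha, spa = frame[22:28], ".".join(map(str, frame[28:32]))
        if sha != src:
            findings.append((i, f"ARP sender {mac_str(sha)} != frame source"))
        # A changed binding is a lead, not proof: DHCP reuse causes it too.
        if bindings.setdefault(spa, sha) != sha:
            findings.append((i, f"{spa} moved from {mac_str(bindings[spa])} to {mac_str(sha)}"))
    return findings

def eth(dst, src, ethertype, payload=b""):
    return bytes.fromhex(dst) + bytes.fromhex(src) + struct.pack("!H", ethertype) + payload

def arp_reply(sha, spa, tha, tpa):
    return struct.pack("!HHBBH", 1, ETH_IPV4, 6, 4, 2) + bytes.fromhex(sha) + bytes(spa) + bytes.fromhex(tha) + bytes(tpa)

# Constructed sample frames (locally administered MACs, documentation IPs).
GW, HOST, ROGUE = "020000000001", "020000000002", "020000000099"
SAMPLE_FRAMES = [
    eth(HOST, GW, ETH_ARP, arp_reply(GW, [192, 0, 2, 1], HOST, [192, 0, 2, 20])),
    eth(HOST, "ffffffffffff", ETH_IPV4, b"\x45" + bytes(19)),
    eth(HOST, ROGUE, ETH_ARP, arp_reply(ROGUE, [192, 0, 2, 1], HOST, [192, 0, 2, 20])),
]

if __name__ == "__main__":
    print(*inspect_frames(SAMPLE_FRAMES), sep="\n")
```

In practice the frames would come from a capture on a mirror port; the function only needs the raw bytes of each frame starting at the destination MAC.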
