
Re: [SAGE] sniffing switched nets



In the wise words of Strata Rose Chalup:

> I've been given to understand that the technique involves reconfiguring
> the switch to copy traffic to a monitor port.  Given how easy it
> allegedly is to break into most switches, I think this is a valid line
> of attack.  
> 
> There's also supposed to be another technique, about which here is
> something from a quick Google search:
[ . . . ]

There's a technique to do this by flooding switches with fake MAC
addresses until the switch drops back into hub mode. A quick Google
search on "switch mac flood" returns angst, which apparently uses this
technique:

http://angst.sourceforge.net/

# Angst is an active sniffer, based on libpcap and libnet. Angst provides
# methods for aggressive sniffing on switched local area network
# environments. It dumps the payload of all the TCP packets received on
# the specified ports. Moreover, it implements methods for active
# sniffing. Angst currently provides two active sniffing methods. The
# first monitors ARP requests, and after enabling IP forwarding on the
# local host, sends ARP replies mapping all IPs to the local MAC address.
# The second method floods the local network with random MAC addresses
# (like macof v1.1 by Ian Vitek), causing switches to send packets to all
# ports. Made just for testing purposes and fun. If you compile it on any
# other platform except the ones listed below, please contact me at the
# above email address. As always, published under a BSD style license, see
# the included LICENSE file.

Jon
-- 
Jon Lasser	
Home: jon@lasser.org		|    Work:jon@cluestickconsulting.com
http://www.tux.org/~lasser/     |    http://www.cluestickconsulting.com
   Buy my book, _Think_Unix_! http://www.tux.org/~lasser/think-unix/
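
Added example, not part of the original message or of Angst: a defender-side check for the two behaviours the quoted Angst description names, a burst of never-before-seen source MACs on one switch port and a single MAC answering ARP for many IPs. The port names, thresholds, record layouts and sample data are constructed assumptions.

```python
from collections import defaultdict, deque

def detect_mac_flood(frames, window=1.0, max_new=50):
    """frames: (timestamp, switch_port, src_mac). Returns {port: peak count of
    first-seen MACs inside any `window` seconds} for ports above max_new."""
    seen = defaultdict(set)      # port -> every source MAC learned so far
    recent = defaultdict(deque)  # port -> timestamps of recent first sightings
    peak = defaultdict(int)
    for ts, port, mac in sorted(frames):
        if mac in seen[port]:
            continue             # a known station adds no table pressure
        seen[port].add(mac)
        q = recent[port]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()          # drop sightings older than the window
        peak[port] = max(peak[port], len(q))
    return {p: n for p, n in peak.items() if n > max_new}

def detect_arp_claims(replies, max_ips=3):
    """replies: (timestamp, sender_mac, sender_ip) taken from ARP replies.
    Returns {mac: sorted IPs} for MACs claiming more than max_ips addresses."""
    claimed = defaultdict(set)
    for _ts, mac, ip in replies:
        claimed[mac].add(ip)
    return {m: sorted(ips) for m, ips in claimed.items() if len(ips) > max_ips}

def sample_frames():
    # Constructed data: two ordinary access ports plus one port learning
    # 500 new source MACs within half a second.
    normal = [(i * 0.5, "Gi0/1", "00:11:22:33:44:55") for i in range(20)]
    normal += [(i * 0.5, "Gi0/2", f"00:11:22:33:44:{i % 3:02x}") for i in range(20)]
    flood = [(2.0 + i * 0.001, "Gi0/7", f"02:00:00:00:{i >> 8:02x}:{i & 0xff:02x}")
             for i in range(500)]
    return normal + flood

def sample_arp():
    # Constructed data: two honest hosts and one MAC answering for 20 IPs.
    ok = [(0.0, "00:11:22:33:44:55", "10.0.0.5"),
          (1.0, "00:11:22:33:44:66", "10.0.0.6")]
    spoof = [(2.0 + i, "02:de:ad:be:ef:01", f"10.0.0.{i}") for i in range(1, 21)]
    return ok + spoof

if __name__ == "__main__":
    print("MAC flood suspects:", detect_mac_flood(sample_frames()))
    print("ARP claim suspects:", detect_arp_claims(sample_arp()))
```

On a live network the records would come from switch MAC-learning logs or a capture on a monitor port, and both thresholds need tuning for ports that legitimately carry many stations, such as uplinks.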
