February 23rd, 2003, 05:58 PM
man in the middle attacks
Does anybody know where I can find some information on this kind of attack?
I have heard that DNS spoofing has something to do with this subject.
February 23rd, 2003, 06:06 PM
Depends on the environment you are working in. You might not need to use DNS Spoofing. Google is a very powerful search engine and that's usually a good place to start to learn how attacks are done. SANS has some pretty good white papers in their Reading Room (RR). http://www.sans.org/rr/threats/address.php
Hope this helps.
You also might want to try out the tool I covered in the AO Newsletter #6 on your home LAN. It should give you an idea of what an Admin might be facing with MITM type of attacks.
February 25th, 2003, 10:21 AM
U CANT TOUCH WHAT U CANT SEE
February 25th, 2003, 10:57 AM
Check out what I found for you.
This information was taken from:
The man in the middle forgery attack depends on being able to carry out a complete conversation while claiming to be the trusted host. In order to do this, the attacking machine needs to be able to not only send you packets, but also intercept the packets you reply with. To do this, the attacker needs to do one of the following:

- Insinuate the attacking machine into the path between you and the real machine. This is easiest to do near the ends of the path, and most difficult to do somewhere in the middle, because given the nature of modern IP networks, the path through "the middle" can change at any second.
- Alter the path between the machines so it leads through the attacking machine. This may be very easy or very difficult, depending on the network topology and routing system used by your network, the remote network, and the Internet service providers between those networks.

Although this kind of attack is called "man in the middle", it's relatively rare for it to actually be carried out in the middle (external to the sites at each end) because nobody but a network provider is in a position to carry it out in that way, and network providers are rarely compromised to that extent. (People who compromise network providers tend to be working on quantity. Packet sniffing will give them many hosts rapidly, but man in the middle attacks give them only one site at a time.) These attacks tend to be problems only if one of the involved sites has hostile users who have physical access to the network (for example, this might be the case if one site is a university).
O'Reilly's Building Internet Firewalls, 2nd edition
by Elizabeth D. Zwicky, Simon Cooper, and D. Brent Chapman
Second edition, published June 2000.
I hope this helps you.
Ubuntu: means in African: "I'm too dumb to use Slackware"
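The excerpt's central condition, that a forger must intercept the victim's replies and not merely inject packets, as a constructed Python model added here (not code from the thread or from the book); the host roles, the challenge-response exchange and the shared key are assumptions made for the illustration:

```python
import hashlib
import hmac
import secrets

# Constructed model (added example): the client challenges its peer with a
# fresh nonce. Only a peer that actually receives the challenge can echo it,
# and only one holding the shared key can authenticate the echo.
SHARED_KEY = b"constructed-demo-key"  # assumed, not from the thread


def mac(key, nonce):
    return hmac.new(key, nonce, hashlib.sha256).hexdigest()


class RealServer:
    """The trusted host: sees the challenge and holds the key."""
    def answer(self, nonce):
        return {"nonce": nonce, "tag": mac(SHARED_KEY, nonce)}


class BlindForger:
    """Off-path attacker: can send packets to the client but never sees the
    challenge (it cannot intercept replies), so it can only guess the nonce."""
    def answer(self, nonce):
        return {"nonce": secrets.token_bytes(16), "tag": ""}


class OnPathAttacker:
    """Attacker the path now runs through: sees the challenge, lacks the key."""
    def answer(self, nonce):
        return {"nonce": nonce, "tag": ""}


def verify(responder, key=SHARED_KEY):
    """Client side: send a challenge, then check the echo and the MAC."""
    nonce = secrets.token_bytes(16)
    reply = responder.answer(nonce)
    if reply["nonce"] != nonce:
        return "rejected: reply is not to our challenge (blind injection)"
    if not hmac.compare_digest(reply["tag"], mac(key, nonce)):
        return "rejected: peer echoed the nonce but cannot prove identity"
    return "accepted"


if __name__ == "__main__":
    for peer in (RealServer(), BlindForger(), OnPathAttacker()):
        print(f"{type(peer).__name__:15} -> {verify(peer)}")
```

The blind forger fails at the first check, which is the excerpt's point; the on-path attacker passes it and is only caught by the key it does not hold, which is why path insertion is the dangerous case.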
February 25th, 2003, 11:03 AM
Don't know if this is what you are chasing, but there is a write-up on DNS Cache Poisoning here:
There are also a few reference links off this article.