
Thread: MAC spoofing and packet sniffing?

  1. #11
    Senior Member IKnowNot
    Join Date
    Jan 2003
    Posts
    792
    Uh, Tiger Shark and d0pp kind of summed it up.

    I will say it a little less diplomatically:
    If you can't handle Windows, use your computer as a door stop, you will get more use out of it.

    Yes, M$ has problems. Most can be mitigated by proper administration.

    And therein lies the quandary: How do you learn to administer an OS without understanding what it is doing, especially since M$ tries to do it for you without doing it properly from the start?

    READ!
    Everything you can.
    M$ actually helps you. They provide a wealth of knowledgebase articles to study.

    “Google” for answers.

    Come here to AO and search through the archives, ask questions if you can't find an answer.

    Am I saying that Linux isn't a great OS? ........ No.

    Am I saying you can't learn from Linux? .......... No.

    What I am saying is that if you can't secure a M$ system, then installing Linux and expecting it to secure itself is futile at best.

    Linux, at least in the early days, made you learn how to secure it, and run it for that matter.
    Now pretty much anybody with a little computer savvy can install and run Linux. Just because fewer exploits are written for Linux at this time doesn't mean you are safe if you run it. That will change, before you know it.

    And as d0pp said, M$ is the industry standard. If you expect a job somewhere, you better know M$. But if you want to learn something else, Linux can still be a great teacher.

    Go to Linux for the right reasons.

    MOOD: Drunk and Content. Just finished a GREAT Dominican, just got through teaching (while learning and getting drunk together) an old Linux guru and friend how to administer LVM on Linux, all while listening to a great CD, Big Band Christmas (the Peter Jacobs Orchestra).
    Life is Good, despite the curves it throws.
    " And maddest of all, to see life as it is and not as it should be" --Miguel Cervantes

  2. #12
    Member
    Join Date
    May 2002
    Posts
    62
    Whoa. This topic has gone errr off-topic. For the record there are ways to "sniff" traffic going on on a router or switch. I've read about ARP poisoning which you could use to monitor traffic going on between specific computers or to the router. That way wouldn't be really realistic because of the hardware resources required. Another option is to use a proxy server on your network for all of your workstations.

    On the side topic: I got the current job I have right now because I knew Linux.

    Hope I kind of helped.

    rasem

  3. #13
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Rasem:

    Keep reading.... Maybe you'll learn something in your browsings.... 'Cos you don't seem to understand the principle you are talking about right now....

    What hardware requirements do you need to ARP spoof?
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  4. #14
    Member
    Join Date
    May 2002
    Posts
    62
    Tiger Shark,

    I would like to start by conceding to your superior skills.

    I went back and re-read the section on MAC-address spoofing as you suggested. Would it be accurate to say that you could have multiple interceptions occurring through the same machine at the same time using a single NIC?

    I'd appreciate your clarification.

    rasem

  5. #15
    Banned
    Join Date
    Jun 2005
    Posts
    445
    Yes, that is what promiscuous mode means.


    It accepts every packet it sees, not just those packets bound for whatever IP the NIC has.


    The key is making every packet come to the NIC. That is where either a hub, or an ARP attack comes into play.

    The hub will not direct packets to the correct NIC, every NIC sees every packet. And the ARP poisoning will convince the other machines that your computer is a gateway of sorts.

  6. #16
    Member
    Join Date
    May 2002
    Posts
    62
    Gee - lots of posts, but I want to make sure that I'm fully understanding your answer, d0pp. I understand that that mode will accept all packets, however in the scenario we're doing this with a switch or router, so even if it is in promiscuous, it won't receive those packets unless it is actively either legitimately receiving packets or intercepting, by receiving the packets intended for another machine and then forwarding to the true target. The reason obviously being because the information is not being broadcast to all ports. What I am questioning is if you can actively receive intercepted packets by ARP poisoning from multiple machines. Writing it out, from my limited understanding, it seems plausible, but initially I had hastily assumed you'd required multiple NICs. If that is the case, I apologize.

    rasem

  7. #17
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    If you are trying to capture packets from a whole switched network rather than an individual machine a better attack to try is an ARP flood. When you ARP flood a switch, (send packets claiming to be from multiple hosts that already exist out on the local network), you will either fill the switch's ARP tables up or confuse the switch by having so many multiple entries that the switch will fail over to being a hub which broadcasts all packets on all ports.

    ARP spoofing, by its name, is better suited to use against an individual host.
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
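
What posts #15 and #17 describe looks like this from the monitoring side. This is an added example, not written by any poster in this thread: it parses raw Ethernet/ARP frames and flags an IP address whose claimed MAC changes, an ARP sender address that disagrees with the Ethernet source, and a burst of distinct sender MACs within one second. The function names, the threshold of 50 and all addresses in the sample capture are assumptions made for the illustration.

```python
import struct
from collections import defaultdict

def build_arp(op, sha, spa, eth_src=None):
    """Constructed test input: a broadcast Ethernet frame carrying an ARP message."""
    eth = b"\xff" * 6 + (eth_src or sha) + struct.pack("!H", 0x0806)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op) + sha + spa + b"\x00" * 10
    return eth + arp

def parse_arp(frame):
    """Return (eth_src, sender_mac, sender_ip) for IPv4-over-Ethernet ARP, else None."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    htype, ptype, hlen, plen, _op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return frame[6:12], frame[22:28], frame[28:32]

def analyze(frames, flood_threshold=50):
    """frames: iterable of (unix_second, raw_frame). Returns (kind, ip, mac) alerts."""
    bindings, per_second, flooded, alerts = {}, defaultdict(set), set(), []
    for ts, raw in frames:
        parsed = parse_arp(raw)
        if parsed is None:
            continue
        eth_src, sha, spa = parsed
        ip, mac = ".".join(map(str, spa)), ":".join(f"{b:02x}" for b in sha)
        if eth_src != sha:                  # ARP payload disagrees with the frame header
            alerts.append(("src-mismatch", ip, mac))
        if ip != "0.0.0.0":                 # ARP probes carry no sender IP to bind
            if ip in bindings and bindings[ip] != mac:
                alerts.append(("rebind", ip, mac))  # same IP now claimed by another MAC
            bindings[ip] = mac
        per_second[ts].add(mac)
        if len(per_second[ts]) > flood_threshold and ts not in flooded:
            flooded.add(ts)                 # report each noisy second once
            alerts.append(("flood", None, None))
    return alerts

def sample_capture():
    """Constructed capture: gateway, one host, a second MAC claiming the gateway IP, a burst."""
    gw, host, rogue = (bytes.fromhex(h) for h in ("020000000001", "020000000002", "020000000bad"))
    gw_ip, host_ip = bytes([192, 168, 1, 1]), bytes([192, 168, 1, 20])
    frames = [(100, build_arp(2, gw, gw_ip)), (100, build_arp(1, host, host_ip)),
              (101, build_arp(2, rogue, gw_ip))]
    frames += [(102, build_arp(2, bytes([2, 0, 0, 1, 0, i]), bytes([10, 0, 0, i]))) for i in range(60)]
    return frames
```

A rebind also happens legitimately (a DHCP lease moving to another host, a failover pair), so treat these alerts as triage leads; a rebind of the gateway's IP is the one worth checking first.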

  8. #18
    Senior Member
    Join Date
    Oct 2001
    Posts
    131
    A good site to check out on sniffing connections is www.remote-exploit.org; they have a bootable CD you can even use. The video tutorials are a bit dull but will explain things in an easy way.

    Check Google for "Man in the middle" attacks. Although I use the term "Attack", this is another great way to check if any info is being sent from a computer. You will need two NIC cards or at least two network connections (wired, wireless).
    What's a "START" button?

  9. #19
    Senior Member
    Join Date
    Jul 2004
    Posts
    469
    As the original topic requested, if you want to sniff a wireless network what you're more concerned with is having a WiFi card and driver that supports RFMon mode. This means that the actual card receives all signals instead of those intended for it. The promiscuous mode only deals with the packets once they get to the OS.

  10. #20
    AntiOnline Senior Medicine Man
    Join Date
    Nov 2001
    Posts
    724
    Well, I'm not 100% certain about this wireless setup you have, but I know that if you plug a switch into your router, then plug all your hosts into that, you can spoof yourself as the gateway, and all the traffic will route through you, kinda like a man-in-the-middle attack. But really I don't know much else other than.
    It is better to be HATED for who you are, than LOVED for who you are NOT.

    THC/IP Version 4.2
