
Sniffing switched networks

20 years 5 months ago #1808 by sahirh
Most of you know (or should know) that sniffing a switched network with a regular packet sniffer will give you nothing more than a lot of useless broadcast junk.

However, all admins know that capturing packets on the network can be one of the most useful ways to troubleshoot network problems. So what do you do if your network is running on those nice shiny Catalyst switches and you really need to see what's on the wire?

You do have a couple of options: you could 'span' one port on the switch to see all the traffic, or you could plug a laptop into a monitor port (if your switch has such a feature). But what if you just want to sniff from the comfort of your own desktop? Or you don't have the admin rights? (tch tch... you bad person :))

Enter Ettercap

Ettercap is a sniffer. It can be a regular boring ethernet sniffer, but what it's really all about is sniffing switched networks. It does this by poisoning the ARP cache of the hosts you want to sniff.

(Since I'm assuming anyone who is interested in sniffing switched networks is a techie, here is a link explaining ARP cache poisoning)
packetstormsecurity.org/papers/protocols..._to_arp_spoofing.pdf

Now for the really fun part. Ettercap not only sniffs switched networks, it also collects passwords for lots of common protocols: HTTP, Telnet, FTP etc. So if you see someone is in the middle of an FTP session, you select that session and, if the username and password were sniffed, ettercap will show them to you.

It will also allow you to sniff SSL (yes, that means secure webpages) as well as SSH traffic. I'm not quite sure how it does this, and haven't ever tried it, but it apparently works terrifyingly well.

You can also kill any connection that is currently going on if you don't like it (that could be useful).

But by far the freakiest feature is this:
Ettercap can inject data into the TCP stream! This means telnet connections can be hijacked, HTTP requests changed, etc.

Here is a very nicely done page with screenshots showing it at work
securitypronews.com/securitypronews-24-2...oofingandBeyond.html

In example one, the attacker has told ettercap to replace " www.google.com " in any HTTP traffic with some other website address, effectively redirecting the traffic to another website.

In example two, he changes words in the text of a webpage.

I've illustrated that this ingenious tool features a lot of ethically questionable uses, but trust me, it can be used very legitimately by admins. It has an option to scan the LAN to see if anyone else is doing any poisoning, and it also has an option where it only poisons the cache and lets you do all your sniffing with your favourite packet sniffer. Perfect for troubleshooting.

Here's a link:
ettercap.sourceforge.net

It runs under pretty much every O/S, including *nix, windows and Mac OS.

Just remember that sniffing other peoples data is not a very nice thing to do.

Cheers,

Sahir Hidayatullah.
Firewall.cx Staff - Associate Editor & Security Advisor
tftfotw.blogspot.com
20 years 5 months ago #1814 by Chris
I've been personally using Ettercap for over a year and one of the most useful features I have found is its flooding technique.

Using the required plugin, you are able to bring a P4 with 512MB RAM Linux server to its knees in around 40 seconds!

Amongst the 20 plugins it comes with, here are the most popular:

Lamia: This plugin allows you to become the root in a switched network that uses the STP protocol to avoid loops.

Spectre: Floods the LAN with random MAC addresses

Banshee: Described as "They kill without discretion... "

Golem: A dangerous DoS plugin

and lastly its useful Hxx_xxx series plugins which Sahir referred to. They allow you to steal passwords and data from HTTP, POP, SMTP and a number of other types of streams.

Ettercap is a wonderful tool and one that I usually work with every day to help troubleshoot our network problems, but also create new ones :wink:

From my personal experience, I would highly recommend it to anyone that has a few switches in their network and a Linux computer connected to it.

Cheers,

Chris Partsenidis.
Founder & Editor-in-Chief
www.Firewall.cx
20 years 4 months ago #1860 by Neon
ettercap is one serious packet sniffing program.

I have been testing this program since sahirh posted about it, and it works very well, doesn't it? I was shocked!

Interestingly enough, after looking at the program being able to do an ARP poison, I have found a way on ZoneAlarm to prevent your computer being spied on. I don't know if it works for everyone but I will just post it here for reference.

The option is called "ARP Protection" in ZA; dunno if it's the same on other programs, but anyway this is how to enable it (it's off by default):

Open the ZA window, and on the left hand side click "Firewall"

Now on the bottom right of the new dialog that appears click the advanced button.

You will be presented with a dialog like this:


(Take note of all the other things ZA has available)

Next click the "Enable ARP Protection" checkbox and there you go!

I have tested the ARP Poisoning with and without this option and it worked for me.

ZoneAlarm is available here
20 years 4 months ago #1863 by sahirh
First, Chris, you are full of surprises ;) I could never imagine your seemingly benevolent self hunched evilly over ettercap screaming 'Die connection! Die!' :lol: Just wanted to add that you don't need a Linux box for ettercap; it's been ported to a variety of operating systems including the Windows family.

Neon, that is very interesting information you just posted. I had no idea that ZA had support for ARP protection; this will definitely be added to my paper on the need for personal firewalls. I'm very interested. You said you tested it; did you enable it and then find you were unable to use ettercap to sniff the target machine?

Unfortunately I don't have the luxury of a home LAN anymore (long story). I'll have to look into how ettercap handles a VMware virtual switched environment :( How boring is that...

Chris, I think for every well-answered post on the forums, tfs and I should be gifted one piece of hardware :) We forum moderators are a greedy bunch! That said, a jar of olives would suffice as well.


Cheers,

ps. for those who didn't understand the last paragraph, Chris is a master olive harvester (if that's the correct term). 8)

20 years 4 months ago #1865 by Neon
To do my ZA trials, I enabled ARP Protection then tried to do an ARP poison. When I did it from my notebook to my desktop PC (the notebook is the attacking machine), ettercap looked normal, as if it was a successful poison, but no packets were displaying when I was surfing on my desktop PC.

Then I turned off ARP Protection on my PC in ZA, reconnected with ettercap (from the notebook) and boom, the victim machine (desktop PC) was poisoned!

Hope that was enough info :)

Note: When I tried to do an ARP poison on my desktop PC with ARP Protection enabled, ZoneAlarm didn't post the attack in the log files. There might be an option somewhere to enable this function; if I find one I'll let you know.
20 years 4 months ago #1866 by sahirh
Ah, there's the rub. It won't log it because it's only blocking ARP requests other than broadcasts, and it only allows ARP replies where an ARP request has been sent. In other words, it's like stateful inspection of ARP traffic.

Funny, I would have thought this would be a default rule...

Anyway, I'm quite sure there will be a way to work around this through ettercap. I haven't been able to test, but this has my curiosity going. Perhaps an explanation of ARP cache poisoning is worth posting. I'll get round to it once I've cleared up a few murky questions I have myself.

Off the top of my head, in logging options, I think if you check 'log' for 'blocked non-IP packets' you might see the poisoning entries in your logs.

The biggest problem with ZA is that in the process of trying to 'dumb things down' they've really made it more difficult for the advanced user to set advanced options, simply because things are made so vague. I mean, saying 'blocked non-IP packet' is rather generic to me...

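The two mechanisms argued over in this thread, ARP cache poisoning as sahirh describes it in the first post and the "stateful inspection of ARP traffic" he credits ZoneAlarm's ARP Protection with in the last one, can be shown side by side in a few dozen lines. The following is an added example, not code from the thread, from Ettercap or from ZoneAlarm: it builds and parses raw Ethernet/IPv4 ARP frames and feeds them to a simulated host cache that runs either naively (learn from any reply addressed to us) or statefully (accept a reply only for an IP we have sent a request for). The IP and MAC addresses, and the frames themselves, are constructed for the demo; the cache model is deliberately simplified and is not the behaviour of any particular OS or firewall.

```python
"""Added example (not from the thread, Ettercap or ZoneAlarm): ARP frame
builder/parser plus a simulated host ARP cache in naive and stateful modes.
All addresses and frames below are constructed for the demo."""
import struct
from typing import Dict, List, Optional, Tuple

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"

# Constructed lab addresses (assumptions, not taken from the thread).
VICTIM_IP, VICTIM_MAC = "192.0.2.10", "00:11:22:33:44:55"
GATEWAY_IP, GATEWAY_MAC = "192.0.2.1", "00:11:22:33:44:01"
ATTACKER_MAC = "de:ad:be:ef:00:01"


def _mac(s: str) -> bytes:
    return bytes(int(x, 16) for x in s.split(":"))


def _ip(s: str) -> bytes:
    return bytes(int(x) for x in s.split("."))


def build_arp(op: int, sender_mac: str, sender_ip: str,
              target_mac: str, target_ip: str) -> bytes:
    """Ethernet II header + 28-byte ARP body (RFC 826, Ethernet/IPv4)."""
    dst = target_mac if op == ARP_REPLY else BROADCAST
    eth = _mac(dst) + _mac(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    body = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
            + _mac(sender_mac) + _ip(sender_ip) + _mac(target_mac) + _ip(target_ip))
    return eth + body


def parse_arp(frame: bytes) -> Optional[dict]:
    """Return the fields of an Ethernet/IPv4 ARP frame, or None if it is not one."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    fmt_mac = lambda b: ":".join(f"{x:02x}" for x in b)
    fmt_ip = lambda b: ".".join(str(x) for x in b)
    return {"op": op,
            "sender_mac": fmt_mac(frame[22:28]), "sender_ip": fmt_ip(frame[28:32]),
            "target_mac": fmt_mac(frame[32:38]), "target_ip": fmt_ip(frame[38:42])}


class ArpCache:
    """Simplified host ARP cache that learns only from replies addressed to us."""

    def __init__(self, my_ip: str, my_mac: str, stateful: bool):
        self.my_ip, self.my_mac, self.stateful = my_ip, my_mac, stateful
        self.table: Dict[str, str] = {}   # ip -> mac
        self.pending: set = set()         # ips we have sent a request for
        self.log: List[str] = []

    def send_request(self, ip: str) -> bytes:
        self.pending.add(ip)
        return build_arp(ARP_REQUEST, self.my_mac, self.my_ip, "00:00:00:00:00:00", ip)

    def receive(self, frame: bytes) -> None:
        pkt = parse_arp(frame)
        if pkt is None or pkt["op"] != ARP_REPLY or pkt["target_ip"] != self.my_ip:
            return
        ip, mac = pkt["sender_ip"], pkt["sender_mac"]
        if self.stateful and ip not in self.pending:
            # Unsolicited reply: the kind of frame a poisoner sends. Drop and record it.
            self.log.append(f"dropped unsolicited reply: {ip} is-at {mac}")
            return
        old = self.table.get(ip)
        if old is not None and old != mac:
            # Worth alerting on even in a naive stack: a known IP just changed MAC.
            self.log.append(f"MAC change for {ip}: {old} -> {mac}")
        self.table[ip] = mac
        self.pending.discard(ip)


def run_scenario(stateful: bool) -> Tuple[Dict[str, str], List[str]]:
    """Victim resolves the gateway normally, then an unsolicited spoofed reply arrives."""
    victim = ArpCache(VICTIM_IP, VICTIM_MAC, stateful)
    victim.send_request(GATEWAY_IP)
    victim.receive(build_arp(ARP_REPLY, GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP))
    victim.receive(build_arp(ARP_REPLY, ATTACKER_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP))
    return victim.table, victim.log


def run_race() -> Tuple[Dict[str, str], List[str]]:
    """Stateful cache, but the attacker answers the victim's own request first."""
    victim = ArpCache(VICTIM_IP, VICTIM_MAC, stateful=True)
    victim.send_request(GATEWAY_IP)
    victim.receive(build_arp(ARP_REPLY, ATTACKER_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP))
    victim.receive(build_arp(ARP_REPLY, GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP))
    return victim.table, victim.log


if __name__ == "__main__":
    for name, (table, log) in [("naive", run_scenario(False)),
                               ("stateful", run_scenario(True)),
                               ("stateful, raced", run_race())]:
        print(f"{name}: gateway is-at {table[GATEWAY_IP]}; log={log}")
```

Running it shows the three outcomes: the naive cache ends up with the attacker's MAC for the gateway (and logs the MAC change, which is the signal a poisoning detector keys on), the stateful cache keeps the real gateway and logs the dropped unsolicited reply, and the raced stateful cache is still poisoned because the spoofed frame answered a request that really was pending, after which the genuine reply is the one discarded as unsolicited. That last case is the kind of workaround sahirh suspects exists: a request/reply check stops the cheap unsolicited-reply attack but not an attacker who can answer faster than the real host. Real stacks differ in details (many also update an existing entry from an ARP request, for instance), so treat the cache model as an illustration of the check, not of any one operating system.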