Sniffing in a Switched Network

-With A Recipe To Hack A Switch Using

Ettercap and Ethereal
-Manu Garg
manugarg at gmail dot com

Problem Statement-
To gain access to main switch of our compan using a machine in the
same !A"#
Tools used-
Ettercap$ Ethereal
Techniques Used-
Arp spoofing and Sniffing

How can we achieve our goal?
Most of the network administrators use telnet to login to a cisco machine#
Telnet is a clear-te%t protocol & so$ if ou can sniff the packets ou can get to know
what is other person talking to the machine#
Easy then, I will just sniff the packets from the wire and get into my switch.
Hey, I dont see any traffic on the wire. What could be the reason?
'ou are in switched network and switches don(t do an fa)or to the hackers# The
transmit data onl *etween the talking machines#
ut this is not fair. !hey said I am on ethernet. "re they not supposed to use
#$%"&#' then?
Ethernet has grown up *udd# +t(s ,switched ethernet( now#

Hey wait! Dont get disappointed too soon. We hackers are not
supposed to get defeated by a switch. Right?
Right# -ur elite masters who designed T./0+/ protocols didn(t forget us#
The left an otherwise in)isi*le path which can *e seen * onl their
enlightened students#
$o what is that path?
+t(s the path of arp spoofing# 1 using this techni2ue ou can fool our target
machines to send data through our attacking machine and then ou can
sniff it on our attacking machine#

ARP SPOOF!"## How does it
wor$?
Target 3
+/4 356#378#3#3
Hw4 99499499499499493
Target 6
+/4 356#378#3#399
Hw4 99499499499499496
AM :Attacking Machine;
+/4 356#378#3#363
Hw4 9949949949949949<
Switch
Switch forwarding traffic *ased on MA.
address
%e&ore Attac$''((

9949949949949943= 356#378#3#36<
99499499499499496 356#378#3#399
T3:356#378#3#3;4 T6:356#378#3#399;4
9949949949949943= 356#378#3#36<
99499499499499493 356#378#3#3
1efore attack$ T3 and T6 are talking to each other onl# 1elow is the arp ta*le of the
machines#
The switch understands onl MA. addresses and forwards the packets to the right
machines *ased on this MA. address# What if we manipulate the arp ta*les :this is
called arp poisoning; on T3 and T6 so that the target MA. address in all the packets
*eing e%changed *etween them$ *ecomes the MA. address of our attacking machine#
'ou got it right# Then switch will forward the packet to the attacking machine#
So after attack arp ta*le should look like something *elow4
9949949949949943= 356#378#3#36<
9949949949949949< 356#378#3#399
T34
9949949949949943= 356#378#3#36<
9949949949949949< 356#378#3#3
T64
Where 9949949949949949< is the MA. address of attacking machine#

ARP SPOOF!"## How does it
wor$?
Target 3
+/4 356#378#3#3
Hw4 99499499499499493
Target 6
+/4 356#378#3#399
Hw4 99499499499499496
AM :Attacking Machine;
+/4 356#378#3#363
Hw4 9949949949949949<
Switch
Switch forwarding traffic *ased on MA.
address
A&ter Attac$''((
"ote4 >on(t forget to ena*le ip?forwarding on our attacking machine otherwise
ou(ll *reak down traffic *etween 6 machines#

O)( guess* now +ou $now what ARP s,oo&ing is( !ow the bigger
question - How do we ,oison ARP table on T- and T.?
E%planation starts from another 2uestion# How do the hosts *uild this arp ta*le@ This
ta*le is *uilt using arp protocol# AR/ protocol has 6 kinds of packets & AR/ re2uest and
AR/ repl#
When a machine :sa$ A; wants to know MA. address of another machine :sa$ 1;$ it
sends an AR/ re2uest asking Awho has +/ address 1B# This is a *roadcast$ i#e# sent to
CC4CC4CC4CC4CC4CC# +t is picked up * all the machines in the !A" and onl the machine
possessing +/ address 1 sends an AR/ repl# +t is sent to machine A onl# Machine A
stores this MA. address in it(s AR/ ta*le#
"ow ou must *e getting some clue# 'es$ we are going to poison AR/ ta*le of T3 and
T6 * sending them AR/ replies# Most of the machines are generous enough and
respect the AR/ repl packet e)en when there was no re2uest for particular +/ address#
There are some machines$ for e%ample Sun-S$ which make an AR/ entr onl if there
is a re2uest for the one or if that ip is alread in the AR/ ta*le# We can make them
re2uest for particular +/ address * sending them an +.M/ Echo packet from that +/
address#

(k. $o you want me to create these ")* replies myself and manage all
this.
"o dude# We ha)e *lessings of our fellow hackers#
Al*erto -rnaghi :a#k#a# A!oR; and Marco Dalleri :a#k#a# "aGA; from Milan
ha)e created a nice tool called /tterca, *ased on e2uall cool li*rar
,libnet( from Mike#
Ettercap is prett )ersatile and tool of choice for M+TM attacks including
AR/ spoofing# Ettercap also has sniffing capa*ilities$ *ut + prefer to use it
onl for spoofing# Cor sniffing$ + prefer using /thereal# Main reason for this
is the use of pcap format for storing packets * ethereal# /cap is a prett
old format and there are man tools a)aila*le to analEe pcap files#
So$ use ettercap for arp spoofing# Ena*le ip forwarding in kernel to
maintain the connection *etween )ictim machines# And start sniffing using
tethereal :te%t interface to ethereal;# That(s all ou need to do#

Reci,e
+ets try to do e,erything said till now. +ets look at our problem once again
We want to get into the main switch of our compan# This will allow us to
configure the switch ports the wa we want#
Cirst task$ find out ip address of the switch# +n m case it is 356#378#3#399#
'ou can use "map(s -S detection feature to guess it#
"ow find out how network admin communicates with the switch# +n m case
network admin sits offsite# So$ he connects to the switch through WA" and
the re2uests come through the gatewa#
+ use another machine in the same su*set to o*ser)e the traffic for sometime
and find out that all incoming traffic to the su*net comes through the router
356#378#3#6 and all outgoing traffic goes through the router 356#378#3#3#
So$ when network gu from 356#378#393#<= logs into cisco console$ packets
are routed through the routers 356#378#3#3 and 356#378#3#6#

Routers 0R1
356#378#3#3
Hw Addr# 99499499499499493
Attac$ed Switch 0S1
.isco .atalst F999 series
356#378#3#399
Hw# Addr# 99499499499499496
Attac$ing 2achine 021
RHE! AS =#9
356#378#3#363
Hw Addr 4 9949949949949949<
Same su*net
Rest of the network
Routers 0R1
356#378#3#6
Hw Addr# 9949949949949949=

As ou can guess$ + need to put attacking machine in the path *etween
356#378#3#3 - 356#378#3#399 to tap outgoing packets and 356#378#3#6 &
356#378#3#399 to tap incoming packets#
So$ + need to tell the router 356#378#3#6 that 356#378#3#399 is at
9949949949949949< which is the MA. address of attacking machine# At the same
time also tell switch i#e# 356#378#3#399 that 356#378#3#3 is at 9949949949949949<#
1efore in)iting packets to our machine$ make sure ou ha)e path for them to
reach their destination i#e# don(t forget to ena*le ip forwarding# +n linu% ou can
ena*le ip forwarding using following command4
echo - 34,roc4s+s4net4i,v54i,6&orward
Reci,e '

To start arp spoofing using ettercap4
etterca, -o -T -P re,oison6ar, -2 ar,7remote 4-8.(-9:(-(-;;4 4-8.(-9:(-(--.4
-o 4 onl spoofing no sniffing#
-T 4 te%t mode
-/ repoison?arp
!ells it to load plugin repoison-arp. !his plugin re.poisons arp table at some
inter,als
-M arp4remote 0356#378#3#3990 0356#378#3#3-60
!ells it to start %I!% attack with /01./23././44 in first target group and
/01./23././, /01./23./.1 in second target group.
+(ll suggest ou to run ettercap in screen terminal$ so that ou can detach from screen
and forget a*out it for some time#
+ used Aettercap "G-9#G#6B# 'ou can download it from http400ettercap#sourceforge#com#
Start s,oo&ing'(

Start Sni&&ing '
"ow ou are all set to start sniffing# Use following command to start sniffing and
write packets to a file4
< tethereal -a&ilesi=e7-;;;;; -w 4tm,4cisco(,ca, -& >host -8.(-9:(-(-;; and
not ar, and not icm,?
-afilesiEe4399999
limits the file siEe to 399M1#
-w 0tmp0cisco#pcap
writes packets to 0tmp0cisco#pcap
-f Ahost 356#378#3#399 and not arp and not icmp?
is the filter string# +t tells to collect the packets either coming from or
going to 356#378#3#399 and not to collect an arp or icmp packets#

Use some social engineering# Cind out when network team is going to work on
the switch or an other host which ou want to *reak into# !ea)e our tools
running while the do it#
!ater on ou can analEe the capture file * opening it in ethereal and ou can
Hust follow the telnet stream to find out the password#
That(s all it takes#
A person is smart# *eople are dum*$ panick$ dangerous animals and ou know it#
--Ed Solomon