Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email email@example.com
RE: [Full-Disclosure] Caching a sniffer
From: Kenton Smith (ksmithchartwelltechnology.com)
Date: Thu Mar 11 2004 - 12:01:19 CST
On Thu, 2004-03-11 at 10:43, Mike Fratto wrote:
> Your assuming that the attacker 1) has control of the switch and 2) is
> sniffing either the uplink or has configured the switch to mirror all the
> switch ports or VLAN to the mirror port.
> Neither of which may be the case.
There are many people on this list who have more knowledge of this than
I do, but having control of the switch isn't the only way to sniff a
switched network. All you need is a way of spoofing ARP packets and you
can intercept all the traffic you want. Here's one such set of tools -
Full-Disclosure - We believe in it.