sooofunky Tux's lil' helper
Joined: 08 Nov 2004 Posts: 120
Posted: Thu Apr 14, 2005 9:02 am Post subject: General network question
Hi
Why do packet sniffers pose such a big security risk? They have to be connected to the network they want to spy on. Or is it possible to listen to a specific host on another network?
Thanks

mekong Tux's lil' helper
Joined: 23 Apr 2004 Posts: 93 Location: Rdam - NL - EU
Posted: Thu Apr 14, 2005 10:18 am
Yes, they have to be in the same network as the target. Why does it pose a big security risk? Because Ethernet is a shared medium: everyone can listen to what others send, and you're not sure about everyone's identity. You can change a network card's MAC address.

moby dick Tux's lil' helper
Joined: 19 Dec 2002 Posts: 78 Location: Germany / Frankfurt a. Main
Posted: Thu Apr 14, 2005 2:37 pm Post subject: Re: General network question
sooofunky wrote:
> Hi
> Why do packet sniffers pose such a big security risk? They have to be connected to the network they want to spy on. Or is it possible to listen to a specific host on another network?
> Thanks
They only need to share the same medium, for example the same LAN. Like sooofunky said, Ethernet is a shared medium. That means that every machine in an Ethernet may see every packet other machines send through the Ethernet. By the way, that's the idea behind Ethernet: everyone sees every packet and decides for himself whether it was destined for him. The sniffer now acts (tells the underlying layers) as if every packet belongs to him. So the sniffer can make a copy of every packet that runs along his way. By analysing the packets, the easiest step is to find out which (IP) settings are used in the eavesdropped network. With that, the eavesdropper can spoof his own addresses and act as if he actually belongs to the network. The next step would be to find out the secrets needed to get access to the network services. The needed passwords can be computed (it may take a while but it can be done). THAT'S why the sniffers pose such a risk.
Bye
M.
_________________
Athlon 64X2 4200+, MSI K8N SLI (nForce4 chipset), 2x512MB DIMM, MSI GeForce 6800 GT

bjacobt n00b
Joined: 10 Oct 2004 Posts: 35 Location: Dallas, TX
Posted: Thu Apr 14, 2005 5:42 pm
But if you use a switch instead of a hub you cannot see the packets that were meant for other computers, unless the virtual circuit table in the switch gets flooded.

sooofunky Tux's lil' helper
Joined: 08 Nov 2004 Posts: 120
Posted: Fri Apr 15, 2005 11:25 am Post subject: Thanks for the replies!
But even if you change your IP address (or MAC address if necessary) you won't be able to listen to other networks' communication, because switches and routers delimit a network. So how do you sniff then?
I want to write a server that accepts requests from clients, therefore listening on the server network exposes all communication, if not encrypted? What about a firewall?

moby dick Tux's lil' helper
Joined: 19 Dec 2002 Posts: 78 Location: Germany / Frankfurt a. Main
Posted: Fri Apr 15, 2005 1:02 pm
bjacobt wrote:
> but if you use a switch instead of a hub you cannot see the packets that were meant for other computers, unless the virtual circuit table in the switch gets flooded.
That's halfway right.
- If you use a switch with a port for every client, you are right.
- If you cascade switches and hubs, it may happen that data for many clients is sent through one port of the switch.

A switch just divides a large network physically into smaller parts, in the hope of reducing the traffic per bus and therefore reducing the collisions of messages, which results in "faster" communication ("faster" because a datagram must only be sent once if no collision appears).

moby dick Tux's lil' helper
Joined: 19 Dec 2002 Posts: 78 Location: Germany / Frankfurt a. Main
Posted: Fri Apr 15, 2005 1:03 pm Post subject: Re: Thanks for the replies!
sooofunky wrote:
> I want to write a server that accepts requests from clients, therefore listening on the server network exposes all communication, if not encrypted? What about a firewall?

Sorry, what do you mean by that?

sooofunky Tux's lil' helper
Joined: 08 Nov 2004 Posts: 120
Posted: Fri Apr 15, 2005 3:06 pm
Quote:
> Sorry, what do you mean by that?

I meant, if you belong to the same network as some server, you can intercept all packets. What about an attacker that isn't part of your network? Is she/he able to listen to your traffic? Can e.g. Ethereal sniff anywhere (provided that no security measures were taken)?

mekong Tux's lil' helper
Joined: 23 Apr 2004 Posts: 93 Location: Rdam - NL - EU
Posted: Fri Apr 15, 2005 4:17 pm
If the attacker belongs to the same subnet, he can listen to everything you send (switched or hubbed network doesn't matter) if he uses ARP poisoning. If there are router(s) in between, he can't, except if your data to the destination is routed through a network which he is on.
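
Added example, not part of the original thread: a defender-side check for the ARP poisoning mentioned in the post above. It reads observed ARP replies and reports any MAC address that takes over an IP previously bound to another MAC while also claiming more than one IP. The log format, the function name and the sample addresses are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample: "<seconds> <sender IP> <sender MAC>" per observed ARP reply.
# 192.168.1.1 plays the gateway; ...:30 starts answering for other hosts at t=5.
SAMPLE = """\
0.0 192.168.1.1 00:11:22:33:44:01
0.4 192.168.1.20 00:11:22:33:44:20
1.1 192.168.1.30 00:11:22:33:44:30
5.0 192.168.1.1 00:11:22:33:44:30
5.1 192.168.1.20 00:11:22:33:44:30
7.0 192.168.1.1 00:11:22:33:44:01
"""

def find_arp_suspects(log_text):
    """Map each suspect MAC to the list of (time, ip, previous_mac) it took over.

    A MAC is a suspect when it (a) claimed an IP that was bound to a
    different MAC before and (b) has claimed more than one IP overall.
    Condition (b) keeps the real owner re-asserting its single address
    (the t=7.0 line in SAMPLE) out of the result.
    """
    binding = {}                    # ip  -> MAC that last claimed it
    claimed = defaultdict(set)      # mac -> every IP it has claimed
    takeovers = defaultdict(list)   # mac -> [(time, ip, previous_mac)]
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue                # skip blank or malformed lines
        t, ip, mac = float(parts[0]), parts[1], parts[2].lower()
        previous = binding.get(ip)
        if previous is not None and previous != mac:
            takeovers[mac].append((t, ip, previous))
        binding[ip] = mac
        claimed[mac].add(ip)
    return {mac: events for mac, events in takeovers.items()
            if len(claimed[mac]) > 1}

if __name__ == "__main__":
    for mac, events in find_arp_suspects(SAMPLE).items():
        for t, ip, previous in events:
            print(f"t={t}: {mac} now answers for {ip} (was {previous})")
```

DHCP lease changes and gateway failover also move an IP between MAC addresses, so a hit is a lead to investigate rather than proof of poisoning.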