[VOIPSEC] Re: Voipsec Digest, Vol 2, Issue 33
Michael Todd
michaeldtodd at mac.com
Sun Feb 27 12:28:01 CST 2005
Perhaps my e-mail was vague. You don't need administrative access to a
switch to snoop packets on a switched network. Nor do you even need to
reconfigure the switch at all. On a switched network, you can send a
gratuitous ARP to an end station saying that *your* MAC address should
be used to reach the gateway's IP address. You can then send a
gratuitous ARP to the *gateway* stating that *your* MAC address should
be used to reach the end station mentioned above. Then turn on IP
forwarding. As I mentioned, this has nothing to do with administrative
access to a switch. As long as you are on the same VLAN as the endpoint
you wish to sniff and both the gateway and end stations accept
gratuitous ARP packets, it is trivial. As I mentioned, I have done this
in the lab with VoIP packets.
Michael Todd
CCIE #10858 (Routing and Switching/Security)
See the following article for more information.
http://www.sans.org/resources/idfaq/switched_network.php
Gerald Maguire wrote:
>Of course if you have physical access to the links you can snoop.
>
>My point was simply that you don't need to add a hub in order
>to sniff (as your message implied) -- just give the switch the right
>configuration commands and you can get all the traffic to and from a
>given port. Thus you don't need physical access to the switch - you
>only need to send the right commands to the switch (of course proper
>protection of the administrative passwords, proper configuration of
>which ports commands can come on, etc. can strengthen this). The key
>is that simply using switches does not eliminate the possibility of
>sniffing, it just makes it a little harder. This is of course why many
>firms are concerned about the introduction of legal intercept features
>into networking devices -- because it makes it _easier_ for someone to
>intercept and tap traffic. CALEA (47 U.S.C. § 1001 et seq.) and other
>regulations mean that not only can the traffic be intercepted but it
>should not be detectable (by the subject or even by others who have
>lawful intercept orders).
>
>Regards,
>G. Q. Maguire Jr.
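A defender's view of the two forged ARP messages described in the message above, as an added example that is not part of the original e-mail: a passive monitor that parses raw Ethernet/ARP frames and flags unsolicited replies, IP-to-MAC binding conflicts, and a single MAC claiming several IPs. The names `ArpWatch`, `parse_arp` and `sample_frame` are hypothetical, and the 192.0.2.x addresses and MACs used with them are constructed sample values.

```python
import struct
from collections import defaultdict

def fmt_mac(b): return ":".join(f"{x:02x}" for x in b)
def fmt_ip(b): return ".".join(str(x) for x in b)

def parse_arp(frame):
    """Return (opcode, sender_mac, sender_ip, target_ip), or None if not Ethernet/IPv4 ARP."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":      # EtherType 0x0806 = ARP
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sha, spa, _tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    return oper, fmt_mac(sha), fmt_ip(spa), fmt_ip(tpa)

class ArpWatch:
    def __init__(self, pinned=None):
        self.bindings = dict(pinned or {})   # ip -> pinned or first-seen MAC
        self.claims = defaultdict(set)       # mac -> IPs it has claimed to own
        self.pending = set()                 # (asker_ip, asked_ip) from requests seen

    def observe(self, frame):
        parsed = parse_arp(frame)
        if parsed is None:
            return []
        oper, mac, spa, tpa = parsed
        alerts = []
        if oper == 1:                        # request: remember who asked for what
            self.pending.add((spa, tpa))
        elif oper == 2 and (tpa, spa) not in self.pending:
            alerts.append(f"unsolicited reply to {tpa}: {spa} is-at {mac}")
        self.pending.discard((tpa, spa))
        known = self.bindings.setdefault(spa, mac)   # never overwrite a known binding
        if known != mac:
            alerts.append(f"binding conflict: {spa} is {known}, claimed by {mac}")
        self.claims[mac].add(spa)
        if len(self.claims[mac]) > 1:        # one NIC answering for gateway and host
            alerts.append(f"{mac} claims {sorted(self.claims[mac])}")
        return alerts

def sample_frame(oper, sha, spa, tha, tpa):
    """Constructed test input: raw Ethernet+ARP frame (MACs as bare hex, IPs dotted)."""
    ip = lambda s: bytes(int(p) for p in s.split("."))
    eth = bytes.fromhex(tha) + bytes.fromhex(sha) + b"\x08\x06"
    return (eth + struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)
            + bytes.fromhex(sha) + ip(spa) + bytes.fromhex(tha) + ip(tpa))
```

Passing the gateway's real binding in `pinned` avoids trusting whichever claim arrives first; switch-level controls such as dynamic ARP inspection address the same condition in the network rather than at a monitor.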