HP 635n Practical IPsec Deployment for Printing and Imaging Devices - Page 17




Figure 15 - Mirror Port. Devices A through F are attached to switch ports 1 through 6 (A – Port 1, B – Port 2, C – Port 3, D – Port 4, E – Port 5, F – Port 6). The switch is configured to mirror Port 1 to Port 5: all packets sent/received on Port 1 are also sent/received on Port 5, a special port called a Mirror port. Device E, a laptop with Wireshark installed, cannot participate in networking conversations; it can only listen to them. The figure shows an Ethernet conversation between "F" and "D".
While the mirror port capability was put into switches to help network administrators, it can also help our attacker Jane. Using a variety of different techniques (which would lead us too far astray to go into but are very easy to execute), she discovers the Ethernet switch vendor and switch model number. Jane finds the manual for the switch on the Internet and discovers that this particular model has mirror port capability and remote management capability. In other words, this switch can have an IP address for remote management.

An Ethernet switch can have an IP address? Of course: many network management tools communicate with Ethernet switches over TCP/IP to get a variety of network monitoring information. In this particular case, Jane figures out the IP address of the switch (again, very easy but would lead us too far astray to go into). Jane uses the application called Telnet and tries to telnet into the switch. It works! The network administrator didn't realize that this switch had network management capability and never set up a password for it. The switch was able to obtain an IP address automatically using DHCP, and the network administrator never knew!

Using the user manual that Jane found on the web, she goes to the open conference area with her laptop. She resets all the packet counters on the switch. She then floods the switch with a short burst of packets and checks the receive counters. Using these counter values, she determines which port on the switch is associated with the open conference area; let's say port 5. She uses the same technique, whenever someone uses the secured MFP, to determine the MFP's port number; let's say port 1. She then uses Telnet to configure port 5 to be a Mirror port, duplicating the packets to and from port 1. Now she is able to use Wireshark to capture networking conversations to and from the MFP. When she is done capturing packets, she moves to another open conference room and deletes the mirror port configuration.
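The story above rests on four switch-side conditions that an administrator can audit for: a management address handed out by DHCP (so nobody knows the switch is reachable), Telnet enabled on the management lines, no login required on those lines, and a mirror (SPAN) session defined. The following script is an added example, not code from the HP document or from any switch vendor; the configuration text it reads is constructed for this example in a Cisco IOS-like syntax (an assumption about the dialect), and the function names are hypothetical.

```python
"""
Audit a switch configuration for the weaknesses the mirror-port scenario relies on:
a DHCP-assigned management address, Telnet on the management lines, management
lines with no login, and a port-mirroring (SPAN) session.

The configuration below is constructed for this example in an IOS-like syntax;
it does not come from any real device or from the HP document.
"""
import re

# Constructed sample configuration (IOS-like syntax assumed for illustration).
SAMPLE_CONFIG = """\
hostname conf-room-switch
!
interface Vlan1
 ip address dhcp
!
monitor session 1 source interface GigabitEthernet0/1 both
monitor session 1 destination interface GigabitEthernet0/5
!
line vty 0 4
 transport input telnet
 no login
!
"""


def parse_sections(config):
    """Split a config into (top-level line, [indented child lines]) pairs."""
    sections = []
    current = None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue  # skip blank lines and IOS-style separators
        if raw.startswith(" "):
            if current is not None:
                current[1].append(raw.strip())
        else:
            current = (raw.strip(), [])
            sections.append(current)
    return sections


def audit_switch_config(config):
    """Return a list of (severity, message) findings for the given config text."""
    findings = []
    for header, body in parse_sections(config):
        # A DHCP-assigned management address means the switch may be reachable
        # without the administrator ever having chosen (or recorded) an address.
        if header.startswith("interface") and "ip address dhcp" in body:
            findings.append(("medium", f"{header}: management address assigned by DHCP"))

        # Cleartext Telnet management and missing login on the VTY lines.
        if header.startswith("line vty"):
            if any(b.startswith("transport input") and "telnet" in b for b in body):
                findings.append(("high", f"{header}: Telnet management enabled (cleartext)"))
            if "no login" in body or not any(b.startswith("login") for b in body):
                findings.append(("critical", f"{header}: no login required on management lines"))

        # A mirror session duplicates another port's traffic to the destination port.
        m = re.match(r"monitor session (\d+) destination interface (\S+)", header)
        if m:
            findings.append(("high", f"mirror session {m.group(1)} copies traffic to {m.group(2)}"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_switch_config(SAMPLE_CONFIG):
        print(f"[{severity}] {message}")
```

Run against the constructed configuration, the audit reports the DHCP management address, the Telnet transport, the missing login and the mirror session; a configuration whose VTY lines carry `login` and `transport input ssh` and that defines no monitor session produces no findings. Running such a check against exported configurations on a schedule, and alerting when a mirror session appears or disappears, addresses exactly the cleanup step Jane relies on at the end of the story.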
Too Easy: MITM Active Sniffing
Well, you may have read the last section and said: "This isn't a problem for me because (1) all my Ethernet switches are under lock and key, (2) these switches do not flood open, and (3) their network management interfaces are secured. Therefore, there is no longer any way for Jane to capture my MFP's data." Not true! In this section, we are going to cover another way Jane could have captured the data. We will continue to use Wireshark and Ettercap.