
			      P A R A S I T E

                      (c) 2000,2001 by van Hauser / THC
	   <vh@reptile.rug.ac.be> http://www.thehackerschoice.com


INTRODUCTION
------------
Have you ever sniffed on a switch? Without special tools you will see no
traffic (well, that's not quite true, but let's simplify that statement)
which is not destined for your machine. This gives you the following options
to be able to sniff on the LAN.
	1) ARP Spoofing
	2) MAC Flooding
	3) MAC duplicating
	4) Routing attacks
	5) hook your laptop to the uplink trunk
1, 2 and 3 are possible with this tool.
3 you can also do on any Linux/Solaris/etc. box via the ifconfig command.
4 I know no good tools for this (except icmp_redir).
5 needs physical access to the switch component.

For 2, there are already a few tools available; the best is the one by Dug
Song as part of dsniff. See http://www.monkey.org/~dugsong/
For 1, you will only find tools which send fake ARP packets to defined
single machines. This is not effective if you want to sniff the whole LAN.
That's what this tool is for: bypassing the basic switch security to be able
to see all traffic on the LAN.

With this tool you can NOT sniff on a different VLAN on the same switch!
There are other ways to do this ... ;-)

See the INSTALL file for installation information and limitations!


LEGAL STUFF
-----------
You might think this tool is evil. Dug Song looked funny at me when I told
him that I have a legal purpose for this tool :-) [I really have!]
Be aware that sniffing - even in your own company and even if you are the
administrator - might be illegal, either by law or by company policy.
You may use this tool for legal purposes only!
The licence for this tool is the GNU Licence v2.


HOW DOES A SWITCH WORK
----------------------
A switch learns all MAC addresses through the traffic it sees on its ports.
Therefore it only sends traffic out of the port which is known to have the MAC
address a data packet is destined for.
However, this was never intended as a security feature. It improves
performance, because it eliminates the shared collision domain and (with a
faster uplink) expands the available bandwidth for the end-user machines.


HOW TO BE ABLE TO SNIFF ON A SWITCH
-----------------------------------
Basically there are several possibilities.
 1) do ARP Spoofing
   That's how the Ethernet/IP protocol works: you want to know which machine
   on the LAN has got the IP address you want, so you send an ARP Request
   packet to the network which everyone sees, and the machine which has the
   IP address will send you an ARP Reply packet with its MAC address, so
   your computer knows to which MAC address to send the data.
   ARP Spoofing works by sending fake ARP Reply packets to a machine, so
   the data is sent to the attacker's MAC address instead.
   Several tools out there just send ARP Reply packets to specially defined
   machines. This is very limiting and does not work for all target platforms.
   This tool listens on the LAN for ARP Requests and then sends fake ARP
   Replies. This gives you a good chance to sniff all packets on the
   LAN. Just run it like this: "parasite eth0"

 2) MAC Flooding
   A switch only has got limited memory for the MAC data. Once that memory
   is depleted, it can't know anymore which port has got which MAC
   addresses, so it turns into a HUB and sends all traffic to all ports.
   To additionally activate the flooding engine of parasite, type
   "parasite -F eth0"

 3) MAC Duplicating
   You just duplicate an existing MAC address of a machine you want to see
   the traffic for.
   Can be done by "ifconfig eth0 down
                   ifconfig eth0 hw ether 01:01:01:01:01:01
                   ifconfig eth0 up"
   or by "parasite -m 01:01:01:01:01:01 eth0"

 4) Routing attacks
   You subvert the routing information of the targets so they send non local
   traffic to you. You can do this by running a routing daemon yourself or
   by using a tool like icmp_redir to fake ICMP Redirect packets.

 5) hook your laptop to the uplink trunk
   An uplink Switch receives all traffic from a switch. Connect your
   FastEthernet Card to the uplink trunk and have fun.


SWITCH SECURITY
---------------
Of course there are ways to prevent these attacks:
 1) Configure IP filters on the switch ports. Only very few switches can do
    this. Alternatively, you can hard set all IP <-> MAC addresses on each
    machine via /etc/ethers or arp -s IP MAC ...
 2) Enable PORT SECURITY on all switch ports. This allows only one MAC on
    one port, and the MAC can only be changed by the switch admin.
 3) Enable PORT SECURITY (not all switches allow this attack to work anyway)
 4) Don't run a routing protocol on workstations - only on routers! And
    password protect the protocol and hardcode your peers.
 5) Physically secure your switches.
Additionally you should ensure that no one can take over the switch, so don't
use telnet and SNMP! Allow only local configuration or a terminal server with
SSH, SSL telnet, etc.
And remember to send all important switch logs to your secure central loghost.
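As an added example (not part of parasite or its author's code), the script below is a host-side check for the fake ARP Replies described under 1) of "HOW TO BE ABLE TO SNIFF ON A SWITCH" and for the /etc/ethers mapping recommended in 1) of this list: it parses ARP lines in the shape `tcpdump -e -n arp` prints them and reports Replies that contradict the trusted map or that put a second MAC on one IP. The addresses and capture lines are constructed sample data, not from any real network.

```python
"""Host-side detector for fake ARP Replies (added example, not part of
parasite). Reads lines in 'tcpdump -e -n arp' format, keeps a trusted
IP <-> MAC map in /etc/ethers style, and reports Replies that contradict
the map or that put a second MAC on an IP. All addresses and lines below
are constructed sample data, not captured from a real network."""
import re
from collections import defaultdict

# Constructed /etc/ethers style file: "MAC address" per line.
TRUSTED_ETHERS = """\
00:50:56:aa:bb:01 10.0.0.1
00:50:56:aa:bb:02 10.0.0.2
"""

# Constructed lines in the shape tcpdump -e -n prints ARP traffic.
SAMPLE_ARP_LINES = """\
12:00:00.000100 00:50:56:aa:bb:05 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 10.0.0.1 tell 10.0.0.5, length 46
12:00:00.000400 00:50:56:aa:bb:01 > 00:50:56:aa:bb:05, ethertype ARP (0x0806), length 60: Reply 10.0.0.1 is-at 00:50:56:aa:bb:01, length 46
12:00:00.000900 00:50:56:aa:bb:99 > 00:50:56:aa:bb:05, ethertype ARP (0x0806), length 60: Reply 10.0.0.1 is-at 00:50:56:aa:bb:99, length 46
12:00:01.000200 00:50:56:aa:bb:02 > 00:50:56:aa:bb:05, ethertype ARP (0x0806), length 60: Reply 10.0.0.2 is-at 00:50:56:aa:bb:02, length 46
12:00:02.000300 00:50:56:aa:bb:07 > 00:50:56:aa:bb:05, ethertype ARP (0x0806), length 60: Reply 10.0.0.7 is-at 00:50:56:aa:bb:07, length 46
12:00:02.000800 00:50:56:aa:bb:99 > 00:50:56:aa:bb:05, ethertype ARP (0x0806), length 60: Reply 10.0.0.7 is-at 00:50:56:aa:bb:99, length 46
"""

REPLY_RE = re.compile(r"Reply (\S+) is-at ([0-9a-fA-F:]{17})")

def parse_ethers(text):
    """Return {ip: mac} from /etc/ethers-style text, ignoring comments."""
    trusted = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            mac, ip = line.split()[:2]
            trusted[ip] = mac.lower()
    return trusted

def find_spoofed_replies(arp_text, trusted):
    """Return (ip, mac, reason) alerts for ARP Replies that look spoofed."""
    alerts, claims = [], defaultdict(set)   # claims: ip -> MACs seen so far
    for line in arp_text.splitlines():
        m = REPLY_RE.search(line)
        if not m:
            continue                        # Requests make no claim
        ip, mac = m.group(1), m.group(2).lower()
        if ip in trusted and trusted[ip] != mac:
            alerts.append((ip, mac, "contradicts /etc/ethers"))
        elif ip not in trusted and claims[ip] and mac not in claims[ip]:
            alerts.append((ip, mac, "second MAC claims this IP"))
        claims[ip].add(mac)
    return alerts
```

Feed it the output of `tcpdump -l -e -n arp` on the interface you want to watch; an IP covered by /etc/ethers is judged against that file, any other IP only against earlier Replies seen for it.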


MORE STUFF
----------
Parasite has got some more interesting options, e.g. two for network DoS
attacks (the -D and -R options). Type "parasite -h" to see the options available.


BLA
---
Ideas, comments, bug reports? Send me email.
    van Hauser / THC <vh@reptile.rug.ac.be>
    http://www.thehackerschoice.com
