Network Security Pen-Test

Re: unswitched behavior of a switched network...

Subject: Re: unswitched behavior of a switched network...
Date: Mon, 16 Oct 2006 15:55:43 -0400
I can think of a couple of possibilities.  1) This is
broadcast/multicast traffic. 2) The MAC addresses are unknown to the
switch (So it will flood to find them.) 3) The port could be a trunk or
a mirror of a trunk.

Buz


Krugger wrote:
On 10/13/06, Jon Hart <jhart@spoofed.org> wrote:
Greetings,

I've got a situation here that I can't quite figure out.  It is well
known that it is possible to cause a switched network to act like an
unswitched network by flooding the CAM table.  There are countless tools
and documents out there that cover the offensive and defensive measures
related to this issue.

While this isn't Cisco's official documentation on this issue,
http://xrl.us/r8k7 says:

   "Content-addressable memory (CAM) overflow: A CAM table is used to
   determine where to direct incoming frames depending on which port the
   incoming MAC address came from. When the CAM receives a frame with an
   unknown destination, the proper procedure is to flood frames within
   the acceptable Layer 2 domain (the proper VLAN). Hardware and
   software tools are available (some for free), that can flood a switch
   with MAC addresses. Once the CAM table limit is exceeded, switches
   behave differently depending on the brand of the switch."

My question is, has anyone seen a situation where the same broadcast
behavior occurs, but the CAM table itself is not overloaded and there is
no good reason for entries to be expiring?  Furthermore, even if the
entries were expired, has anyone encountered situations (malicious or
otherwise), where a given port will receive traffic outside of its own
L2?

Thanks,

-jon

Some routers have an option of dumping all traffic to a given port, so
if you are connected to the right router port you will see everything
as if it was a hub. At least I already saw a router configured that
way; that port was connected to a computer that was dedicated to
running snort.

------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW

------------------------------------------------------------------------


-- 
----
Buz Dale                                buz.dale@usg.edu
IT Security Specialist              1-888-875-3697
Office of Information and Instructional Technology
University System of Georgia
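
Added example, not part of the original thread: a Python sketch that sorts frames captured on one access port into the cases raised in the replies above (broadcast/multicast, unknown-unicast flooding, trunk or mirror port). The helper names, MAC addresses and sample frames are constructed for illustration, and the "destination already seen as a source" test is a heuristic assumption, not a switch feature.

```python
import struct
from collections import Counter

BROADCAST = b"\xff" * 6

def mac(text):
    """Convert 'aa:bb:cc:dd:ee:ff' to 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))

def classify_frame(frame, own_mac):
    """Classify one raw Ethernet frame seen on our port."""
    if len(frame) < 14:                      # too short to hold an Ethernet header
        return "runt"
    dst = frame[0:6]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == 0x8100:                  # 802.1Q tag: port may be a trunk or trunk mirror
        return "vlan-tagged"
    if dst == BROADCAST:
        return "broadcast"
    if dst[0] & 0x01:                        # I/G bit set: group (multicast) address
        return "multicast"
    if dst == own_mac:
        return "unicast-to-us"
    return "foreign-unicast"                 # flooded unknown unicast, or mirrored traffic

def triage(frames, own_mac):
    """Count frame kinds; collect foreign destinations that had already
    transmitted, so 'MAC unknown to the switch' is a weaker explanation."""
    counts, seen_src, suspicious = Counter(), set(), set()
    for frame in frames:
        kind = classify_frame(frame, own_mac)
        counts[kind] += 1
        if kind == "foreign-unicast" and frame[0:6] in seen_src:
            suspicious.add(frame[0:6])
        if kind != "runt":
            seen_src.add(frame[6:12])
    return counts, suspicious

def eth(dst, src, ethertype=0x0800):
    """Build a constructed sample frame: header plus zero padding."""
    return mac(dst) + mac(src) + struct.pack("!H", ethertype) + b"\x00" * 46

OWN = mac("02:00:00:00:00:01")               # constructed: MAC of the capturing host
SAMPLE = [                                   # constructed capture, in arrival order
    eth("ff:ff:ff:ff:ff:ff", "02:00:00:00:00:0a", 0x0806),  # ARP broadcast from A
    eth("01:00:5e:00:00:fb", "02:00:00:00:00:0b"),          # IPv4 multicast from B
    eth("02:00:00:00:00:01", "02:00:00:00:00:0a"),          # A to us
    eth("02:00:00:00:00:0c", "02:00:00:00:00:0b"),          # B to C, C never seen
    eth("02:00:00:00:00:0a", "02:00:00:00:00:0b"),          # B to A, A already seen
    eth("02:00:00:00:00:0a", "02:00:00:00:00:0b", 0x8100),  # tagged frame
]
```

Foreign unicast to a destination that never transmits fits ordinary unknown-unicast flooding; foreign unicast to a destination that has already been heard from, or any tagged frame on an access port, points toward a mirror or trunk configuration worth checking on the switch.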

