Hubs not secure!!

kenny504 · May 2007

Hubs are not secure because basically any information destined to any host connected to the hub is actually broadcasted on everybody's wire. So with the right tool any host can "sniff" data even if it's not intented for them. The intended destination answers though. Right??

Well, lets see I know there's a way to capture packet or maybe even raw data from this insecure means of transmission. Anybody know of any good programs out there that one can use to exploit this characteristic of these insecure network devices and capture data???

Not ethereal

Slowhand · May 2007

Are you trying to emulate the hubs, or sniff for packets? I'm a little confused by your question. If you just want a program to sniff for packets on a single collision domain (sometimes more), I'd say use Snort, or as you mentioned, WireShark/Etheral. . . hell, you can even use Windows Network Monitor. If you're looking for tools that will emulate the effects of having a layer 1 device where you currently have a layer 2 device, I can't help you. My suggestion would be to pick up a hub at CompUSA or BestBuy and test your sniffers on the real deal, which will probably be less of a hassle and give you better results than trying to configure some emulation software. Aside from probably being easier to configure, the actual hardware won't give you false positives, where an emulator may or may not perform the way you want it to unless you set it up exactly right and there are no bugs in the software.

kenny504 · May 2007

Thanks alot buddy i have heard of snort I'll try it now. yeah i edited the question i really meant a good sniffer.

Slowhand · May 2007

A good place for free tools in general, is SourceForge, and I'm sure you can find all kinds of sniffers and network scanning utilities in the network monitoring section.

sprkymrk · May 2007

Slowhand wrote:

you can even use Windows Network Monitor.

The free version of netmonitor only sniffs packets originated from or destined to the host on which it is running. You probably knew but I thought I would mention it anyway.

TCPDump/WinDump are also free, but on Windows boxes you need to install the libpcap driver first.

Slowhand · May 2007

sprkymrk wrote:

Slowhand wrote:

The free version of netmonitor only sniffs packets originated from or destined to the host on which it is running. You probably knew but I thought I would mention it anyway.

I'd actually forgotten that it was only able to pick up traffic on its own NIC, (the free version, at least). Still, it should be able to analyze traffic that's being sent over a hub, since it's one big collision domain. You're right, though, TCPDump/WinDump is a good way to go.

seuss_ssues · May 2007

kenny504 wrote:

Thanks alot buddy i have heard of snort I'll try it now. yeah i edited the question i really meant a good sniffer.

Im not really one to come on here and disagree with people, but you might take another look at ethereal/wireshark. It is one of the best sniffers out there.

http://sectools.org/ <

It was listed as #2 on the top 100 security tools of 2006. The survey was answered by 3,243 hackers/security professionals through insecure's nmap-hacker's mailing list.

edit
Additionally snort is a full fledged IDS. It would be more of a hassle to use if you are only trying to sniff traffic.

sprkymrk · May 2007

Slowhand wrote:

sprkymrk wrote:

Slowhand wrote:

The free version of netmonitor only sniffs packets originated from or destined to the host on which it is running. You probably knew but I thought I would mention it anyway.

I'd actually forgotten that it was only able to pick up traffic on its own NIC, (the free version, at least). Still, it should be able to analyze traffic that's being sent over a hub, since it's one big collision domain.

Unfortunately, collision domain or not, it only shows you packets that originated on your host, or packets that have your host as the destination address. Nice of MS to make a nice tool and then castrate it, huh?

Slowhand · May 2007

sprkymrk wrote:

Unfortunately, collision domain or not, it only shows you packets that originated on your host, or packets that have your host as the destination address. Nice of MS to make a nice tool and then castrate it, huh?

That's because Microsoft loves us. . . the way a kid with a magnifying glass loves ants.

sprkymrk · May 2007

Slowhand wrote:

sprkymrk wrote:

Unfortunately, collision domain or not, it only shows you packets that originated on your host, or packets that have your host as the destination address. Nice of MS to make a nice tool and then castrate it, huh?

That's because Microsoft loves us. . . the way a kid with a magnifying glass loves ants.

On a related note, I just saw that MS released Netmonitor version 3.1, compatible with Vista and wireless.

keatron · May 2007

seuss_ssues wrote:

kenny504 wrote:

Thanks alot buddy i have heard of snort I'll try it now. yeah i edited the question i really meant a good sniffer.

Im not really one to come on here and disagree with people, but you might take another look at ethereal/wireshark. It is one of the best sniffers out there.

http://sectools.org/ <
It was listed as #2 on the top 100 security tools of 2006. The survey was answered by 3,243 hackers/security professionals through insecure's nmap-hacker's mailing list.
edit
Additionally snort is a full fledged IDS. It would be more of a hassle to use if you are only trying to sniff traffic.

Snort is only a full fledged IDS if you configure it to be one. In most flavors you have three modes. IDS, Logging, and yes...Sniffer mode.

You might also want to look at Ettercap as well. It gives you "most" of the same sniffing capabilities on a switched network that you would have on a single collision domain based network. Also if you're interested in security, it will get you interested in things such as Arp Spoofing and the like (since it includes this functionality).

Hubs not secure!!

Comments