From the perspective of keeping my network secure, I'm curious about the ins and outs of ARP poisoning & how that (or perhaps something else I'm not thinking of) can be used to imitate another computer. I'm fully aware of being able to poison the ARP table to imitate a computer on the same subnet. Beyond that is where my knowledge gets fuzzy. My understanding is that someone would not be able to imitate (via MiTM) a computer on another subnet because once the traffic gets to the router, MAC address info would be stripped off. First, is that complete and accurate information? And second, is there still a way to act as a computer on another subnet somehow, or at least set up a TAP to that computer, by spoofing the gateway perhaps? I'm talking as a rogue client on the network, not a network admin who could obviously set up a TAP if they wanted to. I've tried to figure out in my head if that would work because if you gave yourself the MAC of the gateway, how would you, yourself, forward that traffic on, or even get traffic back since the device(s) a hop away would be connected to the gateway so therefore the response traffic wouldn't get to your MiTM computer, right? Lastly, how would trunk ports enter into the mix? Could you pose as a computer on another trunked subnet somehow if you're on a trunk port or does the "gateway stripping the necessary information" rule still apply?
Some of the answers I'll get back will undoubtedly get a "duh" to myself once I see it, but I'm thinking out loud and trying to not make my brain hurt by thinking about all angles of this at once, and hoping people with better applied knowledge of this scenario can just rattle off the answers to me. (Thanks)
Bottom line is, I want to know the capabilities of a client being able to intercept traffic to, or somehow act as, a computer on another subnet/VLAN and either what would go into that, or if that's totally not doable due to how L3 works.
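An added example, not part of the original post: the sketch below models the forwarding rule the question turns on (a host ARPs for the destination only when it is on-link, otherwise for its default gateway) and audits a neighbour-table snapshot for entries that would redirect that traffic. The function names, addresses and MACs are constructed for illustration, and a single-homed host with one on-link prefix is assumed.

```python
import ipaddress
from collections import defaultdict

def arp_target(iface: str, gateway: str, dst: str) -> str:
    """Return the IP a host resolves via ARP in order to reach dst.

    iface is the host's own address with prefix, e.g. "192.168.10.25/24".
    On-link destinations are resolved directly; anything else is framed
    to the default gateway's MAC, so the remote host's MAC is never used.
    """
    net = ipaddress.ip_interface(iface).network
    return dst if ipaddress.ip_address(dst) in net else gateway

def audit_arp_cache(iface, gateway, trusted_gw_mac, cache):
    """Flag neighbour-table entries that could redirect this host's traffic.

    cache maps IP -> MAC as read from the host's ARP table.
    trusted_gw_mac is the gateway MAC recorded out of band (assumption).
    """
    net = ipaddress.ip_interface(iface).network
    findings = []
    gw_mac = cache.get(gateway)
    if gw_mac is not None and gw_mac.lower() != trusted_gw_mac.lower():
        findings.append(("gateway-mac-mismatch", gateway, gw_mac))
    by_mac = defaultdict(list)
    for ip, mac in cache.items():
        if ipaddress.ip_address(ip) in net:
            by_mac[mac.lower()].append(ip)
        else:
            # Unexpected under the single-homed assumption: off-link hosts
            # are reached through the gateway, not resolved with ARP.
            findings.append(("off-link-entry", ip, mac))
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            findings.append(("mac-claims-multiple-ips", tuple(sorted(ips)), mac))
    return findings

# Constructed sample data: private addresses, documentation-range MACs.
IFACE, GATEWAY, GW_MAC = "192.168.10.25/24", "192.168.10.1", "00:00:5e:00:53:01"
CLEAN = {"192.168.10.1": "00:00:5e:00:53:01", "192.168.10.40": "00:00:5e:00:53:40"}
SUSPECT = {"192.168.10.1": "00:00:5e:00:53:99", "192.168.10.77": "00:00:5e:00:53:99"}

if __name__ == "__main__":
    print(arp_target(IFACE, GATEWAY, "192.168.10.40"))  # on-link: ARP for the host
    print(arp_target(IFACE, GATEWAY, "10.20.30.40"))    # off-link: ARP for the gateway
    print(audit_arp_cache(IFACE, GATEWAY, GW_MAC, CLEAN))
    print(audit_arp_cache(IFACE, GATEWAY, GW_MAC, SUSPECT))
```

A "mac-claims-multiple-ips" finding is a prompt to investigate, not proof of poisoning: a router with secondary addresses or a first-hop redundancy setup can legitimately answer for several IPs.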