Sooo..
There was this talk at this year's DEFCON talking about attacks which can occur at Layer 2 of the OSI model. This will without a doubt go down as probably the worst talk in the history of any Security Conference. Not to really bust on the guys giving the talk as they appeared to know the content of their talk very well..the problem was just that; the content of their talk.
These guys talked about different attacks against VLANs, which as cool as it is...is not a reality anymore! Any network administrator worth a sack of poop would not have a network susceptible to any type of VLAN hopping attack. The true threat in Layer 2 clearly lies within ARP.
Now, I'm not saying that ARP poisoning is the be all end all...but what I'm saying is that in 90% of networks I look at, ARP poisoning can be accomplished with great ease and minimal detection. The fact of the matter is that nobody is implementing static ARP entries for their gateway, and we know that it is rare for anyone to monitor internal traffic. In fact on my most recent pentest I went back to the old school well and decided to poison the ARP tables within the management subnet I sat on. Not only did it go unnoticed, but I managed to man in the middle a password hash for the domain admin acct. crossing the network.
The scary thing about this is that even if they did detect the bogus ARP traffic I was spewing across my subnet and blocked my IP or even launched a forensic investigation against me, they would have no idea that I had the hash for the domain admin. Rock a little Pass the Hash, and it's game over...they would never detect me!
So, if you decide you wanna have a little old school fun, fire up Ettercap....grab a few beers...and reminisce about the good ol' days!!!!!
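
The gap described above (no static ARP entry for the gateway, nobody watching internal traffic) is something a defender can check for on any Linux host in the subnet. The following is an added example, not part of the original post: it compares snapshots of `ip neigh show` output against a pinned gateway binding, and the addresses, MACs, sample lines and function names are all constructed for illustration.

```python
import re
from collections import defaultdict

# Matches `ip neigh show` lines such as:
#   10.0.5.1 dev eth0 lladdr 00:1a:2b:3c:4d:5e REACHABLE
NEIGH_RE = re.compile(
    r"^(?P<ip>\d+\.\d+\.\d+\.\d+) dev \S+ lladdr (?P<mac>[0-9a-fA-F:]{17})\b")

def parse_neigh(lines):
    """Return {ip: mac}; entries without lladdr (FAILED/INCOMPLETE) are skipped."""
    table = {}
    for line in lines:
        m = NEIGH_RE.match(line.strip())
        if m:
            table[m.group("ip")] = m.group("mac").lower()
    return table

def check_snapshot(lines, pinned):
    """Compare one neighbour-table snapshot against pinned IP -> MAC bindings."""
    table = parse_neigh(lines)
    alerts = []
    # 1. A pinned address (the gateway) resolving to an unexpected MAC.
    for ip, expected in pinned.items():
        seen = table.get(ip)
        if seen is not None and seen != expected.lower():
            alerts.append(("PINNED_MISMATCH", ip, seen))
    # 2. One MAC answering for several IPs. This can be legitimate
    #    (multihomed hosts, secondary addresses), so treat it as a lead.
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            alerts.append(("MAC_CLAIMS_MULTIPLE_IPS", mac, tuple(sorted(ips))))
    return alerts

# Constructed sample data (hypothetical subnet, gateway and MAC addresses).
PINNED = {"10.0.5.1": "00:1A:2B:3C:4D:5E"}
CLEAN = ["10.0.5.1 dev eth0 lladdr 00:1a:2b:3c:4d:5e REACHABLE",
         "10.0.5.23 dev eth0 lladdr 52:54:00:aa:bb:cc STALE",
         "10.0.5.40 dev eth0  FAILED"]
POISONED = ["10.0.5.1 dev eth0 lladdr 52:54:00:aa:bb:cc REACHABLE",
            "10.0.5.23 dev eth0 lladdr 52:54:00:aa:bb:cc STALE"]

if __name__ == "__main__":
    for name, snap in (("clean", CLEAN), ("poisoned", POISONED)):
        print(name, check_snapshot(snap, PINNED))
```

A check like this only flags the poisoning; it says nothing about what crossed the wire while the bad binding was in place, which is the point made above about the captured hash.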