Penetration Testing mailing list archives
Re: ARP Spoofing and Routing
From: Rafael San Miguel Carrasco <smcsoc () yahoo es>
Date: Sun, 02 Oct 2005 14:32:46 +0200
Remember that you may need to add a rule in iptables to avoid your TCP/IP stack generating ICMP_REDIRECT messages:

    echo 1 > /proc/sys/net/ipv4/ip_forward
    iptables -A OUTPUT -p icmp --icmp-type redirect -j REJECT

Greetings,
Rafael San Miguel Carrasco

Kyle Starkey wrote:
Folks.. I was on site yesterday at a client doing some pen-test type work and thought I might play around with some arpspoofing and see what I could gather. I ran into a couple of problems and thought you all might have the solution.

What I was trying to do was arpspoof a server so that I could intercept any authentication requests that were made to it and grab passwds or hashes to find some user accts. I was using the Auditors Toolkit bootable CD and the arpspoof worked great. A tcpdump of the eth0 int when the spoof started showed that I was getting all the traffic that should have been destined for this server (hosts and server and myself were all in the same bcast seg btw). However, I was not running any daemons (ftp, samba, telnet, etc.) to answer these requests and as such was only seeing part of the conversation and couldn't complete the connection to get the full auth request.

So what I need to know is how I go about sending packets that were destined for the server originally to the actual server after I have had my tcpdump/dsniff/etc. doing the packet capture and filter. My ideas are as follows and I could use some responses about them or OTHER ways I can accomplish this...

1) routed routing traffic to the original host with a static ARP entry in my host for the server I am spoofing so I don't spoof myself
2) some kind of proxy server that will capture and forward traffic based on the dest addr of the packet and again a static arp entry for the host being spoofed so we don't spoof ourselves
3) load ftpd, samba, telnet, to answer these requests; even if we are denying auth, people will still pass user credentials in an attempt to login, after the arpspoof has happened...
4) some other already built tool that I have never heard of and should learn to use...

If this makes no sense please feel free to flame me and call me an idiot, but it's been a long week and the coffee ain't helping...

-K
Kyle R. Starkey
Senior Security Consultant
CISSP # 31718
Siegeworks LLC
Email: kstarkey () siegeworks com
Cell: 435-962-8986
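The thread above is about the attacker's side of ARP cache poisoning on a shared broadcast segment. The counterpart a defender wants on such a segment is something that notices it. The following is an added example, not code from either poster: a small passive detector in the spirit of arpwatch that parses raw Ethernet/ARP frames, remembers which MAC last answered for each IP, and raises an alert when an IP's MAC changes or when one MAC starts answering for several IPs (the pattern of a host inserting itself between a client and a server). The frames, MAC addresses and IPs are constructed for the demo; in real use the frames would come from a promiscuous capture (libpcap, tcpdump -w, a SPAN port), which is not shown here.

```python
"""Passive ARP poisoning detector (added example, not from the thread).

Frames are parsed straight from bytes so the logic is visible; the sample
frames at the bottom are constructed, with made-up addresses.
"""
import struct

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def mac_bytes(s: str) -> bytes:
    return bytes(int(x, 16) for x in s.split(":"))


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def ip_bytes(s: str) -> bytes:
    return bytes(int(x) for x in s.split("."))


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """Construct an Ethernet II frame carrying an ARP reply (RFC 826 layout)."""
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)  # Ethernet, IPv4, 6, 4, reply
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)
    arp += mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp


def parse_arp(frame: bytes):
    """Return (op, sender_mac, sender_ip, target_mac, target_ip), or None
    if the frame is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42:
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    a = frame[22:42]
    return op, mac_str(a[0:6]), ip_str(a[6:10]), mac_str(a[10:16]), ip_str(a[16:20])


def detect_poisoning(frames):
    """Walk ARP frames in capture order and return a list of alert tuples."""
    ip_to_mac = {}   # IP -> MAC that last claimed it in a reply
    mac_to_ips = {}  # MAC -> set of IPs it has claimed
    alerts = []
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None:
            continue
        op, smac, sip, _tmac, _tip = parsed
        if op != ARP_REPLY:
            continue  # replies are what overwrite a victim's cache; requests are noise here
        prev = ip_to_mac.get(sip)
        if prev is not None and prev != smac:
            # The binding for this IP moved to another NIC. Legit causes exist
            # (NIC swap, failover), so in practice this is correlated with time.
            alerts.append(("ip-mac-change", sip, prev, smac))
        ip_to_mac[sip] = smac
        claimed = mac_to_ips.setdefault(smac, set())
        if sip not in claimed:
            claimed.add(sip)
            if len(claimed) > 1:
                # One NIC answering for several IPs: a router with aliases does
                # this legitimately, a man-in-the-middle does it by necessity.
                alerts.append(("mac-claims-multiple-ips", smac, tuple(sorted(claimed))))
    return alerts


# Constructed sample capture: a legitimate exchange, then a third MAC that
# starts answering for both the server's and the client's IP.
SERVER_MAC, SERVER_IP = "00:11:22:00:00:05", "10.0.0.5"
CLIENT_MAC, CLIENT_IP = "00:11:22:00:00:20", "10.0.0.20"
ROGUE_MAC = "00:11:22:00:00:99"

SAMPLE_FRAMES = [
    build_arp_reply(SERVER_MAC, SERVER_IP, CLIENT_MAC, CLIENT_IP),  # legit
    build_arp_reply(CLIENT_MAC, CLIENT_IP, SERVER_MAC, SERVER_IP),  # legit
    build_arp_reply(ROGUE_MAC, SERVER_IP, CLIENT_MAC, CLIENT_IP),   # rogue claims server IP
    build_arp_reply(ROGUE_MAC, CLIENT_IP, SERVER_MAC, SERVER_IP),   # rogue claims client IP
    b"\x00" * 60,                                                   # non-ARP frame, ignored
]

if __name__ == "__main__":
    for alert in detect_poisoning(SAMPLE_FRAMES):
        print(alert)
```

Run as a script it prints three alerts: the server's IP moving to the rogue MAC, the client's IP moving to the rogue MAC, and the rogue MAC owning two IPs. The static ARP entries the original post mentions are the other half of the picture: a host with a static entry for the server ignores these replies entirely, which is why static entries for critical hosts (gateway, authentication servers) on a flat segment are a common hardening step.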
Current thread:
- ARP Spoofing and Routing Kyle Starkey (Oct 01)
- Re: ARP Spoofing and Routing fabien degouet (Oct 01)
- Re: ARP Spoofing and Routing Rafael San Miguel Carrasco (Oct 02)
- Re: ARP Spoofing and Routing caseytay (Oct 02)
- Re: ARP Spoofing and Routing Tim (Oct 03)
- Re: ARP Spoofing and Routing Times Enemy (Oct 05)
- Re: ARP Spoofing and Routing Cedric Blancher (Oct 05)
- Re: ARP Spoofing and Routing caseytay (Oct 02)
- <Possible follow-ups>
- RE: ARP Spoofing and Routing Payton, Zack (Oct 01)
- RE: ARP Spoofing and Routing Chayah Fox (Oct 03)
- RE: ARP Spoofing and Routing Michael Gargiullo (Oct 03)
- RE: ARP Spoofing and Routing Bartholomew, Brian J (Oct 05)