Vulnerability Development mailing list archives
Re: More on ARP cache poisoning
From: scut () NB IN-BERLIN DE (Sebastian)
Date: Wed, 2 Feb 2000 12:52:32 +0100
On Tue, Feb 01, 2000 at 04:35:35PM -0500, Clifford, Shawn A wrote:
> I tried to see if it would be possible to poison the ARP cache of my machine (Solaris 2.6) so that it contained an Ether address of a local machine, but the IP address of a machine outside my network (prep.ai.mit.edu, for example).
> It didn't work. Not with the 'poink' program nor with 'arp -s <host> <ether>'. The ARP cache in Solaris anyway is smart enough to not take entries for remote networks. Maybe someone else can try on Linux and other platforms. I will try under HP-sUX when I get a chance.

Well, I managed to get an external IP address into the ARP cache of a Linux 2.0.x and a 2.2.x system:

    ? (123.123.123.123) at 00:00:E8:73:C1:FA [ether] on eth0:1

But Linux seems to ignore this ARP entry when it sends out a packet on this interface. It chooses the correct gateway MAC address, as seen here:

    08:53:16.623273 0:80:48:92:4:c5 0:c0:7b:7e:e7:4b ip 102: victim > 123.123.123.123: icmp: echo request

> So, this pretty much makes moot hijacking the SETI download, etc. You can only use the ARP poison to redirect connections _within_ our LAN.

Yea, this has been in use for like 3 years now, just grab hunt and ARP relay external connections by ARP spoofing the gateway. There is no problem with redirecting/relaying/denying any TCP connection within a switched/non-switched LAN when there are no static ARP entries. Just ARP spoof the gateway address into the victim's cache and have IP forwarding enabled.

> -- Shawn
ciao,
scut / teso

--
- scut () nb in-berlin de - http://nb.in-berlin.de/scut/ - sacbuctd@ircnet --
-- you don't need a lot of people to be great, you need a few great to be --
-- the best ------------------------------------------------------------------
http://3261000594/scut/pgp - 5453 AC95 1E02 FDA7 50D2 A42D 427E 6DEF 745A 8E07
--- acquired Talon operating system source, awaiting orders, hi echelon -------
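
Added example, not part of the original message or the thread: a defender-side audit of an `arp -a` dump for the two conditions discussed above, a cache entry for an address outside the local subnet and a gateway entry whose MAC differs from a pinned value. The subnet, the 192.168.1.x hosts and the use of the tcpdump destination MAC as the pinned gateway MAC are assumptions made for illustration; the function names are hypothetical.

```python
import ipaddress
import re

# Linux `arp -a` line format, as quoted in the message:
#   ? (123.123.123.123) at 00:00:E8:73:C1:FA [ether] on eth0:1
ARP_LINE = re.compile(
    r"\((?P<ip>[0-9.]+)\) at (?P<mac>[0-9A-Fa-f:]{11,17}) \[ether\](?: \w+)* on (?P<dev>\S+)"
)

def norm_mac(mac):
    """Lowercase and zero-pad octets so 0:c0:7b:... equals 00:C0:7B:..."""
    return ":".join(part.zfill(2) for part in mac.lower().split(":"))

def audit_arp(table_text, local_net, gateway_ip, pinned_gw_mac):
    """Return (finding, ip, mac) tuples for suspicious ARP cache entries."""
    net = ipaddress.ip_network(local_net)
    pinned = norm_mac(pinned_gw_mac)
    findings, seen = [], {}
    for line in table_text.splitlines():
        m = ARP_LINE.search(line)
        if not m:
            continue
        ip, mac = m["ip"], norm_mac(m["mac"])
        # A neighbour entry for a host that is not on the local wire.
        if ipaddress.ip_address(ip) not in net:
            findings.append(("off-subnet-entry", ip, mac))
        # The gateway resolves to something other than the pinned MAC.
        if ip == gateway_ip and mac != pinned:
            findings.append(("gateway-mac-mismatch", ip, mac))
        seen.setdefault(mac, []).append(ip)
    # One MAC answering for several IPs is typical of a relaying host.
    for mac, ips in seen.items():
        if len(ips) > 1:
            findings.append(("mac-shared-by-ips", ",".join(sorted(ips)), mac))
    return findings

# Constructed sample dump; MAC and external IP reused from the message.
SAMPLE = """\
? (192.168.1.1) at 00:00:E8:73:C1:FA [ether] on eth0
? (192.168.1.23) at 00:00:E8:73:C1:FA [ether] on eth0
? (192.168.1.40) at 00:10:5A:11:22:33 [ether] PERM on eth0
? (123.123.123.123) at 00:00:E8:73:C1:FA [ether] on eth0:1
"""

if __name__ == "__main__":
    for f in audit_arp(SAMPLE, "192.168.1.0/24", "192.168.1.1", "0:c0:7b:7e:e7:4b"):
        print(*f)
```
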