Vulnerability Development mailing list archives

Re: More on ARP cache poisoning


From: scut () NB IN-BERLIN DE (Sebastian)
Date: Wed, 2 Feb 2000 12:52:32 +0100


On Tue, Feb 01, 2000 at 04:35:35PM -0500, Clifford, Shawn A wrote:

> I tried to see if it would be possible to poison the ARP cache of my machine
> (Solaris 2.6) so that it contained an Ether address of a local machine, but
> the IP address of a machine outside my network (prep.ai.mit.edu, for
> example).
>
> It didn't work.  Not with the 'poink' program nor with 'arp -s <host>
> <ether>'.  The ARP cache in Solaris anyway is smart enough to not take
> entries for remote networks.  Maybe someone else can try on Linux and other
> platforms.  I will try under HP-sUX when I get a chance.

Well, I managed to get an external IP address into the ARP cache of a Linux
2.0.x and a 2.2.x system:

? (123.123.123.123) at 00:00:E8:73:C1:FA [ether] on eth0:1

But Linux seems to ignore this ARP entry when it sends out a packet on this
interface. It chooses the correct gateway MAC address, as seen here:

08:53:16.623273 0:80:48:92:4:c5 0:c0:7b:7e:e7:4b ip 102:
        victim > 123.123.123.123: icmp: echo request

> So, this pretty much makes moot hijacking the SETI download, etc.  You can
> only use the ARP poison to redirect connections _within_ our LAN.

Yea, this has been in use for like 3 years now, just grab hunt and ARP relay
external connections by ARP spoofing the gateway. There is no problem with
redirecting/relaying/denying any TCP connection within a switched/non-switched
LAN when there are no static ARP entries. Just ARP spoof the gateway address
into the victim's cache and have ip forwarding enabled.

> -- Shawn

ciao,
scut / teso

--
- scut () nb in-berlin de - http://nb.in-berlin.de/scut/ - sacbuctd@ircnet   --
-- you don't need a lot of people to be great, you need a few great to be  --
-- the best ------------------------------------------------------------------
http://3261000594/scut/pgp - 5453 AC95 1E02 FDA7 50D2 A42D 427E 6DEF 745A 8E07
--- acquired Talon operating system source, awaiting orders, hi echelon ------
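The thread describes three symptoms a host's ARP cache can show: an entry for an IP outside the local subnet (which Solaris refuses and Linux accepts but ignores), the gateway's MAC silently changing, and one MAC answering for both the gateway and another local host. The following auditor, added here as an example and not code from the thread or from hunt/poink, checks two snapshots of `arp -a` output for all three and also reports gateways that have no static (PERM) entry, since the post notes the redirect only works "when there are no static ARP entries". It assumes net-tools `arp -a` line format with an optional `PERM` flag, treats an alias such as `eth0:1` as sharing `eth0`'s subnet, and uses constructed sample snapshots (192.0.2.0/24, hostnames, MACs) rather than data from the thread.

```python
"""Audit two snapshots of a host's ARP cache for the symptoms discussed in the thread (added example)."""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# One `arp -a` line as net-tools prints it on Linux, for example:
#   ? (123.123.123.123) at 00:00:E8:73:C1:FA [ether] on eth0:1
# The optional "PERM" flag marking static entries is an assumption about the output format.
ARP_LINE = re.compile(
    r"^\S+\s+\((?P<ip>\d+\.\d+\.\d+\.\d+)\)\s+at\s+"
    r"(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})\s+\[ether\](?P<perm>\s+PERM)?\s+on\s+(?P<iface>\S+)$"
)

Entry = Dict[str, object]

# Constructed sample data: a snapshot taken before and one after a gateway spoof.
SUBNETS = {"eth0": "192.0.2.0/24"}
GATEWAYS = ["192.0.2.1"]
SNAPSHOT_BEFORE = """\
gw.example.test (192.0.2.1) at 00:c0:7b:7e:e7:4b [ether] on eth0
fileserver (192.0.2.20) at 00:00:e8:73:c1:fa [ether] on eth0
? (123.123.123.123) at 00:00:e8:73:c1:fa [ether] on eth0:1
"""
SNAPSHOT_AFTER = """\
gw.example.test (192.0.2.1) at 00:80:48:92:04:c5 [ether] on eth0
fileserver (192.0.2.20) at 00:00:e8:73:c1:fa [ether] on eth0
? (192.0.2.50) at 00:80:48:92:04:c5 [ether] on eth0
"""


def parse_arp_table(text: str) -> List[Entry]:
    """Parse `arp -a` output; lines that do not match (e.g. incomplete entries) are skipped."""
    entries: List[Entry] = []
    for line in text.splitlines():
        m = ARP_LINE.match(line.strip())
        if m:
            entries.append({"ip": m["ip"], "mac": m["mac"].lower(),
                            "iface": m["iface"], "static": m["perm"] is not None})
    return entries


def subnet_for(iface: str, subnets: Dict[str, str]) -> Optional[ipaddress.IPv4Network]:
    """Subnet of an interface; an alias like eth0:1 falls back to its base eth0 (assumption)."""
    cidr = subnets.get(iface) or subnets.get(iface.split(":")[0])
    return ipaddress.ip_network(cidr) if cidr else None


def off_subnet_entries(entries: List[Entry], subnets: Dict[str, str]) -> List[Tuple[str, str]]:
    """Entries whose IP lies outside the interface's subnet: never needed, so always suspicious."""
    found = []
    for e in entries:
        net = subnet_for(str(e["iface"]), subnets)
        if net is not None and ipaddress.ip_address(str(e["ip"])) not in net:
            found.append((str(e["ip"]), str(e["iface"])))
    return found


def gateway_mac_changes(before: List[Entry], after: List[Entry],
                        gateways: List[str]) -> List[Tuple[str, str, str]]:
    """Gateway IPs whose MAC differs between snapshots: the symptom of a spoofed default gateway."""
    old = {str(e["ip"]): str(e["mac"]) for e in before}
    new = {str(e["ip"]): str(e["mac"]) for e in after}
    return [(ip, old[ip], new[ip]) for ip in gateways
            if ip in old and ip in new and old[ip] != new[ip]]


def shared_macs(entries: List[Entry]) -> Dict[str, List[str]]:
    """MACs bound to more than one IP, e.g. a host's own address plus the gateway's."""
    by_mac: Dict[str, set] = {}
    for e in entries:
        by_mac.setdefault(str(e["mac"]), set()).add(str(e["ip"]))
    return {mac: sorted(ips, key=ipaddress.ip_address) for mac, ips in by_mac.items() if len(ips) > 1}


def unpinned_gateways(entries: List[Entry], gateways: List[str]) -> List[str]:
    """Gateways with no static entry, i.e. still overwritable by unsolicited ARP replies."""
    static = {str(e["ip"]) for e in entries if e["static"]}
    return [gw for gw in gateways if gw not in static]


def audit(before_text: str, after_text: str, subnets: Dict[str, str],
          gateways: List[str]) -> Dict[str, object]:
    """Run all checks over two snapshots and return the findings."""
    before, after = parse_arp_table(before_text), parse_arp_table(after_text)
    return {
        "off_subnet": off_subnet_entries(before, subnets) + off_subnet_entries(after, subnets),
        "gateway_changed": gateway_mac_changes(before, after, gateways),
        "shared_macs": shared_macs(after),
        "unpinned_gateways": unpinned_gateways(after, gateways),
    }


if __name__ == "__main__":
    for key, value in audit(SNAPSHOT_BEFORE, SNAPSHOT_AFTER, SUBNETS, GATEWAYS).items():
        print(f"{key}: {value}")
```

Run against real output by feeding two `arp -a` captures taken a few minutes apart; a non-empty `gateway_changed` or `shared_macs` result is worth correlating with a packet capture of gratuitous ARP on the segment, and `unpinned_gateways` lists the entries that `arp -s` could pin to close the window the thread describes.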


