Vulnerability Development mailing list archives
Re: More on ARP cache poisoning
From: ron () GWMICRO COM (Ron Parker)
Date: Thu, 3 Feb 2000 11:06:45 -0500
At 02:29 PM 2/2/2000 GMT, Bryce Walter wrote:
For remote hosts, the computer is going to arp for the default gateway instead of the destination IP. If you poisoned the ARP cache for the entry of the default gateway, all packets for any remote computers would be sent to you. This would probably be noticed pretty quickly when nothing seems to "work" on the target computer. You could try to avoid this by enabling routing on your box to get the packets that you don't care about to their real destinations.
Having just fallen victim to the bad router configuration of a clueless "administrator" who happens to have the same DSL provider as I do, I can testify that the similar but slightly different attack outlined in http://www.l0pht.com/advisories/rdp.txt will work quite well, too, at least against Win98 boxes. It may even work without DHCP being enabled on the target machine, as I don't believe it is enabled on the machine on which I saw the bad behavior. My DSL provider (GTE) uses Fujitsu Speedport modems and other hardware; your mileage may vary.

--
Ron Parker
GW Micro, Inc.
Voice 219-489-3671
Fax 219-489-2608
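
Added example, not part of the original message or thread: a host-side check for the default-gateway poisoning described in the quoted text. It reads a snapshot in the Linux /proc/net/arp layout and compares the gateway entry with a pinned MAC address. The addresses, the pinned value and the function names are constructed for illustration (documentation ranges only).

```python
# Added example; sample tables below are constructed, not captured traffic.
# Layout follows Linux /proc/net/arp. Addresses use documentation ranges.
BASELINE = """\
IP address       HW type     Flags       HW address            Mask     Device
192.0.2.1        0x1         0x2         00:00:5e:00:53:01     *        eth0
192.0.2.23       0x1         0x2         00:00:5e:00:53:17     *        eth0
"""
POISONED = """\
IP address       HW type     Flags       HW address            Mask     Device
192.0.2.1        0x1         0x2         00:00:5e:00:53:17     *        eth0
192.0.2.23       0x1         0x2         00:00:5e:00:53:17     *        eth0
"""

def parse_arp(text):
    """Return {ip: mac} for completed entries (ATF_COM flag, bit 0x2)."""
    table = {}
    for line in text.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 6:
            continue
        ip, flags, mac = fields[0], int(fields[2], 16), fields[3].lower()
        if flags & 0x2 and mac != "00:00:00:00:00:00":
            table[ip] = mac
    return table

def check_gateway(table, gateway_ip, pinned_mac):
    """Return a list of findings; an empty list means nothing suspicious."""
    pinned = pinned_mac.lower()
    seen = table.get(gateway_ip)
    if seen is None:
        return [f"no ARP entry for gateway {gateway_ip}"]
    findings = []
    if seen != pinned:
        findings.append(f"gateway {gateway_ip} is at {seen}, expected {pinned}")
    # A poisoning host usually also answers for its own IP with the same MAC.
    sharers = sorted(ip for ip, mac in table.items()
                     if mac == seen and ip != gateway_ip)
    if sharers:
        findings.append(f"gateway MAC {seen} also claimed by {', '.join(sharers)}")
    return findings

if __name__ == "__main__":
    for name, snap in (("baseline", BASELINE), ("poisoned", POISONED)):
        print(name, check_gateway(parse_arp(snap), "192.0.2.1",
                                  "00:00:5e:00:53:01"))
```

The check looks at the cache rather than at connectivity because, as the quoted text notes, a host that forwards the redirected packets leaves everything apparently working. A MAC shared by the gateway and another address can also be legitimate (proxy ARP, a multi-homed router), so the second finding is a prompt to investigate, not proof.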