Vulnerability Development mailing list archives
ARP hole in Windows NT/2000
From: Grzegorz Flak <Grzegorz.Flak () comarch pl>
Date: Thu, 22 Nov 2001 19:45:25 +0100
Hi,I am not sure, if it is something new, but I think I found serious vulnerability in ARP implementation in WindowsNT/2000 (I checked it on NT4 SP6 and Win2000 SP1). The problem is when somebody whant to use "man in the middle" technik to evesdrop your traffic. This example was done with ettercap. To fill protect I use 'arp -s' to specify correct MAC for default geteway. So I had :
10.10.1.4 00-b0-64-49-1e-01 staticthen I use ettercap to capture my traffic to the gateway. Ofcourse I could see my POP3 pass ;) Then I checked arp table once again:
10.10.1.4 00-01-02-23-85-e1 staticThe MAC is different (this is MAC of my linux box). I checked the same on Solaris 2.7 and Linux 2.4.8 and they look unvulnerable. Is this already known vulnerabilty (I found indication of similar weakness, but that was on Windows 9x).
Any suggestions how to get rid off that. Reagards
Current thread:
- ARP hole in Windows NT/2000 Grzegorz Flak (Nov 22)
- Re: ARP hole in Windows NT/2000 Tomas Nybrand IT (Nov 23)
- Re: ARP hole in Windows NT/2000 Gigi Sullivan (Nov 24)
- Re: ARP hole in Windows NT/2000 Keith Simonsen (Nov 24)
- RE: ARP hole in Windows NT/2000 Grzegorz Flak (Nov 24)
- RE: ARP hole in Windows NT/2000 Chris (Nov 24)
- Re: ARP hole in Windows NT/2000 ALoR (Nov 25)
- Re: ARP hole in Windows NT/2000 Nelson Brito (Nov 24)
- Re: ARP hole in Windows NT/2000 Chris Green (Nov 23)
- Re: ARP hole in Windows NT/2000 Tomas Nybrand IT (Nov 23)