Bugtraq mailing list archives

Re: Redir games with ARP and ICMP


From: mouse () RODENTS MONTREAL QC CA (der Mouse)
Date: Sat, 20 Sep 1997 07:42:33 -0400


Not only that but a switched network allows you to make purely
unicast address attacks that the monitoring station won't see as the
LAN admin is himself switched from your packets...

It's a pretty stupid admin who counts on a station being able to sniff
attacks and then puts the monitoring station behind a switch.

Not that there aren't plenty of stupid admins out there, of course.
But I certainly know if _I_ were counting on my monitoring station
being able to snoop such things I'd make damn sure the switch forwarded
everything to it.  (All switches I've seen are capable of this.)

A filtering hub lets you perform this attack

        ping the two hosts you wish to snoop between.

        Using the mac address you learn via arp send both a unicast arp
        giving yourself as the answer for the other IP address.

"arp info for 0x11223344 overwritten by 01:02:03:04:05:06"

Not that anyone will necessarily notice, of course, but still.

                                        der Mouse

                               mouse () rodents montreal qc ca
                     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B
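
An added example, not part of the original post: detection logic over centrally collected kernel logs that flags any MAC address which has overwritten the ARP entries for two or more different IP addresses, which is what the redirection described above would log on both hosts. The message format is the one quoted in the post; the syslog prefix, host names, sample lines, the reading of the hex value as a big-endian IPv4 address, and all function names are assumptions.

```python
import re
from collections import defaultdict

# Format quoted in the post: "arp info for 0x<hex ip> overwritten by <mac>".
# Assumption: the hex value is the IPv4 address printed as a 32-bit
# big-endian number, and MAC octets may lack a leading zero.
OVERWRITE_RE = re.compile(
    r"arp info for 0x(?P<ip>[0-9a-fA-F]{1,8}) overwritten by "
    r"(?P<mac>(?:[0-9a-fA-F]{1,2}:){5}[0-9a-fA-F]{1,2})"
)

def hex_to_dotted(hex_ip):
    """Convert '11223344' to dotted-quad notation."""
    n = int(hex_ip, 16)
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def norm_mac(mac):
    """Zero-pad and lowercase each octet so equal MACs compare equal."""
    return ":".join(f"{int(octet, 16):02x}" for octet in mac.split(":"))

def find_suspect_macs(lines, min_ips=2):
    """Return {mac: sorted IPs} for MACs that replaced >= min_ips ARP entries."""
    claimed = defaultdict(set)
    for line in lines:
        m = OVERWRITE_RE.search(line)
        if m:
            claimed[norm_mac(m.group("mac"))].add(hex_to_dotted(m.group("ip")))
    return {mac: sorted(ips) for mac, ips in claimed.items()
            if len(ips) >= min_ips}

# Constructed sample: hosta and hostb each log that the other's IP now maps
# to the same MAC; hostc logs an unrelated, single overwrite.
SAMPLE_LOG = """\
Sep 20 07:40:01 hosta kernel: arp info for 0xc0a8010b overwritten by 01:02:03:04:05:06
Sep 20 07:40:01 hostb kernel: arp info for 0xc0a8010a overwritten by 01:02:03:04:05:06
Sep 20 07:41:15 hostc kernel: arp info for 0xc0a80114 overwritten by 0:a0:c9:11:22:33
""".splitlines()

if __name__ == "__main__":
    for mac, ips in find_suspect_macs(SAMPLE_LOG).items():
        print(f"{mac} replaced ARP entries for {', '.join(ips)}")
```

A single overwrite is often benign (a replaced network card, for instance), which is why only a MAC answering for several addresses is reported.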


