Bugtraq mailing list archives

Re: Sniffable Switch Project


From: Frédéric Raynal <frederic.raynal () inria fr>
Date: Tue, 16 Jul 2002 21:50:35 +0200


Hello,

On Tue, Jul 16, 2002 at 06:37:16AM -0400, alaric () alaricsecurity com wrote:

> If you decided to participate, please include all information about the
> switch(es) you tested (e.g. manufacturer, model, managed or unmanaged, how many
> ports, firmware/OS version, etc.). Please also include what you tested for
> - ARP spoofing, MAC flooding, MAC duplicating, or the like - and what the
> results were.


For an article recently published in a French magazine on security, I
also worked on something very similar. Our (our = the 3 authors) goal
was to detail everything you can do with the ARP protocol. Of course,
sniffing is one thing, but there is much more.

Another not so well known issue about ARP is the handling of messages
according to the OS. Some of them (some Windows, IOS 12, OpenBSD 3.0)
create new entries in their cache when they receive a reply (even
unsolicited), while others do not (Linux for instance). Note that the
creation is the correct behavior according to the RFC.

So, there are in fact many things to mention with ARP:
  - switches that fail open like hubs when they are flooded
  - OSes that are RFC compliant
  - and so on for various attacks...

A short summary of the article is available on
http://www.arp-sk.org. We show that ARP is not only efficient for
sniffing, and that you can have real fun with that protocol.

arp-sk is a Swiss army knife for the handling of ARP messages based on
the latest libnet-1.1.0beta. Among its cool features, you can notice:

  - complete control of all addresses either on the Ethernet layer or ARP
    itself
  - target assignment is made at Ethernet layer, but either with
    target's MAC or IP
  - complete control of the randomization of the 6 addresses (2 with
    Ethernet, 4 with ARP), i.e. you can set some addresses and
    randomize those you want
  - control the period of time for sending packets (from very slow to
    fury mode), and randomize the interval

Even if it is still under development, it is already functional.


Lastly, note that ARP messages can be used to detect promiscuous
cards on a network. To check a target, the trick is to send an ARP
query with all valid information in the ARP message, but with a fake
Ethernet destination address.

  Ethernet dst  FF:FF:FF:FF:FF:FE
  Ethernet src  <my Ethernet address>
  ARP mode      Who-has?
  ARP dst eth   00:00:00:00:00:00
  ARP dst IP    <IP of the target>
  ARP src eth   <my Ethernet address>
  ARP src IP    <my IP>

If the target answers, it is very likely that it is in promiscuous
mode.

I've also tested that solution with an ICMP echo-request (target was a
Linux 2.4), but that did not succeed. I had no time to investigate any
further, but it used to work with kernel 2.2. I had no time to check if
this behavior came from the change of the kernel or from something
else.


Regards

--
Frederic RAYNAL, Ph.D.
http://minimum.inria.fr/~raynal
Chief Editor of M.I.S.C.
Multi-Systems & Internet Security Cookbook
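The promiscuous-mode probe described in the message above, as an added example that is not part of the original post nor of arp-sk: it builds the Ethernet/ARP frame from the table (valid ARP payload, bogus Ethernet destination FF:FF:FF:FF:FF:FE) and models why only a host whose card is in promiscuous mode ends up answering. The NIC receive filter (`nic_accepts`) is a simplified model and an assumption of this example, not a description of any specific card.

```python
import struct

BROADCAST = bytes.fromhex("ffffffffffff")
PROBE_DST = bytes.fromhex("fffffffffffe")   # not any host's unicast MAC, not broadcast

def mac(s):
    return bytes.fromhex(s.replace(":", ""))

def ip(s):
    return bytes(int(o) for o in s.split("."))

def build_arp_probe(src_mac, src_ip, target_ip, eth_dst=PROBE_DST):
    """Ethernet frame carrying an ARP who-has for target_ip.

    Everything inside the ARP message is correct; only the Ethernet
    destination is fake, so a card filtering on destination MAC drops the
    frame before the OS ARP code ever sees it.
    """
    eth = eth_dst + mac(src_mac) + struct.pack("!H", 0x0806)        # EtherType ARP
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)                 # htype, ptype, hlen, plen, request
    arp += mac(src_mac) + ip(src_ip)                                # sender MAC / IP
    arp += mac("00:00:00:00:00:00") + ip(target_ip)                 # target MAC (unknown) / IP
    return eth + arp

def nic_accepts(frame, nic_mac, promiscuous, multicast_groups=()):
    """Simplified model (assumption) of a card's receive filter: in normal
    mode it keeps its own unicast, broadcast and subscribed multicast
    groups only; in promiscuous mode it keeps everything."""
    dst = frame[:6]
    if promiscuous:
        return True
    return dst == mac(nic_mac) or dst == BROADCAST or dst in multicast_groups

def host_replies(frame, nic_mac, nic_ip, promiscuous):
    """Would the host send an ARP reply? Only if the card passed the frame up
    and the ARP layer finds a request for its own IP."""
    if not nic_accepts(frame, nic_mac, promiscuous):
        return False
    arp = frame[14:]
    opcode = struct.unpack("!H", arp[6:8])[0]
    target_ip = arp[24:28]
    return opcode == 1 and target_ip == ip(nic_ip)

if __name__ == "__main__":
    # Constructed sample addresses, not from the original message.
    probe = build_arp_probe("00:11:22:33:44:55", "10.0.0.1", "10.0.0.2")
    print("normal card replies:     ", host_replies(probe, "aa:bb:cc:dd:ee:ff", "10.0.0.2", False))
    print("promiscuous card replies:", host_replies(probe, "aa:bb:cc:dd:ee:ff", "10.0.0.2", True))
```

A reply to such a probe therefore indicates that the host's card is passing frames not addressed to it up the stack, which is the signal a sniffer hunt looks for.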
