Security Incidents mailing list archives

RE: A bit strange ARP queries

From: Paul Farrington <paul.farrington () goldmedal co uk>
Date: Fri, 16 Dec 2005 08:54:49 -0000

Yeh APR - Arp Poison Routing, used for Hijacking Traffic between two hosts.
Not exactly sure how the packets look but the basics of it are, that your
p.c responds to arp packets from for instance a host, and its gateway,
telling both of them that it's the host its looking for, the traffic is then
routed through your p.c as the host thinks you're the gateway, and the
gateway thinks you're the host.

Incidentally, depending on what your using, your p.c should then act as a
router, and route the traffic to the host and the gateway, with this
occurring all the traffic is passing through your box, and you can sniff the
traffic.

Ta

Paul

-----Original Message-----
From: Eygene A. Ryabinkin [mailto:rea () rea mbslab kiae ru] 
Sent: 15 December 2005 15:06
To: incidents () securityfocus com
Subject: A bit strange ARP queries

  Good day!

 Has anyone seen such ARP packets? I am a bit curious, because we have no
strange hardware that will set the target hardware address in the who-has
ARP packet. Are there any attacks that using such packets?
-----
15:29:59.908901 arp who-has the-host-in-question (4:c0:40:1:e0:df) tell
the-requester                                                             
15:30:00.911228 arp who-has the-host-in-question (57:43:50:10:40:0) tell
the-requester                                                            
15:30:01.912045 arp who-has the-host-in-question (2e:2f:30:31:32:33) tell
the-requester                                                           
15:30:02.913314 arp who-has the-host-in-question (2e:2f:30:31:32:33) tell
the-requester                                                           
15:30:03.915013 arp who-has the-host-in-question (2e:2f:30:31:32:33) tell
the-requester                                                           
15:30:04.915854 arp who-has the-host-in-question (2e:2f:30:31:32:33) tell
the-requester                                                           
15:30:25.962925 arp who-has the-host-in-question (2e:2f:30:31:32:33) tell
the-requester                                                           
15:30:26.966171 arp who-has the-host-in-question (2e:2f:30:31:32:33) tell
the-requester                                                           
15:30:26.991402 arp reply the-host-in-question is-at 0:d:88:e6:db:dc

15:31:01.025945 arp who-has the-host-in-question (7:1c:c3:0:72:8c) tell
the-requester                                                             
15:31:01.040650 arp reply the-host-in-question is-at 0:d:88:e6:db:dc

15:32:01.308911 arp who-has the-host-in-question (4:f9:50:10:ff:ff) tell
the-requester                                                            
15:32:01.319515 arp reply the-host-in-question is-at 0:d:88:e6:db:dc

15:33:01.448065 arp who-has the-host-in-question (0:b0:2:0:25:f) tell
the-requester                                                               
15:33:02.448924 arp who-has the-host-in-question (2e:2f:30:31:32:33) tell
the-requester                                                           
15:33:02.573582 arp reply the-host-in-question is-at 0:d:88:e6:db:dc

15:34:00.568785 arp who-has the-host-in-question (0:b0:2:0:25:f) tell
the-requester                                                               
15:34:01.569537 arp who-has the-host-in-question (2e:2f:30:31:32:33) tell
the-requester                                                           
15:34:01.625362 arp reply the-host-in-question is-at 0:d:88:e6:db:dc

15:35:00.836038 arp who-has the-host-in-question (0:0:1f:0:a:c7) tell
the-requester                                                               
15:35:00.956094 arp reply the-host-in-question is-at 0:d:88:e6:db:dc

15:36:12.412916 arp who-has the-host-in-question (94:eb:ed:1a:71:fb) tell
the-requester                                                           
15:36:12.423227 arp reply the-host-in-question is-at 0:d:88:e6:db:dc
-----
 'the-host-in-question' and 'the-requester' are, of course, IP addresses.

  Thanks!
-- 
 rea

BOFH excuse #158:
Defunct processes

********************************************************************** 
This email and any files transmitted with it are confidential and 
intended solely for the use of the individual or entity to whom they 
are addressed. If you have received this email in error please notify 
postmaster () goldmedal co uk

This footnote also confirms that this email message has been swept by 
MIMEsweeper 5.1 for the presence of computer threats.

www.clearswift.com 
**********************************************************************

Current thread:

A bit strange ARP queries Eygene A. Ryabinkin (Dec 15)
- Re: A bit strange ARP queries incidents (Dec 17)
- RE: A bit strange ARP queries Jason Burton (Dec 17)
- Re: A bit strange ARP queries wayne dawson (Dec 17)
  - Re: A bit strange ARP queries Eygene A. Ryabinkin (Dec 17)
    - RE: A bit strange ARP queries Craig Skelton (Dec 17)
    - RE: A bit strange ARP queries Jeroen van Meeuwen (Dec 17)
  - Re: A bit strange ARP queries Samuel R. Baskinger (Dec 21)
- Re: A bit strange ARP queries Tillmann Werner (Dec 17)
  - Re: A bit strange ARP queries Jeff Kell (Dec 17)
- <Possible follow-ups>
- RE: A bit strange ARP queries Paul Farrington (Dec 17)
- RE: A bit strange ARP queries Dave Hawkins (Dec 19)
- RE: A bit strange ARP queries Koike, Rafael Marcelino (Dec 22)
  - Re: A bit strange ARP queries Eygene A. Ryabinkin (Dec 22)