Penetration Testing mailing list archives

Re: [PEN-TEST] Arp Spoofing under WinNT 4.0


From: Wojciech Dworakowski <wojtekd () aba krakow pl>
Date: Thu, 1 Feb 2001 11:41:06 +0100

On Wed, Jan 31, 2001 at 12:41:47PM +0100, Fabio Pietrosanti wrote:
Hi,

I'm doing a pen test, and I got access to an NT server on which I would
like to place a sniffer.

I've tried buttsniff and then Dsniff using WinPcap, but I notice that they
are on a switched network, so I have two solutions:

1) Flood the switch with random MAC addresses so its table will be filled and
   the switch will operate in bridge mode
2) Do ARP spoofing so I could intercept all packets destined to the host
   whose traffic I need to sniff.

On Unix there are many tools, but on WinNT 4.0 with WinPcap are there any
tools for "ARP spoofing"?


You can spoof the ARP table on Windows NT (actually on any system) using another
machine (e.g. with Linux).
Just send it Ethernet frames with a spoofed MAC address in the SRC field.

Recently I gave some presentations about it. I was able to intercept an example
telnet session between NT and Linux in a switched environment (3Com and HP
switches) using hunt on another Linux machine.
This is a classical spoof attack, using the man-in-the-middle technique.

Check out hunt documentation for full description.
--
____
Wojtek Dworakowski - wojtekd () aba krakow pl
          ABA - www.aba.krakow.pl
Kryptografia i ochrona informacji: http://www.ipsec.pl