Penetration Testing mailing list archives

Re: Layer 2 arp snooping without Layer 3?


From: Cedric Blancher <blancher () cartel-securite fr>
Date: Thu, 25 Oct 2007 19:35:10 +0200

On Thursday 25 October 2007 at 10:44 +0300, Nikolaj wrote:
> Well you could poison one's cache but without you having an ip address
> it will be pointless. [...] and the kernel will most likely discard
> it). I think this is what will happen.

Not necessarily.
You can sniff traffic and send it back to userland applications using a
mechanism such as tuntap. On Linux, you can use the ebtables framework to
route traffic back to the IP stack, then Netfilter to another local IP
address.
You just have to send it somewhere you have an IP address, but it does
not have to be on the link you're sending your ARP cache poisoning.


-- 
http://sid.rstack.org/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
Hi! I'm your friendly neighbourhood signature virus.
Copy me to your signature file and help me spread!
