Penetration Testing mailing list archives
Re: Layer 2 arp snooping without Layer 3?
From: offset <offset () ubersecurity org>
Date: Thu, 25 Oct 2007 15:27:04 -0500
On Thu, Oct 25, 2007 at 12:36:49PM -0400, Tim wrote:
Hello,Well you could poison one's cache but without you having an ip address it will be pointless. Arp is used to map l2 to l3. So if you send rogueActually... isn't it supposed to map L3 to L2? This is probably an important distinction here.packets saying that mac 11:22:33:44:55:66 is on your ip address without you having one the hosts will start sending packets to the rogue ip address ( that should be yours) and because you don't have it setup the traffic will go to /dev/null ( the switches will forward it to you nic but you won't have an ip address and the kernel will most likely discard it). I think this is what will happen. And ARP is designed to find an address based on another one.If we falsely advertize that a given IP address maps to our NIC address, then the switch should send those packets to that NIC regardless of whether or not we have an IP, right? Sure, the kernel will discard those packets but that shouldn't matter if we're listening on the raw device in promiscuous mode. So, in theory it should be possible, though please correct me if my understanding is flawed.
I can arp poison another system without having an IP address bound to a NIC, so I know this is possible, I can only successfully do mitm with L3 (thus far) using IP forwarding. Brainstorming ideas for mitm using only L2 without ever having an IP address bound to a NIC to further avoid detection.
Now the applicable questions are: Does Linux lets you go into promiscuous mode while you're bridging? Does Linux let you send false ARP packets on an interface that's bridging? The former question I would guess is a yes. If not, you could at a minimum use iptables in bridging mode to redirect some packets to some place where you can more easily sniff them. The latter question I'm not sure on, but even if there were a kernel limitation on that, you could poison the switch from another interface or system.
My goal with L2 is to have victim frames coming to my machine, view the packets (ie. tcpdump, etc), but have the frames sent back out to the real gateway to avoid a DoS situation against the victim. L3 does this for you via IP forwarding, L2 is another matter. -- offset ------------------------------------------------------------------------ This list is sponsored by: Cenzic Need to secure your web apps NOW? Cenzic finds more, "real" vulnerabilities fast. Click to try it, buy it or download a solution FREE today! http://www.cenzic.com/downloads ------------------------------------------------------------------------
Current thread:
- Layer 2 arp snooping without Layer 3? offset (Oct 24)
- Re: Layer 2 arp snooping without Layer 3? Nikolaj (Oct 25)
- Re: Layer 2 arp snooping without Layer 3? Tim (Oct 25)
- Re: Layer 2 arp snooping without Layer 3? Nikolaj (Oct 25)
- Re: Layer 2 arp snooping without Layer 3? offset (Oct 25)
- Re: Layer 2 arp snooping without Layer 3? Tim (Oct 25)
- Re: Layer 2 arp snooping without Layer 3? Tim (Oct 25)
- Re: Layer 2 arp snooping without Layer 3? Cedric Blancher (Oct 25)
- Re: Layer 2 arp snooping without Layer 3? Nikolaj (Oct 25)
- Re: Layer 2 arp snooping without Layer 3? Cedric Blancher (Oct 25)
- <Possible follow-ups>
- Re: Layer 2 arp snooping without Layer 3? hackman (Oct 25)