Penetration Testing mailing list archives
Windows ignoring ethernet broadcasts destined to it
From: "Antonio \\\"KhaoticMind\\\" Augusto" <khaoticmind () gmail com>
Date: Mon, 7 Jan 2008 02:34:06 -0300
Hey guys, I've a small virtual lab here (Vmware on top of Kubuntu 7.10 running one WindowsXP (192.168.4.133) and another kubuntu 7.10 (192.168.4.128) ), and was playing with ARP poisoning. I was making some experiments sending some arp replies with source hardware address being FF:FF:FF:FF:FF:FF, and testing the communication with ping. Everything work as planed: when I poisoned the virtual Linux box, it would send the ICMP Requests to the right address (.133) using the broadcast ethernet address. Funny thing was that Windows was not responding to it. I tested the opposite case (Windows poisoned, sending requests to .128 at FF:FF:FF:FF:FF:FF) and the Linux box responded to it just fine (sending the reply to FF:FF:FF:FF:FF:FF)! I checked the virtual windows box with tcpdump and it is indeed receiving the packets. I tested the same scenario trying to telnet to port 135 on Windows host, with linux poisoned, and got the same results. It appears that windows will simply drop broadcast ethernet packets that aren't ARP requests... I tried looking on the net but couldn't find any docs saying this is intended behavior. And also why Linux respond to such packets? Is there any opportunity to an attack to a Linux box running in this way? There is a way to make Linux behave like windows? Hope i made myself clear... its 2:30AM and I'm starting to not feel my hands :) -- KhaoticMind "Things are like they are because that's how they are suposed to be." ------------------------------------------------------------------------ This list is sponsored by: Cenzic Need to secure your web apps NOW? Cenzic finds more, "real" vulnerabilities fast. Click to try it, buy it or download a solution FREE today! http://www.cenzic.com/downloads ------------------------------------------------------------------------
Current thread:
- Windows ignoring ethernet broadcasts destined to it Antonio \"KhaoticMind\" Augusto (Jan 08)