Vulnerability Development mailing list archives
Re: More on ARP cache poisoning
From: brycewalter () HOTMAIL COM (Bryce Walter)
Date: Wed, 2 Feb 2000 14:29:33 GMT
For remote hosts, the computer is going to arp for the defualt gateway instead of the destination IP. If you poisoned the ARP cache for the entry of the default gateway, all packets for any remote computers would be sent to you. This would probably be noticed pretty quickly when nothing seems to "work" on the target computer. You could try to avoid this by enabling routing on your box to get the packets that you don't care about to their real desinations.
I tried to see if it would be possible to poison the ARP cache of my machine (Solaris 2.6) so that it contained an Ether address of a local machine, but the IP address of a machine outside my network (prep.ai.mit.edu, for example). I didn't work. Not with the 'poink' program nor with 'arp -s <host> <ether>'. The ARP cache in Solaris anyway is smart enough to not take entries for remote networks. Maybe someone else can try on Linux and other platforms. I will try under HP-sUX when I get a chance. So, this pretty much makes moot hijacking the SETI download, etc. You can ony use the ARP poison to redirect connections _within_ or LAN. If anybody finds a way around this, please post the solution. -- Shawn
______________________________________________________ Get Your Private, Free Email at http://www.hotmail.com
Current thread:
- More on ARP cache poisoning Clifford, Shawn A (Feb 01)
- Re: More on ARP cache poisoning Forrest W. Christian (Feb 01)
- Re: More on ARP cache poisoning Sebastian (Feb 02)
- Re: More on ARP cache poisoning Granquist, Lamont (Feb 03)
- Re: More on ARP cache poisoning ulan (Feb 02)
- <Possible follow-ups>
- Re: More on ARP cache poisoning Clifford, Shawn A (Feb 01)
- Re: More on ARP cache poisoning Dug Song (Feb 01)
- Re: More on ARP cache poisoning Mudge (Feb 03)
- no comment Michal Zalewski (Feb 02)
- Re: no comment Michal Zalewski (Feb 02)
- Re: More on ARP cache poisoning Dug Song (Feb 01)
- Re: More on ARP cache poisoning Bryce Walter (Feb 02)
- Re: More on ARP cache poisoning Ron Parker (Feb 03)