Re: fooling hubs [ARP Spoofing]

[shawn.a.clifford () LMCO COM (Clifford, Shawn A)]

Hmmm... Road Runner must do something different on the Time Warner Cable
system here in Orlando, Florida.

First, the tech never installed the (crappy) software on my computer,
because I already had DHCP turned on and once I kicked the service it
grabbed an IP address just fine.  The tech told me the software sucks, so I
have never bothered to install it.

Two, I have a hub hanging off of the cable modem and I have two computers
DHCP'ing through the cable modem just fine.  They both run simultaneously.
One is NT the other is 98SE.  Throughput doesn't seem to be degraded on
either machine while doing "parallel" downloads.  And the addresses are in
the same broadcast domain, which happens to be a 9-bit broadcast mask (ie.
subnet mask = 255.255.254.0).  I've heard from someone else at my work that
he has a 7-bit broadcast mask (subnet = 255.255.255.128).  Weird.  Guess it
is a much smaller switch in his neighborhood.

So, the switches here, anyway, are configured and are capable of handling
multiple MAC addresses per port.

-- Shawn

> -----Original Message-----
> From: H D Moore [mailto:secure () SECUREAUSTIN COM]
> Sent: Monday, February 07, 2000 8:12 AM
> To: VULN-DEV () SECURITYFOCUS COM
> Subject: Re: fooling hubs [ARP Spoofing]
>
>
> Hi,
>
> Road Runner uses the modem serial number in conjunction with special
> routing hard/software to determine your usage.  This means
> that you cant
> just snag someone elses MAC/IP because the switch know what serial
> number goes to which port.  How the switch recieves the
> serial number is
> unknown, I think it is done during the initial setup when the modem is
> being 'registered' by the tech that installs it.  Using a program like
> changemac just annoys thier admins, as it looks like you have multiple
> computers and are switching between them (a friend of mine
> works at the
> cable co and told me how they track usage/etc).
>
> If anyone knows something to the contrary or know what protocol the
> Motorola Waverunner modems use to register themselves (or about the
> switches used), please let me know!
>
> -HD
>
>
> Jeff Bachtel wrote:
> > Oddly enough, there was a post to misc () openbsd org from a
> guy who said
> > he found a way to treble his upload speed on his cable
> modem by proxy
> > arp'ing to the mac address of his cable modem.
> >
> > I don't know how well that would work with different
> providers, but if
> > someone hacks together a little windows utility to sniff out the arp
> > of the cable modem, and set windows to start proxying it
> > automatically, that would seem likely to regress cable
> modem back into
> > the good ol' (or bad ol') days of near-unlimited bandwidth.
> >
> > Does anyone know the likelihood of this actually working?
> >
> > jeff
> >
> > On Thu, Feb 03, 2000 at 10:05:34PM +0000, David aka SpanskA wrote:
> > > Hi,
> > >    I was looking at ARP spoofing postings for a while and
> I was wondering if
> > > it was possible to permanently fool some hubs or routers. My ISP
> > > (Cablevision) is using some kind of system to know how
> much I'm uploading
> > > and downloading.
> > >
> > > I succesfully did it one time with a little prog called
> "changemac". If you
> > > wanna look at it just go to packetstorm archive.
> Unfortunately, the last
> > > month I checked the data report I could see that my ISP
> was able to know
> > > (again!) how much I was downloading and uploading.
> > >
> > > Is this a bug with some kind of hardware or with ARP protocol?
> > >
> > >
> > > Sorry for my English mistakes...