Vulnerability Development mailing list archives

Re: MiM Simultaneous close attack

From: jaywhy <jaywhy2 () home com>
Date: Sat, 18 Aug 2001 13:20:36 -0400

I already send a message to vuln-dev about this. But I will explain your
scenario  more in depth.

                 internet
                    |
                 +--+-----+
                 | gateway|
                 +--+-----+
                    |MAC1(gg:gg)ip,gg.gg
                    |
                    |port3
          port1 +---+---+  port2
       +--------+switch +---------------------+
       |        +-------+                     |
   +---+-----+                            +---+---+
   |  Hub1   +--host c ip cc,cc           |  HUB2 |
   +-+-----+-+  mac cc:cc                 +---+---+
     |                                        |
   Host A(MAC2 aa:aa)              Host B(mac bb:bb)ip,bb.bb
  ip:aa.aa         

Lets say there is a host on hub2 that has the ip 10.0.0.3(Host B) and he
want to connect to a host with ip 10.0.0.2(Host A).

Host A wants connect to Host B telnet server or something like that.

Host A will send a broadcast out like this

Arp Broadcast who-has 10.0.0.3 tell (Host A mac address)

The message will be sent to the broadcast ff:ff:ff:ff:ff:ff ethernet
address.  The router recieves the broadcast and forwards it to all ports.
Everything connected to that router will receive the broadcast.  The router
how ever will not forward the broadcast out of that network it will simple
be dropped.  Although some misconfigured routers to forward broadcasts but
that is really doubtful.

Now host b will respond to the arp request with his mac address.

Arp reply (host A mac address) is-at (Host B mac address)

Since all ports connected to that router receive the broadcast nothing holds
Malicious computer Host M from responding as well.

Arp reply (host A mac address) is at (Host M Spoofing as Host B ip address)

Arpspoof does this for you.  It replies to the arp request even though it
not it's ip address requested, and it send back it's mac address as though
it were really host b.  Host A is in the dark, it has no clue Host B is
really Host M.  

Using arpspoof to spoof the address and you also use dsniff as a packet
sniffer.  Host M will act as a router between Host A and Host B using a
program called fragrouter it will forward the data between Host A and Host b
so the connection will not be dropped, and it will go undetected.


Host A --------> Host M(with fragrouter) -------> Host B
Host B --------> Host M(with fragrouter) -------> Host A

-- 
Jason Yates
jaywhy2 () home com

Current thread:

Re: MiM Simultaneous close attack, (continued)
- - - Re: MiM Simultaneous close attack Michael J. Cannon (Aug 17)
  - RE: MiM Simultaneous close attack David Schwartz (Aug 17)
  - RE: MiM Simultaneous close attack Dom De Vitto (Aug 17)
  - Re: MiM Simultaneous close attack Korhan Kaya (Aug 17)
- RE: MiM Simultaneous close attack big bon (Aug 17)
  - Re: MiM Simultaneous close attack Paul (Aug 18)
    - Re: MiM Simultaneous close attack Robert Freeman (Aug 18)
    - Re: MiM Simultaneous close attack Mauro Flores (Aug 21)
    - RE: MiM Simultaneous close attack Dom De Vitto (Aug 21)
    - Re: MiM Simultaneous close attack Jim Nanney (Aug 21)
    - Re: MiM Simultaneous close attack jaywhy (Aug 18)
    - Re: MiM Simultaneous close attack Paul (Aug 19)