Re: MiM Simultaneous close attack

["Paul" <paulbugtraq () 263 net>]

----- Original Message ----- 
From: "jaywhy" <jaywhy2 () home com>
To: "Paul" <paulbugtraq () 263 net>; <vuln-dev () securityfocus com>
Sent: Sunday, August 19, 2001 1:20 AM
Subject: Re: MiM Simultaneous close attack
Thank you.
This is not what i want.I wanna get the packets between the gateway and other hosts connected to the other hub.
What you said is right.I have succeeded in this.But in this way,I failed to fake the gateway's MAC.
The reasons are:( i am on the host A in the following illustration)
1.I send arp request arp who is at cc.cc tell  gg.gg(mac:aa:aa)
2.Host B sends arp reply arp cc.cc is at cc:cc and put(or update) the entry gg.gg->aa:aa in its arp cache.
3.In my campus,It's free to visit Internet,so the gateway is very busy.
4.The gateway frequently sends arp request like arp request who is at xx.xx tell gg.gg(mac:gg:gg).Because
 arp request is broadcasted,Host B can get this arp request.
5.Remember many os feature that if he receive a arp request whose src mac or src ip presents in its cache,It will use 
the
  map src ip->src mac of the arp request it just received.
6.So the gateway's mac in Host B's cache will alternate between the fake(aa:aa) and the correct one(gg:gg).I have seen 
the phenomena in host B(win me) with arp -a.


Regards.
Paul

 







> I already send a message to vuln-dev about this. But I will explain your
> scenario  more in depth.
>
>                  internet
>                     |
>                  +--+-----+
>                  | gateway|
>                  +--+-----+
>                     |MAC1(gg:gg)ip,gg.gg
>                     |
>                     |port3
>           port1 +---+---+  port2
>        +--------+switch +---------------------+
>        |        +-------+                     |
>    +---+-----+                            +---+---+
>    |  Hub1   +--host c ip cc,cc           |  HUB2 |
>    +-+-----+-+  mac cc:cc                 +---+---+
>      |                                        |
>    Host A(MAC2 aa:aa)              Host B(mac bb:bb)ip,bb.bb
>   ip:aa.aa         
>
> Lets say there is a host on hub2 that has the ip 10.0.0.3(Host B) and he
> want to connect to a host with ip 10.0.0.2(Host A).
>
> Host A wants connect to Host B telnet server or something like that.
>
> Host A will send a broadcast out like this
>
> Arp Broadcast who-has 10.0.0.3 tell (Host A mac address)
>
> The message will be sent to the broadcast ff:ff:ff:ff:ff:ff ethernet
> address.  The router recieves the broadcast and forwards it to all ports.
> Everything connected to that router will receive the broadcast.  The router
> how ever will not forward the broadcast out of that network it will simple
> be dropped.  Although some misconfigured routers to forward broadcasts but
> that is really doubtful.
>
> Now host b will respond to the arp request with his mac address.
>
> Arp reply (host A mac address) is-at (Host B mac address)
>
> Since all ports connected to that router receive the broadcast nothing holds
> Malicious computer Host M from responding as well.
>
> Arp reply (host A mac address) is at (Host M Spoofing as Host B ip address)
>
> Arpspoof does this for you.  It replies to the arp request even though it
> not it's ip address requested, and it send back it's mac address as though
> it were really host b.  Host A is in the dark, it has no clue Host B is
> really Host M.  
>
> Using arpspoof to spoof the address and you also use dsniff as a packet
> sniffer.  Host M will act as a router between Host A and Host B using a
> program called fragrouter it will forward the data between Host A and Host b
> so the connection will not be dropped, and it will go undetected.
>
>
> Host A --------> Host M(with fragrouter) -------> Host B
> Host B --------> Host M(with fragrouter) -------> Host A
>
> -- 
> Jason Yates
> jaywhy2 () home com