Re: Hijack IP Address using cable modem

[Patrick Maartense <patrick () PATRICK AT>]

do it different

preconfigure your system to have these IPs as well
ifconfig eth0:0 .... bla bla

next time the ARP comes. (make it come by pining the addres from a different system in another net)
OH Yeah.....

That way I took 4 class C's as proof of concept ( my 2.4.2 Linux Fw with 128M of mem started to choke because of the 
firewall tables)

The ISP therefor was not that happy ....




heres a snip from my subnet and they are guilty of this as i have known this
for a while:

[root@dsbelile /root]# tcpdump -i eth0 -vv -p arp -l > /tmp/media_sniff &
tail -f /tmp/media_sniff
[1] 4461
Kernel filter, protocol ALL, datagram packet socket
tcpdump: listening on eth0
09:00:51.413545 B arp who-has 24.128.143.7 tell bvubr01.ne.mediaone.net
09:00:56.420043 > arp who-has bvubr01.ne.mediaone.net tell
dsbelile.ne.mediaone.net (0:10:4b:6a:b2:15)
09:00:56.426959 < arp reply bvubr01.ne.mediaone.net is-at 0:b0:8e:f5:18:70
(0:10:4b:6a:b2:15)

and bvubr01.ne.mediaone.net is the gateway / router for this subnet.

[root@scavenger /root]# nslookup bvubr01.ne.mediaone.net
Server:  dns.corp.skillsoft.com
Address:  10.0.2.78

Non-authoritative answer:
Name:    bvubr01.ne.mediaone.net
Addresses:  24.128.8.240, 24.128.142.1

[root@scavenger /root]#

also if you use ettercap ( either version ) or manually useing hunt and try
any type of MITM attack useing the gateway and another machine on the subnet
the entire subnet goes to crap.
and it seams to me the router took a ARP flood and stopped resonding. im not
positive but i think they are a form of cisco router.
anyone have any ideas about this ?

would love to hear and real good explanations.

-D