Vulnerability Development mailing list archives

Re: Hijack IP Address using cable modem

From: cdowns <cdowns () SKILLSOFT COM>
Date: Wed, 28 Mar 2001 09:32:40 -0500

Patrick Maartense wrote:

DISCLAIMER
A large cablenetwork company has been informed of this MISBEHAVIOUR and
threatened to disconnect me. they would not think of a proper sollution :

Purpose: A Hackers dream, work from your won PC with IP Addresses someone
else owns:

In short, Occupy IP Addresses someone else normally owns.
Normal Broadband Cable networks either give out DHCP Addresses or a Fix
Address or Address range.

When doing a SNIF on the outbound iface a proper designed network should
not broadcast ARP request not meant for the network on that end of the
CableModem.

Some Networks However are Weak Configurred and broadcast ARP for the
entire shared medium through all Cable Modems attached to that Network.

A smart hacker would setup the outbound iface to reply to all ARP requests
it gets, therefor being able to take any IP Address that is broadcasted
for.

This makes folliwng possible:

Dos.
Hacking using Outhers  Addresses
Not to mention all other fun...

any Comments on this ?

--
---
Kind Regards
Patrick Maartense (using Pine on a Text Console)


heres a snip from my subnet and they are guilty of this as i have known this
for a while:

[root@dsbelile /root]# tcpdump -i eth0 -vv -p arp -l > /tmp/media_sniff &
tail -f /tmp/media_sniff
[1] 4461
Kernel filter, protocol ALL, datagram packet socket
tcpdump: listening on eth0
09:00:51.413545 B arp who-has 24.128.143.7 tell bvubr01.ne.mediaone.net
09:00:56.420043 > arp who-has bvubr01.ne.mediaone.net tell
dsbelile.ne.mediaone.net (0:10:4b:6a:b2:15)
09:00:56.426959 < arp reply bvubr01.ne.mediaone.net is-at 0:b0:8e:f5:18:70
(0:10:4b:6a:b2:15)

and bvubr01.ne.mediaone.net is the gateway / router for this subnet.

[root@scavenger /root]# nslookup bvubr01.ne.mediaone.net
Server:  dns.corp.skillsoft.com
Address:  10.0.2.78

Non-authoritative answer:
Name:    bvubr01.ne.mediaone.net
Addresses:  24.128.8.240, 24.128.142.1

[root@scavenger /root]#

also if you use ettercap ( either version ) or manually useing hunt and try
any type of MITM attack useing the gateway and another machine on the subnet
the entire subnet goes to crap.
and it seams to me the router took a ARP flood and stopped resonding. im not
positive but i think they are a form of cisco router.
anyone have any ideas about this ?

would love to hear and real good explanations.

-D

Current thread:

Re: Hijack IP Address using cable modem, (continued)
- - - Re: Hijack IP Address using cable modem Bill Munger (Mar 29)
    - Re: Hijack IP Address using cable modem Mathias Wegner (Mar 28)
    - Re: Hijack IP Address using cable modem Dick Visser (Mar 28)
    - Re: Hijack IP Address using cable modem Reb (Mar 29)
    - Re: Hijack IP Address using cable modem Patrick Maartense (Mar 28)
    - Re: Hijack IP Address using cable modem Patrick Maartense (Mar 28)
    - Re: Hijack IP Address using cable modem Nick Summy (Mar 29)
    - Re: Hijack IP Address using cable modem David Laganière (Mar 29)
    - Re: Hijack IP Address using cable modem Clayton Hoskinson (Mar 29)
    - Re: Hijack IP Address using cable modem moksha faced (Mar 29)
- Re: Hijack IP Address using cable modem cdowns (Mar 28)
- Re: Hijack IP Address using cable modem Patrick Maartense (Mar 28)
- Re: Hijack IP Address using cable modem Williamson, Glenn (Mar 29)
  - Re: Hijack IP Address using cable modem cdowns (Mar 29)