Re: Hijack IP Address using cable modem

[Reb <reb () openrecords org>]

Greetings,
Unfortunately this type of attack would not work as well as one would think.
Most cable providers limit upload speed, so the person that is being
hijacked would notice the 16k/sec throughput as a major slowdown.  An
alternative to this problem would be to have a fast link to the Internet (T1
or whatever) and route the box being attacked through the fast link so that
they don't see a considerable difference in their service.
Reb

Hi

I just thought of another way of hacking.
Since I see ARP traffic on my interface, but no other traffic from any
host unless it's destination is my IP, lets do the following:

Watch ARP traffic some time. This way you know that victim with mac adress
VMAC gets ip adress VIP from the cable company's DHCP server.
Next let your own dhcpd listen on the internet-interface and have it
configured to also give VIP to VMAC. Provide victim also with the same DNS
as he would get from provider, but give him the gateway-IP of your
machine.
Now set up apropriate routing so victim does not notice anything.

When this works, you have the same possibilities for sniffing etc as
victim were on the same ethernet-segmnet - and that's not the case in the
default config.

Also there would be ways to hijack connections, even better that if victim
was on the same ethernet because there is no problem of having multiple
hosts with the same IP. All traffic goes through your box.

Or am I dwelling off :)

--

  *    ***     Dick Visser
 **   *   *    TIENHUIS consultancy
  *   * ***    Linux, networking, security
  *   * * *    J. Catskade 10h             T +3120 6843731
  *   **  *    1052 BW Amsterdam           F +3120 8641420
  *   *   *    The Netherlands
  *   *   *    W: http://www.tienhuis.nl
 ***   ***     E: d.n.m.visser () tienhuis nl