Vulnerability Development mailing list archives

Re: ARP hole in Windows NT/2000


From: Keith Simonsen <bangel () elite net>
Date: Sat, 24 Nov 2001 07:39:18 -0800

Hello,


I came across this problem a while back too... the main point I think is he
used "arp -s" which should create a permanent entry in the arp table.

ettercap probably floods the LAN with gratuitous arp requests, so it can steal
the gateway's ip address. If NT had a functional arp cache, the entry set
with arp -s should not be changed.

{root@blak 10:07am} ~# arp -S 192.168.1.1 0:60:8:af:8c:e4                       
{root@blak 10:07am} ~# arp -an
? (192.168.1.1) at 0:60:8:af:8c:e4 permanent [ethernet]

I ran arpspoof (from dsniff pkg) for a while against that host
{bangel@nomad 11:17am} /home/bangel# arpspoof -i ep0 -t 192.168.1.2 nomad       
from another machine, the arp entry never changed, which is how it should
be.

I walked upstairs to a Windows 95 machine, did this:
C:\>arp -s 192.168.1.1 00-60-08-af-8c-e4
C:\>arp -a
Interface: 192.168.1.3 on Interface 2
  Internet Address      Physical Address      Type
  192.168.1.1           00-60-08-af-8c-e4     static

I then ran arpspoof against the 95 machine. The supposedly static entry
changed immediately to the machine I was trying to spoof.

C:\>arp -a
Interface: 192.168.1.3 on Interface 2
  Internet Address      Physical Address      Type
  192.168.1.1           00-a0-c9-89-16-4a     static

I repeated the same thing on win2000 SP1 I had on a laptop here... Same
results.

A while back, a friend and I tested many platforms against this bug, using
both spoofed arp replies and spoofed gratuitous arp requests. Unfortunately
I can't find our results, but I do remember that all versions of Windows
we tested were vulnerable to changing static arp entries w/ spoofed arp
replies.

Thanks
Keith

On 23-Nov-2001, Tomas Nybrand IT wrote:
Hi

Well, ARP poisoning can't be considered as something new, and I would
prefer to call it a vulnerability in the ARP protocol rather than a
Windows vulnerability.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 Tomas Nybrand - UNIX Administrator
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    --   Bene qui latuit, bene vixit.   --

Grzegorz.Flak () comarch pl writes:
Hi,

I am not sure if it is something new, but I think I found a serious
vulnerability in the ARP implementation in Windows NT/2000 (I checked it on
NT4 SP6 and Win2000 SP1). The problem is when somebody wants to use the "man
in the middle" technique to eavesdrop on your traffic. This example was done
with ettercap.
To fully protect myself I use 'arp -s' to specify the correct MAC for the default
gateway. So I had:
 10.10.1.4             00-b0-64-49-1e-01     static

then I use ettercap to capture my traffic to the gateway. Of course I
could see my POP3 pass ;) Then I checked the arp table once again:

 10.10.1.4             00-01-02-23-85-e1     static

The MAC is different (this is the MAC of my linux box). I checked the same
on Solaris 2.7 and Linux 2.4.8 and they look invulnerable.
Is this an already known vulnerability? (I found indication of a similar
weakness, but that was on Windows 9x.)

Any suggestions how to get rid of that?

Regards
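A defender-side check for what both Keith's test and the original report describe (a "static" gateway entry that silently changes under spoofed ARP replies), added here as an example and not code from anyone in this thread: it parses the Windows "arp -a" table format shown above and compares the gateway's entry against a pinned MAC. The sample tables and the pinned value are constructed from the thread's own output; the function names are assumptions.

```python
import re
from typing import Dict, List

# One row of Windows "arp -a" output: IP, dash-separated MAC, entry type.
_ROW = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"([0-9a-fA-F]{2}(?:-[0-9a-fA-F]{2}){5})\s+(\w+)\s*$"
)


def _norm(mac: str) -> str:
    """Normalize a MAC to lowercase, colon-separated form for comparison."""
    return mac.lower().replace("-", ":")


def parse_windows_arp(output: str) -> Dict[str, dict]:
    """Parse 'arp -a' text into {ip: {"mac": ..., "type": "static"|"dynamic"}}.
    Header and 'Interface:' lines do not match the row pattern and are skipped."""
    table: Dict[str, dict] = {}
    for line in output.splitlines():
        m = _ROW.match(line)
        if m:
            ip, mac, kind = m.groups()
            table[ip] = {"mac": _norm(mac), "type": kind.lower()}
    return table


def check_pinned(output: str, pinned: Dict[str, str]) -> List[str]:
    """Compare the live table against a pinned IP->MAC map (e.g. the gateway).
    Returns one alert string per entry that is missing or no longer matches,
    regardless of whether the OS still labels the entry 'static'."""
    table = parse_windows_arp(output)
    alerts = []
    for ip, want in pinned.items():
        entry = table.get(ip)
        if entry is None:
            alerts.append(f"{ip}: pinned entry missing from cache")
        elif entry["mac"] != _norm(want):
            alerts.append(f"{ip}: MAC {entry['mac']} != pinned {_norm(want)} (type={entry['type']})")
    return alerts


# Constructed samples: the before/after tables from the Windows 95 test above.
BEFORE = "Interface: 192.168.1.3 on Interface 2\n  Internet Address      Physical Address      Type\n  192.168.1.1           00-60-08-af-8c-e4     static\n"
AFTER = "Interface: 192.168.1.3 on Interface 2\n  Internet Address      Physical Address      Type\n  192.168.1.1           00-a0-c9-89-16-4a     static\n"
PINNED = {"192.168.1.1": "00-60-08-af-8c-e4"}

if __name__ == "__main__":
    for label, out in (("before", BEFORE), ("after", AFTER)):
        print(label, check_pinned(out, PINNED) or ["ok"])
```

Run it periodically against the live `arp -a` output on the host and alert on any non-empty result; the "type" field alone cannot be trusted, since the thread shows it still reads "static" after the MAC has changed.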
