Vulnerability Development mailing list archives

Re: ARP hole in Windows NT/2000


From: "Nelson Brito" <nelson () tw-award com>
Date: Sat, 24 Nov 2001 14:28:00 -0200

-----BEGIN PGP SIGNED MESSAGE-----

In fact, on one hand you are right and on the other hand you are wrong.

Why wrong? Because the command that Grzegorz used should put a STATIC entry
in the ARP table.

Some time ago I sent a Perl script to the "Penetration Test" list that does
this thing: ADD STATIC entries to the ARP table to prevent ARP cache poisoning.

But, if you put a STATIC entry and you can already do an attack using ARP
Poisoning, it's a BIG HOLE in MS' systems, I guess.

Nothing more,
- --
# Nelson Brito
# Use: [signature.pl file] or [signature.pl < file] or [cat file | signature.pl]
# Reverses every input line (explicit assignment to @_ so it runs on current Perl)
while(<>){@_=split(//,$_);print reverse @_;}

- ----- Original Message -----
From: "Tomas Nybrand IT" <tomas.nybrand () umea se>
To: <vuln-dev () securityfocus com>
Sent: Friday, November 23, 2001 5:38 AM
Subject: Re: ARP hole in Windows NT/2000


: Hi
:
: Well, ARP poisoning can't be considered as something new, and I would
: prefer to call it a vulnerability in the ARP protocol rather than a
: Windows vulnerability.
:
: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
:  Tomas Nybrand - UNIX Administrator
: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
:     --   Bene qui latuit, bene vixit.   --
:
: Grzegorz.Flak () comarch pl writes:
: >Hi,
: >
: >I am not sure if it is something new, but I think I found a serious
: >vulnerability in the ARP implementation in Windows NT/2000 (I checked it on
: >NT4 SP6 and Win2000 SP1). The problem is when somebody wants to use the "man
: >in the middle" technique to eavesdrop on your traffic. This example was done
: >with ettercap.
: >To fully protect, I use 'arp -s' to specify the correct MAC for the default
: >gateway. So I had:
: >  10.10.1.4             00-b0-64-49-1e-01     static
: >
: >then I use ettercap to capture my traffic to the gateway. Of course I
: >could see my POP3 pass ;) Then I checked the arp table once again:
: >
: >  10.10.1.4             00-01-02-23-85-e1     static
: >
: >The MAC is different (this is the MAC of my linux box). I checked the same
: >on Solaris 2.7 and Linux 2.4.8 and they look invulnerable.
: >Is this an already known vulnerability (I found indication of a similar
: >weakness, but that was on Windows 9x).
: >
: >Any suggestions how to get rid of that.
: >
: >Regards
:
:
:
:

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>

iQCVAwUBO//Kje6vgAGv8cv9AQEmQwP/WDIGvOPbPbzzzCRelrPjBwCzHK45CTpr
7ktAgoX9+vrvYVy4Ik97zf5xTYQmy//lpf29JdVjhOs3BOLRU8XKgzNpXH2ZHhvt
SWsuzaq1prYhSxi9poQhDuhaYW9CwstdnfeC+3vCLU0GEGJ2S1NVj7dlJsHUM36k
nzOlPDx1Wwk=
=aODr
-----END PGP SIGNATURE-----
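The thread's practical point is that on the affected NT/2000 systems a static ARP entry for the gateway can still be overwritten, so pinning the MAC with `arp -s` is not enough on its own and the table has to be watched. The following script is an added example, not code from anyone in this thread: it parses the body of Windows `arp -a` output and compares the pinned gateway entries against an expected list, flagging any entry whose MAC or type has changed. The two snapshots are constructed to mirror the lines Grzegorz quoted; the interface line, the second host entry and the `EXPECTED_GATEWAYS` map are assumptions made for the example.

```python
import re

# One data line of Windows `arp -a` output: IP, MAC (dash or colon form), type.
ARP_LINE = re.compile(
    r"^\s*(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<mac>(?:[0-9a-fA-F]{2}[-:]){5}[0-9a-fA-F]{2})\s+"
    r"(?P<type>static|dynamic)\s*$",
    re.IGNORECASE,
)


def normalize_mac(mac):
    """Canonical lower-case, dash-separated form so Windows and Unix spellings compare equal."""
    return mac.lower().replace(":", "-")


def parse_arp_table(text):
    """Parse `arp -a` output into {ip: (mac, type)}; header and interface lines are skipped."""
    entries = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m:
            entries[m.group("ip")] = (normalize_mac(m.group("mac")), m.group("type").lower())
    return entries


def check_static_entries(table, expected):
    """Compare pinned entries against the live table.

    Returns a list of (ip, expected_mac, observed_mac, observed_type) for each
    pinned IP whose MAC differs or whose entry is no longer static. A pinned IP
    that has vanished from the table is reported with observed_mac=None.
    """
    alerts = []
    for ip, want in expected.items():
        want = normalize_mac(want)
        got = table.get(ip)
        if got is None:
            alerts.append((ip, want, None, None))
        elif got[0] != want or got[1] != "static":
            alerts.append((ip, want, got[0], got[1]))
    return alerts


# Constructed snapshots modelled on the thread: the gateway entry before and
# after the cache was overwritten. The interface line and 10.10.1.7 are made up.
BEFORE = """\
Interface: 10.10.1.23 on Interface 0x1000003
  Internet Address      Physical Address      Type
  10.10.1.4             00-b0-64-49-1e-01     static
  10.10.1.7             00-50-04-1a-2b-3c     dynamic
"""

AFTER = """\
Interface: 10.10.1.23 on Interface 0x1000003
  Internet Address      Physical Address      Type
  10.10.1.4             00-01-02-23-85-e1     static
  10.10.1.7             00-50-04-1a-2b-3c     dynamic
"""

# Assumed list of pinned gateways (colon form on purpose, to exercise normalisation).
EXPECTED_GATEWAYS = {"10.10.1.4": "00:B0:64:49:1E:01"}


def main():
    for label, snapshot in (("before", BEFORE), ("after", AFTER)):
        alerts = check_static_entries(parse_arp_table(snapshot), EXPECTED_GATEWAYS)
        if not alerts:
            print(f"[{label}] all pinned ARP entries intact")
        for ip, want, got, kind in alerts:
            print(f"[{label}] ALERT {ip}: expected {want}, table has {got} ({kind})")


if __name__ == "__main__":
    main()
```

On a live host the snapshot would come from running `arp -a` on a schedule and feeding its output to `parse_arp_table`; an alert means the pinned entry was changed underneath you, which is exactly the symptom the thread describes and the cue to investigate the segment rather than trust the static entry.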


