Windows 2000 Static arp not static

["Tim Habex" <tim.habex () eenderwat be>]

Dear all,

I am quite new to this. I posted this on bugtraq first, but David Ahmad
asked to post it in FOCUS-MS and vuln-dev. So here I go :o)

This is the setup :
1 Windows 2000 Professional (SP3)
1 Linux Slackware (gateway)
1 Debian Linux
1 switch

(The linux distro's doesn't really matter)

When using ethercap on the network from de Debian machine, I was able to see
and control all trafic. (nothing new right?)
Ethercap is doing this by making the network believe everything should be
sent to the MAC-address of the ethercap machine which in my case was the
Debian machine.

To prevent this behaviour, I setup static routes both on the gateway and the
Windows machine. Yet I didn't get the result I was expecting.
I was still able to see packets on the Debian machine, yet I was no longer
able to control the packets.

When I looked at the arp cache of Linux, the static entry was there and
working (?), but on the Windows machine, THE VALUE OF THE STATIC ARP WAS
CHANGED. When ethercap was disabled, the static arp entry was returned to
the original value.

Meaning Windows 2000 desktops (and servers?) can always be sniffed even when
using a switch. On top of that, your network is probably vulnerable to the
man-in-the-middle attacks if you're relying on MS-technology only.
I don't know if they are still vulnerable to a man-in-the-middle attack if
you're using eg. a Linux router with static routes. My "hacking" knowlege is
quite limited. But I can imagine there are people who know how to gain from
this "feature".

If this is a known problem, why hasn't this been fixed. If unknown ... is
Microsoft reading this? ;o)
Can some experienced securityadvisors perform more tests on this? eg. Other
(Windows) OSes, other types of attacks.

Hoping this can be usefull

Tim