
Thread: The Basics of Arpspoofing/Arppoisoning

  1. #11
    Junior Member
    Join Date
    Aug 2002
    Posts
    25
    I have a quick question on this matter: I have a local network consisting of a proxy server to the internet, a w2k box and a linux box. The three boxes are connected using a layer 2 (HW address) switch.

    I spoofed the MAC address of the linux box using ifconfig to the MAC address of the w2k box. So in the ARP tables of the proxy, both the linux and the w2k box have the same MAC address. However, when I run tcpdump on the linux box, and I start surfing the net using the w2k box, I do not see the packets of the w2k box on the linux box, even though they both have the same MAC address.

    How is this possible? Does the switch only forward packets to 1 port and refuse 2?

    It got me puzzled. I expected to see the w2k packets on the linux machine after the spoof.
    There are 10 kinds of people, those who can read binary, and those who can't.

  2. #12
    King Tutorial-ankhamun
    Join Date
    Jul 2004
    Posts
    897
    Honestly, I’m not quite sure of the intricacies of the software/circuitry built into a switch. Has the Linux box sent any traffic to the network so the switch can notice its MAC address? Any other ideas guys?

  3. #13
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    What does the ARP table on the switch say about the MAC addresses? After all, the way you described it, it will be the final arbiter.
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  4. #14
    Senior Member
    Join Date
    Nov 2001
    Posts
    1,255

    Re: The Basics of Arpspoofing/Arppoisoning

    Irongeek,
    It's a very nice basic tutorial. However I would like to have seen a "securing your network" section that could mention how to employ certain technologies to secure your network against ARP-based attacks. Also, some mention of non-MITM attacks using ARP might be handy (such as a network-wide DoS), as well as how to prevent them. Maybe a second tutorial that might mention these things, if you have any interest?
    Chris Shepherd
    The Nelson-Shepherd cutoff: The point at which you realise someone is an idiot while trying to help them.
    "Well as far as the spelling, I speak fluently both your native languages. Do you even can try spell mine ?" -- Failed Insult
    Is your whole family retarded, or did they just catch it from you?

  5. #15
    AO übergeek phishphreek
    Join Date
    Jan 2002
    Posts
    4,325
    Originally posted here by Tiger Shark
    What does the ARP table on the switch say about the MAC addresses? After all, the way you described it, it will be the final arbiter.
    That's what I thought... but then I got to thinking... can you even look at the MAC table of a layer 2 switch? All of the layer two switches I have are not managed and I can't see the table. The ones that are managed are layer 2 and layer 3....

    Maybe you just have to wait for the switch to update its table?
    Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you've saved, how much you haven't smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.

  6. #16
    King Tutorial-ankhamun
    Join Date
    Jul 2004
    Posts
    897

    Re: Re: The Basics of Arpspoofing/Arppoisoning

    Originally posted here by chsh
    Irongeek,
    It's a very nice basic tutorial. However I would like to have seen a "securing your network" section that could mention how to employ certain technologies to secure your network against ARP-based attacks. Also, some mention of non-MITM attacks using ARP might be handy (such as a network-wide DoS), as well as how to prevent them. Maybe a second tutorial that might mention these things, if you have any interest?
    I would be interested in writing such a tutorial, but doubt I have the resources to do it justice. I know of a few ways ARP spoofing can be used for DoS (like spoofing the gateway and turning off packet forwarding, or assuming the MAC address of an antenna in an Axon system) and I have ideas for possible solutions, but I don't have the privileges on my network to really test them to make sure the fixes work.

  7. #17
    Junior Member
    Join Date
    Aug 2002
    Posts
    25
    Well, the linux box was sending packets too. After the MAC spoof, both machines behaved as before. I'm sure the linux MAC was spoofed, because when I looked at the ARP table on the router, it listed the 2 IP addresses (one of the linux box, the other one of the w2k box) both with the same MAC address. I just don't understand how, if a switch's "routing table" is based on the MAC address, it is still able to work properly when it has 2 MAC addresses that are the same. The only explanation could be that the switch somehow got hold of the real MAC address. So my spoofing was not effective.

    Anyway, many thanks for the replies, and thanks for the great tutorial!
    There are 10 kinds of people, those who can read binary, and those who can't.

  8. #18
    Trumpet-Eared Gentoo Freak
    Join Date
    Jan 2003
    Posts
    992
    Travish,

    The switch doesn't have two IP addresses in its ARP table; it just updated the MAC address belonging to the victim's IP address with the attacker's MAC address, so you will cut off the victim in this example.
    Now if you'd try a man-in-the-middle attack (in this example sit between the switch and the victim), with let's say ettercap, you'd poison in two directions, thus in the ARP table of the switch you'd see the victim's IP address with the attacker's MAC address, and the other way around in the victim's ARP table. In this example the victim would still be able to communicate and surf, while you read what he's doing with e.g. tcpdump or another sniffer.

    Anyway try ettercap for the MITM attack, and this to see the difference:

    Code:
    #!/bin/bash
    # Send one forged ARP reply per second, 1000 times.
    counter=0

    while [ "$counter" -lt 1000 ]; do
        sleep 1
        nemesis arp -S <victim-ip> -D <switch-ip> -m <attacker-mac> -r
        # advance the counter so the loop actually terminates
        counter=$((counter + 1))
    done
    This is a very simple script to temporarily poison a switch, but which would create a victim cut-off. The -r is crucial because it tells it's an ARP reply.
    If you tcpdump then on your attacker box, you'd see all present connections originally to the victim's box continuing on the attacker box.
    Come and check out our wargame-site @ http://www.rootcontest.org
    We chat @ irc.smdc-network.org #lobby
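    As an added example (not part of the thread or anyone's posted code), a small Python monitor in the defender's role: it reads tcpdump-style ARP reply lines and flags the two things described above, an IP whose MAC binding gets overwritten (the cut-off case) and one MAC answering for several IPs (what the router's ARP table showed). The log lines and addresses are constructed, not captured.

```python
import re
from collections import defaultdict

# Constructed tcpdump-style lines (as printed by "tcpdump -n arp"), not a real
# capture. Addresses stand in for the thread's proxy, w2k and linux boxes.
SAMPLE_LINES = """\
12:00:00.1 ARP, Request who-has 192.0.2.1 tell 192.0.2.10, length 28
12:00:00.2 ARP, Reply 192.0.2.1 is-at 00:00:5e:00:53:01, length 28
12:00:01.0 ARP, Reply 192.0.2.10 is-at 00:00:5e:00:53:10, length 28
12:00:02.0 ARP, Reply 192.0.2.20 is-at 00:00:5e:00:53:20, length 28
12:00:03.0 ARP, Reply 192.0.2.20 is-at 00:00:5e:00:53:10, length 28
12:00:04.0 ARP, Reply 192.0.2.1 is-at 00:00:5e:00:53:20, length 28
"""

REPLY_RE = re.compile(r"ARP, Reply (\S+) is-at ([0-9a-fA-F:]{17})")


class ArpMonitor:
    """Track the IP<->MAC bindings announced in ARP replies and flag anomalies."""

    def __init__(self):
        self.ip_to_mac = {}
        self.mac_to_ips = defaultdict(set)

    def observe(self, ip, mac):
        """Record one reply; return the alerts it triggers (empty list if none)."""
        mac = mac.lower()
        alerts = []
        old = self.ip_to_mac.get(ip)
        if old is not None and old != mac:
            # An existing binding was overwritten: the poison / cut-off case.
            alerts.append(("mac-changed", ip, old, mac))
            self.mac_to_ips[old].discard(ip)
        self.ip_to_mac[ip] = mac
        self.mac_to_ips[mac].add(ip)
        if len(self.mac_to_ips[mac]) > 1:
            # One MAC now answers for several IPs, as in the router's ARP table.
            alerts.append(("shared-mac", mac, tuple(sorted(self.mac_to_ips[mac]))))
        return alerts


def scan(text):
    """Feed every ARP reply in tcpdump-style text to a monitor; return all alerts."""
    mon = ArpMonitor()
    alerts = []
    for line in text.splitlines():
        m = REPLY_RE.search(line)
        if m:
            alerts.extend(mon.observe(m.group(1), m.group(2)))
    return alerts
```

    On the sample, the third reply for 192.0.2.20 and the second for the gateway both raise a mac-changed alert, and the w2k MAC is reported as shared by two IPs.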

  9. #19
    Junior Member
    Join Date
    Aug 2002
    Posts
    25
    Hey Schrekkie,

    Thx for the reply. I think indeed my problem is I don't understand what's happening in the switch. Anyway, for the moment, the victim is not cut off, even after spoofing. I'll reboot the switch after spoofing; who knows, that may have something to do with it.
    After that I'll try the MITM attack, as explained by you and the tutorial. See how that works.
    There are 10 kinds of people, those who can read binary, and those who can't.

  10. #20
    Errrrr guys, would we get flamed for participating in this discussion of doing this illegal stuff?
