Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Pen-Test
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Layer 2 arp snooping without Layer 3?

from [Nikolaj] Network Security [Permanent Link]
Subject: Re: Layer 2 arp snooping without Layer 3?
Date: Thu, 25 Oct 2007 20:15:19 +0300
Tim wrote: 
Hello,

Well you could poison one's cache but without you having an ip address it will be pointless. Arp is used to map l2 to l3. So if you send rogue 

Actually... isn't it supposed to map L3 to L2?  This is probably an
important distinction here.
Absolutely right. I've been talking about inverse arp. shame on me!

packets saying that mac 11:22:33:44:55:66 is on your ip address without you having one the hosts will start sending packets to the rogue ip address ( that should be yours) and because you don't have it setup the traffic will go to /dev/null ( the switches will forward it to you nic but you won't have an ip address and the kernel will most likely discard it). I think this is what will happen. And ARP is designed to find an address based on another one. 

If we falsely advertize that a given IP address maps to our NIC address,
then the switch should send those packets to that NIC regardless of
whether or not we have an IP, right?  Sure, the kernel will discard
those packets but that shouldn't matter if we're listening on the raw
device in promiscuous mode.  So, in theory it should be possible, though
please correct me if my understanding is flawed.

Now the applicable questions are: Does Linux lets you go into
promiscuous mode while you're bridging?  Does Linux let you send false
ARP packets on an interface that's bridging?

The former question I would guess is a yes.  If not, you could at a
minimum use iptables in bridging mode to redirect some packets to some
place where you can more easily sniff them.

The latter question I'm not sure on, but even if there were a kernel
limitation on that, you could poison the switch from another interface
or system.
Perhaps a little patch or some util could easily generate packets no matter whether you are bridging or no. Though, the best way will be to test this scenario.


HTH,
tim




------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------

[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Web Application Hacker's Handbook, Shenk, Jerry A
Next by Date:  Re: Layer 2 arp snooping without Layer 3?, Tim
Previous by Thread:  Re: Layer 2 arp snooping without Layer 3?, Tim
Next by Thread:  Re: Layer 2 arp snooping without Layer 3?, offset
Indexes:  [Date] [Thread] [Top] [All Lists]