Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Pen-Test
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Layer 2 arp snooping without Layer 3?

from [offset] Network Security [Permanent Link]
Subject: Re: Layer 2 arp snooping without Layer 3?
Date: Thu, 25 Oct 2007 15:27:04 -0500 
On Thu, Oct 25, 2007 at 12:36:49PM -0400, Tim wrote:

Hello,


Well you could poison one's cache but without you having an ip address it 
will be pointless. Arp is used to map l2 to l3. So if you send rogue 


Actually... isn't it supposed to map L3 to L2?  This is probably an
important distinction here.


packets saying that mac 11:22:33:44:55:66 is on your ip address without you 
having one the hosts will start sending packets to the rogue ip address ( 
that should be yours) and because you don't have it setup the traffic will 
go to /dev/null ( the switches will forward it to you nic but you won't 
have an ip address and the kernel will most likely discard it). I think 
this is what will happen. And ARP is designed to find an address based on 
another one.


If we falsely advertize that a given IP address maps to our NIC address,
then the switch should send those packets to that NIC regardless of
whether or not we have an IP, right?  Sure, the kernel will discard
those packets but that shouldn't matter if we're listening on the raw
device in promiscuous mode.  So, in theory it should be possible, though
please correct me if my understanding is flawed.


I can arp poison another system without having an IP address bound to a NIC,
so I know this is possible, I can only successfully do mitm with L3 (thus far) 
using IP forwarding.

Brainstorming ideas for mitm using only L2 without ever having an IP address
bound to a NIC to further avoid detection.



Now the applicable questions are: Does Linux lets you go into
promiscuous mode while you're bridging?  Does Linux let you send false
ARP packets on an interface that's bridging?

The former question I would guess is a yes.  If not, you could at a
minimum use iptables in bridging mode to redirect some packets to some
place where you can more easily sniff them.

The latter question I'm not sure on, but even if there were a kernel
limitation on that, you could poison the switch from another interface
or system.


My goal with L2 is to have victim frames coming to my machine, view the
packets (ie. tcpdump, etc), but have the frames sent back out to the real
gateway to avoid a DoS situation against the victim.  L3 does this for you
via IP forwarding, L2 is another matter.

-- 
offset

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Layer 2 arp snooping without Layer 3?, Cedric Blancher
Next by Date:  Re: Layer 2 arp snooping without Layer 3?, Tim
Previous by Thread:  Re: Layer 2 arp snooping without Layer 3?, Nikolaj
Next by Thread:  Re: Layer 2 arp snooping without Layer 3?, Tim
Indexes:  [Date] [Thread] [Top] [All Lists]