Re: Sniffable Switch Project

From: Frédéric Raynal (frederic.raynalat_private)
Date: Tue Jul 16 2002 - 12:50:35 PDT


    Hello,
    
    On Tue, Jul 16, 2002 at 06:37:16AM -0400, alaricat_private wrote:
    > 
    > If you decided to participate, please include all information about the
    > switch(es) you tested (e.g. manufacture, model, managed or unmanaged, how many
    > ports, firmware/OS version, etc.). Please also include what you tested for
    > - ARP spoofing, MAC flooding, MAC duplicating, or the like -  and what the
    > results were.
    
    
    For an article recently published in a French magazine on security, I
    also work on something very similar. Our goal (our = the 3 authors)
    was to detail everything you can do with the ARP protocol. Of course,
    sniffing is one thing, but there are many more.
    
    Another not so well known issue about ARP is the handling of messages
    according to the OS. Some of them (some Windows, IOS 12, OpenBSD 3.0)
    create new entries in their cache when they receive a reply (even
    unsolicited), while others do not (Linux for instance). Note that the
    creation is the correct behavior according to the RFC.
    
    So, there are in fact many things to mention with ARP:
      - switches that fail open like hubs when they are flooded
      - OS that are RFC compliant
      - and so on for various attacks...
    
    A short summary of the article is available on
    http://www.arp-sk.org. We show that ARP is not only efficient for
    sniffing, and that you can really have fun with that protocol.
    
    arp-sk is a Swiss army knife for the handling of ARP messages based on
    the latest libnet-1.1.0beta. Among cool features, you can notice:
    
      - complete control of all addresses either on Ethernet layer or ARP
        itself 
      - target assignment is made at Ethernet layer, but either with
        target's MAC or IP
      - complete control of the randomization of the 6 addresses (2 with
        Ethernet, 4 with ARP), i.e. you can set some addresses and
        randomize those you want
      - control the period of time for sending packets (from very slow to
        fury mode), and randomize the interval
    
    Even if it is still under development, it is already functional.
    
    
    Lastly, note that ARP messages can be used to detect promiscuous
    cards on a network. To check a target, the trick is to send an ARP
    query with all valid information in the ARP message, but with a fake
    Ethernet destination address.
    
      Ethernet dst  FF:FF:FF:FF:FF:FE
      Ethernet src  <my Ethernet address>
      ARP mode      Who-has ?
      ARP dst eth   00:00:00:00:00:00
      ARP dst IP    <IP of the target>
      ARP src eth   <my Ethernet address>
      ARP src IP    <my IP>
    
    If the target answers, it is very likely that it is in promiscuous
    mode. 
    
    I've also tested that solution with ICMP echo-request (target was a
    Linux-2.4), but that did not succeed. I had no time to investigate any
    further, but it used to work with kernel 2.2. I had no time to check if
    this behavior came from the change of the kernel or from something
    else.
    
    
    Regards
    
    --
    Frederic RAYNAL, Ph.D.
    http://minimum.inria.fr/~raynal
    Chief Editor of M.I.S.C.
    Multi-Systems & Internet Security Cookbook
    
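Added example, not from the post or from arp-sk: a small Python model of why the promiscuous-mode probe above works. It builds the frame exactly as laid out in the message (valid ARP who-has, Ethernet destination FF:FF:FF:FF:FF:FE), then simulates a NIC receive filter and a host's ARP code to show that a normal card drops the frame while a promiscuous one answers; it also shows that a genuine broadcast is answered either way. All MAC and IP addresses are constructed, and nothing is sent on the wire.

```python
import struct

ETH_P_ARP = b"\x08\x06"
BROADCAST = bytes.fromhex("ffffffffffff")
FAKE_DST = bytes.fromhex("fffffffffffe")  # looks like broadcast to a human, not to a NIC

def mac(s): return bytes.fromhex(s.replace(":", ""))
def ip(s): return bytes(int(o) for o in s.split("."))

def arp_header(op: int) -> bytes:
    # htype=Ethernet(1), ptype=IPv4, hlen=6, plen=4, op: 1=request, 2=reply
    return struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)

def build_probe(my_mac: bytes, my_ip: bytes, target_ip: bytes, eth_dst: bytes = FAKE_DST) -> bytes:
    """Who-has probe as laid out in the post: valid ARP payload, bogus Ethernet destination."""
    eth = eth_dst + my_mac + ETH_P_ARP
    arp = arp_header(1) + my_mac + my_ip + bytes(6) + target_ip  # ARP dst eth = 00:..:00
    return eth + arp

def nic_accepts(frame: bytes, own_mac: bytes, promiscuous: bool) -> bool:
    """Model of the NIC receive filter: own unicast or broadcast only, unless promiscuous."""
    dst = frame[:6]
    return promiscuous or dst == own_mac or dst == BROADCAST

def arp_reply(frame: bytes, own_mac: bytes, own_ip: bytes):
    """Model of the host ARP code: answer a well-formed who-has for our own IP, else nothing."""
    if len(frame) < 42 or frame[12:14] != ETH_P_ARP:
        return None
    if struct.unpack("!HHBBH", frame[14:22]) != (1, 0x0800, 6, 4, 1):
        return None
    sender_mac, sender_ip, target_ip = frame[22:28], frame[28:32], frame[38:42]
    if target_ip != own_ip:
        return None
    eth = sender_mac + own_mac + ETH_P_ARP  # is-at reply, unicast back to the requester
    return eth + arp_header(2) + own_mac + own_ip + sender_mac + sender_ip

def probe_host(frame: bytes, own_mac: bytes, own_ip: bytes, promiscuous: bool):
    """What a host with this NIC state sends back for `frame` (None = silence)."""
    if not nic_accepts(frame, own_mac, promiscuous):
        return None
    return arp_reply(frame, own_mac, own_ip)

if __name__ == "__main__":
    # constructed addresses: prober and target
    me_mac, me_ip = mac("00:11:22:33:44:55"), ip("192.168.1.10")
    tgt_mac, tgt_ip = mac("66:77:88:99:aa:bb"), ip("192.168.1.20")
    probe = build_probe(me_mac, me_ip, tgt_ip)
    for promisc in (False, True):
        print("promiscuous" if promisc else "normal     ", "->", probe_host(probe, tgt_mac, tgt_ip, promisc))
```

A reply is only a strong hint, as the post says: the model ignores filtering done in software (the kernel may discard frames whose Ethernet destination is not its own even when the card is promiscuous), which is one reason results differ between operating systems and kernel versions.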



    This archive was generated by hypermail 2b30 : Tue Jul 16 2002 - 16:53:13 PDT