RE: DHCP, ARP, oh my Anyone know of an exploit that dupes ARP on windows 95?

From: Joseph Spears (Joseph.Spearsat_private)
Date: Thu Aug 09 2001 - 15:39:46 PDT


    never seen it on a windows box before, but it would be trivial to do so on
    many unix hosts that allow MACs to be altered with ifconfig....
    
    For instance, in redhat, it would be a simple case of writing a perl or
    shell script that did (assuming DHCP is already configured for the machine
    in the first place)
    #!/usr/bin/perl
    use strict;
    use warnings;

    my $mac = "00:00:00:00:00:00";
    my $remainingAddys = 1;

    while ($remainingAddys) {
      system("ifdown eth0");                    # link has to be down before the MAC can change
      system("ifconfig eth0 hw ether $mac");    # ifconfig wants the hardware class: 'hw ether <mac>'
      system("ifup eth0");                      # ifup re-runs the DHCP client with the new MAC
      $remainingAddys = createNewMac($mac);     # updates $mac in place, returns false when none are left
    }
    
    You would have to write the routine that makes $mac get updated and return
    whether there are any more mac addresses....
    
    I don't know how you could prevent this though!!! I am sure that using
    etherpeek, you could find the machine rather quickly. (at least after it
    stomped you a couple of times). If the person is malicious, you would prove
    it is them. If the box is compromised, you would reinstall and smack the
    admin.
    
    
    
    -----Original Message-----
    From: Reeves, Michael (GEAE, Compaq) [mailto:michael.reevesat_private]
    Sent: Thursday, August 09, 2001 6:29 AM
    To: 'incidentsat_private'
    Subject: DHCP, ARP, oh my Anyone know of an exploit that dupes ARP on windows 95?
    
    
    Yesterday we had a machine that caused a nasty ARP storm and started
    snagging DHCP addresses as fast as it could (stealing addresses). It was
    ARPing as if it were every machine on the network. It was a windows 95 box
    and was immediately pulled off of the network. Once the machine was rebooted
    it stopped. Doing a quick onceover on the machine and looking through the
    registry I didn't see anything that seemed suspect. I have seen bad NICs
    cause broadcast storms but this is a first for me. If anyone knows of any
    exploits or has seen anything like this as a hardware failure could ya let me
    know.
    
    Thanks,
    
    Mike Reeves
    Security Administrator
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    
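The symptoms in the two messages above (one host answering ARP for every address on the segment, the same or a rotating MAC grabbing DHCP leases as fast as the server hands them out) are easy to pick out of a capture once you know what to count. The script below is an added example, not code from either poster; the ARP and DHCP records it runs on are constructed to mimic the incident, and the thresholds (more than 3 IPs per MAC, more than 10 distinct DHCP clients in 5 seconds) are assumptions to tune for your own segment, not published guidance.

```python
"""Spot ARP-storm and DHCP-starvation behaviour in captured ARP / DHCP records.

Added example (not from the original thread). Records are (time_seconds, kind,
mac, ip): kind "arp" is an ARP reply whose sender hardware address is `mac` and
sender protocol address is `ip`; kind "dhcp" is a DHCP DISCOVER whose chaddr is
`mac` (ip is None). All sample data below is constructed, not a real capture.
"""
from collections import defaultdict

# Constructed baseline: a handful of hosts behaving normally.
LEGIT = [
    (0.0, "arp", "00:50:56:01:00:01", "10.1.1.1"),
    (0.5, "arp", "00:50:56:01:00:02", "10.1.1.2"),
    (1.0, "arp", "00:50:56:01:00:03", "10.1.1.3"),
    (1.5, "dhcp", "00:50:56:01:00:04", None),
    (9.0, "dhcp", "00:50:56:01:00:05", None),
]
# Constructed misbehaviour: one box (the Win95 symptom) answering ARP for twenty
# addresses in a row, then thirty DISCOVERs from a rotating MAC (the ifconfig
# trick from the reply) inside a second and a half.
STORM_MAC = "00:e0:29:aa:bb:cc"
STORM = [(2.0 + i * 0.01, "arp", STORM_MAC, f"10.1.1.{i}") for i in range(1, 21)]
STARVE = [(3.0 + i * 0.05, "dhcp", f"00:00:00:00:00:{i:02x}", None) for i in range(1, 31)]
SAMPLE = sorted(LEGIT + STORM + STARVE, key=lambda r: r[0])


def arp_claims(records):
    """Map each sender MAC to the set of IPs it has answered ARP for."""
    claims = defaultdict(set)
    for _, kind, mac, ip in records:
        if kind == "arp":
            claims[mac].add(ip)
    return claims


def macs_claiming_many_ips(records, max_ips=3):
    """MACs that answer ARP for more than `max_ips` addresses (threshold assumed)."""
    return {mac: sorted(ips) for mac, ips in arp_claims(records).items() if len(ips) > max_ips}


def arp_conflicts(records):
    """IPs claimed by more than one MAC: the hosts that got 'stomped'."""
    owners = defaultdict(set)
    for _, kind, mac, ip in records:
        if kind == "arp":
            owners[ip].add(mac)
    return {ip: sorted(macs) for ip, macs in owners.items() if len(macs) > 1}


def dhcp_discover_burst(records, window=5.0):
    """Largest number of distinct client MACs sending DISCOVER inside any
    `window`-second span. Returns (count, start_time_of_that_window)."""
    discovers = sorted((t, mac) for t, kind, mac, _ in records if kind == "dhcp")
    in_window = defaultdict(int)        # mac -> DISCOVERs currently inside the window
    best, best_start, lo = 0, None, 0
    for t_hi, mac_hi in discovers:      # slide the right edge one record at a time
        in_window[mac_hi] += 1
        while discovers[lo][0] < t_hi - window:   # drop records that fell out on the left
            old_mac = discovers[lo][1]
            in_window[old_mac] -= 1
            if in_window[old_mac] == 0:
                del in_window[old_mac]
            lo += 1
        if len(in_window) > best:
            best, best_start = len(in_window), discovers[lo][0]
    return best, best_start


def report(records, max_ips=3, window=5.0, max_discovers=10):
    """Human-readable findings; empty list means nothing crossed a threshold."""
    findings = []
    for mac, ips in macs_claiming_many_ips(records, max_ips).items():
        findings.append(f"ARP storm: {mac} claims {len(ips)} IPs ({ips[0]} .. {ips[-1]})")
    for ip, macs in sorted(arp_conflicts(records).items()):
        findings.append(f"ARP conflict: {ip} claimed by {', '.join(macs)}")
    count, start = dhcp_discover_burst(records, window)
    if count > max_discovers:
        findings.append(f"DHCP starvation: {count} distinct client MACs sent DISCOVER "
                        f"within {window}s starting t={start}")
    return findings


if __name__ == "__main__":
    for line in report(SAMPLE):
        print(line)
```

The ARP checks catch the Win95 box as described (one MAC, every IP) and also show which legitimate hosts were overwritten; the DISCOVER window catches the reply's MAC-rotation variant even though every request carries a different source address, because it counts distinct clients per unit time rather than trusting the MAC. On a switched network the next step is to map the offending MACs to a port via the switch's CAM table; on the hub-style segment the original poster describes, a sniffer like the etherpeek the reply mentions is what narrows it down.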



    This archive was generated by hypermail 2b30 : Fri Aug 10 2001 - 07:36:22 PDT