Re: MiM Simultaneous close attack

From: jaywhy (jaywhy2at_private)
Date: Sat Aug 18 2001 - 10:20:36 PDT

Next message: dove: "Re: IE Save as feature & Security zones - curious question"

Previous message: Paul: "Re: MiM Simultaneous close attack"
In reply to: Paul: "Re: MiM Simultaneous close attack"
Next in thread: Paul: "Re: MiM Simultaneous close attack"
Reply: Paul: "Re: MiM Simultaneous close attack"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

I already send a message to vuln-dev about this. But I will explain your
scenario  more in depth.

                 internet
                    |
                 +--+-----+
                 | gateway|
                 +--+-----+
                    |MAC1(gg:gg)ip,gg.gg
                    |
                    |port3
          port1 +---+---+  port2
       +--------+switch +---------------------+
       |        +-------+                     |
   +---+-----+                            +---+---+
   |  Hub1   +--host c ip cc,cc           |  HUB2 |
   +-+-----+-+  mac cc:cc                 +---+---+
     |                                        |
   Host A(MAC2 aa:aa)              Host B(mac bb:bb)ip,bb.bb
  ip:aa.aa         

Lets say there is a host on hub2 that has the ip 10.0.0.3(Host B) and he
want to connect to a host with ip 10.0.0.2(Host A).

Host A wants connect to Host B telnet server or something like that.

Host A will send a broadcast out like this

Arp Broadcast who-has 10.0.0.3 tell (Host A mac address)

The message will be sent to the broadcast ff:ff:ff:ff:ff:ff ethernet
address.  The router recieves the broadcast and forwards it to all ports.
Everything connected to that router will receive the broadcast.  The router
how ever will not forward the broadcast out of that network it will simple
be dropped.  Although some misconfigured routers to forward broadcasts but
that is really doubtful.

Now host b will respond to the arp request with his mac address.

Arp reply (host A mac address) is-at (Host B mac address)

Since all ports connected to that router receive the broadcast nothing holds
Malicious computer Host M from responding as well.

Arp reply (host A mac address) is at (Host M Spoofing as Host B ip address)

Arpspoof does this for you.  It replies to the arp request even though it
not it's ip address requested, and it send back it's mac address as though
it were really host b.  Host A is in the dark, it has no clue Host B is
really Host M.  

Using arpspoof to spoof the address and you also use dsniff as a packet
sniffer.  Host M will act as a router between Host A and Host B using a
program called fragrouter it will forward the data between Host A and Host b
so the connection will not be dropped, and it will go undetected.


Host A --------> Host M(with fragrouter) -------> Host B
Host B --------> Host M(with fragrouter) -------> Host A

-- 
Jason Yates
jaywhy2at_private

Next message: dove: "Re: IE Save as feature & Security zones - curious question"
Previous message: Paul: "Re: MiM Simultaneous close attack"
In reply to: Paul: "Re: MiM Simultaneous close attack"
Next in thread: Paul: "Re: MiM Simultaneous close attack"
Reply: Paul: "Re: MiM Simultaneous close attack"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Sat Aug 18 2001 - 10:59:47 PDT