Re: MiM Simultaneous close attack

From: jaywhy (jaywhy2at_private)
Date: Sat Aug 18 2001 - 10:20:36 PDT

  • Next message: dove: "Re: IE Save as feature & Security zones - curious question"

    I already send a message to vuln-dev about this. But I will explain your
    scenario  more in depth.
    
                     internet
                        |
                     +--+-----+
                     | gateway|
                     +--+-----+
                        |MAC1(gg:gg)ip,gg.gg
                        |
                        |port3
              port1 +---+---+  port2
           +--------+switch +---------------------+
           |        +-------+                     |
       +---+-----+                            +---+---+
       |  Hub1   +--host c ip cc,cc           |  HUB2 |
       +-+-----+-+  mac cc:cc                 +---+---+
         |                                        |
       Host A(MAC2 aa:aa)              Host B(mac bb:bb)ip,bb.bb
      ip:aa.aa         
    
    Lets say there is a host on hub2 that has the ip 10.0.0.3(Host B) and he
    want to connect to a host with ip 10.0.0.2(Host A).
    
    Host A wants connect to Host B telnet server or something like that.
    
    Host A will send a broadcast out like this
    
    Arp Broadcast who-has 10.0.0.3 tell (Host A mac address)
    
    The message will be sent to the broadcast ff:ff:ff:ff:ff:ff ethernet
    address.  The router recieves the broadcast and forwards it to all ports.
    Everything connected to that router will receive the broadcast.  The router
    how ever will not forward the broadcast out of that network it will simple
    be dropped.  Although some misconfigured routers to forward broadcasts but
    that is really doubtful.
    
    Now host b will respond to the arp request with his mac address.
    
    Arp reply (host A mac address) is-at (Host B mac address)
    
    Since all ports connected to that router receive the broadcast nothing holds
    Malicious computer Host M from responding as well.
    
    Arp reply (host A mac address) is at (Host M Spoofing as Host B ip address)
    
    Arpspoof does this for you.  It replies to the arp request even though it
    not it's ip address requested, and it send back it's mac address as though
    it were really host b.  Host A is in the dark, it has no clue Host B is
    really Host M.  
    
    Using arpspoof to spoof the address and you also use dsniff as a packet
    sniffer.  Host M will act as a router between Host A and Host B using a
    program called fragrouter it will forward the data between Host A and Host b
    so the connection will not be dropped, and it will go undetected.
    
    
    Host A --------> Host M(with fragrouter) -------> Host B
    Host B --------> Host M(with fragrouter) -------> Host A
    
    -- 
    Jason Yates
    jaywhy2at_private
    



    This archive was generated by hypermail 2b30 : Sat Aug 18 2001 - 10:59:47 PDT