Re: ARP hole in Windows NT/2000

From: Tomas Nybrand IT (tomas.nybrandat_private)
Date: Thu Nov 22 2001 - 23:38:04 PST


    Hi
    
    Well, ARP poisoning can't be considered something new, and I would
    prefer to call it a vulnerability in the ARP protocol rather than a
    Windows vulnerability.
    
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     Tomas Nybrand - UNIX Administrator
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        --   Bene qui latuit, bene vixit.   --
    
    Grzegorz.Flakat_private writes:
    >Hi,
    >
    >I am not sure if it is something new, but I think I found a serious
    >vulnerability in the ARP implementation in Windows NT/2000 (I checked it on
    >NT4 SP6 and Win2000 SP1). The problem is when somebody wants to use the "man
    >in the middle" technique to eavesdrop on your traffic. This example was done
    >with ettercap.
    >To be fully protected I use 'arp -s' to specify the correct MAC for the default
    >gateway. So I had:
    >  10.10.1.4             00-b0-64-49-1e-01     static
    >
    >Then I use ettercap to capture my traffic to the gateway. Of course I
    >could see my POP3 pass ;) Then I checked the arp table once again:
    >
    >  10.10.1.4             00-01-02-23-85-e1     static
    >
    >The MAC is different (this is the MAC of my linux box). I checked the same
    >on Solaris 2.7 and Linux 2.4.8 and they do not look vulnerable.
    >Is this an already known vulnerability? (I found indication of a similar
    >weakness, but that was on Windows 9x.)
    >
    >Any suggestions how to get rid of that?
    >
    >Regards
    
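A small integrity check for the scenario quoted above, added here as an example; it is not code from the original message, from ettercap, or from Microsoft. It parses `arp -a` output (the Windows NT/2000 column layout shown in the quote, and also the Unix `? (ip) at mac` form) and compares the gateway's hardware address against the value that was pinned with `arp -s`. The sample tables, the interface line and the second host entry are constructed; the gateway address and both MACs are the ones quoted in the message. Since the overwritten entry in the quote still reports `static`, the check compares the MAC itself rather than trusting the Type column.

```python
import re
import subprocess

# Constructed sample `arp -a` output in the Windows NT/2000 column layout
# (Internet Address / Physical Address / Type). The gateway IP and both MACs
# are the ones quoted in the message; the interface line and the second
# host entry are made up for this example.
ARP_BEFORE_POISONING = """\
Interface: 10.10.1.17 on Interface 0x1000003
  Internet Address      Physical Address      Type
  10.10.1.4             00-b0-64-49-1e-01     static
  10.10.1.23            00-50-04-7a-91-0c     dynamic
"""

ARP_AFTER_POISONING = """\
Interface: 10.10.1.17 on Interface 0x1000003
  Internet Address      Physical Address      Type
  10.10.1.4             00-01-02-23-85-e1     static
  10.10.1.23            00-50-04-7a-91-0c     dynamic
"""

# The IP-to-MAC bindings the host pinned with `arp -s` (assumed values taken
# from the message). A real tool would load these from a file kept out of
# reach of the network rather than from the cache itself.
PINNED = {"10.10.1.4": "00-b0-64-49-1e-01"}

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
MAC_RE = re.compile(r"\b([0-9A-Fa-f]{2}(?:[-:][0-9A-Fa-f]{2}){5})\b")


def normalize_mac(mac):
    """Lower-case a MAC and use '-' separators, so the Windows spelling
    (00-b0-...) and the Unix spelling (00:b0:...) compare equal."""
    return mac.lower().replace(":", "-")


def parse_arp_table(text):
    """Return {ip: (mac, entry_type)} for every line that carries both an
    IPv4 address and a MAC. Header and 'Interface:' lines have no MAC and
    are skipped. entry_type is 'static', 'dynamic', or 'unknown' when the
    platform prints no such column (e.g. Unix `arp -a`)."""
    table = {}
    for line in text.splitlines():
        ip_match = IPV4_RE.search(line)
        mac_match = MAC_RE.search(line)
        if not ip_match or not mac_match:
            continue
        entry_type = "unknown"
        for candidate in ("static", "dynamic"):
            if candidate in line.lower().split():
                entry_type = candidate
        table[ip_match.group(1)] = (normalize_mac(mac_match.group(1)), entry_type)
    return table


def check_pinned(table, pinned):
    """Compare each pinned binding with the parsed cache. Returns a list of
    (ip, expected_mac, observed_mac, entry_type) for bindings whose MAC
    changed (observed_mac is None and entry_type 'missing' if the entry is
    gone); an empty list means the cache still matches."""
    alerts = []
    for ip, expected in pinned.items():
        expected = normalize_mac(expected)
        if ip not in table:
            alerts.append((ip, expected, None, "missing"))
            continue
        observed, entry_type = table[ip]
        if observed != expected:
            alerts.append((ip, expected, observed, entry_type))
    return alerts


def report(label, text):
    """Print one line per mismatch; the Type column is shown but not trusted."""
    alerts = check_pinned(parse_arp_table(text), PINNED)
    if not alerts:
        print(f"{label}: pinned entries intact")
    for ip, expected, observed, entry_type in alerts:
        print(f"{label}: {ip} expected {expected} but cache holds "
              f"{observed} ({entry_type}) -- possible ARP poisoning")


if __name__ == "__main__":
    report("before", ARP_BEFORE_POISONING)
    report("after", ARP_AFTER_POISONING)
    # Optionally check the live cache; `arp -a` exists on Windows and on
    # most Unix systems, and the parser accepts either output layout.
    try:
        live = subprocess.run(["arp", "-a"], capture_output=True,
                              text=True, check=False).stdout
        report("live", live)
    except FileNotFoundError:
        print("live: arp command not available")
```

Run periodically (or after any unexplained loss of connectivity), the script turns the manual `arp -a` comparison in the message into an alert; the poisoned cache in the quote is reported as a mismatch on 10.10.1.4 even though the entry is still marked static.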



    This archive was generated by hypermail 2b30 : Fri Nov 23 2001 - 18:02:03 PST