Hello,

I came across this problem a while back too... the main point I think is he used "arp -s", which should create a permanent entry in the ARP table. ettercap probably floods the LAN with gratuitous ARP requests, so it can steal the gateway's IP address. If NT had a functional ARP cache, the entry set with arp -s should not be changed.

{root@blak 10:07am} ~# arp -S 192.168.1.1 0:60:8:af:8c:e4
{root@blak 10:07am} ~# arp -an
? (192.168.1.1) at 0:60:8:af:8c:e4 permanent [ethernet]

I ran arpspoof (from the dsniff pkg) for a while against that host from another machine:

{bangel@nomad 11:17am} /home/bangel# arpspoof -i ep0 -t 192.168.1.2 nomad

The ARP entry never changed, which is how it should be.

I walked upstairs to a Windows 95 machine and did this:

C:\>arp -s 192.168.1.1 00-60-08-af-8c-e4
C:\>arp -a

Interface: 192.168.1.3 on Interface 2
  Internet Address      Physical Address      Type
  192.168.1.1           00-60-08-af-8c-e4     static

I then ran arpspoof against the 95 machine. The supposedly static entry changed immediately to the machine I was trying to spoof.

C:\>arp -a

Interface: 192.168.1.3 on Interface 2
  Internet Address      Physical Address      Type
  192.168.1.1           00-a0-c9-89-16-4a     static

I repeated the same thing on Win2000 SP1 I had on a laptop here... Same results.

A while back, a friend and I tested many platforms against this bug, using both spoofed ARP replies and spoofed gratuitous ARP requests. Unfortunately I can't find our results, but I do remember that all versions of Windows we tested were vulnerable to changing static ARP entries w/ spoofed ARP replies.

Thanks
Keith

On 23-Nov-2001, Tomas Nybrand IT wrote:
> Hi
>
> Well ARP poisoning can't be considered as something new, and I would
> prefer to call it a vulnerability in the ARP protocol rather than a
> Windows vulnerability.
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> Tomas Nybrand - UNIX Administrator
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> -- Bene qui latuit, bene vixit.
> --
>
> Grzegorz.Flakat_private writes:
>
> >Hi,
> >
> >I am not sure if it is something new, but I think I found a serious
> >vulnerability in the ARP implementation in Windows NT/2000 (I checked it on
> >NT4 SP6 and Win2000 SP1). The problem is when somebody wants to use the "man
> >in the middle" technique to eavesdrop on your traffic. This example was done
> >with ettercap.
> >To fully protect myself I use 'arp -s' to specify the correct MAC for the default
> >gateway. So I had:
> > 10.10.1.4 00-b0-64-49-1e-01 static
> >
> >then I use ettercap to capture my traffic to the gateway. Of course I
> >could see my POP3 pass ;) Then I checked the ARP table once again:
> >
> > 10.10.1.4 00-01-02-23-85-e1 static
> >
> >The MAC is different (this is the MAC of my Linux box). I checked the same
> >on Solaris 2.7 and Linux 2.4.8 and they look invulnerable.
> >Is this an already known vulnerability (I found indication of a similar
> >weakness, but that was on Windows 9x).
> >
> >Any suggestions how to get rid of that.
> >
> >Regards
>
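As an added example (not code from the thread, nor from dsniff or ettercap), the Python below builds by hand the two frame types Keith says he and his friend tested, a spoofed ARP reply and a spoofed gratuitous ARP request, parses them back, and applies the check a host that honours its permanent entry would apply: a frame whose sender binding contradicts the `arp -s` pin is flagged instead of installed, which is exactly what the Windows hosts above failed to do. The IP and MAC addresses are the ones in Keith's transcript; the victim's own MAC, the helper and function names, and the fact that frames are constructed in memory rather than captured are assumptions of this example. No packets are sent.

```python
"""Hand-built ARP frames plus a pinned-entry conflict check (added example)."""
import struct
import ipaddress

ETH_P_ARP = 0x0806
ARP_REQUEST = 1
ARP_REPLY = 2
BROADCAST = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"

# Addresses taken from Keith's test above; the victim's own MAC is not in the
# post, so VICTIM_MAC is a made-up placeholder.
GATEWAY_IP = "192.168.1.1"
GATEWAY_MAC = "00-60-08-af-8c-e4"
ATTACKER_MAC = "00-a0-c9-89-16-4a"
VICTIM_IP = "192.168.1.3"
VICTIM_MAC = "00:11:22:33:44:55"


def mac_to_bytes(mac):
    """Accept both the Windows "00-60-08-af-8c-e4" and BSD "0:60:8:af:8c:e4" spellings."""
    parts = mac.replace("-", ":").split(":")
    if len(parts) != 6:
        raise ValueError("bad MAC %r" % mac)
    return bytes(int(p, 16) for p in parts)


def bytes_to_mac(raw):
    return ":".join("%02x" % b for b in raw)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip, dst_mac=None):
    """Return an Ethernet II header (14 bytes) carrying one ARP packet (28 bytes)."""
    if dst_mac is None:
        dst_mac = BROADCAST if op == ARP_REQUEST else target_mac
    eth = mac_to_bytes(dst_mac) + mac_to_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    # htype=1 (Ethernet), ptype=0x0800 (IPv4), hlen=6, plen=4, then the opcode
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    arp += mac_to_bytes(sender_mac) + ipaddress.IPv4Address(sender_ip).packed
    arp += mac_to_bytes(target_mac) + ipaddress.IPv4Address(target_ip).packed
    return eth + arp


def parse_arp(frame):
    """Decode an ARP-over-Ethernet/IPv4 frame into a dict; ValueError for anything else."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet+ARP")
    if struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported hardware/protocol type")
    return {
        "op": op,
        "sender_mac": bytes_to_mac(frame[22:28]),
        "sender_ip": str(ipaddress.IPv4Address(frame[28:32])),
        "target_mac": bytes_to_mac(frame[32:38]),
        "target_ip": str(ipaddress.IPv4Address(frame[38:42])),
    }


def check_against_pins(frame, pinned):
    """Compare an ARP frame's sender binding with a pinned IP -> MAC table.

    Returns None when the sender IP is not pinned or the frame agrees with the
    pin, otherwise a one-line description of the conflict.  Requests are
    checked as well as replies, because a cache learns from either.
    """
    p = parse_arp(frame)
    expected = pinned.get(p["sender_ip"])
    if expected is None or mac_to_bytes(expected) == mac_to_bytes(p["sender_mac"]):
        return None
    kind = "reply" if p["op"] == ARP_REPLY else "request"
    return "ARP %s claims %s is at %s, pinned entry says %s" % (
        kind, p["sender_ip"], p["sender_mac"], bytes_to_mac(mac_to_bytes(expected)))


def sample_frames():
    """Constructed traffic: one honest reply, then the two spoof types Keith mentions."""
    honest = build_arp(ARP_REPLY, GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP)
    # arpspoof-style unsolicited reply, unicast to the victim
    spoofed_reply = build_arp(ARP_REPLY, ATTACKER_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP)
    # gratuitous request: sender IP == target IP, zero target MAC, broadcast
    gratuitous = build_arp(ARP_REQUEST, ATTACKER_MAC, GATEWAY_IP, ZERO_MAC, GATEWAY_IP)
    return [honest, spoofed_reply, gratuitous]


def run_demo(pinned=None):
    """Return the alerts a pinning host should raise for sample_frames()."""
    if pinned is None:
        # what "arp -s 192.168.1.1 00-60-08-af-8c-e4" pins on the victim
        pinned = {GATEWAY_IP: GATEWAY_MAC}
    return [a for a in (check_against_pins(f, pinned) for f in sample_frames()) if a]


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

Running it prints two alerts, one for the spoofed reply and one for the gratuitous request; the honest reply from the real gateway MAC is accepted silently. To use the check as a monitor on a real segment you would feed `check_against_pins` frames read from a raw socket or a pcap instead of `sample_frames()`, which is left out here so the block runs offline.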
This archive was generated by hypermail 2b30 : Sat Nov 24 2001 - 15:21:27 PST