Re: ARP hole in Windows NT/2000

From: Keith Simonsen (bangelat_private)
Date: Sat Nov 24 2001 - 07:39:18 PST


    Hello,
    
    
    I came across this problem a while back too... the main point, I think, is
    that he used "arp -s", which should create a permanent entry in the ARP table.
    
    ettercap probably floods the LAN with gratuitous ARP requests so it can steal
    the gateway's IP address. If NT had a functional ARP cache, the entry set
    with arp -s should not be changed.
    
    {root@blak 10:07am} ~# arp -S 192.168.1.1 0:60:8:af:8c:e4
    {root@blak 10:07am} ~# arp -an
    ? (192.168.1.1) at 0:60:8:af:8c:e4 permanent [ethernet]
    
    I ran arpspoof (from the dsniff package) for a while against that host
    from another machine:
    {bangel@nomad 11:17am} /home/bangel# arpspoof -i ep0 -t 192.168.1.2 nomad
    The ARP entry never changed, which is how it should be.
    
    I walked upstairs to a Windows 95 machine and did this:
    C:\>arp -s 192.168.1.1 00-60-08-af-8c-e4
    C:\>arp -a
    Interface: 192.168.1.3 on Interface 2
      Internet Address      Physical Address      Type
      192.168.1.1           00-60-08-af-8c-e4     static
    
    I then ran arpspoof against the 95 machine. The supposedly static entry
    changed immediately to the machine I was trying to spoof.
    
    C:\>arp -a
    Interface: 192.168.1.3 on Interface 2
      Internet Address      Physical Address      Type
      192.168.1.1           00-a0-c9-89-16-4a     static
    
    I repeated the same thing on a Win2000 SP1 laptop I had here... Same
    results.
    
    A while back, a friend and I tested many platforms against this bug, using
    both spoofed ARP replies and spoofed gratuitous ARP requests. Unfortunately
    I can't find our results, but I do remember that all versions of Windows
    we tested were vulnerable to having static ARP entries changed with spoofed
    ARP replies.
    
    Thanks
    Keith
    
    On 23-Nov-2001, Tomas Nybrand IT wrote:
    > Hi
    > 
    > Well, ARP poisoning can't be considered something new, and I would
    > prefer to call it a vulnerability in the ARP protocol rather than a
    > Windows vulnerability.
    > 
    > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    >  Tomas Nybrand - UNIX Administrator
    > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    >     --   Bene qui latuit, bene vixit.   --
    > 
    > Grzegorz.Flakat_private writes:
    > >Hi,
    > >
    > >I am not sure if it is something new, but I think I found a serious 
    > >vulnerability in the ARP implementation in Windows NT/2000 (I checked it on 
    > >NT4 SP6 and Win2000 SP1). The problem is when somebody wants to use the "man 
    > >in the middle" technique to eavesdrop on your traffic. This example was done 
    > >with ettercap.
    > >To fully protect myself I use 'arp -s' to specify the correct MAC for the 
    > >default gateway. So I had:
    > >  10.10.1.4             00-b0-64-49-1e-01     static
    > >
    > >Then I use ettercap to capture my traffic to the gateway. Of course I 
    > >could see my POP3 pass ;) Then I checked the ARP table once again:
    > >
    > >  10.10.1.4             00-01-02-23-85-e1     static
    > >
    > >The MAC is different (this is the MAC of my Linux box). I checked the same 
    > >on Solaris 2.7 and Linux 2.4.8 and they look invulnerable.
    > >Is this an already known vulnerability? (I found an indication of a similar 
    > >weakness, but that was on Windows 9x.)
    > >
    > >Any suggestions how to get rid of that?
    > >
    > >Regards
    > 
    



    This archive was generated by hypermail 2b30 : Sat Nov 24 2001 - 15:21:27 PST