In fact, on one hand you are right and on the other hand you are wrong. Why wrong? Because the command that Grzegorz used should put a STATIC entry in the ARP table. Some time ago I sent a Perl script to the "Penetration Test" list that does this thing: ADD STATIC entries to the ARP table to prevent ARP cache poisoning. But if you put a STATIC entry and you can already do an attack using ARP poisoning, it's a BIG HOLE in MS' systems, I guess.

That's all,
--
# Nelson Brito
# Use: [signature.pl file] or [signature.pl < file] or [cat file | signature.pl]
while(<>){split(//, $_); print reverse @_;}

----- Original Message -----
From: "Tomas Nybrand IT" <tomas.nybrandat_private>
To: <vuln-devat_private>
Sent: Friday, November 23, 2001 5:38 AM
Subject: Re: ARP hole in Windows NT/2000

: Hi
:
: Well, ARP poisoning can't be considered as something new, and I would
: prefer to call it a vulnerability in the ARP protocol rather than a
: Windows vulnerability.
:
: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
: Tomas Nybrand - UNIX Administrator
: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
: -- Bene qui latuit, bene vixit. --
:
: Grzegorz.Flakat_private writes:
: >Hi,
: >
: >I am not sure if it is something new, but I think I found a serious
: >vulnerability in the ARP implementation in Windows NT/2000 (I checked it on
: >NT4 SP6 and Win2000 SP1). The problem is when somebody wants to use the "man
: >in the middle" technique to eavesdrop on your traffic. This example was done
: >with ettercap.
: >To fill protect I use 'arp -s' to specify the correct MAC for the default
: >gateway. So I had
: >
: >  10.10.1.4             00-b0-64-49-1e-01     static
: >
: >then I used ettercap to capture my traffic to the gateway. Of course I
: >could see my POP3 pass ;) Then I checked the arp table once again:
: >
: >  10.10.1.4             00-01-02-23-85-e1     static
: >
: >The MAC is different (this is the MAC of my Linux box). I checked the same
: >on Solaris 2.7 and Linux 2.4.8 and they look not vulnerable.
: >Is this an already known vulnerability (I found an indication of a similar
: >weakness, but that was on Windows 9x)?
: >
: >Any suggestions how to get rid of that?
: >
: >Regards
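A check for the symptom described in the quoted report (an entry still typed `static` whose MAC no longer matches the one pinned with `arp -s`), as an added example that is not part of the original thread. The `arp -a` text is constructed from the two table lines in the post, and the function and variable names are hypothetical.

```python
import re

# Matches one Windows `arp -a` row: IP, dash-separated MAC, entry type.
ROW = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"((?:[0-9a-f]{2}-){5}[0-9a-f]{2})\s+(static|dynamic)\s*$",
    re.IGNORECASE,
)

def parse_arp_table(text):
    """Return {ip: (mac, type)} from `arp -a` output; non-row lines are skipped."""
    table = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            ip, mac, kind = m.groups()
            table[ip] = (mac.lower(), kind.lower())
    return table

def check_pins(pins, arp_text):
    """Compare pinned IP->MAC pairs with the live table and list findings."""
    table = parse_arp_table(arp_text)
    findings = []
    for ip, want in pins.items():
        want = want.lower().replace(":", "-")
        if ip not in table:
            findings.append((ip, "missing", None))
            continue
        mac, kind = table[ip]
        if mac != want:
            # The case from the post: MAC replaced although the type says static.
            findings.append((ip, "mac-changed-" + kind, mac))
        elif kind != "static":
            findings.append((ip, "not-static", mac))
    return findings

# Constructed sample input built from the two table lines quoted in the post;
# the interface header line and its address are made up for illustration.
PINS = {"10.10.1.4": "00-b0-64-49-1e-01"}
BEFORE = """Interface: 10.10.1.20 on Interface 0x1000003
  Internet Address      Physical Address      Type
  10.10.1.4             00-b0-64-49-1e-01     static
"""
AFTER = BEFORE.replace("00-b0-64-49-1e-01", "00-01-02-23-85-e1")

if __name__ == "__main__":
    print(check_pins(PINS, BEFORE))  # pinned entry intact
    print(check_pins(PINS, AFTER))   # pinned MAC was overwritten
```

Run periodically against live `arp -a` output, a `mac-changed-static` finding is the condition the report describes: the type column alone does not show that the pinned address was replaced.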
This archive was generated by hypermail 2b30 : Sat Nov 24 2001 - 15:23:25 PST