Hi,

Do you think Microsoft is going to do something with this? I found this:
http://www.secadministrator.com/Articles/Index.cfm?ArticleID=9393. This is
about Windows 9x, and the hole was reported to Microsoft some time ago (more
than a year) without any response from them. Does anybody have access to XP
to check if it is also vulnerable?

Regards

> Hello,
>
> I came across this problem a while back too... the main point I think is
> he used "arp -s", which should create a permanent entry in the arp table.
>
> ettercap probably floods the LAN with gratuitous arp requests, so it can
> steal the gateway's ip address. If NT had a functional arp cache, the
> entry set with arp -s should not be changed.
>
> {root@blak 10:07am} ~# arp -S 192.168.1.1 0:60:8:af:8c:e4
>
> {root@blak 10:07am} ~# arp -an
> ? (192.168.1.1) at 0:60:8:af:8c:e4 permanent [ethernet]
>
> I ran arpspoof (from dsniff pkg) for a while against that host
> {bangel@nomad 11:17am} /home/bangel# arpspoof -i ep0 -t 192.168.1.2 nomad
> from another machine; the arp entry never changed, which is how it should
> be.
>
> I walked upstairs to a windows95 machine, did this:
> C:\>arp -s 192.168.1.1 00-60-08-af-8c-e4
> C:\>arp -a
> Interface: 192.168.1.3 on Interface 2
>   Internet Address      Physical Address      Type
>   192.168.1.1           00-60-08-af-8c-e4     static
>
> I then ran arpspoof against the 95 machine. The supposedly static entry
> changed immediately to the machine I was trying to spoof.
>
> C:\>arp -a
> Interface: 192.168.1.3 on Interface 2
>   Internet Address      Physical Address      Type
>   192.168.1.1           00-a0-c9-89-16-4a     static
>
> I repeated the same thing on win2000 SP1 I had on a laptop here... Same
> results.
>
> A while back, a friend and I tested many platforms against this bug, using
> both spoofed arp replies and spoofed gratuitous arp requests. Unfortunately
> I can't find our results, but I do remember that all versions of Windows
> we tested were vulnerable to changing static arp entries w/ spoofed arp
> replies.
>
> Thanks
> Keith
>
> On 23-Nov-2001, Tomas Nybrand IT wrote:
> > Hi
> >
> > Well ARP poisoning can't be considered as something new, and I would
> > prefer to call it a vulnerability in the ARP protocol rather than a
> > windows vulnerability.
> >
> > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> > Tomas Nybrand - UNIX Administrator
> > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> > -- Bene qui latuit, bene vixit. --
> >
> > Grzegorz.Flakat_private writes:
> > >Hi,
> > >
> > >I am not sure if it is something new, but I think I found a serious
> > >vulnerability in the ARP implementation in WindowsNT/2000 (I checked it
> > >on NT4 SP6 and Win2000 SP1). The problem is when somebody wants to use
> > >the "man in the middle" technique to eavesdrop on your traffic. This
> > >example was done with ettercap.
> > >To fully protect, I use 'arp -s' to specify the correct MAC for the
> > >default gateway. So I had:
> > >  10.10.1.4 00-b0-64-49-1e-01 static
> > >
> > >then I use ettercap to capture my traffic to the gateway. Of course I
> > >could see my POP3 pass ;) Then I checked the arp table once again:
> > >
> > >  10.10.1.4 00-01-02-23-85-e1 static
> > >
> > >The MAC is different (this is the MAC of my linux box). I checked the
> > >same on Solaris 2.7 and Linux 2.4.8 and they look invulnerable.
> > >Is this an already known vulnerability (I found an indication of a
> > >similar weakness, but that was on Windows 9x).
> > >
> > >Any suggestions how to get rid of that.
> > >
> > >Regards
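The thread's symptom is that a "static" gateway entry silently changes, and the only way the posters noticed was by re-reading `arp -a` by eye. Below is an added example (not code from the thread or from any of its authors) of a defender-side check that does that comparison mechanically: it parses the two table formats quoted above, Windows `arp -a` and BSD-style `arp -an`, normalises the differing MAC spellings (`00-60-08-af-8c-e4` versus `0:60:8:af:8c:e4`), and reports whether the gateway's entry still carries the MAC that was pinned. The sample table text is constructed from the output quoted in the thread, and the function names are this example's own; in practice you would feed it the live output of the `arp` command on a schedule and alert on a mismatch.

```python
# Added example, not from the thread: verify that a pinned (static) ARP
# entry for the gateway still holds the MAC the administrator set.
# Sample tables below are constructed from the output quoted in the thread.
import re
from typing import Dict, Optional

# A MAC in either "00-60-08-af-8c-e4" (Windows) or "0:60:8:af:8c:e4" (BSD) form.
MAC_RE = re.compile(
    r"(?<![0-9A-Fa-f:-])(?:[0-9A-Fa-f]{1,2}[:-]){5}[0-9A-Fa-f]{1,2}(?![0-9A-Fa-f:-])"
)
ENTRY_TYPES = ("static", "permanent", "dynamic")


def normalize_mac(mac: str) -> str:
    """Canonical form: six zero-padded lowercase hex octets joined by ':'."""
    octets = re.split(r"[:-]", mac.strip())
    if len(octets) != 6:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(f"{int(octet, 16):02x}" for octet in octets)


def find_arp_entry(arp_output: str, ip: str) -> Optional[Dict[str, str]]:
    """Return {'mac', 'entry_type'} for `ip` in an arp table dump, or None.

    The IP is matched as a whole token so 192.168.1.1 does not match
    192.168.1.13; the entry type is whichever keyword appears on the line.
    """
    ip_re = re.compile(r"(?<![0-9.])" + re.escape(ip) + r"(?![0-9.])")
    for line in arp_output.splitlines():
        if not ip_re.search(line):
            continue
        mac_match = MAC_RE.search(line)
        if not mac_match:
            continue
        lowered = line.lower()
        entry_type = next((t for t in ENTRY_TYPES if t in lowered), "unknown")
        return {"mac": normalize_mac(mac_match.group(0)), "entry_type": entry_type}
    return None


def check_gateway(arp_output: str, gateway_ip: str, expected_mac: str) -> Dict[str, object]:
    """Compare the gateway's current ARP entry with the MAC that was pinned.

    'matches' is False both when the entry is missing and when its MAC has
    drifted from the pinned value; 'mac' shows what the table holds now.
    """
    expected = normalize_mac(expected_mac)
    entry = find_arp_entry(arp_output, gateway_ip)
    if entry is None:
        return {"found": False, "matches": False, "mac": None,
                "entry_type": None, "expected": expected}
    return {"found": True, "matches": entry["mac"] == expected, "mac": entry["mac"],
            "entry_type": entry["entry_type"], "expected": expected}


# Constructed from the Windows 95 output quoted in the thread: the table as
# pinned, and the same table after the entry was overwritten.
WINDOWS_BEFORE = """\
Interface: 192.168.1.3 on Interface 2
  Internet Address      Physical Address      Type
  192.168.1.1           00-60-08-af-8c-e4     static
"""
WINDOWS_AFTER = """\
Interface: 192.168.1.3 on Interface 2
  Internet Address      Physical Address      Type
  192.168.1.1           00-a0-c9-89-16-4a     static
"""
# Constructed from the BSD `arp -an` output quoted in the thread.
BSD_OUTPUT = "? (192.168.1.1) at 0:60:8:af:8c:e4 permanent [ethernet]\n"

if __name__ == "__main__":
    pinned = "00-60-08-af-8c-e4"
    for name, table in (("windows before", WINDOWS_BEFORE),
                        ("windows after", WINDOWS_AFTER),
                        ("bsd", BSD_OUTPUT)):
        result = check_gateway(table, "192.168.1.1", pinned)
        status = "OK" if result["matches"] else "MISMATCH"
        print(f"{name:15s} {status:9s} table={result['mac']} type={result['entry_type']}")
```

Run on the two Windows tables, the first reports OK and the second reports MISMATCH with the table holding `00:a0:c9:89:16:4a`, which is exactly the change the poster saw by eye. Matching the IP as a whole token and normalising the MAC before comparing are what make the check usable across the formats in the thread; comparing the raw strings would flag the BSD table as a mismatch even though its entry is correct.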
This archive was generated by hypermail 2b30 : Sat Nov 24 2001 - 15:25:24 PST