Dear all, I am quite new to this. I posted this on bugtraq first, but David Ahmad asked to post it in FOCUS-MS and vuln-dev. So here I go :o) This is the setup : 1 Windows 2000 Professional (SP3) 1 Linux Slackware (gateway) 1 Debian Linux 1 switch (The linux distro's doesn't really matter) When using ethercap on the network from de Debian machine, I was able to see and control all trafic. (nothing new right?) Ethercap is doing this by making the network believe everything should be sent to the MAC-address of the ethercap machine which in my case was the Debian machine. To prevent this behaviour, I setup static routes both on the gateway and the Windows machine. Yet I didn't get the result I was expecting. I was still able to see packets on the Debian machine, yet I was no longer able to control the packets. When I looked at the arp cache of Linux, the static entry was there and working (?), but on the Windows machine, THE VALUE OF THE STATIC ARP WAS CHANGED. When ethercap was disabled, the static arp entry was returned to the original value. Meaning Windows 2000 desktops (and servers?) can always be sniffed even when using a switch. On top of that, your network is probably vulnerable to the man-in-the-middle attacks if you're relying on MS-technology only. I don't know if they are still vulnerable to a man-in-the-middle attack if you're using eg. a Linux router with static routes. My "hacking" knowlege is quite limited. But I can imagine there are people who know how to gain from this "feature". If this is a known problem, why hasn't this been fixed. If unknown ... is Microsoft reading this? ;o) Can some experienced securityadvisors perform more tests on this? eg. Other (Windows) OSes, other types of attacks. Hoping this can be usefull Tim
This archive was generated by hypermail 2b30 : Fri Feb 14 2003 - 12:24:11 PST