Re: Layer 2 arp snooping without Layer 3?

From: Nikolaj (lorddoskias@gmail.com)
Date: Thu Oct 25 2007 - 13:15:19 EDT


Tim wrote:
> Hello,
>
>> Well you could poison one's cache but without you having an ip address it
>> will be pointless. Arp is used to map l2 to l3. So if you send rogue
>
> Actually... isn't it supposed to map L3 to L2? This is probably an
> important distinction here.
Absolutely right. I've been talking about inverse ARP. Shame on me!
>
>> packets saying that mac 11:22:33:44:55:66 is on your ip address without you
>> having one the hosts will start sending packets to the rogue ip address (
>> that should be yours) and because you don't have it setup the traffic will
>> go to /dev/null ( the switches will forward it to your nic but you won't
>> have an ip address and the kernel will most likely discard it). I think
>> this is what will happen. And ARP is designed to find an address based on
>> another one.
>
> If we falsely advertise that a given IP address maps to our NIC address,
> then the switch should send those packets to that NIC regardless of
> whether or not we have an IP, right? Sure, the kernel will discard
> those packets but that shouldn't matter if we're listening on the raw
> device in promiscuous mode. So, in theory it should be possible, though
> please correct me if my understanding is flawed.
>
> Now the applicable questions are: Does Linux let you go into
> promiscuous mode while you're bridging? Does Linux let you send false
> ARP packets on an interface that's bridging?
>
> The former question I would guess is a yes. If not, you could at a
> minimum use iptables in bridging mode to redirect some packets to some
> place where you can more easily sniff them.
>
> The latter question I'm not sure on, but even if there were a kernel
> limitation on that, you could poison the switch from another interface
> or system.
Perhaps a little patch or some utility could easily generate packets no
matter whether you are bridging or not. Though, the best way will be to
test this scenario.

> HTH,
> tim
>
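The thread turns on a false ARP advertisement (a reply claiming that some IP address lives at a MAC such as 11:22:33:44:55:66). From the defender's side, the classic countermeasure is an arpwatch-style monitor that parses ARP on the wire and raises an alert when an IP's MAC binding changes or when the ARP sender hardware address disagrees with the Ethernet frame's source MAC. The following is an added example, not code from this thread or from any of the tools mentioned in it; the frame builder and the sample frames are constructed here purely so the monitor can be run offline, and a live deployment would feed it frames read from a raw socket on the bridge interface instead.

```python
"""ARP monitor: parses Ethernet/ARP frames and flags spoofing indicators.

Two indicators are checked, both of which arpwatch-style tools rely on:
  1. an IP address whose MAC binding changes from what was first learned;
  2. an ARP sender hardware address that differs from the frame's source MAC.
The sample frames below are CONSTRUCTED for this example (hypothetical LAN
192.168.1.0/24); they are not captures from the original discussion.
"""
import struct

ETH_HDR = struct.Struct("!6s6sH")            # dst MAC, src MAC, EtherType
ARP_PKT = struct.Struct("!HHBBH6s4s6s4s")    # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b):
    return ".".join(str(x) for x in b)


def mac_bytes(s):
    return bytes(int(x, 16) for x in s.split(":"))


def ip_bytes(s):
    return bytes(int(x) for x in s.split("."))


def parse_arp_frame(frame):
    """Return a dict of ARP fields (plus the frame's source MAC), or None if not IPv4-over-Ethernet ARP."""
    if len(frame) < ETH_HDR.size + ARP_PKT.size:
        return None
    _dst, src, etype = ETH_HDR.unpack_from(frame, 0)
    if etype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = ARP_PKT.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"frame_src": mac_str(src), "op": op, "sha": mac_str(sha), "spa": ip_str(spa),
            "tha": mac_str(tha), "tpa": ip_str(tpa)}


class ArpMonitor:
    """Learns IP -> MAC bindings from sender fields and reports changes."""

    def __init__(self):
        self.table = {}  # ip -> MAC first seen announcing that ip

    def observe(self, frame):
        """Process one frame; return a list of alert strings (empty when nothing is suspicious)."""
        arp = parse_arp_frame(frame)
        if arp is None:
            return []
        alerts = []
        # Indicator 2: the ARP payload claims a different sender MAC than the frame carries.
        if arp["sha"] != arp["frame_src"]:
            alerts.append(f"frame source {arp['frame_src']} differs from ARP sender {arp['sha']} for {arp['spa']}")
        # Indicator 1: an IP we already know is now announced from a different MAC.
        known = self.table.get(arp["spa"])
        if known is None:
            self.table[arp["spa"]] = arp["sha"]
        elif known != arp["sha"]:
            alerts.append(f"{arp['spa']} changed from {known} to {arp['sha']}")
        return alerts


def build_arp_frame(op, sha, spa, tha, tpa, frame_src=None):
    """Pack an Ethernet+ARP frame in memory (used only to construct sample input here)."""
    frame_src = frame_src or sha
    dst = b"\xff" * 6 if op == ARP_REQUEST else mac_bytes(tha)
    eth = ETH_HDR.pack(dst, mac_bytes(frame_src), ETHERTYPE_ARP)
    return eth + ARP_PKT.pack(1, 0x0800, 6, 4, op, mac_bytes(sha), ip_bytes(spa), mac_bytes(tha), ip_bytes(tpa))


# Constructed sample: two legitimate replies for the gateway, then a reply claiming the
# gateway's IP from the MAC the thread uses as its rogue example (11:22:33:44:55:66).
SAMPLE_FRAMES = [
    build_arp_frame(ARP_REPLY, "aa:bb:cc:00:00:01", "192.168.1.1", "aa:bb:cc:00:00:02", "192.168.1.20"),
    build_arp_frame(ARP_REPLY, "aa:bb:cc:00:00:01", "192.168.1.1", "aa:bb:cc:00:00:02", "192.168.1.20"),
    build_arp_frame(ARP_REPLY, "11:22:33:44:55:66", "192.168.1.1", "aa:bb:cc:00:00:02", "192.168.1.20"),
]


def run_monitor(frames):
    """Feed frames through a fresh monitor and collect every alert in order."""
    mon = ArpMonitor()
    return [alert for frame in frames for alert in mon.observe(frame)]


if __name__ == "__main__":
    for alert in run_monitor(SAMPLE_FRAMES):
        print("ALERT:", alert)
```

The monitor learns from both requests and replies, since a spoofer can poison caches with either; on a real bridge the table would also need ageing (DHCP legitimately moves addresses) and a whitelist for hosts that deliberately announce from a different MAC, such as VRRP gateways.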




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:58:11 EDT