Re: ARP Spoofing and Routing

From: Rafael San Miguel Carrasco (smcsoc@yahoo.es)
Date: Sun Oct 02 2005 - 08:32:46 EDT


Remember that you may need to add a rule in iptables to avoid your
TCP/IP stack generating ICMP_REDIRECT messages:

echo 1 > /proc/sys/net/ipv4/ip_forward            # let the kernel forward the intercepted packets on to the real host
iptables -A OUTPUT -p icmp --icmp-type redirect -j REJECT   # stop the stack telling the victims about the "better" route

Greetings,

Rafael San Miguel Carrasco

Kyle Starkey wrote:

>Folks..
>I was on site yesterday at a client doing some pen-test type work and
>thought I might play around with some arpspoofing and see what I could
>gather. I ran into a couple of problems and thought you all might have the
>solution.
>
>What I was trying to do was arpspoof a server so that I could intercept any
>authentication requests that were made to it and grab passwds or hashes to
>find some user accts. I was using the Auditors Toolkit bootable CD and the
>arpspoof worked great. A tcpdump of the eth0 int when the spoof started
>showed that I was getting all the traffic that should have been destined for
>this server (hosts and server and myself were all in the same bcast seg
>btw). However I was not running any daemons (ftp, samba, telnet, etc) to
>answer these requests and as such was only seeing part of the conversation
>and couldn't complete the connection to get the full auth request. So what
>I need to know is how I go about sending packets that were destined for the
>server originally to the actual server after I have had my
>tcpdump/dsniff/etc doing the packet capture and filter. My ideas are as
>follows and I could use some responses about them or OTHER ways I can
>accomplish this...
>
>1) routed routing traffic to the original host with a static ARP entry in my
>host for the server I am spoofing so I don't spoof myself
>
>2) some kind of proxy server that will capture and forward traffic based on
>the dest addr of the packet and again a static arp entry for the host being
>spoofed so we don't spoof ourselves
>
>3) load ftpd, samba, telnet, to answer these requests, even if we are
>denying auth people will still pass user credentials in an attempt to login,
>after the arpspoof has happened...
>
>4) some other already built tool that I have never heard of and should learn
>to use...
>
>
>If this makes no sense please feel free to flame me and call me an idiot,
>but it's been a long week and the coffee ain't helping...
>
>-K
>
>Kyle R. Starkey
>Senior Security Consultant
>CISSP # 31718
>Siegeworks LLC
>Email: kstarkey@siegeworks.com
>Cell: 435-962-8986
>
>

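Added example, not from the thread: a defender-side check for the ARP cache poisoning described above, run over constructed tcpdump-style ARP reply lines. The optional pinned table plays the role of the static ARP entries Kyle mentions; the line format, addresses and MACs are all assumed.

```python
import re

# Assumed shape of "tcpdump -n -e arp" reply lines (constructed for this example):
#   <time> <frame-src-mac> > <frame-dst-mac>, ... ARP, Reply <ip> is-at <mac>, ...
MAC = r"[0-9a-f]{2}(?::[0-9a-f]{2}){5}"
REPLY_RE = re.compile(
    rf"^\S+ (?P<src>{MAC}) > (?P<dst>{MAC}).*?ARP, Reply "
    rf"(?P<ip>\d{{1,3}}(?:\.\d{{1,3}}){{3}}) is-at (?P<mac>{MAC})"
)


def detect_arp_poison(lines, pinned=None):
    """Return (ip, expected_mac, claimed_mac) for every ARP reply that
    re-binds an IP to a MAC other than the one pinned or first observed.

    pinned: optional {ip: mac} of known-good bindings (e.g. the gateway or
    a server), checked from the first packet instead of trusting what is seen.
    """
    bindings = dict(pinned or {})
    alerts = []
    for line in lines:
        m = REPLY_RE.match(line)
        if not m:
            continue            # requests and non-ARP traffic are ignored
        ip, claimed = m["ip"], m["mac"]
        expected = bindings.setdefault(ip, claimed)  # first sighting wins
        if expected != claimed:
            alerts.append((ip, expected, claimed))
    return alerts


# Constructed sample: a legitimate reply for 10.0.0.5, an unrelated reply for
# 10.0.0.9, then a reply re-binding 10.0.0.5 to a different MAC.
SAMPLE = [
    "12:00:01.000000 aa:aa:aa:aa:aa:01 > 00:0c:29:12:34:56, ethertype ARP (0x0806), length 42: ARP, Reply 10.0.0.5 is-at aa:aa:aa:aa:aa:01, length 28",
    "12:00:02.000000 00:0c:29:12:34:56 > aa:aa:aa:aa:aa:01, ethertype ARP (0x0806), length 42: ARP, Reply 10.0.0.9 is-at 00:0c:29:12:34:56, length 28",
    "12:00:03.000000 de:ad:be:ef:00:99 > 00:0c:29:12:34:56, ethertype ARP (0x0806), length 42: ARP, Reply 10.0.0.5 is-at de:ad:be:ef:00:99, length 28",
]

if __name__ == "__main__":
    for ip, expected, claimed in detect_arp_poison(SAMPLE):
        print(f"ALERT {ip}: expected {expected}, got reply claiming {claimed}")
```

Without a pinned table the first reply seen is trusted, so a poisoner who answers before the real host would not be flagged; pin the hosts you care about.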
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:01 EDT