Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
Re: Layer 2 arp snooping without Layer 3?

From: offset (offsetubersecurity.org)
Date: Thu Oct 25 2007 - 15:27:04 CDT

On Thu, Oct 25, 2007 at 12:36:49PM -0400, Tim wrote:
> Hello,
> > Well you could poison one's cache but without you having an ip address it
> > will be pointless. Arp is used to map l2 to l3. So if you send rogue
> Actually... isn't it supposed to map L3 to L2? This is probably an
> important distinction here.
> > packets saying that mac 11:22:33:44:55:66 is on your ip address without you
> > having one the hosts will start sending packets to the rogue ip address (
> > that should be yours) and because you don't have it setup the traffic will
> > go to /dev/null ( the switches will forward it to you nic but you won't
> > have an ip address and the kernel will most likely discard it). I think
> > this is what will happen. And ARP is designed to find an address based on
> > another one.
> If we falsely advertize that a given IP address maps to our NIC address,
> then the switch should send those packets to that NIC regardless of
> whether or not we have an IP, right? Sure, the kernel will discard
> those packets but that shouldn't matter if we're listening on the raw
> device in promiscuous mode. So, in theory it should be possible, though
> please correct me if my understanding is flawed.

I can arp poison another system without having an IP address bound to a NIC,
so I know this is possible, I can only successfully do mitm with L3 (thus far)
using IP forwarding.

Brainstorming ideas for mitm using only L2 without ever having an IP address
bound to a NIC to further avoid detection.

> Now the applicable questions are: Does Linux lets you go into
> promiscuous mode while you're bridging? Does Linux let you send false
> ARP packets on an interface that's bridging?
> The former question I would guess is a yes. If not, you could at a
> minimum use iptables in bridging mode to redirect some packets to some
> place where you can more easily sniff them.
> The latter question I'm not sure on, but even if there were a kernel
> limitation on that, you could poison the switch from another interface
> or system.

My goal with L2 is to have victim frames coming to my machine, view the
packets (ie. tcpdump, etc), but have the frames sent back out to the real
gateway to avoid a DoS situation against the victim. L3 does this for you
via IP forwarding, L2 is another matter.


This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!