From: Andrew (notfrombill_at_gates.com)
Date: Fri Oct 04 2002 - 05:42:45 CDT
Apologies for the long delay on this almost-dead thread ...
At 12:02am Sep 21 root@networkpenetration.com wrote:
//snip
> A couple of problems with the man in the middle attack
> ------------------------------------------------------
//snip
> Another problem with the attack is that it would only be a one
> way attack as the default gateway assigned by the rogue DHCP
> server is not the real default gateway. The fake gateway would
> need to sniff the packets and rewrite the MAC layer to enable
> the packets to be sent to the correct default gateway. The
> problem would occur with packets being sent from the correct
> default gateway back to the attacked machine as the packets
> would not pass through the rogue gateway, thus can not be
> sniffed. This basically means that all outgoing traffic can be
> sniffed and all incoming traffic can't.
>
> A full man in the middle attack can be established using
> programs such as Dsniff and Ettercap which both utilise ARP
> poisoning to establish the man in the middle attack.
//snip
How about: In order to obtain incoming and outgoing traffic, the
fake gateway assigns the victim an IP address on an unused
private subnet, and NATs the traffic to and from the victim.
#! /untested/code
DHCPASSIGNED=192.168.155.3 # What the real DHCP server assigned
PRIVIP=172.16.155.3 # What the fake server assigned
# Inbound: traffic arriving for the real address is rewritten to the private one
iptables -t nat -A PREROUTING -d $DHCPASSIGNED -j DNAT --to $PRIVIP
# Outbound: traffic leaving from the private address is rewritten to the real one
iptables -t nat -A POSTROUTING -s $PRIVIP -j SNAT --to $DHCPASSIGNED
(Alternatively, the fake gateway could advertise its route to the
victim via RIP for a neater exploit .. I think.)
&:-)
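The scenario above (a rogue DHCP server handing a victim an address on an unused private subnet and pointing it at a fake gateway) leaves a clear signature in the DHCP offers seen on the LAN. The following is an added example, not code from the post or its author: a small checker that parses constructed DHCP-offer log lines and flags offers from a server that is not on the allow-list, offers of an address outside the expected subnet, and offers of an unexpected default gateway. The log format, the authorised server, and the expected subnet and router are all assumptions made up for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample log lines, in an assumed key=value format that a DHCP
# offer monitor might emit: server IP, server MAC, offered client IP (yiaddr),
# offered mask, and the router (option 3). All addresses are illustrative.
SAMPLE_OFFERS = [
    "server=192.168.155.1 mac=00:11:22:33:44:55 yiaddr=192.168.155.3 mask=255.255.255.0 router=192.168.155.1",
    "server=172.16.155.1 mac=de:ad:be:ef:00:01 yiaddr=172.16.155.3 mask=255.255.255.0 router=172.16.155.1",
    "server=192.168.155.1 mac=00:11:22:33:44:55 yiaddr=192.168.155.9 mask=255.255.255.0 router=192.168.155.254",
]

# Assumed site policy (hypothetical values): the one legitimate DHCP server,
# identified by IP and MAC, plus the subnet and gateway it is allowed to offer.
AUTHORISED_SERVERS = {("192.168.155.1", "00:11:22:33:44:55")}
EXPECTED_SUBNETS = [ipaddress.ip_network("192.168.155.0/24")]
EXPECTED_ROUTERS = {"192.168.155.1"}


@dataclass
class Offer:
    server: str
    mac: str
    yiaddr: ipaddress.IPv4Address
    mask: str
    router: str


def parse_offer(line: str) -> Offer:
    """Parse one key=value log line into an Offer record."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return Offer(
        server=fields["server"],
        mac=fields["mac"].lower(),
        yiaddr=ipaddress.ip_address(fields["yiaddr"]),
        mask=fields["mask"],
        router=fields["router"],
    )


def check_offer(offer: Offer) -> List[str]:
    """Return the list of policy violations for a single offer (empty if clean)."""
    findings = []
    if (offer.server, offer.mac) not in AUTHORISED_SERVERS:
        findings.append("unauthorised DHCP server")
    if not any(offer.yiaddr in net for net in EXPECTED_SUBNETS):
        findings.append("offered address outside expected subnet")
    if offer.router not in EXPECTED_ROUTERS:
        findings.append("unexpected default gateway")
    return findings


def audit_offers(lines: List[str]) -> List[Tuple[str, List[str]]]:
    """Run every log line through the checker; keep (line, findings) pairs."""
    return [(line, check_offer(parse_offer(line))) for line in lines]


if __name__ == "__main__":
    for line, findings in audit_offers(SAMPLE_OFFERS):
        status = "OK " if not findings else "ALERT"
        print(f"{status} {line}")
        for f in findings:
            print(f"      - {f}")
```

The second sample line reproduces the rogue-server pattern from the thread (unknown server, 172.16.x address, gateway on that same foreign subnet) and trips all three checks; the third line shows that a legitimate server offering the wrong router is still caught. On managed switches the same class of attack is blocked at the port level by DHCP snooping, which drops DHCP server messages arriving on untrusted ports; this checker is the passive, log-based complement for networks where that is not available.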