[TOOL] ARP0c Connection Interceptor

From: support@securiteam.com
Date: 09/22/02


From: support@securiteam.com
To: list@securiteam.com
Date: Sun, 22 Sep 2002 21:54:52 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  ARP0c Connection Interceptor
------------------------------------------------------------------------

DETAILS

ARP0c is a connection interceptor (using ARP spoofing and a bridging
engine).

ARP requests from various sources in a switched environment get false ARP
response packets that point them to the host running ARP0c. Packets from
these hosts are bridged with an internal engine to the real destination
address to allow normal network operation and keep TCP connections alive.
Packets to hosts in remote (read: reachable using a router) subnets are
forwarded to a gateway using an internal routing table - independent from
the host's routing table.
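
Added example, not part of the original advisory or of ARP0c: a minimal
passive check for the symptom described above, where ARP replies start
pointing several IP addresses at one MAC. The function names and the sample
frames are constructed for illustration.

```python
import struct
from collections import defaultdict

ARP_REPLY = 2

def parse_arp(frame: bytes):
    """Return (opcode, sender_mac, sender_ip) for an Ethernet/IPv4 ARP frame, else None."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":   # EtherType 0x0806 = ARP
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    mac = ":".join(f"{b:02x}" for b in frame[22:28])
    ip = ".".join(str(b) for b in frame[28:32])
    return op, mac, ip

def find_spoofing(frames):
    """Flag IPs whose MAC changes and MACs that answer for more than one IP."""
    ip_to_mac, mac_to_ips, alerts = {}, defaultdict(set), []
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None or parsed[0] != ARP_REPLY:
            continue
        _, mac, ip = parsed
        known = ip_to_mac.setdefault(ip, mac)        # first binding seen is the baseline
        if known != mac:
            alerts.append(("ip-moved", ip, known, mac))
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) > 1:                 # proxy-ARP routers need an allowlist
            alerts.append(("mac-claims-many", mac, sorted(mac_to_ips[mac])))
    return alerts

def build_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Build an in-memory ARP reply frame; used only to create the sample data below."""
    m = lambda s: bytes.fromhex(s.replace(":", ""))
    i = lambda s: bytes(int(x) for x in s.split("."))
    eth = m(target_mac) + m(sender_mac) + b"\x08\x06"
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)
    return eth + arp + m(sender_mac) + i(sender_ip) + m(target_mac) + i(target_ip)

# Constructed sample: two genuine replies, then one MAC answering for both IPs.
SAMPLE = [
    build_reply("00:11:22:33:44:01", "10.0.0.1", "00:11:22:33:44:10", "10.0.0.10"),
    build_reply("00:11:22:33:44:20", "10.0.0.20", "00:11:22:33:44:10", "10.0.0.10"),
    build_reply("00:de:ad:be:ef:99", "10.0.0.1", "00:11:22:33:44:10", "10.0.0.10"),
    build_reply("00:de:ad:be:ef:99", "10.0.0.20", "00:11:22:33:44:10", "10.0.0.10"),
]

if __name__ == "__main__":
    print(*find_spoofing(SAMPLE), sep="\n")
```

The baseline here is simply the first binding observed; in practice it
would be seeded from DHCP leases or a static inventory.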

ADDITIONAL INFORMATION

The tool can be downloaded from:
 http://www.phenoelit.de/arpoc/

The information has been provided by FX <fx@phenoelit.de>.

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.


