[TOOL] Windows ARP Spoofer
From: SecuriTeam (support_at_securiteam.com)
Date: 04/25/04
- Previous message: SecuriTeam: "[EXPL] TCP Window Size RST"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: list@securiteam.com Date: 25 Apr 2004 19:29:12 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Windows ARP Spoofer
------------------------------------------------------------------------
SUMMARY
DETAILS
The WinArpSpoof program is a strong Windows-based ARP spoofer program with
GUI based on the CBuildPacket class.
1.1 What is ARP spoofing?
ARP spoofing, also called ARP Cache poisoning is one of the hacking
methods to spoof the contents of an ARP table on a remote computer on the
LAN. Two addresses are needed for one computer to connect to other
computer on an IP/Ether network. One address is the MAC address; the other
is the IP address. A MAC address is used on a local area network before
packets go out of the gateway; an IP address is used to surf the Internet
through a gateway. There is a protocol that asks, "who has this MAC
address" and answers the question; that is called ARP (Address Resolution
Protocol). What the ARP asks the target address for sending is called the
ARP Request or ARP who has, and the ARP that responds to the request is
called the ARP Request or ARP who has. Although wrong information is
inserted into ARP, the computer believes that the information of the ARP
is valid and saves the information in own ARP table for a while. This is
ARP spoofing.
1.3 CBuildPacket Class
CBuildPacket is a class that builds a WinArpSpoofer program. Its general
purpose is to easily build a cooked packet throwing into the network. It
is hard to understand and use existing libnet libraries and so forth in MS
Visual.NET, so Gordon Ahn have newly designed this class.
The current version of the CBuildPacket class provides some methods for
building and sending an ARP to the network. The future version of this
class will provide many various types of network packets for building TCP,
IP, icmp, and the like.
WinArpSpoofer has been built based on the current CBuildPacket class. It
could pull and collect all packets without users' recognition. The current
version, 0.1, has been built for spoofing ARP tables and actually
forwarding packets, so we didn't consider a neat and convenient user
interface. For the future, when upgrading, that point will be improved.
1.4 Features of WinArpSpoofer
Functions and features of the WinArpSpoofer:
* Pull and collect all the packets on the LAN.
* Show the active hosts on the LAN within a very short time (~1-2
seconds)
* While spoofing ARP tables, it can act as another gateway (or
ip-forwarder) without other users' recognition on the LAN.
* Collect and forward packets by selecting inbound, outbound, and both to
be sent to the Internet.
* An ARP table is recovered automatically in a little time (about 30
seconds). But, this program can keep spoofing continuously with periodic
time.
* Although one or more network interface cards are installed on a
computer, this program can scan and spoof by selecting one of NICs.
Because most functions are processed through threads, this program is
faster than you think. Spoofing itself doesn't allocate much CPU time. So,
if there are many active hosts on the LAN, the problem related to CPU time
will be different.
Obtaining the Tool:
The source code for the CBuildPacket class can be found at:
<http://www.nextsecurity.net/downloads/winarpspoof/CBuildPacket.zip>
http://www.nextsecurity.net/downloads/winarpspoof/CBuildPacket.zip
The tool binaries can be downloaded from:
<http://www.nextsecurity.net/downloads/winarpspoof/WinArpSpoof.zip>
http://www.nextsecurity.net/downloads/winarpspoof/WinArpSpoof.zip
ADDITIONAL INFORMATION
The information has been provided by <mailto:tachyon@nextsecurity.net>
Gordon Ahn.
The tool's web page is located at:
<http://www.nextsecurity.net/products/winarpspoof/WinARPSpoof.htm>
http://www.nextsecurity.net/products/winarpspoof/WinARPSpoof.htm
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
- Previous message: SecuriTeam: "[EXPL] TCP Window Size RST"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
