arp problem
From: Bartłomiej (bartek@pjwstk.edu.pl)Date: 04/21/02
- Previous message: Berend-Jan Wever: "Re: Cross site scripting in almost every mayor website"
- Next in thread: Akatosh: "Re: arp problem"
- Reply: Akatosh: "Re: arp problem"
- Reply: dlaumann@suntzu.net: "RE: arp problem"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sun, 21 Apr 2002 14:45:15 +0200 From: "Bartłomiej" Konarski <bartek@pjwstk.edu.pl> To: bugtraq@securityfocus.com
Hi,
I have a small problem.
Situation:
We have linux box running kernel 2.4 with 2 NICs.
Let`s assume that
eth0 IP 10.1.1.1/8 MAC 11:11:11:11:11:11,
eth1 IP 192.168.0.1/24 MAC 22:22:22:22:22:22
We can even safely set the eth1 interface down, remove a patchcord from
this interface or it can be dummy0 interface.
On the second machine from network 10.0.0.0 (in our case 10.2.2.2) we try:
# arping 192.168.0.1
and we got the reply:
Unicast reply from 192.168.0.1 [11:11:11:11:11:11] 0.765ms
Looks strange - there is no proxy-arp turned on on any of the interfaces.
What can we do with this knowledge ? For example we can try to find
suspected masquerade machines in our network.
It is also very easy to scan for private networks behind the suspected
machines.
We tried this under Linux kernel 2.4
This technique didn`t work with multihomed MS-Windows machine.
It didn`t work on cisco 2500 series either.
The questions are:
How to turn this off ?
Is it only a feature of the kernel series 2.4 ?
-- Bartek Konarski GPG/PGP Key: http://www.bss.pjwstk.edu.pl/bartek.asc
- application/pgp-signature attachment: stored
- Previous message: Berend-Jan Wever: "Re: Cross site scripting in almost every mayor website"
- Next in thread: Akatosh: "Re: arp problem"
- Reply: Akatosh: "Re: arp problem"
- Reply: dlaumann@suntzu.net: "RE: arp problem"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
