Windows 2000 Static arp not static

From: Tim Habex (tim.habex@eenderwat.be)
Date: 02/13/03

    From: "Tim Habex" <tim.habex@eenderwat.be>
    To: <focus-ms@securityfocus.com>, <vuln-dev@securityfocus.com>
    Date: Thu, 13 Feb 2003 00:53:44 +0100
    
    

    Dear all,

    I am quite new to this. I posted this on Bugtraq first, but David Ahmad
    asked me to post it in FOCUS-MS and vuln-dev. So here I go :o)

    This is the setup:
    1 Windows 2000 Professional (SP3)
    1 Linux Slackware (gateway)
    1 Debian Linux
    1 switch

    (The Linux distros don't really matter)

    When using ettercap on the network from the Debian machine, I was able to see
    and control all traffic. (nothing new, right?)
    Ettercap is doing this by making the network believe everything should be
    sent to the MAC address of the ettercap machine, which in my case was the
    Debian machine.

    To prevent this behaviour, I set up static routes both on the gateway and the
    Windows machine. Yet I didn't get the result I was expecting.
    I was still able to see packets on the Debian machine, yet I was no longer
    able to control the packets.

    When I looked at the arp cache of Linux, the static entry was there and
    working (?), but on the Windows machine, THE VALUE OF THE STATIC ARP WAS
    CHANGED. When ettercap was disabled, the static arp entry was returned to
    the original value.

    Meaning Windows 2000 desktops (and servers?) can always be sniffed even when
    using a switch. On top of that, your network is probably vulnerable to the
    man-in-the-middle attacks if you're relying on MS-technology only.
    I don't know if they are still vulnerable to a man-in-the-middle attack if
    you're using e.g. a Linux router with static routes. My "hacking" knowledge is
    quite limited. But I can imagine there are people who know how to gain from
    this "feature".

    If this is a known problem, why hasn't this been fixed? If unknown ... is
    Microsoft reading this? ;o)
    Can some experienced security advisors perform more tests on this? E.g. other
    (Windows) OSes, other types of attacks.

    Hoping this can be useful

    Tim
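
Added example, not part of the original post: a Python check that compares Windows `arp -a` output against pinned IP-to-MAC pairs and flags a static entry whose MAC has changed, which is the behaviour the post reports. The addresses, MACs, sample output and the `PINNED` table are constructed for illustration.

```python
import re

# One entry line of Windows `arp -a` output: IP address, MAC, entry type.
ENTRY = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+"
                   r"([0-9A-Fa-f]{2}(?:[-:][0-9A-Fa-f]{2}){5})\s+(static|dynamic)\s*$")

def normalize(mac):  # canonical form so 00-AA-... and 00:aa:... compare equal
    return mac.lower().replace("-", ":")

def parse_arp_table(text):
    """Return {ip: (mac, entry_type)} parsed from `arp -a` text."""
    hits = (ENTRY.match(line) for line in text.splitlines())
    return {m.group(1): (normalize(m.group(2)), m.group(3)) for m in hits if m}

def audit(pinned, arp_text):
    """Check the cache against pinned IP->MAC pairs; [] means every pin holds."""
    table = parse_arp_table(arp_text)
    findings = []
    for ip, want in pinned.items():
        want = normalize(want)
        mac, kind = table.get(ip, (None, None))
        if mac is None:
            findings.append((ip, "pinned entry missing from cache"))
        elif mac != want:
            findings.append((ip, f"{kind} entry has {mac}, pinned {want}"))
        elif kind != "static":
            findings.append((ip, "MAC matches but entry is dynamic"))
    # One MAC answering for several IPs is a common sign of ARP poisoning.
    by_mac = {}
    for ip, (mac, _) in table.items():
        by_mac.setdefault(mac, []).append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            findings.append((",".join(sorted(ips)), f"share MAC {mac}"))
    return findings

# Constructed sample: the "static" gateway entry now carries another host's MAC.
SAMPLE = """Interface: 192.168.1.10 on Interface 0x1000003
  Internet Address      Physical Address      Type
  192.168.1.1           00-50-56-aa-bb-14     static
  192.168.1.20          00-50-56-aa-bb-14     dynamic
"""
PINNED = {"192.168.1.1": "00-50-56-AA-BB-01"}  # constructed pin for the gateway

if __name__ == "__main__":
    for where, msg in audit(PINNED, SAMPLE):
        print(f"ALERT {where}: {msg}")
```

Run on a schedule against live `arp -a` output, this reports a pinned entry that was overwritten even though the cache still labels it static.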
