Re: Windows 2000 Static arp not static

From: Anthony Kim (Anthony.Kim@VW.COM)
Date: 02/13/03

    Date: Thu, 13 Feb 2003 12:42:48 -0600
    From: Anthony Kim <Anthony.Kim@VW.COM>
    To: focus-ms@securityfocus.com
    
    

    On Thu, Feb 13, 2003, Tim Habex wrote:

    > Dear all,
    >
    > I am quite new to this. I posted this on bugtraq first, but
    > David Ahmad asked to post it in FOCUS-MS and vuln-dev. So here
    > I go :o)
    >
    > This is the setup:
    >   1 Windows 2000 Professional (SP3)
    >   1 Linux Slackware (gateway)
    >   1 Debian Linux
    >   1 switch
    >
    > (The Linux distros don't really matter)
    >
    > When using Ettercap on the network from the Debian machine, I
    > was able to see and control all traffic. (nothing new right?)
    > Ettercap is doing this by making the network believe everything
    > should be sent to the MAC-address of the Ettercap machine which
    > in my case was the Debian machine.

    > To prevent this behaviour, I setup static routes both on the
    > gateway and the Windows machine. Yet I didn't get the result I
    > was expecting. I was still able to see packets on the Debian
    > machine, yet I was no longer able to control the packets.

    Because arp happens before routing, I'm not sure how much static
    routes will get you, unless you meant static arp entries.

    > When I looked at the arp cache of Linux, the static entry was
    > there and working (?), but on the Windows machine, THE VALUE OF
    > THE STATIC ARP WAS CHANGED. When Ettercap was disabled, the
    > static arp entry was returned to the original value.

    I wouldn't be surprised if this was still true. (Won't test here
    at work ;-)

    It was a deficiency back in the NT days that caused all sorts of
    problems for software firewalls requiring an arp proxy.
    (Checkpoint anyone?)

    > Meaning Windows 2000 desktops (and servers?) can always be
    > sniffed even when using a switch. On top of that, your network
    > is probably vulnerable to the man-in-the-middle attacks if
    > you're relying on MS-technology only. I don't know if they are
    > still vulnerable to a man-in-the-middle attack if you're using
    > e.g. a Linux router with static routes. My "hacking" knowledge is
    > quite limited. But I can imagine there are people who know how
    > to gain from this "feature".

    Most people would lock arp tables on the switch and not on the
    host. If you're relying on MS-technology only, you probably have
    a boatload of other problems to take care of... ;-)
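The condition Tim describes (a pinned gateway entry whose MAC silently changes, and the cache no longer matching what `arp -s` set) is something a host can at least detect even when it cannot enforce it. The following is an added example, not code from this thread or from either poster: a small Python checker that parses the row layout of Windows `arp -a` output and flags a pinned IP whose MAC or entry type has changed, or one MAC that answers for several IPs. The sample tables, IPs and MACs are constructed for the example; the function names and the `PINNED` mapping are my own choices.

```python
import re
from collections import defaultdict

# Matches one data row of Windows `arp -a` output:
#   <IPv4 address>   <MAC as xx-xx-xx-xx-xx-xx>   <static|dynamic>
# Header lines ("Interface: ...", "Internet Address ...") do not match.
ARP_ROW = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"([0-9a-fA-F]{2}(?:-[0-9a-fA-F]{2}){5})\s+"
    r"(static|dynamic)\s*$",
    re.IGNORECASE,
)


def parse_arp_table(text):
    """Return {ip: (mac, type)} for every data row in `text`, normalised to lowercase."""
    entries = {}
    for line in text.splitlines():
        m = ARP_ROW.match(line)
        if m:
            ip, mac, kind = m.groups()
            entries[ip] = (mac.lower(), kind.lower())
    return entries


def check_arp_table(entries, pinned):
    """Compare a parsed cache against `pinned` ({ip: mac we configured}).

    Returns a sorted list of findings (empty means nothing suspicious):
      1. a pinned IP is missing or resolves to a MAC other than the one we set;
      2. a pinned entry is no longer marked 'static';
      3. one MAC is claimed by several IPs, a common symptom of ARP poisoning.
    """
    findings = []
    for ip, want_mac in pinned.items():
        if ip not in entries:
            findings.append(f"{ip}: pinned entry missing from cache")
            continue
        mac, kind = entries[ip]
        if mac != want_mac.lower():
            findings.append(f"{ip}: MAC changed from {want_mac.lower()} to {mac}")
        if kind != "static":
            findings.append(f"{ip}: entry type is '{kind}', expected 'static'")

    by_mac = defaultdict(list)
    for ip, (mac, _) in entries.items():
        by_mac[mac].append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            findings.append(f"{mac}: claimed by multiple IPs {sorted(ips)}")
    return sorted(findings)


# Constructed sample output modelled on the Windows 2000 `arp -a` layout (not a real capture).
HEALTHY = """\
Interface: 192.168.1.10 on Interface 0x1000003
  Internet Address      Physical Address      Type
  192.168.1.1           00-0c-29-aa-bb-cc     static
  192.168.1.5           00-50-56-11-22-33     dynamic
"""

# Constructed view of the same host after the gateway entry has been overwritten:
# the pinned IP now carries the MAC of the other host on the segment, so that
# MAC appears twice and the entry is no longer static.
POISONED = """\
Interface: 192.168.1.10 on Interface 0x1000003
  Internet Address      Physical Address      Type
  192.168.1.1           00-50-56-11-22-33     dynamic
  192.168.1.5           00-50-56-11-22-33     dynamic
"""

# The gateway MAC we configured with `arp -s` (constructed value).
PINNED = {"192.168.1.1": "00-0c-29-aa-bb-cc"}

if __name__ == "__main__":
    for name, table in (("healthy", HEALTHY), ("poisoned", POISONED)):
        findings = check_arp_table(parse_arp_table(table), PINNED)
        print(name, "->", findings or "OK")
```

In practice you would feed the checker the live output of `arp -a` on a schedule and alert on any non-empty result; as the reply above notes, the real enforcement point is the switch, and this only tells you that the host-side pin was not honoured.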