ARP Spoofing and Routing

From: Kyle Starkey (kstarkey_at_siegeworks.com)
Date: 09/30/05

    To: <pen-test@securityfocus.com>
    Date: Fri, 30 Sep 2005 12:33:26 -0600


    Folks..
    I was on site yesterday at a client doing some pen-test type work and
    thought I might play around with some arpspoofing and see what I could
    gather. I ran into a couple of problems and thought you all might have the
    solution.

    What I was trying to do was arpspoof a server so that I could intercept any
    authentication requests that were made to it and grab passwds or hashes to
    find some user accts. I was using the Auditors Toolkit bootable CD and the
    arpspoof worked great. A tcpdump of the eth0 int when the spoof started
    showed that I was getting all the traffic that should have been destined for
    this server (hosts and server and myself were all in the same bcast seg
    btw). However I was not running any daemons (ftp, samba, telnet, etc) to
    answer these requests and as such was only seeing part of the conversation
    and couldn't complete the connection to get the full auth request. So what
    I need to know is how I go about sending packets that were destined for the
    server originally to the actual server after I have had my
    tcpdump/dsniff/etc doing the packet capture and filter. My ideas are as
    follows and I could use some responses about them or OTHER ways I can
    accomplish this...

    1) routed routing traffic to the original host with a static ARP entry in my
    host for the server I am spoofing so I don't spoof myself

    2) some kind of proxy server that will capture and forward traffic based on
    the dest addr of the packet and again a static arp entry for the host being
    spoofed so we don't spoof ourselves

    3) load ftpd, samba, telnet, to answer these requests, even if we are
    denying auth people will still pass user credentials in an attempt to login,
    after the arpspoof has happened...

    4) some other already built tool that I have never heard of and should learn
    to use...

    If this makes no sense please feel free to flame me and call me an idiot,
    but it's been a long week and the coffee ain't helping...

    -K

    Kyle R. Starkey
    Senior Security Consultant
    CISSP # 31718
    Siegeworks LLC
    Email: kstarkey@siegeworks.com
    Cell: 435-962-8986
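A defender's counterpart to the technique in the post, as an added example that is not part of the original thread: a small detector that walks a list of observed ARP replies (constructed sample data below, not a real capture) and flags an IP whose MAC changes, or one MAC answering for several IPs. The `trusted` table plays the role of the static ARP entries the post mentions; `detect_arp_spoofing` and the sample values are assumptions of this example.

```python
"""Detect ARP-cache poisoning from a stream of observed ARP replies.

Added example. Each record is (timestamp, sender_ip, sender_mac) as it
would be taken from ARP replies seen on the broadcast segment.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Tuple

ArpReply = Tuple[float, str, str]  # (timestamp, sender IP, sender MAC)

def detect_arp_spoofing(replies: Iterable[ArpReply],
                        trusted: Optional[Dict[str, str]] = None) -> List[str]:
    """Return alert strings for (a) an IP whose MAC differs from the pinned or
    first-learned one and (b) a MAC that claims more than one IP.

    `trusted` pins IP->MAC like a static ARP entry: it is never overwritten,
    so every contradicting reply is reported. Unpinned IPs are learned on
    first sight and updated on change, so a flapping mapping keeps alerting.
    """
    pinned = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
    learned: Dict[str, str] = {}
    ips_per_mac = defaultdict(set)
    alerts: List[str] = []
    for ts, ip, mac in replies:
        mac = mac.lower()  # normalise case so AA:.. and aa:.. compare equal
        expected = pinned.get(ip, learned.get(ip))
        if expected is not None and expected != mac:
            alerts.append(f"t={ts}: {ip} answered by {mac}, expected {expected}")
        if ip not in pinned:
            learned[ip] = mac
        if ip not in ips_per_mac[mac]:
            ips_per_mac[mac].add(ip)
            if len(ips_per_mac[mac]) > 1:
                alerts.append(f"t={ts}: {mac} claims {sorted(ips_per_mac[mac])}")
    return alerts

# Constructed sample: gateway, server and a workstation answer normally, then
# a third MAC answers for the server and the gateway, then the real server
# answers again (the flapping a poisoned segment typically shows).
SAMPLE_REPLIES: List[ArpReply] = [
    (1.0, "10.0.0.1", "cc:cc:cc:cc:cc:01"),
    (1.5, "10.0.0.5", "AA:AA:AA:AA:AA:05"),
    (2.0, "10.0.0.7", "dd:dd:dd:dd:dd:07"),
    (3.0, "10.0.0.5", "bb:bb:bb:bb:bb:99"),
    (3.1, "10.0.0.1", "bb:bb:bb:bb:bb:99"),
    (4.0, "10.0.0.5", "aa:aa:aa:aa:aa:05"),
]
TRUSTED = {"10.0.0.5": "aa:aa:aa:aa:aa:05"}  # static entry for the server

if __name__ == "__main__":
    for line in detect_arp_spoofing(SAMPLE_REPLIES, TRUSTED):
        print(line)
```

With the server pinned, the run reports the two forged replies and the MAC that claims both addresses; without `TRUSTED` it also reports the real server's reply at t=4.0, because the learned mapping had been overwritten.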

