Re: ARP Spoofing and Routing

From: Rafael San Miguel Carrasco (smcsoc_at_yahoo.es)
Date: 10/02/05

    Date: Sun, 02 Oct 2005 14:32:46 +0200
    To: Kyle Starkey <kstarkey@siegeworks.com>
    
    

    Remember that you may need to add a rule in iptables to avoid your
    TCP/IP stack generating ICMP_REDIRECT messages:

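    # Enable IPv4 forwarding in the kernel
    echo 1 > /proc/sys/net/ipv4/ip_forward
    # Reject ICMP redirect messages generated by the local stack
    iptables -A OUTPUT -p icmp --icmp-type redirect -j REJECT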

    Greetings,

    Rafael San Miguel Carrasco

    Kyle Starkey wrote:

    >Folks..
    >I was on site yesterday at a client doing some pen-test type work and
    >thought I might play around with some arpspoofing and see what I could
    >gather. I ran into a couple of problems and thought you all might have the
    >solution.
    >
    >What I was trying to do was arpspoof a server so that I could intercept any
    >authentication requests that were made to it and grab passwds or hashes to
    >find some user accts. I was using the Auditors Toolkit bootable CD and the
    >arpspoof worked great. A tcpdump of the eth0 int when the spoof started
    >showed that I was getting all the traffic that should have been destined for
    >this server (hosts and server and myself were all in the same bcast seg
    >btw). However I was not running any daemons (ftp, samba, telnet, etc) to
    >answer these requests and as such was only seeing part of the conversation
    >and couldn't complete the connection to get the full auth request. So what
    >I need to know is how I go about sending packets that were destined for the
    >server originally to the actual server after I have had my
    >tcpdump/dsniff/etc doing the packet capture and filter. My ideas are as
    >follows and I could use some responses about them or OTHER ways I can
    >accomplish this...
    >
    >1) routed routing traffic to the original host with a static ARP entry in my
    >host for the server I am spoofing so I don't spoof myself
    >
    >2) some kind of proxy server that will capture and forward traffic based on
    >the dest addr of the packet and again a static arp entry for the host being
    >spoofed so we don't spoof ourselves
    >
    >3) load ftpd, samba, telnet, to answer these requests, even if we are
    >denying auth people will still pass user credentials in an attempt to login,
    >after the arpspoof has happened...
    >
    >4) some other already built tool that I have never heard of and should learn
    >to use...
    >
    >
    >If this makes no sense please feel free to flame me and call me an idiot,
    >but it's been a long week and the coffee ain't helping...
    >
    >-K
    >
    >Kyle R. Starkey
    >Senior Security Consultant
    >CISSP # 31718
    >Siegeworks LLC
    >Email: kstarkey@siegeworks.com
    >Cell: 435-962-8986
    >
    >
    >
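Seen from a host on the same segment, the setup discussed in this thread leaves two traces: one MAC address answering for more than one IP in the neighbour table, and ICMP redirects coming from a host that is forwarding traffic. The script below is an added example, not part of the original messages, that checks for both; the function names and all sample data are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample data (not from the original thread); addresses are
# documentation ranges. Neighbour lines follow the `ip -4 neigh show` layout,
# capture lines the one-line text layout of `tcpdump -n icmp`.
SAMPLE_NEIGH='192.0.2.1 dev eth0 lladdr 00:00:5e:00:53:01 REACHABLE
192.0.2.10 dev eth0 lladdr 00:00:5E:00:53:66 REACHABLE
192.0.2.66 dev eth0 lladdr 00:00:5e:00:53:66 STALE
192.0.2.20 dev eth0 lladdr 00:00:5e:00:53:20 REACHABLE
192.0.2.30 dev eth0  FAILED'
SAMPLE_ICMP='14:32:01.100 IP 192.0.2.66 > 192.0.2.20: ICMP redirect 192.0.2.10 to host 192.0.2.10, length 68
14:32:01.200 IP 192.0.2.20 > 192.0.2.10: ICMP echo request, id 7, seq 1, length 64
14:32:02.100 IP 192.0.2.66 > 192.0.2.20: ICMP redirect 192.0.2.10 to host 192.0.2.10, length 68'

# Print "<mac> <ip>,<ip>..." for each MAC that answers for more than one IP.
shared_macs() {
    awk '{
        mac = ""
        for (i = 1; i < NF; i++) if ($i == "lladdr") mac = tolower($(i + 1))
        if (mac == "" || seen[mac, $1]++) next   # no MAC yet, or duplicate row
        if (n[mac]++) ips[mac] = ips[mac] "," $1; else ips[mac] = $1
    }
    END { for (m in n) if (n[m] > 1) print m, ips[m] }' | sort
}

# Print "<count> <sender-ip>" for each host that sent ICMP redirects.
redirect_senders() {
    awk '/ICMP redirect/ {
        for (i = 1; i < NF; i++) if ($i == "IP") c[$(i + 1)]++
    }
    END { for (s in c) print c[s], s }' | sort -rn
}

printf 'MACs claiming several IPs:\n'
printf '%s\n' "$SAMPLE_NEIGH" | shared_macs
printf 'ICMP redirect senders:\n'
printf '%s\n' "$SAMPLE_ICMP" | redirect_senders
```

On a live host, pipe `ip -4 neigh show` into `shared_macs` instead of the sample. Because redirects can be filtered as shown in the reply above, the neighbour-table check is the one to rely on.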
