Re: Layer 2 arp snooping without Layer 3?

Hello,

Well you could poison one's cache but without you having an ip address it
will be pointless. Arp is used to map l2 to l3. So if you send rogue

Actually... isn't it supposed to map L3 to L2? This is probably an
important distinction here.

packets saying that mac 11:22:33:44:55:66 is on your ip address without you
having one the hosts will start sending packets to the rogue ip address (
that should be yours) and because you don't have it setup the traffic will
go to /dev/null ( the switches will forward it to you nic but you won't
have an ip address and the kernel will most likely discard it). I think
this is what will happen. And ARP is designed to find an address based on
another one.

If we falsely advertize that a given IP address maps to our NIC address,
then the switch should send those packets to that NIC regardless of
whether or not we have an IP, right? Sure, the kernel will discard
those packets but that shouldn't matter if we're listening on the raw
device in promiscuous mode. So, in theory it should be possible, though
please correct me if my understanding is flawed.

Now the applicable questions are: Does Linux lets you go into
promiscuous mode while you're bridging? Does Linux let you send false
ARP packets on an interface that's bridging?

The former question I would guess is a yes. If not, you could at a
minimum use iptables in bridging mode to redirect some packets to some
place where you can more easily sniff them.

The latter question I'm not sure on, but even if there were a kernel
limitation on that, you could poison the switch from another interface
or system.

HTH,
tim

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------

Relevant Pages

  • Re: Layer 2 arp snooping without Layer 3?
    ... Arp is used to map l2 to l3. ... So if you send rogue ... having one the hosts will start sending packets to the rogue ip address ( ...
    (Pen-Test)
  • Re: Layer 2 arp snooping without Layer 3?
    ... I've been talking about inverse arp. ... having one the hosts will start sending packets to the rogue ip address and because you don't have it setup the traffic will go to /dev/null. ... ARP packets on an interface that's bridging? ...
    (Pen-Test)
  • Re: False negative on anti sniffing programme.
    ... >> folowed the approach of sending arp request packets to the IP of the ... >> responding to these packets despite not being in promiscuous mode. ... sniffers, we can't help you, cos you really can't do anything worthwhile". ...
    (Security-Basics)
  • RE: ARP Spoof Question
    ... I remember reading an article a while back about sending frequent ... spoofed ARP packets to receive packets but have been unable to locate ... Subject: ARP Spoof Question ... I have it in my switch table, because ...
    (Security-Basics)
  • Re: ARP requests
    ... Keep in mind that ARP packets are a normal part of the communication process ... Your IP layer will issue an ARP ... > packet, a DHCP Request, with just your hardware (MAC) address. ...
    (comp.security.firewalls)