Re: MiM Simultaneous close attack

From: jaywhy (jaywhy2@home.com)
Date: 08/18/01


Date: Sat, 18 Aug 2001 13:20:36 -0400
Subject: Re: MiM Simultaneous close attack
From: jaywhy <jaywhy2@home.com>
To: Paul <paulbugtraq@263.net>, <vuln-dev@securityfocus.com>
Message-ID: <B7A41C23.124B%jaywhy2@home.com>

I already sent a message to vuln-dev about this. But I will explain your
scenario more in depth.

                 internet
                    |
                 +--+-----+
                 | gateway|
                 +--+-----+
                    |MAC1(gg:gg)ip,gg.gg
                    |
                    |port3
          port1 +---+---+ port2
       +--------+switch +---------------------+
       |        +-------+                     |
   +---+-----+                            +---+---+
   |  Hub1   +--host c ip cc,cc           | HUB2  |
   +-+-----+-+         mac cc:cc          +---+---+
     |     |                                  |
   Host A(MAC2 aa:aa)                  Host B(mac bb:bb)ip,bb.bb
  ip:aa.aa

Let's say there is a host on hub2 that has the IP 10.0.0.3 (Host B) and he
wants to connect to a host with IP 10.0.0.2 (Host A).

Host A wants to connect to Host B's telnet server or something like that.

Host A will send a broadcast out like this:

ARP broadcast: who-has 10.0.0.3 tell (Host A MAC address)

The message will be sent to the broadcast ff:ff:ff:ff:ff:ff Ethernet
address. The router receives the broadcast and forwards it to all ports.
Everything connected to that router will receive the broadcast. The router
however will not forward the broadcast out of that network; it will simply
be dropped. Although some misconfigured routers do forward broadcasts, that
is really doubtful.

Now Host B will respond to the ARP request with his MAC address.

ARP reply: (Host A MAC address) is-at (Host B MAC address)

Since all ports connected to that router receive the broadcast, nothing keeps
the malicious computer Host M from responding as well.

ARP reply: (Host A MAC address) is-at (Host M, spoofing as Host B's IP address)

Arpspoof does this for you. It replies to the ARP request even though it is
not its IP address that was requested, and it sends back its MAC address as
though it were really Host B. Host A is in the dark; it has no clue Host B is
really Host M.

You use arpspoof to spoof the address, and you also use dsniff as a packet
sniffer. Host M will act as a router between Host A and Host B: using a
program called fragrouter, it will forward the data between Host A and Host B
so the connection will not be dropped, and it will go undetected.

Host A --------> Host M(with fragrouter) -------> Host B
Host B --------> Host M(with fragrouter) -------> Host A

-- 
Jason Yates
jaywhy2@home.com
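The exchange Jason describes (A asks who-has B, B answers, then M answers the same request claiming B's IP) is exactly what an arpwatch-style monitor on the segment catches. The following is an added example, not code from this post or from the dsniff/arpspoof/fragrouter tools: a small Python ARP parser plus a watcher that learns IP-to-MAC bindings from replies and raises an alert when a later reply contradicts an earlier binding or answers no outstanding request. All MAC and IP addresses and every frame are constructed for the example; nothing here is captured traffic.

```python
"""ARP-reply monitor in the spirit of arpwatch: learns IP->MAC bindings from
replies and flags replies that contradict a known binding or that arrive with
no outstanding request. Frames and addresses are constructed sample data."""
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_to_str(b):
    return ":".join(f"{x:02x}" for x in b)


def mac_to_bytes(s):
    return bytes(int(x, 16) for x in s.split(":"))


def ip_to_bytes(s):
    return bytes(int(x) for x in s.split("."))


def parse_arp(frame):
    """Return (op, sender_mac, sender_ip, target_mac, target_ip) for an
    Ethernet II frame carrying IPv4-over-Ethernet ARP (RFC 826), else None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    b = frame[22:42]
    return (op, mac_to_str(b[0:6]), ".".join(map(str, b[6:10])),
            mac_to_str(b[10:16]), ".".join(map(str, b[16:20])))


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Build a constructed ARP frame: requests go to the Ethernet broadcast
    address, replies are unicast to the target MAC (as in the post)."""
    dst = BROADCAST if op == ARP_REQUEST else target_mac
    eth = mac_to_bytes(dst) + mac_to_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    arp += mac_to_bytes(sender_mac) + ip_to_bytes(sender_ip)
    arp += mac_to_bytes(target_mac) + ip_to_bytes(target_ip)
    return eth + arp


class ArpWatch:
    def __init__(self):
        self.bindings = {}       # ip -> mac learned from the first reply seen
        self.requested = set()   # target ips asked for and not yet answered
        self.alerts = []

    def observe(self, frame):
        """Feed one raw frame; return the list of alerts it produced."""
        parsed = parse_arp(frame)
        if parsed is None:
            return []
        op, smac, sip, _tmac, tip = parsed
        if op == ARP_REQUEST:
            self.requested.add(tip)
            return []
        if op != ARP_REPLY:
            return []
        new = []
        # A reply that answers no pending request is how a periodic spoofer
        # (or a second answer to one request) shows up on the wire.
        if sip in self.requested:
            self.requested.discard(sip)
        else:
            new.append(f"reply without outstanding request: {sip} is-at {smac}")
        # The first reply wins the binding; any later reply that disagrees is
        # either a legitimate NIC change or a spoof, and either deserves a look.
        known = self.bindings.setdefault(sip, smac)
        if known != smac:
            new.append(f"binding conflict: {sip} was {known}, now claimed by {smac}")
        self.alerts.extend(new)
        return new


def run_scenario():
    """Replay the post's exchange with constructed addresses: A asks for B,
    B answers, then M answers the same request claiming B's IP."""
    a_mac, a_ip = "aa:aa:aa:aa:aa:aa", "10.0.0.2"
    b_mac, b_ip = "bb:bb:bb:bb:bb:bb", "10.0.0.3"
    m_mac = "de:ad:be:ef:00:01"            # Host M, constructed
    w = ArpWatch()
    frames = [
        build_arp(ARP_REQUEST, a_mac, a_ip, "00:00:00:00:00:00", b_ip),
        build_arp(ARP_REPLY, b_mac, b_ip, a_mac, a_ip),
        build_arp(ARP_REPLY, m_mac, b_ip, a_mac, a_ip),   # M spoofs B's IP
    ]
    return [w.observe(f) for f in frames]


if __name__ == "__main__":
    for i, alerts in enumerate(run_scenario(), 1):
        print(f"frame {i}: {alerts or 'ok'}")
```

Run as a script it prints nothing for the request and for B's reply, and two alerts for M's reply. On a live segment you would feed `observe()` from a raw socket or pcap reader on the monitoring host; because the spoofed reply in Jason's scenario is unicast to Host A, the monitor has to sit somewhere it actually sees that frame (a hub port as in his diagram, or a mirror port on the switch).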


