lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
From: dbounds at intrusense.com (Darren Bounds)
Subject: Static ARP Replies?

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Dan,

What does it prevent exactly? It certainly doesn't prevent gratuitous 
ARPs nor does it prevent someone from responding with their own ARP 
replies. As far as I can tell, it's nothing more than a feeble attempt 
to route *ALL* traffic through the gateway including local subnet 
traffic. Easily subverted.


Thanks,

Darren Bounds, CISSP

443D 628D 0AC7 CACF 6085
C0E0 B2FC 534B 3D9E 69AF

- --
Intrusense - Securing Business As Usual



On Aug 5, 2004, at 11:15 PM, Dan Taylor, Jr. wrote:

> I have encountered a few 802.11b public access points (I can't
> remember the vendors, but they were for hotels) that seem to have
> built-in ARP cache poisoning prevention.  I found it nonetheless
> impressive and am looking for solutions to implement it (presumably
> with my own wireless card and hostap drivers).
>
> Here's what happens on one of these networks:
>
> Say the AP's MAC address is DE:AD:C0:DE:CA:FE, with the IP of
> 192.168.1/255.255.255.0, and I send out an ARP request for hosts
> 192.168.1.2-254.
>
> Say my MAC address is FE:ED:FA:CE:BE:EF, with the IP address of 
> 192.168.1.100
> --> ARP broadcast (source FE:ED:FA:CE:BE:EF destination 
> FF:FF:FF:FF:FF:FF)
> --> Who has 192.168.1.2?  Tell 192.168.1.100
>
> --< ARP Reply (source DE:AD:C0:DE:CA:FE, destination FE:ED:FA:CE:BE:EF)
> --< 192.168.1.2 is at DE:AD:C0:DE:CA:FE
>
> I'm assuming this is a rather effective way of not only preventing ARP
> poisoning attacks, but making it so that all communication is
> virtually done between the client and the access point).
> Has anyone seen this feature implemented in any other access points?
> To what extent does this work and/or it's behavior on layer-2
> broadcasting or client to client (mac address to mac address)
> communications?
>
> Thanks.
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (Darwin)

iD8DBQFBE2vtsvxTSz2eaa8RAkuxAJ4nfkPZB4fzYyuRJVzgNbg3svARqgCePjTf
fzuZ7t1FOZku2hYTha53GJY=
=Fy2C
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ