lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <200409152001.29558@M3T4>
From: fdlist at digitaloffense.net (H D Moore)
Subject: Re: The ArpSucker is b0rn! Be yourself, be the net.

There are actually some legitimate uses for this kind of stuff. The 
attached Perl script will enforce IP/MAC combinations on the local 
subnet. It was designed to catch ARP spoofing attacks and discourage[1] 
unauthorized systems from connecting to the segment that it monitors. If 
you run this script on an external segment, it will convince your router 
that each non-used address address exists and that it should forward the 
IP packet on. This can be useful when you want to monitor ALL traffic 
destined for your external network and don't have an upstream tap.

This script requires the Net::Pcap module and uses the Linux-specific 
SOCK_PACKET interface, YMMV. The configuration file looks suspiciously 
like the output of arp -n. To use it, send an IP packet to each host on 
your local subnet, dump your ARP cache, and manually add your own IP 
address:

# nmap -sP 192.168.0.0/24
# arp -n | grep -v Address > arpguard.conf
# ifconfig
< read IP + MAC >
# echo -e "192.168.0.XXX ether 00:11:22:33:44:55 C eth0" >> arpguard.conf
# perl arpguard.pl -i eth0 -f arguard.conf -t
[.. test it out ..]
# nohup perl arpguard.pl -i eth0 -f arguard.conf &

Then watch syslog for messages like:

arpguard.pl: ethernet address mismatch for XXX: real=XXX fake=XXX

If you change the DEFACEDFEEDD MAC address to your own, it will provide 
the exact same functionality as ArpSucker (just in a cleaner package). To 
use it in this fashion, the configuration file should only contain your 
IP and that of the default gateway. If you would like to exclude any 
other address from the attack, just add the corresponding entries to the 
configuration file.

-HD

1. Any Windows/MacOS system trying to connect to the network segment will 
received "Address already in use" error messages, regardless of what 
range they try to use on the monitored segment. If you don't see the 
alert generated by arpguard and they keep fighting for the address at the 
ARP level, there is a decent chance they can get away with using the 
segment anyways.  It should also be obvious that anyone spoofing their 
MAC address would be able to defeat this system. Then again, anyone who 
first connects to the system may not notice arpguard until it has already 
thrown an alert...


On Monday 13 September 2004 15:05, Alpt wrote:
>         Freaknet Death C is pride to present ya:
>  }----------------- (The ArpSucker) ----------------{
>
> Hi folks,
> Did you ever dreamed to become the net, to be a big, bad, black, black,
> black hole?
> Yep! I did.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: arpguard.pl
Type: application/x-perl
Size: 3901 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20040915/1439f2aa/arpguard.bin

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ