Bugtraq mailing list archives
arprelay: a tool to edit TCP connections in a LAN
From: felix () CODEBLAU DE (Felix von Leitner)
Date: Sat, 10 Jun 2000 00:42:45 +0200
Dear target audience,

I have recently written a tool called arprelay that will forward IP packets between two machines on an Ethernet who have each been told that the MAC address of the other is some random spoofed MAC address. As far as I know, ARP relaying has until now only been publicized as a method to enable sniffing in switched environments. It can obviously also be used to rewrite the packets as you forward them.

Since ARP spoofing is a well established technique, you can just use a tool from someone else for this; arprelay does not do this. I recommend http://teso.scene.at/releases/arpmitm-0.1.tar.gz for this because it is small and gets the job done.

You can get arprelay from http://www.fefe.de/arprelay/arprelay.tar.gz

arprelay uses libnet and pcap and can edit the payload of the proxied packets. Since this is just proof-of-concept code, the user interface is very crude. You tell arprelay the IP and MAC addresses of Alice and Bob (the two machines whose communication you want to proxy) and the MAC address you spoofed on both machines. To change the editing that arprelay does, you have to edit the source code (change the char* "quelle" and "ziel" in lines 97 and 98). arprelay will (well, should) make sure that the TCP checksum stays valid.

Since arprelay does not implement any fragmentation or TCP details, I chose to focus on single packets. The current code can neither insert nor delete characters, but that is obviously not an inherent limitation of this type of attack. I am planning to write a "proper" version of this tool that will use the Linux Ethernet tap device to have the kernel do TCP and fragmentation and spawn an external TCP proxy process for each new TCP connection, but the error handling is tricky and resource contention is a problem, so I haven't actually gotten around to doing it.

This attack should make clear that SecurID and one time passwords are worthless unless protected by strong cryptography or separate cabling.

If you haven't noticed yet: yes, this not only works on switched networks, it works even better than on non-switched environments, because attacked hosts using tcpdump can not see the duplicate packets.

Felix von Leitner
Code Blau Security Concepts

PS: Since I tested this code using static ARP entries with the wrong MAC address for testing, the code will not work out of the box if you do use arpmitm unless you delete lines 223-236 from t.c.
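The precondition for the relay described above is that Alice and Bob are both handed the same spoofed MAC for each other's IP, and that is exactly what an ARP-cache monitor on the segment can see. The following detector is an added example, not part of the post or of arprelay: it parses raw Ethernet/ARP reply frames and flags an IP whose MAC binding changes, and a MAC that starts claiming several IPs. The hosts (10.0.0.1, 10.0.0.2), their MACs and the spoofed MAC 00:00:5e:00:53:ff are constructed sample values.

```python
import struct
from collections import defaultdict

# Constructed sample frames (hex): Ethernet header (dst, src, 0x0806) followed by a
# 28-byte ARP reply (opcode 2). The first two are the legitimate Alice<->Bob
# replies; the last two are the poisoned replies that bind both IPs to the same MAC.
SAMPLE_FRAMES = [bytes.fromhex(h) for h in (
    "00005e005302 00005e005301 0806 0001080006040002 00005e005301 0a000001 00005e005302 0a000002",
    "00005e005301 00005e005302 0806 0001080006040002 00005e005302 0a000002 00005e005301 0a000001",
    "00005e005302 00005e0053ff 0806 0001080006040002 00005e0053ff 0a000001 00005e005302 0a000002",
    "00005e005301 00005e0053ff 0806 0001080006040002 00005e0053ff 0a000002 00005e005301 0a000001",
)]

def parse_arp(frame):
    """Return (opcode, sender_mac, sender_ip) for an Ethernet/ARP frame, else None."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None  # not ARP, or truncated
    opcode = struct.unpack("!H", frame[20:22])[0]
    sender_mac = ":".join(f"{b:02x}" for b in frame[22:28])
    sender_ip = ".".join(str(b) for b in frame[28:32])
    return opcode, sender_mac, sender_ip

def detect_arp_spoofing(frames):
    """Track IP->MAC bindings announced in ARP replies and return a list of alerts."""
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    alerts = []
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None or parsed[0] != 2:
            continue  # only replies (opcode 2) update a victim's cache
        _, mac, ip = parsed
        previous = ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            alerts.append(f"MAC change for {ip}: {previous} -> {mac}")
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
        # One MAC answering for several IPs is the relay pattern; hosts that
        # legitimately alias addresses (routers) would need an allowlist here.
        if len(mac_to_ips[mac]) > 1:
            alerts.append(f"{mac} now claims multiple IPs: {sorted(mac_to_ips[mac])}")
    return alerts

if __name__ == "__main__":
    for alert in detect_arp_spoofing(SAMPLE_FRAMES):
        print(alert)
```

On the sample frames the two legitimate replies produce no alert; the two poisoned replies produce two binding-change alerts and one multiple-IP alert.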