Re: Layer 2 arp snooping without Layer 3?

[Nikolaj <lorddoskias () gmail com>]

offset wrote:
> I've been playing with arp poisoning lately and had some questions about arp poisoning without layer 3.
>
> Is it possible to configure a linux system with one NIC to act as a layer 2 bridge instead of using IP forwarding 
> (layer 3)?
>
> I can poison another systems arp cache to come to my MAC address for its default gateway, but I'd like to do mitm 
> snooping without my NIC having an IP address signed.
>
> Just asking if this is a possibility to configure linux bridging to route traffic destined for my MAC to be routed back 
> out at layer 2 to the real default gateway MAC.
>
> I've been playing around with setting up a layer 2 bridge (bridge-utils) on linux, but not sure if I can say, all 
> packets that arrive to my bridge via arp poisoning will be re-routed out to the default gateway MAC to keep the victims 
> network from halting due to lack of layer 3 (no ip address to forward through).
>
> Regards,

Well you could poison one's cache but without you having an ip address 
it will be pointless. Arp is used to map l2 to l3. So if you send rogue 
packets saying that mac 11:22:33:44:55:66 is on your ip address without 
you having one the hosts will start sending packets to the rogue ip 
address ( that should be yours) and because you don't have it setup the 
traffic will go to /dev/null ( the switches will forward it to you nic 
but you won't have an ip address and the kernel will most likely discard 
it). I think this is what will happen. And ARP is designed to find an 
address based on another one.

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------