Vulnerability Development mailing list archives
Re: Hijack IP Address using cable modem
From: cdowns <cdowns () SKILLSOFT COM>
Date: Wed, 28 Mar 2001 09:32:40 -0500
Patrick Maartense wrote:
> DISCLAIMER
> A large cable network company has been informed of this MISBEHAVIOUR and threatened to disconnect me. They would not think of a proper solution:
>
> Purpose: A Hacker's dream, work from your own PC with IP Addresses someone else owns:
>
> In short, occupy IP Addresses someone else normally owns.
>
> Normal Broadband Cable networks either give out DHCP Addresses or a Fixed Address or Address range.
> When doing a sniff on the outbound iface, a properly designed network should not broadcast ARP requests not meant for the network on that end of the Cable Modem.
> Some Networks, however, are weakly configured and broadcast ARP for the entire shared medium through all Cable Modems attached to that Network.
>
> A smart hacker would set up the outbound iface to reply to all ARP requests it gets, therefore being able to take any IP Address that is broadcast for.
>
> This makes the following possible:
> DoS.
> Hacking using Others' Addresses
> Not to mention all other fun...
>
> Any comments on this?
> --
> ---
> Kind Regards
> Patrick Maartense
> (using Pine on a Text Console)
here's a snip from my subnet, and they are guilty of this, as I have known this for a while:

[root@dsbelile /root]# tcpdump -i eth0 -vv -p arp -l > /tmp/media_sniff & tail -f /tmp/media_sniff
[1] 4461
Kernel filter, protocol ALL, datagram packet socket
tcpdump: listening on eth0
09:00:51.413545 B arp who-has 24.128.143.7 tell bvubr01.ne.mediaone.net
09:00:56.420043 > arp who-has bvubr01.ne.mediaone.net tell dsbelile.ne.mediaone.net (0:10:4b:6a:b2:15)
09:00:56.426959 < arp reply bvubr01.ne.mediaone.net is-at 0:b0:8e:f5:18:70 (0:10:4b:6a:b2:15)

and bvubr01.ne.mediaone.net is the gateway / router for this subnet.

[root@scavenger /root]# nslookup bvubr01.ne.mediaone.net
Server: dns.corp.skillsoft.com
Address: 10.0.2.78

Non-authoritative answer:
Name: bvubr01.ne.mediaone.net
Addresses: 24.128.8.240, 24.128.142.1

[root@scavenger /root]#

Also, if you use ettercap (either version) or manually using hunt and try any type of MITM attack using the gateway and another machine on the subnet, the entire subnet goes to crap, and it seems to me the router took an ARP flood and stopped responding. I'm not positive, but I think they are a form of Cisco router. Anyone have any ideas about this? Would love to hear any real good explanations.

-D
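
An added example, not part of the original message: a small monitor a subscriber or network operator could run over `tcpdump -n arp` output in the format quoted above, to confirm whether ARP requests for other subnets reach their side of the modem and whether one IP is being answered for by more than one MAC. The function names, the `192.0.2.0/24` local network and the sample lines are constructed assumptions.

```python
import ipaddress
import re

REQ = re.compile(r"arp who-has (\S+) tell (\S+)")
REP = re.compile(r"arp reply (\S+) is-at ([0-9a-fA-F:]+)")

# Constructed sample lines (documentation addresses, made-up MACs).
SAMPLE = """\
09:00:51.413545 B arp who-has 192.0.2.7 tell 192.0.2.1
09:00:52.100000 B arp who-has 198.51.100.9 tell 198.51.100.1
09:00:53.200000 B arp who-has gw.example.net tell 192.0.2.1
09:00:56.426959 < arp reply 192.0.2.1 is-at 0:b0:8e:0:0:1
09:01:10.000000 < arp reply 192.0.2.1 is-at 0:10:4b:0:0:2
09:01:11.000000 < arp reply 192.0.2.7 is-at 0:10:4b:0:0:3
"""

def _ip(text):
    """Return an address object, or None for hostnames (capture without -n)."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None

def leaked_requests(lines, local_net):
    """Targets of who-has requests that lie outside our own subnet.
    Seeing these means the segment forwards ARP broadcasts it should filter."""
    net = ipaddress.ip_network(local_net)
    leaked = []
    for line in lines:
        m = REQ.search(line)
        target = _ip(m.group(1)) if m else None
        if target is not None and target not in net:
            leaked.append(str(target))
    return leaked

def conflicting_replies(lines):
    """IPs claimed by more than one MAC: a sign of spoofed ARP replies."""
    seen = {}
    for line in lines:
        m = REP.search(line)
        if m and _ip(m.group(1)) is not None:
            seen.setdefault(m.group(1), set()).add(m.group(2).lower())
    return {ip: macs for ip, macs in seen.items() if len(macs) > 1}

if __name__ == "__main__":
    lines = SAMPLE.splitlines()
    print("leaked:", leaked_requests(lines, "192.0.2.0/24"))
    print("conflicts:", conflicting_replies(lines))
```

A legitimate gateway failover or NIC swap also changes the MAC behind an IP, so a conflict is a prompt to investigate rather than proof of hijacking.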