Re: Redir games with ARP and ICMP

der Mouse (mouse@RODENTS.MONTREAL.QC.CA)
Sat, 20 Sep 1997 07:42:33 -0400

> Not only that but a switched network allows you to make purely
> unicast address attacks that the monitoring station won't see as the
> lan admin is himself switched from your packets...

It's a pretty stupid admin who counts on a station being able to sniff
attacks and then puts the monitoring station behind a switch.

Not that there aren't plenty of stupid admins out there, of course.
But I certainly know if _I_ were counting on my monitoring station
being able to snoop such things I'd make damn sure the switch forwarded
everything to it. (All switches I've seen are capable of this.)

> A filtering hub lets you perform this attack

> ping the two hosts you wish to snoop between.

> Using the mac address you learn via arp send both a unicast arp
> giving yourself as the answer for the other IP address.

"arp info for 0x11223344 overwritten by 01:02:03:04:05:06"

Not that anyone will necessarily notice, of course, but still.

der Mouse

mouse@rodents.montreal.qc.ca
7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B
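
Added example, not part of the original message: a small Python check that scans collected syslog lines for the "arp info for ... overwritten by ..." kernel message quoted above and reports any MAC address that replaced the ARP entries for two or more different IP addresses, which is the trace the described redirect leaves on both hosts. The syslog prefix, the sample lines, the big-endian reading of the hex address and the function names are assumptions made for this illustration.

```python
import re
from collections import defaultdict

# Message text as quoted in the post. The "timestamp host tag:" prefix is an
# assumed syslog layout; adjust the pattern to the local format.
OVERWRITE = re.compile(
    r"^\w{3}\s+\d+\s[\d:]{8}\s(?P<host>\S+)\s.*?"
    r"arp info for 0x(?P<ip>[0-9a-fA-F]{8}) overwritten by "
    r"(?P<mac>(?:[0-9a-fA-F]{1,2}:){5}[0-9a-fA-F]{1,2})\b"
)

# Constructed sample input (not real log data).
SAMPLE_LOG = """\
Sep 20 07:40:01 alpha kernel: arp info for 0x0a000002 overwritten by 01:02:03:04:05:06
Sep 20 07:40:01 beta kernel: arp info for 0x0a000001 overwritten by 1:2:3:4:5:6
Sep 20 07:41:10 gamma kernel: arp info for 0x0a000009 overwritten by 08:00:20:aa:bb:cc
Sep 20 07:41:30 alpha sendmail[212]: unrelated line
"""

def hex_to_ip(hexaddr):
    """Decode the 8 hex digits as a big-endian IPv4 address (assumption)."""
    n = int(hexaddr, 16)
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def normalize_mac(mac):
    """Pad each octet to two lowercase hex digits (kernels may print 8:0:20:...)."""
    return ":".join(f"{int(octet, 16):02x}" for octet in mac.split(":"))

def parse(log):
    """Yield (reporting_host, ip, mac) for every overwrite message in the log."""
    for line in log.splitlines():
        m = OVERWRITE.match(line)
        if m:
            yield m["host"], hex_to_ip(m["ip"]), normalize_mac(m["mac"])

def suspicious_macs(log, min_ips=2):
    """Return {mac: [(host, ip), ...]} for MACs that took over >= min_ips addresses."""
    seen = defaultdict(set)
    for host, ip, mac in parse(log):
        seen[mac].add((host, ip))
    return {
        mac: sorted(pairs)
        for mac, pairs in seen.items()
        if len({ip for _, ip in pairs}) >= min_ips
    }

if __name__ == "__main__":
    for mac, pairs in suspicious_macs(SAMPLE_LOG).items():
        print(mac, "replaced ARP entries:", pairs)
```

A single overwrite for one IP (as on `gamma` in the sample) is left unreported because it also occurs when a host legitimately changes its network card.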