Arp Packet Hacking
Originally Posted: 12/28/2003
Part deux of Want to know how to really hack?
Question: can i arp poison a MAC which is not in my LAN or Network?
What about double-encapsulation? Like embedding the ARP within something else.. I'd study the wire capture for a while and use tools like isic and hping3 to see what types of rules are in place... Then you can always try random weird protocols like a different VLAN header on the packet or something... ettercapNG would allow this to work with some mods. Maybe you should try accessing the switch/router that is in between the LANs... that is what I would try first... determine device type and version, research the heck outta it, and see what you come up with... default password maybe? Then you could set up a 2-way mirroring situation on the switch or router. Another little trick I've had to do is configure a DHCP or BOOTP server on a nix box and then turn off and on the power of the building to reboot the device. Usually for the first few seconds of the reboot it will allow things to happen which usually don't. But if you configure the DHCP or BOOTP correctly, you're in. Like maybe for the first 5 minutes after a reboot, access to a built-in webserver for remote configuration will be running. If so you can then learn the type and version, then find ways to breach with this info. No switch or router can stop you.. infinite ways to attack this..
If you have a Unix flavor, try messing around with the following programs.. arp, route, ifconfig, vconfig, arping, rarp. If arp doesn't go through, you could try to imitate the gateway that is allowed to send ARP, and then try again. arping might be especially useful to you.
# sends an ARP reply to dest_ip claiming source_ip, out of interface eth0
# (-I: the interface; a virtual device could be created and specified here)
$ arping -A -I eth0 -s source_ip dest_ip
Also might want to check out the tools traceroute, firewalk, and especially sing.
But by doing that, does it actually help on poisoning an ARP? Just to bring up a new question: is it possible to get in a LAN through IP spoofing or any other method? I really don't know anything about networking, sorry.
I think he means ARP poisoning to sniff data, and I don't think he can sniff from an outside network through ARP (MAC spoofing) packets. I agree, ARP is level 2 OSI. He wants to ARP poison on the inet, which is level 3. Can't be done.
No, if you want to sniff data from inside a network not your own, you would have to breach the firewall first; routers and switches cannot stop you. They just aren't smart enough yet. So if you can get past the gate, it's all fin over. Breach a node on the inside of the network first; you can try different ways to do this. As far as IP spoofing to get in, yes, that's very possible. You could pretend to be a Windows Update server, a time server, or any number of default services hosts usually have signed up for. Then you would be allowed to set up a session with a node on the inside network. This would also allow you to map out the topology. You could also whois the IP and find out the DNS servers for that IP. Try spoofing all of them, as some might not be active but still allowed to access the network through standard configuration on the nodes or gateway. So you could spoof a message from the DNS server to the target basically telling it that a website is at X. You are X. Then you might get lucky and have that one spoofed message allow you access past the firewall because now your X IP is in the memory. As far as spoofing something else, it would have to be something that the network already is configured to allow in. So try mapping out the access lists configured for the gate. Many methods to do this; all methods should be used together. Say you spoofed the DNS server IP, and inside that packet you changed the MAC for the DNS server; depending on the type of protection, this could be enough to allow you in on port 53, but it's unlikely. Once you find out what's allowed IN, then you can try tons of stuff to elicit the responses you are looking for. You could also try breaching the DNS servers themselves and then using a phish type attack on the nodes to do whatever the fuk you want. I don't understand what your purpose is. Why do you want to do something as minor as poison the ARP? Then I could give you much more specific answers..
In the meantime, research firewalk, traceroute, sing, isic, and hping3 all as means to an end.
I think he means ARP poisoning to sniff data, and I don't think he can sniff from an outside network through ARP (MAC spoofing) packets. I agree, ARP is level 2 OSI. He wants to ARP poison on the inet, which is level 3. Can't be done.
Hence the mention of double encapsulation. The only tricky part is getting it to double-encapsulate itself right back; the gate won't allow ARPs to leave. I was thinking he was on the same network, just a different segment separated by a measly router or switch.
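The two posts above make the layer-2 point that an ARP frame carries no IP header and so never crosses a router. The following is an added example, not code from this thread or from any tool mentioned in it, that shows this from the defender's side: it parses raw Ethernet/ARP frames (note the absence of any IP header in the layout) and keeps an IP-to-MAC table that raises an alert when an IP address suddenly answers from a second MAC, which is the on-segment symptom of the spoofed replies the thread discusses. The frames, addresses and names (`build_arp_reply`, `ArpWatch`, the `192.168.1.x` values) are all constructed here for the example.

```python
import struct

# Added example (not from the original thread): parse raw Ethernet/ARP frames
# and flag IP-to-MAC binding changes. All sample frames below are constructed
# inline for the example; nothing is read from a live interface.

ETHERTYPE_ARP = 0x0806
ARP_REPLY = 2


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Construct an Ethernet frame carrying an ARP reply (test data only)."""
    eth = target_mac + sender_mac + struct.pack("!H", ETHERTYPE_ARP)
    # htype=1 (Ethernet), ptype=0x0800 (IPv4), hlen=6, plen=4, op=2 (reply)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)
    arp += sender_mac + sender_ip + target_mac + target_ip
    return eth + arp


def parse_arp(frame):
    """Return a dict describing an ARP frame, or None if it is not ARP.

    Note what is absent: there is no IP header anywhere. The frame is an
    Ethernet header (dst MAC, src MAC, EtherType) followed directly by the
    28-byte ARP body, which is why a router has nothing to route and ARP
    traffic stays on the local segment.
    """
    if len(frame) < 14 + 28:
        return None
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_ARP:
        return None
    body = frame[14:42]
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", body[:8])
    if htype != 1 or ptype != 0x0800 or hlen != 6 or plen != 4:
        return None
    return {
        "op": op,
        "sender_mac": body[8:14].hex(":"),
        "sender_ip": ".".join(str(b) for b in body[14:18]),
        "target_mac": body[18:24].hex(":"),
        "target_ip": ".".join(str(b) for b in body[24:28]),
    }


class ArpWatch:
    """Track IP -> MAC bindings from ARP replies and report binding changes.

    A host rarely changes its MAC, so an IP that is suddenly claimed by a
    second MAC (typically the gateway's IP from an unknown station) is the
    classic ARP-poisoning symptom. The first-seen binding is kept so every
    further conflicting reply keeps alerting.
    """

    def __init__(self):
        self.bindings = {}
        self.alerts = []

    def observe(self, frame):
        arp = parse_arp(frame)
        if arp is None or arp["op"] != ARP_REPLY:
            return None
        ip, mac = arp["sender_ip"], arp["sender_mac"]
        known = self.bindings.get(ip)
        if known is None:
            self.bindings[ip] = mac
            return None
        if known != mac:
            alert = f"ARP binding change: {ip} was {known}, now claimed by {mac}"
            self.alerts.append(alert)
            return alert
        return None


# Constructed sample addresses and frames for the example.
GATEWAY_IP = bytes([192, 168, 1, 1])
GATEWAY_MAC = bytes.fromhex("00aabbccdd01")
VICTIM_IP = bytes([192, 168, 1, 50])
VICTIM_MAC = bytes.fromhex("00aabbccdd32")
ROGUE_MAC = bytes.fromhex("00aabbccddee")

SAMPLE_FRAMES = [
    build_arp_reply(GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),  # genuine
    build_arp_reply(GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),  # repeat, same MAC
    build_arp_reply(ROGUE_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),    # gateway IP, other MAC
]


def run_sample():
    """Feed the constructed frames through the watcher; return the alerts."""
    watcher = ArpWatch()
    for frame in SAMPLE_FRAMES:
        watcher.observe(frame)
    return watcher.alerts


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

In a real deployment the frames would come from a raw socket or a pcap reader, and the initial bindings would be seeded from a known-good table (or DHCP leases) rather than trusted on first sight; the parsing and conflict logic stay the same.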
My main purpose is just to extend my knowledge on packet crafting really. I was able to understand packet sniffing, ARP spoofing and DNS routing etc. just by using Cain, Ethereal and a couple of tutorials. However, I saw an IP spoofing article recently and I was just curious on how to do such an attack outside the network. If I make believe that I am this X to enter the network, how do I do that? What kind of packets do I send to blind the network that I am X? And yeah, I already am doing hping3, and I saw a couple things with it. I saw SYN spoofing as one of its functions and, if I understand things right, I can spoof to send SYN packets to a server making the server believe that this SYN is sent by this IP (w/o DDoSing it). So if I can do such with SYN, does that mean that I can also do such with other more kinds of packets? And is this how I can spoof my IP to enter the network?
Hey, thanks for more info.. Ya, I personally am in love with hping3. That spoofed SYN is WAY cool. There are a lot of articles that you need to read. Make sure you read all the articles that come with hping3. Try downloading the full source of hping2 also. Also check out the hping wiki page. This SYN spoof doesn't work for others. It's best used to anonymously (barely) port scan a host. You should also check out the wide spectrum of local attacks.. MAC spoofing and ARP spoofing are basic; check out and get good at port stealing and other layer 2 attacks. For IP spoofing, this is an advanced technique that few can master. You should first hack (legally) the switches and routers on YOUR network, including your provider's network, as these days most of them do not allow spoofed messages to ever leave the network. So you will have to access each device along the path and reconfigure it to allow this. One reason they do this is to deny the DDoS tools from working. Or you could find or set up a better path to the net (this is the preferred way). As for packet crafting.. props for learning about this vital aspect of comp. sec. Keep learning about packet crafting. Check out the tools isic and sing... Learn all about OS identification from a remote locale, learn all about ICMP. Also check out firewalk, read all about how it works. Check out ettercapNG and read all about that, read about all the plugins, browse through all the source code. Check out fragroute. Check out dsniff. Cain is OK. Mitnick used the IP spoofing attack flawlessly and you should definitely read ALL about that. I think the idea first came up in the late 80's. Be sure you are fluent in data communications and networking in general. Know all about the layers of the OSI model, especially the lowest ones.
If you don't already have an enormous knowledge base of the inner workings of TCP/IP and other protocols and transmission procedures, you have a long way to go before you will be able to successfully use IP spoofing in its purest form. I would also suggest a thorough search of this forum for all related posts on IP spoofing. Also check out the hacker ICQ channels for more tips. You might also find some cool stuff on sans.org in the reading room. G' luck... keep us posted.