
Thread: No need for 2 way arp spoofing! (I think.. in most cases..)

  #1 (Just burned his ISO, joined Mar 2009, 2 posts)

    No need for 2 way arp spoofing! (I think.. in most cases..)

    First, I am not sure if this is a bright idea or not (or if it is common knowledge), but I would like to see how it is received..

    So you probably know 2 way arp spoofing can be a bit dangerous because gateways very often have tools in place for detection. This is a problem as there are a lot of things that require a 2 way spoof (as they require both outgoing AND incoming packets). 1 way spoofing only gives you the outgoing packets.

    After testing this idea in my badly written python packet forwarder (and it working) I realized this might be helpful. If, for example, I wanted a 2 way spoof on port 80 I could 1 way arpspoof the victim and forward all packets as normal.. except for those on port 80, where I change the src IP of those packets to my own. I then receive the response packet (because the gateway will send back to the src IP), whose destination IP I can change back before forwarding it to the victim (who has no idea).

    example of packets I receive with 1 way arpspoof of victim:
    me: 192.168.0.2
    victim: 192.168.0.3
    gateway: 192.168.0.1

    recv 192.168.0.3 -> 192.168.0.1 = GET (URL here)
    send 192.168.0.2 -> 192.168.0.1 = GET (URL here)
    recv 192.168.0.1 -> 192.168.0.2 = *Web info*
    send 192.168.0.1 -> 192.168.0.3 = *Web info*

    *Web info* can now be edited and read on a 1 way spoof!! (with much less risk of detection)

    This also works for msn (port 1863) to see a 2 way conversation

  #2 (Good friend of the forums, joined Jun 2008, 425 posts)

    TheRaven nice find. Was it working reliably?
    Could you test it with arpwatch and see if it detects it?

  #3 (Just burned his ISO, joined Mar 2009, 2 posts)

    It was working reliably. The only difference was that the IP was logged incorrectly when websites record it. This is very unlikely to be shown to the victim and even if it is, not many people would really notice. (Also, to counteract this, just don't use port 80).

    I am not on a closed-in network and do not own a gateway to install arpwatch on, but logically, arpwatch only detects "flip-flops" - when 2 MAC addresses try to be the same IP address. This will never occur using 1 way arpspoofing (I am by no means sure of this, can anyone clarify for me?). Naturally the victim would detect it using arpwatch, but I have yet to meet a client using it who is not an admin.
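Added example, not code from the thread or from arpwatch itself: a small detector in the spirit of arpwatch's flip-flop check, run over a constructed ARP-reply log as it would be captured on the host whose ARP cache is the target (the "victim" in the thread). It shows concretely what a host-side monitor sees during a one-way spoof: the gateway's IP address suddenly answered by a different MAC, and that MAC now answering for two IPs. The log format, the addresses and the MACs are invented for the demonstration; the gateway-side cache, which a one-way spoof does not touch, is not modelled here.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log (not real traffic): ARP replies as the host at
# 192.168.0.3 would see them. Each line is "<time> <sender-ip> <sender-mac>".
# Up to t=3 the gateway 192.168.0.1 answers from its own MAC; from t=4 on
# another station's MAC (...:02) starts answering for the gateway's IP.
SAMPLE_LOG = """\
1 192.168.0.1 00:11:22:aa:bb:01
2 192.168.0.2 00:11:22:aa:bb:02
3 192.168.0.1 00:11:22:AA:BB:01
4 192.168.0.1 00:11:22:aa:bb:02
5 192.168.0.1 00:11:22:aa:bb:02
6 192.168.0.1 00:11:22:aa:bb:02
"""


@dataclass(frozen=True)
class Alert:
    t: int          # time of the reply that triggered the alert
    kind: str       # "flip-flop" or "shared-mac"
    ip: str         # IP address the alert is about
    detail: str     # human-readable explanation


def parse_log(text):
    """Parse the hypothetical log format into (time, ip, mac) tuples."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        t, ip, mac = line.split()
        entries.append((int(t), ip, mac.lower()))  # normalise MAC case
    return entries


def detect(entries):
    """Flag (a) an IP whose MAC changes, the flip-flop arpwatch reports, and
    (b) a MAC that has answered for more than one IP, which is what the
    victim's table looks like while a neighbour claims the gateway's IP."""
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    alerts = []
    for t, ip, mac in entries:
        prev = ip_to_mac.get(ip)
        if prev is not None and prev != mac:
            alerts.append(Alert(t, "flip-flop", ip, f"{prev} -> {mac}"))
        ip_to_mac[ip] = mac
        if ip not in mac_to_ips[mac]:
            mac_to_ips[mac].add(ip)
            if len(mac_to_ips[mac]) > 1:
                others = sorted(mac_to_ips[mac] - {ip})
                alerts.append(Alert(t, "shared-mac", ip,
                                    f"{mac} also answers for {', '.join(others)}"))
    return alerts


if __name__ == "__main__":
    for a in detect(parse_log(SAMPLE_LOG)):
        print(f"t={a.t} {a.kind:10} {a.ip:14} {a.detail}")
```

On the sample the detector raises exactly two alerts, both at t=4: the flip-flop on 192.168.0.1 and the shared-MAC condition, and stays quiet afterwards because the binding is then stable. That matches the point in post #3: a monitor on the victim host catches a one-way spoof immediately, while a monitor on the gateway, whose own cache is never rewritten, has nothing to see.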
