From: Antonio \\\ (khaoticmind@gmail.com)
Date: Mon Jan 07 2008 - 00:34:06 EST
Hey guys,
I've a small virtual lab here (Vmware on top of Kubuntu 7.10 running
one WindowsXP (192.168.4.133) and another kubuntu 7.10 (192.168.4.128)
), and was playing with ARP poisoning.
I was making some experiments sending some arp replies with source
hardware address being FF:FF:FF:FF:FF:FF, and testing the
communication with ping. Everything work as planed: when I poisoned
the virtual Linux box, it would send the ICMP Requests to the right
address (.133) using the broadcast ethernet address. Funny thing was
that Windows was not responding to it.
I tested the opposite case (Windows poisoned, sending requests to .128
at FF:FF:FF:FF:FF:FF) and the Linux box responded to it just fine
(sending the reply to FF:FF:FF:FF:FF:FF)!
I checked the virtual windows box with tcpdump and it is indeed
receiving the packets.
I tested the same scenario trying to telnet to port 135 on Windows
host, with linux poisoned, and got the same results. It appears that
windows will simply drop broadcast ethernet packets that aren't ARP
requests...
I tried looking on the net but couldn't find any docs saying this is
intended behavior. And also why Linux respond to such packets?
Is there any opportunity to an attack to a Linux box running in this
way? There is a way to make Linux behave like windows?
Hope i made myself clear... its 2:30AM and I'm starting to not feel my hands :)
-- KhaoticMind "Things are like they are because that's how they are suposed to be." ------------------------------------------------------------------------ This list is sponsored by: Cenzic Need to secure your web apps NOW? Cenzic finds more, "real" vulnerabilities fast. Click to try it, buy it or download a solution FREE today! http://www.cenzic.com/downloads ------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:58:18 EDT