mailing list archives
arprelay: a tool to edit TCP connections in a LAN
From: felix () CODEBLAU DE (Felix von Leitner)
Date: Sat, 10 Jun 2000 00:42:45 +0200
Dear target audience,
I have recently written a tool called arprelay that will forward IP
packets between to machines on an Ethernet who have each been told that
the MAC address of the other is some random spoofed MAC address.
As far as I know, ARP relaying has until now only been publicized as
method to enable sniffing in switched environments. It can obviously
also be used to rewrite the packets as you forward them.
Since ARP spoofing is a well established technique, you can just use a
tool from someone else for this, arprelay does not do this. I recommend
http://teso.scene.at/releases/arpmitm-0.1.tar.gz for this because it is
small and gets the job done.
You can get arprelay from
arprelay uses libnet and pcap and can edit the payload of the proxied
packets. Since this is just proof-of-concept code, the user interface
is very crude. You tell arprelay the IP and MAC addresses of Alice and
Bob (the two machines whose communication you want to proxy) and the MAC
address you spoofed on both machines.
To change the editing that arprelay does, you have to edit the source
code (change the char* "quelle" and "ziel" in the lines 97 and 98).
arprelay will (well, should) make sure that the TCP checksum stays
valid. Since arprelay does not implement any fragmentation or TCP
details, I chose to focus on single packets. The current code can
neither insert nor delete characters, but that is obviously not an
inherent limitation of this type of attack.
I am planning to write a "proper" version of this tool that will use the
Linux Ethernet tap device to have the kernel do TCP and fragmentation
and spawn an external TCP proxy process for each new TCP connection, but
the error handling is tricky and resource contention is a problem, so I
haven't actually gotten around to do it.
This attack should make clear that SecurID and one time passwords are
worthless unless protected by strong cryptography or separate cabling.
If you haven't noticed yet: yes, this not only works on switched
networks, it works even better than on non-switched environments,
because attacked hosts using tcpdump can not see the duplicate packets.
Felix von Leitner
Code Blau Security Concepts
PS: Since I tested this code using static ARP entries with the wrong
MAC address for testing, the code will not work out of the box if you do
use arpmitm unless you delete the lines 223-236 from t.c.