Vulnerability Development mailing list archives

Re: Hijack IP Address using cable modem
From: Patrick Maartense <patrick () MAARTENSE COM>
Date: Wed, 28 Mar 2001 22:28:51 +0200

No. Even worse:

A hacker from another system somewhere on the internet does:
1) iptraf for ARP

nmap target-network1-254 -p 21

Does that nearby network bring ARPs for that range?

Yes?

Great:
ifconfig eth0:0-254 that range netmask 255.255.255.0

nmap target-network1-254 -p 21


Now the outbound interface REPLIES to those ARPs...
and is granted these additional IP addresses.

Let's say my normal IP address is 195.202.128.158.
On that PHYSICAL segment the ISP also assigned Class C for
62.80.123.0/28
62.80.124.0/28
62.80.125.0/28
195.202.128.0/28
195.202.129.0/28
195.202.130.0/28


Now it is 4 am in the morning, Joe and Jan Doe are in bed and have turned off
their computer.

I dial in with my ISDN modem from my notebook to my cost-by-call ISP,
do a pingsweep of 62.80.123.0, 124.0, 125.0,

see all those ARPs for the IPs not known by the router (for the last 20-30 mins),

configure my cable modem box to have that COMPLETE Class C on its iface,

make the same pingsweep again,
and now my box replies to these requests.
Now I have these IPs.

As I have leased 16 addresses from that ISP, I made a proof of concept:
using a 2.4.2 kernel I configured my firewall to forward ALL requests for port 80
(except for my 16 addresses) AND ports 2000-64k to my webserver port 8080.
On that port I had a very nice welcome message that the ISP had misconfigured
their router, and the hotline number.

I used that with one Class C, called them to inform them, with a kind request to
reconfigure their network.


Got a no-no..

Informed local press and BugTraq...

If I can do that, everyone can.



Patrick Patterson wrote:

-----BEGIN PGP SIGNED MESSAGE-----

I think I see where Patrick was coming from with this:

Victim turns on his computer, and gets an IP address
Cracker, while sniffing the Cable segment notices that IP address foo is
assigned to MAC bar
Cracker changes his own MAC address to bar, and brings up IP address foo on
this new MAC address (some Ethernet cards have overwritable MAC addresses)
Since both Cracker and Victim have the same MAC, Cracker gets all packets
for Victim's computer, and is able to impersonate victim.

This is just a slightly more sophisticated IP Address Spoofing attack.... and
I don't think it will work...

From what I know of Cablemodem networks, there are actually several parts.

1: The cable network - the 'Modem' talks to the Cable Company terminal
equipment and ensures that you are a valid subscriber.
2: The IP Network - the routers keep track of which IP and MAC, is on which
Cable Modem - thus making this attack unlikely to succeed....

I haven't tested this, and might be horribly wrong, but I don't think so -
this is one of those things that looks better in theory than in practice - Is
anyone from @HOME or ATT around to confirm/deny what I've written?

On Wednesday 28 March 2001 09:09, Nick Summy wrote:
Now I hardly know anything about this subject, so correct me If im wrong,
but I have a few questions.

<SNIP>

- --

Patrick Patterson                       Tel: +1 514 485-0789
President, Chief Security Architect     Fax: +1 514 485-4737
Carillon Information Security Inc.      E-Mail: ppatterson () carillonis com

- ----------------- The New Sound of Network Security -----------------
                  <<  http://www.carillonis.com  >>
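The two checks this thread turns on, as an added example that is not part of the original posts and is not either poster's tooling: a POSIX shell script that reads tcpdump-style ARP lines (the line format that `tcpdump -n arp` prints today is assumed; iptraf's display differs) and reports, from one pass over a capture, (1) addresses that are asked for on the segment but never answered, which is what the 4 am pingsweep above turns up, and (2) any MAC that answers for more than one address, the signature the ISP side would see when one box claims a whole Class C. The capture lines, addresses and MACs are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post). Parses tcpdump-style ARP lines:
#   <ts> ARP, Request who-has <ip> tell <ip>, length N
#   <ts> ARP, Reply <ip> is-at <mac>, length N
# Two reports, both from one pass over a capture:
#   unanswered_arp_targets  - addresses requested but never answered
#                             (the "free" addresses the poster's pingsweep finds)
#   multi_ip_macs           - MACs answering for more than LIMIT addresses
#                             (what one box claiming a whole Class C looks like)

# Constructed sample capture, not real traffic: .17 .18 .19 are asked for and
# nobody answers; .20 and .21 are both answered by the same MAC; .22 is normal.
SAMPLE_ARP='04:00:01.000001 ARP, Request who-has 62.80.123.17 tell 62.80.123.1, length 46
04:00:01.000002 ARP, Request who-has 62.80.123.18 tell 62.80.123.1, length 46
04:00:01.000003 ARP, Request who-has 62.80.123.20 tell 62.80.123.1, length 46
04:00:01.000004 ARP, Reply 62.80.123.20 is-at 00:50:56:aa:bb:cc, length 28
04:00:01.000005 ARP, Request who-has 62.80.123.21 tell 62.80.123.1, length 46
04:00:01.000006 ARP, Reply 62.80.123.21 is-at 00:50:56:aa:bb:cc, length 28
04:00:01.000007 ARP, Request who-has 62.80.123.19 tell 62.80.123.1, length 46
04:00:01.000008 ARP, Request who-has 62.80.123.17 tell 62.80.123.1, length 46
04:00:01.000009 ARP, Request who-has 62.80.123.22 tell 62.80.123.1, length 46
04:00:01.000010 ARP, Reply 62.80.123.22 is-at 00:1b:21:dd:ee:ff, length 28'

# stdin: ARP lines. stdout: "<ip> <request count>" per never-answered ip, sorted.
unanswered_arp_targets() {
    awk '
        /ARP, Request who-has/ {
            for (i = 1; i <= NF; i++)
                if ($i == "who-has") { ip = $(i + 1); sub(/,$/, "", ip); req[ip]++ }
        }
        /ARP, Reply/ {
            for (i = 1; i <= NF; i++)
                if ($i == "Reply") ans[$(i + 1)] = 1
        }
        END { for (ip in req) if (!(ip in ans)) print ip, req[ip] }
    ' | sort
}

# stdin: ARP lines. stdout: "<mac> <n> <ip>..." for every MAC answering for
# more than $1 (default 1) distinct addresses, sorted by mac.
multi_ip_macs() {
    awk -v limit="${1:-1}" '
        /ARP, Reply/ {
            for (i = 1; i <= NF; i++)
                if ($i == "is-at") {
                    ip = $(i - 1); mac = $(i + 1); sub(/,$/, "", mac)
                    if (!((mac, ip) in seen)) {
                        seen[mac, ip] = 1; n[mac]++; ips[mac] = ips[mac] " " ip
                    }
                }
        }
        END { for (mac in n) if (n[mac] > limit) print mac, n[mac] ips[mac] }
    ' | sort
}

# Live use on the segment:  tcpdump -n -l arp | unanswered_arp_targets
# Offline demo on the constructed sample:
echo "== requested but never answered (ip count) =="
printf '%s\n' "$SAMPLE_ARP" | unanswered_arp_targets
echo "== MACs answering for more than one address =="
printf '%s\n' "$SAMPLE_ARP" | multi_ip_macs
```

The unanswered list is only as good as the capture window: an address whose owner replied before the capture started looks free, so on a live segment let `tcpdump -n -l arp` run for the 20-30 minutes the poster mentions before reading the list. The second report is the one an ISP would actually want to alarm on; a single MAC appearing in replies for a dozen or more addresses in one Class C is exactly the aliasing trick described above, and the per-MAC count is cheap to keep from the same feed.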

