Author : Ph03n1X
Email : king_purba@yahoo.co.uk
Site : http://kandangjamur.net/
Severity : Moderate

IGNORING SSH CONNECTION USING ARP CACHE POISONING

We know that a TCP connection is normally closed by sending a packet with the RST flag.
I tried to connect to my OpenSSH server on
Slackware 10 from my computer running Fedora Core 4. Then, using an
OpenBSD 3.7 machine on the same network as the Slackware and Fedora hosts, I
tried to overwrite the ARP cache on my Fedora Core 4 host. After the ARP
cache had been overwritten, all packets from Fedora Core 4
to Slackware 10 were ignored. Maybe this problem is not only
in SSH but in other TCP protocols as well.

Exploitation :

1. OpenSSH on slackware has IP 172.16.11.235 and MAC 00:80:48:EB:50:F2
2. Client using Fedora has IP 172.16.11.103 and MAC 00:00:21:27:12:1F
3. Attacker using OpenBSD has IP 172.16.11.234 and MAC 00:c0:26:6f:3a:1a
4. Now, login ssh from 172.16.11.103 to 172.16.11.235

Before exploitation you can use shell commands on 172.16.11.235
as you wish, and you can also manage 172.16.11.235 from 172.16.11.103.

5. ARP cache on 172.16.11.103 before overwriting

fc4-$arp -na
? (172.16.11.235) at 00:80:48:EB:50:F2 [ether] on eth0
? (172.16.11.1) at 00:11:BB:74:DA:00 [ether] on eth0

6. Overwriting ARP cache on 172.16.11.103 from 172.16.11.234 using nemesis and a simple bash script

#!/bin/sh
if [ -z "$5" ]
#
# This script will claim that the server's IP is at MAC xxxx,
# so the client no longer contacts the server but xxxx instead
#

then
echo
echo "Usage : $0
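A defender-side check for the kind of change shown in step 5, written as an added example (it is not part of the advisory and not the author's script): it parses Linux `arp -na` output, compares a baseline snapshot of the client's cache with a later one, and flags any IP whose MAC changed as well as any MAC now bound to several IPs. The "after" snapshot is constructed from the addresses in the advisory.

```python
import re

# Matches one `arp -na` entry, e.g. "? (172.16.11.235) at 00:80:48:EB:50:F2 [ether] on eth0"
ARP_LINE = re.compile(r"\? \((?P<ip>[\d.]+)\) at (?P<mac>[0-9a-fA-F:]{17}) \[ether\] on (?P<dev>\S+)")

def parse_arp(output):
    """Return {ip: mac} from `arp -na` text; incomplete entries are skipped."""
    table = {}
    for line in output.splitlines():
        m = ARP_LINE.search(line)
        if m:
            table[m.group("ip")] = m.group("mac").lower()
    return table

def diff_arp(baseline, current):
    """Return [(ip, old_mac, new_mac)] for baseline entries whose MAC changed."""
    changes = []
    for ip, old in baseline.items():
        new = current.get(ip)
        if new is not None and new != old:
            changes.append((ip, old, new))
    return changes

def duplicate_macs(table):
    """Return {mac: [ips]} for MACs bound to more than one IP, a poisoning symptom."""
    by_mac = {}
    for ip, mac in table.items():
        by_mac.setdefault(mac, []).append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}

# Baseline: the client's cache exactly as shown in step 5 of the advisory.
BEFORE = """? (172.16.11.235) at 00:80:48:EB:50:F2 [ether] on eth0
? (172.16.11.1) at 00:11:BB:74:DA:00 [ether] on eth0
"""
# Constructed: the same cache after the server's entry has been overwritten
# with the attacker host's MAC (172.16.11.234 in the advisory).
AFTER = """? (172.16.11.235) at 00:c0:26:6f:3a:1a [ether] on eth0
? (172.16.11.1) at 00:11:BB:74:DA:00 [ether] on eth0
? (172.16.11.234) at 00:c0:26:6f:3a:1a [ether] on eth0
"""

if __name__ == "__main__":
    base, cur = parse_arp(BEFORE), parse_arp(AFTER)
    for ip, old, new in diff_arp(base, cur):
        print(f"ALERT: {ip} moved from {old} to {new}")
    for mac, ips in duplicate_macs(cur).items():
        print(f"ALERT: {mac} claims {', '.join(ips)}")
```

Run it periodically against live `arp -na` output on the client, keeping the previous snapshot as the baseline; a moved MAC for the SSH server's IP is the signal the advisory's scenario produces.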