
ARP (Address Resolution Protocol)


hakgipc


You'll cause lots of problems, you'll have to find out their gateway so you don't cause them to lose the internet.

Then you're likely to cause a DoS on that person because your connection is going to be slow.

You'll likely bring the whole internet down because you'll be messing with the infrastructure.

We'll all come round and beat the crap out of you.


You would need to ARP poison *A LOT* of routing equipment to do this.

Not that you can ARP poison routers anyway. Basically, you can only ARP poison a switch. A switch is the only device that you can ARP poison. Routers (which are what make up the internet) cannot be ARP poisoned.


Don't count this as arrogant or anything like that, but I want to make it clear that switches do not make up the Internet; they may link routers internally within an ISP (which is quite rare, ISPs often use internal routers instead of switches to link routers together). This doesn't mean you can ARP poison that switch; any and all ARP broadcasts are dropped by all routers. So even if you did send an ARP request out onto the Internet, it would get dropped as soon as it hit the first router, and you can't avoid routers on the Internet (let me just make that clear as well). Routers are the Internet (basically).


Not arrogant at all, I was wrong.

So to ARP poison someone on the internet, your best bet is to get access to their internal network and poison from there, then point the traffic back towards you as some kinda raw text feed to study it?


Nah, that won't work either, VaKo. It's impossible to ARP poison the Internet. The answer to the question "Can I ARP poison over the Internet?" and the method you suggest relies on an ARP poisoning working, the answer will always be "No". The only realistic possible way of intercepting every packet sent and received is if you add another device physically onto the network, and that duplicates every packet that goes through it and then sends it to you either directly (i.e. you have to have a listening server for all the information) or it saves it then (for example) emails it to you. But this will not work very well as it would mean more than doubling the load on the victim's internet connection. Unless of course you had it send all the duplicate packets when the internet connection was idle.


No, no, I mean, you gain access to a box on the same LAN as the target, i.e. pwn it. Then run your ARP poisoning app of choice remotely on that box. Then record the packets and send them over the net to you.

IE:

I hack one of your boxes on the same LAN as your main PC, and gain access to it remotely. I then run the ARP poisoning, which routes your traffic through that box on its way to the WAN/the rest of the LAN. This is still inside your own local network. I then take the traffic you're creating, and send it to myself via the internet in a series of compressed text files similar to the Ethereal logs you can save for later study. That way the ARP poisoning is done locally at your end, but I can still get the traffic. Kludgey, but it would work.
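
Seen from the LAN being poisoned, the setup described in this post shows up as the gateway's IP address suddenly being claimed by a second MAC. The following is an added example, not part of the original thread: it parses raw Ethernet/ARP frames and flags such rebinds. The function names and sample frames are constructed for illustration, and the first binding seen for an IP is assumed to be legitimate.

```python
import struct

ETHERTYPE_ARP = 0x0806  # ARP sits directly on Ethernet; there is no IP header to route

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_arp(frame):
    """Return (opcode, sender_mac, sender_ip) for an Ethernet/IPv4 ARP frame, else None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return op, mac(frame[22:28]), ".".join(str(x) for x in frame[28:32])

def detect_rebinds(frames, gateway_ip):
    """Flag ARP senders whose MAC differs from the first MAC seen for that IP."""
    # Assumption: the first binding observed is legitimate (trust on first use).
    first_seen, alerts = {}, []
    for n, frame in enumerate(frames):
        parsed = parse_arp(frame)
        if parsed is None:
            continue
        _op, sender_mac, sender_ip = parsed
        known = first_seen.setdefault(sender_ip, sender_mac)
        if known != sender_mac:
            kind = "gateway-rebind" if sender_ip == gateway_ip else "rebind"
            alerts.append((n, kind, sender_ip, known, sender_mac))
    return alerts

def build_arp(op, sha, spa, tha, tpa):
    """Build a constructed broadcast ARP frame for the sample capture."""
    hx = lambda m: bytes.fromhex(m.replace(":", ""))
    ipb = lambda a: bytes(int(p) for p in a.split("."))
    header = struct.pack("!HHHBBH", ETHERTYPE_ARP, 1, 0x0800, 6, 4, op)
    return b"\xff" * 6 + hx(sha) + header + hx(sha) + ipb(spa) + hx(tha) + ipb(tpa)

# Constructed sample capture: locally administered MACs, private addresses.
GW_MAC, PC_MAC, OTHER_MAC = "02:00:00:00:00:01", "02:00:00:00:00:0a", "02:00:00:00:00:0b"
SAMPLE = [
    build_arp(2, GW_MAC, "192.168.1.1", PC_MAC, "192.168.1.10"),     # gateway answers
    build_arp(1, PC_MAC, "192.168.1.10", "00:00:00:00:00:00", "192.168.1.1"),  # request
    b"\xff" * 6 + bytes.fromhex("02000000000a") + b"\x08\x00" + bytes(28),  # IPv4, ignored
    build_arp(2, OTHER_MAC, "192.168.1.1", PC_MAC, "192.168.1.10"),  # second MAC claims gateway IP
]
print(detect_rebinds(SAMPLE, "192.168.1.1"))
```

In practice the gateway binding would be pinned from static configuration or switch-level DHCP snooping rather than learned from the first frame seen.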


OK, that method does work (although you are not ARP poisoning the internet). That's pretty much the same as the physical listening device, with the only difference being that you don't need physical access. It would be pretty hard to do though, considering they will probably be running Windows. You would have to get WinPcap installed without them noticing. Then Wireshark... certainly less practical, but at least you don't need physical access. ;)


How about a virtual machine styley rootkit that's scripted to do it as automatically as possible? If they have a machine on 24/7, you could set it to upload the files early in the morning so it's harder to detect. Might just be quicker to hack the router to do it though.

I admit that at this stage it might be easier to get on a plane, fly to their house, break in and hide behind their desk, but the logic holds in my head.


A rootkit (like Sony's DRM rootkit) could hide all the software you put on to do the ARP poisoning and packet logging. That would probably be the best bet. I suppose you could rewrite the Windows IP stack to have the kind of ARP poisoning and packet logging functionality you want (thus making it harder to detect). But that would be insanely complex. I have no doubt that a person could go insane just trying to code something like that. :P


If you gained remote access to a gateway router on your victim's LAN (across the internet), then you could pretty much do the same to that LAN as a local ARP poison using GRE tunnels, providing you have enough bandwidth at your end to act as their LAN gateway for a short time ;) but for reasons these chaps have explained, that's about as near to 'poisoning the internet' as you're gonna come.

Just my 10p :)

-Tx


I have had zero success creating a VPN between my router and a friend's router. So as far as I can tell setting up a VPN between routers over the Internet is extremely difficult (perhaps I'm wrong).

Reasons why changing the NAT router's default gateway will not work (for those who thought this might work): Firstly, it's common the routers will only use the default gateway specified by the PPPoE or PPPoA server. Secondly, it's often the case that the connection from the NAT router to the first router on the internet is a sort of LAN. So if you set your NAT router's default gateway to another IP address all packet transmission will fail because it has to be sent to the first router before it can go anywhere else on the Internet.


I'm not saying change the NAT gateway, I'm saying insert two interfaces into the router's conf just before the final 'OUT' and modify routing tables to pass through those first.

Depends on the routers in question. If you can create pretty much a virtual interface or two, use GRE (or VPN tunneling, whatever) to get two endpoints to YOUR sniffing router, and then modify the routing tables on your router and their router to pass through that tunnel and back again, should work fine... Obviously there's bandwidth implications.

Also, what VPN software were you trying to use? My VPN success rate sucked so much until I started to use OpenVPN.


Actually hadn't thought of that!

However, come to think of it, you may want to be physically MITM; just having everything replayed to you wouldn't help you if it was SSL traffic and you needed to present a fake cert.


Or you could just drop a keylogger onto the system and not have to worry about changing all this packet info to get everything to work; the only thing you will have to worry about is any a-v on the system.


Keep in mind that this rootkit or trojan idea is not ARP Cache Poisoning. It's not even realtime. I'm not sure what you would gain from it that couldn't be achieved from much simpler methods.

I get this question in my inbox a lot and it's hard to keep myself from replying with something about AOL 3.0, trumpets, a bucket of grease, the "Internet Police" and S.L.I.P.


I get this question in my inbox a lot and it's hard to keep myself from replying with something about AOL 3.0, trumpets, a bucket of grease, the "Internet Police" and S.L.I.P.

You mention all those but not the RIAA or MPAA?! :P
