CS38, Security and Privacy, Spring 2005

ARP spoofing and switch exploitation tools and explanations

• ARP-SK: ARP spoofing, testing and attack tool,
  http://sid.rstack.org/arp-sk/  [local www.arp-sk.org/]
  This site offers an explanation of the ARP protocol and its implications for network layer 2 attacks. This is the home of the arp-sk tool that injects custom-made ARP packets into the network. Checking the impact of an ARP attack is one of the primary steps of a defensive network analysis.

• Dsniff, Dug Song
  http://www.monkey.org/~dugsong/dsniff/  [local dsniff-2.3.tar.gz]
  One of the most influential network interception toolkits. Includes the arpspoof tool (see above about ARP spoofing), dnssppoof and various interesting MITM attacks, including attacks on SSH and HTTPS.

• 10 papers on ARP manipulation,
  http://l0t3k.org/security/docs/arp/en/
  

• Taranis [causes switches to redirect ethernet traffic],
  http://www.l0t3k.net/biblio/magazine/en/phrack/0057/p57-0x06.txt
  This attack depends on a certain switch behavior. A couple of insightful (despite being in bad taste) comments discuss the traces left by this attack.

• Layer2 Attacks and their mitigation, Louis Senecal (Cisco)
  http://www.cisco.com/ca/events/pdfs/L2-security-Bootcamp-final.pdf  [local L2-security-Bootcamp-final.pdf]
  Summary of the above layer 2 attacks and VLAN hopping. Details on CAM tables and other switch architecture and configs.

• SSLSniff, a MITM attack against IE SSL implementation using ARP spoofing,
  http://www.thoughtcrime.org/ie.html  [local www.thoughtcrime.org/]
  

• Simple ARP spoofing tools: ,
  
   [http://packetstormsecurity.org/UNIX/misc/ARP0c2.c]
  

DHCP weaknesses

• DHCP flaws, Steven Jones
  http://www.networkpenetration.com/dhcp_flaws.html  [local dhcp_flaws.html]  [local Gobbler-2.0.1-Alpha1.tar.gz]
  This short paper describes the basis for attacks implemented with the Gobbler tool.

IP spoofing, DNS hijacking

• DNS Spoofing techniques,
  http://www.securesphere.net/download/papers/dnsspoof.htm
  A simple intro into DNS spoofing.

• DNS ID Hacking , The ADM crew
  http://packetstormsecurity.nl/groups/ADM/ADM-DNS-SPOOF/ADMID.txt  [local ADMID.txt]  [local ADMid-pkg.tgz]
  

IP spoofing, TCP session hijacking

• Session hijacking demonstration and notes, Dave Dittrich
  http://staff.washington.edu/dittrich/talks/qsm-sec/hijack.html
   [arp_fun.txt]  [IP-spoof-1.txt]  [IP-spoof-2.txt]  [iphijack.txt]
   [http://staff.washington.edu/dittrich/papers/arp_fun.txt]  [http://staff.washington.edu/dittrich/papers/IP-spoof-1.txt]  [http://staff.washington.edu/dittrich/papers/IP-spoof-2.txt]
  Links to fundamnetal papers on the subject, a couple of tutorials and also tools. Nice and comprehensive. Follow the links (the hunt link is broken, the page seems to be gone, get local copy below).

• Hunt, an advanced session hijacking tool, Pavel Krauz
  
   [hunt-1.5.tgz]  [hunt-1.5bin.tgz]  [hunt-1.4.tgz]  [hunt-1.4bin.tgz]
  

The RFCs

The RFC is your best source for understanding protocol details. Textbooks tend to gloss over details and typically unused features, but the RFCs are there to *describe* the implementation-level details. Of course, they are not always followed by vendors -- and some vendors break them on purpose (guess why? Argh.)

A protocol is usually defined by one fundamental RFC, and complemented by several others. Sometimes the fundamental RFC is seriously rewritten so that the result gets a new number and "obsoletes" the older one. Packet geeks usually remember and quote fundamental RFCs by number, such as "RFC 791" (IP), "RFC 793" (TCP) "RFC 1042" (IP over Ethernet) etc.

• networksorcery.com RFC and protocol reference,
  http://www.networksorcery.com/enp/default0701.htm
  Protocol definitions, layouts of headers (cross-referenced with additional RFCs defining the extra elements). Very useful. This is a great resource for interpreting obscure protocol packets captured by Ethereal etc. This index is arranged by protocol name rather than RFCs, which is doubly useful.

• Collection of plain RFCs,
  http://www.faqs.org/rfcs/
  All plain text, easy URLs to guess, try googling it with "site:faqs.org" for specific things.

Back to Dartmouth CS Home Page