From: Felix von Leitner [felix@CODEBLAU.DE]
Sent: Friday, June 09, 2000 6:43 PM
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: arprelay: a tool to edit TCP connections in a LAN

Dear target audience,

I have recently written a tool called arprelay that will forward IP packets between two machines on an Ethernet who have each been told that the MAC address of the other is some random spoofed MAC address.

As far as I know, ARP relaying has until now only been publicized as a method to enable sniffing in switched environments. It can obviously also be used to rewrite the packets as you forward them.

Since ARP spoofing is a well-established technique, you can just use a tool from someone else for this; arprelay does not do this. I recommend http://teso.scene.at/releases/arpmitm-0.1.tar.gz for this because it is small and gets the job done.

You can get arprelay from http://www.fefe.de/arprelay/arprelay.tar.gz

arprelay uses libnet and pcap and can edit the payload of the proxied packets. Since this is just proof-of-concept code, the user interface is very crude. You tell arprelay the IP and MAC addresses of Alice and Bob (the two machines whose communication you want to proxy) and the MAC address you spoofed on both machines. To change the editing that arprelay does, you have to edit the source code (change the char* "quelle" and "ziel" in lines 97 and 98). arprelay will (well, should) make sure that the TCP checksum stays valid.

Since arprelay does not implement any fragmentation or TCP details, I chose to focus on single packets. The current code can neither insert nor delete characters, but that is obviously not an inherent limitation of this type of attack.

I am planning to write a "proper" version of this tool that will use the Linux Ethernet tap device to have the kernel do TCP and fragmentation and spawn an external TCP proxy process for each new TCP connection, but the error handling is tricky and resource contention is a problem, so I haven't actually gotten around to doing it.

This attack should make clear that SecurID and one-time passwords are worthless unless protected by strong cryptography or separate cabling.

If you haven't noticed yet: yes, this not only works on switched networks, it works even better than on non-switched environments, because attacked hosts using tcpdump cannot see the duplicate packets.

Felix von Leitner
Code Blau Security Concepts

PS: Since I tested this code using static ARP entries with the wrong MAC address, the code will not work out of the box if you do use arpmitm unless you delete lines 223-236 from t.c.
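The post notes that a relayed host watching its own traffic with tcpdump sees nothing unusual, because the attack lives entirely in the ARP bindings, not in the TCP stream. What a defender can see is the ARP traffic itself: a known IP suddenly answering from a different MAC, or one MAC claiming both Alice's and Bob's IPs, which is exactly what the "MAC address you spoofed on both machines" setup produces. The following is an added example, not part of the original post and not code from arprelay or arpmitm. It parses raw Ethernet/ARP frames, keeps the sender bindings a host's ARP cache would adopt, and checks them against a baseline inventory (the same information a static ARP table would hold). The addresses, MACs and frames are constructed for the example.

```python
"""Detect the ARP-cache poisoning an ARP relay depends on.

Added example (not part of the original post, arprelay or arpmitm): parse
Ethernet/ARP frames, track the IP-to-MAC bindings they would install, and
alert when a binding contradicts a baseline inventory, changes between
frames, or when one MAC claims several IPs (the relay pattern: Alice and
Bob both resolve to the same spoofed MAC).
"""
import struct

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def parse_arp_frame(frame: bytes):
    """Return the ARP fields of an Ethernet II frame, or None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42:
        return None
    _dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    return {
        "eth_src": mac_str(src), "op": op,
        "sha": mac_str(sha), "spa": ip_str(spa),
        "tha": mac_str(tha), "tpa": ip_str(tpa),
    }


class ArpMonitor:
    """Track sender bindings (spa -> sha) the way an ARP cache would, and alert on anomalies."""

    def __init__(self, baseline):
        self.baseline = dict(baseline)   # ip -> mac from inventory / static ARP table
        self.learned = {}                # ip -> mac as seen on the wire
        self.alerts = []

    def observe(self, frame: bytes):
        p = parse_arp_frame(frame)
        if p is None:
            return []
        new = []
        ip, mac = p["spa"], p["sha"]
        # Both requests and replies carry a sender binding that caches may adopt.
        if p["eth_src"] != mac:
            new.append(f"{ip}: Ethernet source {p['eth_src']} differs from ARP sender {mac}")
        expected = self.baseline.get(ip)
        if expected is not None and expected != mac:
            new.append(f"{ip}: claimed by {mac}, inventory says {expected}")
        prev = self.learned.get(ip)
        if prev is not None and prev != mac:
            new.append(f"{ip}: binding changed {prev} -> {mac}")
        self.learned[ip] = mac
        claimed = sorted(i for i, m in self.learned.items() if m == mac)
        if len(claimed) > 1:
            new.append(f"{mac}: claims several IPs {claimed}")
        self.alerts.extend(new)
        return new


def make_sample_frame(op, sha, spa, tha, tpa):
    """Pack a constructed ARP frame as offline sample input (not captured traffic)."""
    def mac(s):
        return bytes(int(x, 16) for x in s.split(":"))

    def ip(s):
        return bytes(int(x) for x in s.split("."))

    dst = mac(tha) if op == ARP_REPLY else b"\xff" * 6
    eth = struct.pack("!6s6sH", dst, mac(sha), ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op,
                      mac(sha), ip(spa), mac(tha), ip(tpa))
    return eth + arp


# Constructed scenario: Alice (.10) and Bob (.20) answer normally, then a
# third host answers for both with one spoofed MAC, the pattern a relay needs.
BASELINE = {"10.0.0.10": "00:11:22:00:00:10", "10.0.0.20": "00:11:22:00:00:20"}
SAMPLE_FRAMES = [
    make_sample_frame(ARP_REPLY, "00:11:22:00:00:10", "10.0.0.10", "00:11:22:00:00:20", "10.0.0.20"),
    make_sample_frame(ARP_REPLY, "00:11:22:00:00:20", "10.0.0.20", "00:11:22:00:00:10", "10.0.0.10"),
    make_sample_frame(ARP_REPLY, "de:ad:be:ef:00:01", "10.0.0.10", "00:11:22:00:00:20", "10.0.0.20"),
    make_sample_frame(ARP_REPLY, "de:ad:be:ef:00:01", "10.0.0.20", "00:11:22:00:00:10", "10.0.0.10"),
]


def run_scenario():
    """Feed the constructed frames through the monitor and return all alerts."""
    mon = ArpMonitor(BASELINE)
    for f in SAMPLE_FRAMES:
        mon.observe(f)
    return mon.alerts


if __name__ == "__main__":
    for a in run_scenario():
        print("ALERT", a)
```

The first two frames produce no alerts; the third and fourth each trip the inventory and binding-change checks, and the fourth additionally trips the one-MAC-many-IPs check. On a real segment the frames would come from a packet capture on a monitoring port, and the baseline from the same inventory used to populate static ARP entries, which is the mitigation the post itself relies on.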