I don’t know what Microsoft has changed to the ARP cache behaviour…but
ARP spoofing attacks are still possible!
You can easily reproduce that (you need at least three machines – one could also be a router) -
Download and start Cain
Click “Configure” and select the appropriate network interface
Activate the Sniffer and go to the “Sniffer” Tab
Click the “+” Icon – Cain will now scan the subnet for all attached devices (in my case my laptop with XP SP2 installed and the cisco router which is my default gateway)
Go to the “APR Tab” (ARP Poisoning & Routing)
Click the “+” Icon
Now select the machine(s) which communication you wan to redirect to your machine (in my case i selected the laptop on the left and the router on the right)
That’s it – now all the traffic between the router and the laptop passes my machine (even in a switched network). Cain can recognize and collect various passwords directly from the wire including ftp, http forms auth, telnet, pop3, sql server…you can see the collected passwords on the “Passwords” tab. Those passwords that need cracking can be sent with right-click “send to cracker” to a cracking module (e.g. ntlm, kerberos pre-authentication…).
To get more insight into the packets just fire up ethereal on your machine and you’ll get the full story.
So whatever they did, those SP2 changes don’t increase the protection from these attacks. maybe they make it harder to start an attack from SP2 – and then again this is as stupid as removing raw sockets…
In fact i already saw operating systems with working anti ARP spoofing measures, e.g. the Cisco IOS. If they see a ARP broadcast on the wire where someone pretends to be them they immediately send a bunch of correct ARP packets out on the network.
an excellent explanation of how ARP spoofing works can be found here.
btw – the only protection against ARP spoofing at the moment (on Windows) is to add static ARP entries in the cache, e.g. for your standard gateway with
arp -s IPAddress MACAdress
…but who does that?