ARP Spoofing and XP SP2

I don’t know what Microsoft has changed in the ARP cache behaviour…but

ARP spoofing attacks are still possible!

You can easily reproduce this (you need at least three machines – one of them could also be a router):

  • Download and start Cain
  • Click “Configure” and select the appropriate network interface
  • Activate the Sniffer and go to the “Sniffer” Tab
  • Click the “+” Icon – Cain will now scan the subnet for all attached devices (in my case my laptop with XP SP2 installed and the cisco router which is my default gateway)
  • Go to the “APR Tab” (ARP Poisoning & Routing)
  • Click the “+” Icon
  • Now select the machine(s) whose communication you want to redirect to your machine (in my case I selected the laptop on the left and the router on the right)
  • Activate APR

That’s it – now all the traffic between the router and the laptop passes through my machine (even in a switched network). Cain can recognize and collect various passwords directly from the wire, including ftp, http forms auth, telnet, pop3, sql server…you can see the collected passwords on the “Passwords” tab. Those passwords that need cracking can be sent with right-click “send to cracker” to a cracking module (e.g. ntlm, kerberos pre-authentication…).

To get more insight into the packets just fire up ethereal on your machine and you’ll get the full story.

So whatever they did, those SP2 changes don’t increase the protection against these attacks. Maybe they make it harder to start an attack from SP2 – and then again this is as stupid as removing raw sockets…
In fact I have already seen operating systems with working anti ARP spoofing measures, e.g. Cisco IOS. If they see an ARP broadcast on the wire where someone pretends to be them, they immediately send a bunch of correct ARP packets out on the network.

An excellent explanation of how ARP spoofing works can be found here.

Btw – the only protection against ARP spoofing at the moment (on Windows) is to add static ARP entries to the cache, e.g. for your default gateway with

arp -s IPAddress MACAddress

…but who does that?
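As an added illustration (not part of the original post) of the check behind the Cisco IOS behaviour and the static-entry advice above: a small detector that walks over constructed ARP frames and flags any IP address that shows up with a MAC different from its trusted or first-learned binding, which is exactly what a poisoning run looks like on the wire. The gateway binding, IP addresses and MACs are all made up for this example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpFrame:
    op: str          # "request" or "reply"
    sender_ip: str   # address the sender claims to own
    sender_mac: str  # hardware address the sender claims for it
    target_ip: str


# Trusted binding for the default gateway (assumed value, the equivalent
# of a static "arp -s" entry).
TRUSTED = {"192.168.1.1": "00:11:22:33:44:55"}

# Constructed frames: a normal request/reply pair, followed by two replies
# in which a third host claims the gateway's IP towards the laptop and the
# laptop's IP towards the gateway with its own MAC.
SAMPLE_FRAMES = [
    ArpFrame("request", "192.168.1.10", "aa:bb:cc:dd:ee:01", "192.168.1.1"),
    ArpFrame("reply",   "192.168.1.1",  "00:11:22:33:44:55", "192.168.1.10"),
    ArpFrame("reply",   "192.168.1.1",  "de:ad:be:ef:00:01", "192.168.1.10"),
    ArpFrame("reply",   "192.168.1.10", "de:ad:be:ef:00:01", "192.168.1.1"),
]


def detect_arp_conflicts(frames, trusted):
    """Return (index, ip, expected_mac, seen_mac) for every frame whose sender
    claims an IP that is already bound to a different MAC. Bindings come from
    the trusted table first and are learned on first sighting otherwise."""
    bindings = {ip: mac.lower() for ip, mac in trusted.items()}
    alerts = []
    for i, f in enumerate(frames):
        mac = f.sender_mac.lower()
        known = bindings.get(f.sender_ip)
        if known is None:
            bindings[f.sender_ip] = mac          # first sighting: learn it
        elif known != mac:
            alerts.append((i, f.sender_ip, known, mac))  # possible poisoning
    return alerts


if __name__ == "__main__":
    for i, ip, expected, seen in detect_arp_conflicts(SAMPLE_FRAMES, TRUSTED):
        print(f"frame {i}: {ip} claimed by {seen}, expected {expected}")
```

On the sample above the two poisoned replies are reported and the legitimate exchange is not; on real traffic the same check only needs a source of parsed ARP frames in place of the constructed list.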
