Hello:


> Ok, I'll admit that I don't speak (or read) Spanish, so would someone
> care to interpret the page referenced and give those of us who are
> linguistically challenged the skinny on what flaw in the arp protocol on
> Linux is exploited to get this magic to work?


When someone told me that a program could detect an Ethernet card in
promiscuous mode, I thought it was impossible. neped uses a trick in the
implementation of the ARP protocol.

A machine without promiscuous mode listens to the broadcast MAC address and
its own MAC address. Then if you send an ARP request to the
broadcast MAC address asking for an IP and the machine has this IP, then the
machine responds with an ARP response, telling that it owns this IP.

Then... what happens if you send an ARP request for an IP address to a
non-existent MAC address? The Linux implementation of the ARP protocol
means that if the card is not in promiscuous mode no one answers, but if the
card is in promiscuous mode the machine detects that someone is asking for
its IP, and then answers, telling that it has this IP. Then the neped program
detects that this machine is in promiscuous mode, because
it answered a question sent to a MAC address that does not exist.

The neped program works great but:

- What happens if the machine has no IP??
- A malicious hacker could patch this "peculiar" ARP of the Linux kernel and
  make a totally invisible sniffer. I don't know about the existence of such a
  patch, but I am sure it is not difficult to do.
- Does it work with other OSs? I don't know...


Best regards
Damia Soler
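
The probe described in the message above, as an added example that is not part of the original post or of the neped source: it builds the ARP request addressed to a non-existent MAC and checks whether a reply answers it. The MAC and IP values are constructed, all function names are hypothetical, and `simulated_host` only models the behaviour the message describes so the example runs without a network.

```python
import socket
import struct

ETH_P_ARP = 0x0806
BROADCAST = b"\xff" * 6
BOGUS_DST = bytes.fromhex("020000dead01")  # constructed: assumed to belong to no host

def arp_frame(dst, src, op, sha, spa, tha, tpa):
    """Ethernet header + IPv4-over-Ethernet ARP payload (42 bytes)."""
    return (dst + src + struct.pack("!H", ETH_P_ARP)
            + struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
            + sha + socket.inet_aton(spa) + tha + socket.inet_aton(tpa))

def build_probe(src_mac, src_ip, target_ip):
    """ARP request (op 1) for target_ip, sent to BOGUS_DST instead of broadcast."""
    return arp_frame(BOGUS_DST, src_mac, 1, src_mac, src_ip, b"\x00" * 6, target_ip)

def parse_arp(frame):
    """Return (op, sender_mac, sender_ip, target_ip), or None if not ARP."""
    if len(frame) < 42 or frame[12:14] != struct.pack("!H", ETH_P_ARP):
        return None
    if struct.unpack("!HHBB", frame[14:20]) != (1, 0x0800, 6, 4):
        return None
    (op,) = struct.unpack("!H", frame[20:22])
    return op, frame[22:28], socket.inet_ntoa(frame[28:32]), socket.inet_ntoa(frame[38:42])

def simulated_host(frame, mac, ip, promisc):
    """Model only: the card filters on destination MAC unless promiscuous;
    the ARP code then answers for its IP without re-checking that MAC."""
    if not promisc and frame[0:6] not in (mac, BROADCAST):
        return None  # dropped by the card, never reaches the ARP code
    arp = parse_arp(frame)
    if arp is None or arp[0] != 1 or arp[3] != ip:
        return None
    _, asker_mac, asker_ip, _ = arp
    return arp_frame(asker_mac, mac, 2, mac, ip, asker_mac, asker_ip)

def answers_probe(probe, reply):
    """True if reply is an ARP reply (op 2) from the probed IP to the prober."""
    if reply is None:
        return False
    p, r = parse_arp(probe), parse_arp(reply)
    if p is None or r is None or r[0] != 2:
        return False
    return r[2] == p[3] and r[3] == p[2] and reply[0:6] == probe[6:12]
```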