
Windows 2000 Static arp not static

From: Tim Habex <tim.habex(at)eenderwat.be>
Date: Wed Feb 12 2003 - 18:53:44 EST


Dear all,

I am quite new to this. I posted this on bugtraq first, but David Ahmad asked to post it in FOCUS-MS and vuln-dev. So here I go :o)

This is the setup:
1 Windows 2000 Professional (SP3)
1 Linux Slackware (gateway)
1 Debian Linux
1 switch

(The Linux distros don't really matter)

When using ettercap on the network from the Debian machine, I was able to see and control all traffic. (nothing new right?) Ettercap is doing this by making the network believe everything should be sent to the MAC address of the ettercap machine which in my case was the Debian machine.

To prevent this behaviour, I setup static routes both on the gateway and the Windows machine. Yet I didn't get the result I was expecting. I was still able to see packets on the Debian machine, yet I was no longer able to control the packets.

When I looked at the arp cache of Linux, the static entry was there and working (?), but on the Windows machine, THE VALUE OF THE STATIC ARP WAS CHANGED. When ettercap was disabled, the static arp entry was returned to the original value.

Meaning Windows 2000 desktops (and servers?) can always be sniffed even when using a switch. On top of that, your network is probably vulnerable to man-in-the-middle attacks if you're relying on MS technology only. I don't know if they are still vulnerable to a man-in-the-middle attack if you're using e.g. a Linux router with static routes. My "hacking" knowledge is quite limited. But I can imagine there are people who know how to gain from this "feature".


If this is a known problem, why hasn't this been fixed? If unknown ... is Microsoft reading this? ;o)
Can some experienced security advisors perform more tests on this? E.g. other (Windows) OSes, other types of attacks.

Hoping this can be useful

Tim

Received on Wed Feb 12 19:05:33 2003
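The symptom Tim describes (a known IP suddenly resolving to a different MAC once ettercap starts) is exactly what an arpwatch-style monitor detects: an ARP reply whose sender IP is in the trusted table but whose sender MAC disagrees with it. The following is an added example, not code from the original post or from ettercap; the IP and MAC addresses are constructed placeholders, and the trusted table stands in for the static entries Tim configured.

```python
import struct

# Trusted IP -> MAC table for a lab like the one in the post (constructed values).
TRUSTED = {
    "192.168.1.1": "00:11:22:33:44:01",   # Linux gateway
    "192.168.1.10": "00:11:22:33:44:10",  # Windows 2000 host
}

def _mac(s):
    return bytes(int(x, 16) for x in s.split(":"))

def _ip(s):
    return bytes(int(x) for x in s.split("."))

def build_arp(opcode, sender_mac, sender_ip, target_mac, target_ip):
    """Build an Ethernet+ARP frame; used here only to construct sample input."""
    eth = _mac(target_mac) + _mac(sender_mac) + b"\x08\x06"      # dst, src, EtherType=ARP
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)        # Ethernet, IPv4, hlen, plen, op
    arp += _mac(sender_mac) + _ip(sender_ip) + _mac(target_mac) + _ip(target_ip)
    return eth + arp

def parse_arp(frame):
    """Return (opcode, sender_mac, sender_ip) for an ARP frame, or None if not ARP."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    opcode = struct.unpack("!H", frame[20:22])[0]
    smac = ":".join(f"{b:02x}" for b in frame[22:28])
    sip = ".".join(str(b) for b in frame[28:32])
    return opcode, smac, sip

def check_frames(frames, trusted=TRUSTED):
    """Flag ARP replies (opcode 2) whose sender IP is trusted but sender MAC differs.

    Returns a list of (ip, expected_mac, observed_mac) tuples, one per offending reply.
    """
    alerts = []
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None or parsed[0] != 2:
            continue                       # ignore non-ARP and ARP requests
        _, smac, sip = parsed
        expected = trusted.get(sip)
        if expected is not None and expected != smac:
            alerts.append((sip, expected, smac))
    return alerts

# Constructed sample traffic: a genuine reply from the gateway, an ARP request,
# and a poisoned reply claiming the gateway's IP from a third MAC.
SAMPLE_FRAMES = [
    build_arp(2, "00:11:22:33:44:01", "192.168.1.1", "00:11:22:33:44:10", "192.168.1.10"),
    build_arp(1, "00:11:22:33:44:10", "192.168.1.10", "00:00:00:00:00:00", "192.168.1.1"),
    build_arp(2, "00:11:22:33:44:de", "192.168.1.1", "00:11:22:33:44:10", "192.168.1.10"),
]
```

Running `check_frames(SAMPLE_FRAMES)` reports only the third frame, the one that would have rewritten the Windows entry in Tim's test.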

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:26 EDT

