
I'm using a somewhat weird setup which (so I would think) allows me to connect to the subnet while spoofing my IP and MAC (in a test environment; I'm doing cyber security in college ^^). However, the router does not seem to route any of my requests, and I do not understand why.

I'm using this as a guide: https://www.defcon.org/images/defcon-19/dc-19-presentations/Duckwall/DEFCON-19-Duckwall-Bridge-Too-Far.pdf

My setup is as follows:

IP: 169.254.66.66

route table:
Destination    Gateway        Genmask      Flags
0.0.0.0        169.254.66.1   0.0.0.0      UG
169.254.0.0    0.0.0.0        255.255.0.0  U

ARP table:
Address        HWType    HWAddress            Flags
169.254.66.1   ether     xx:xx:xx:xx:xx:xx    CM

And then there are some iptables and ebtables rules to rewrite the IP and MAC of outgoing requests (these cannot be the problem, I suppose; they have worked for weeks now), but they look something like this:

target   prot    source           destination    
SNAT     icmp    169.254.66.66    anywhere       to:some_legit_ip_from_subnet

With this setup I am able to ping the default gateway (or whatever hardware address is in the ARP table), but the gateway does not route my requests any further on the subnet. To make things weirder, it does route my requests to the internet. So I'm able to ping 8.8.8.8, for example, just fine, but no IPs from the subnet.

I do not know if this is clear. Please ask if it is not.

Thank you for your time!

  • So are you asking about packets to hosts within the same subnet, or about hosts in other subnets? Routers are normally not involved in the former. Commented Apr 19, 2019 at 10:01
  • It's about packets to hosts in the same subnet. For example: I have default gateway 192.168.0.1. I spoof 192.168.0.100, then I would expect to be able to ping 192.168.0.99. In this case, my ARP table would contain the default gateway's MAC address Commented Apr 19, 2019 at 10:08
  • The default gateway is irrelevant, because by definition hosts in the same subnet can communicate directly; so the ARP table would contain the MAC address of 192.168.0.99 itself (and .99's ARP table would contain your spoofed MAC address). Commented Apr 19, 2019 at 10:10
  • That would be the normal scenario, I agree. But I expected the default gateway to route packets within the same subnet as well. I realize this would mean that all my packets (even when sent to same subnet) will be routed to the gateway and only then to the target. Is my expectation wrong? Commented Apr 19, 2019 at 10:13
  • I guess that's a reasonable expectation (and is done in "port isolation" situations), but I'm not sure whether it's generally guaranteed that a gateway will do so by default. (Have you tried the same without any spoofing; just by configuring routes to force usage of a gateway?) Also I strongly suspect that part of the problem is your usage of 169.254.0.0/16 address range, which has been reserved for "link-local" usage and routers are generally forbidden from forwarding it, which might include even forwarding back to the same link... Commented Apr 19, 2019 at 10:17

1 Answer

Thanks to grawity I have come to a solution. There were two problems which caused this. First: A gateway does not by default route traffic back into the internal subnet. Second: When using another IP than the subnet you send requests to, the ARP table does not update automatically, which causes the requests to neighbors to fail.

So the solution: Assign an IP within the subnet of the gateway and let the ARP update itself OR manually update the ARP table.

Thank you grawity!

EDIT: Testing shows that the solution is a combination of both. I don't know if this is always the case, but in my case my switch and router do not respond to ARP requests. This means those MACs have to be added manually.

EDIT2: More testing shows this is a partial solution if you want to be able to access both the internal network and the external network. If an external IP starts with the same number as your subnet, it will try to ARP it instead of reaching it through the gateway.
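The route-selection behaviour behind the answer and its EDIT2 can be reproduced without touching a kernel. The block below is an added example, not code from the question or the answer: it models the Linux longest-prefix-match lookup (connected route wins over the default route whenever the destination falls inside the interface's prefix) and shows the two failure modes: a spoofed address outside the target subnet sends every on-subnet packet to the gateway, which then has to forward it back onto the same link, and a too-wide prefix (e.g. /16 instead of /24) makes "external" addresses that share the leading octets look on-link, so the host ARPs for them instead of using the gateway. All addresses and prefixes are constructed for the illustration and are not the original poster's real values.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Hypothetical model of a Linux FIB entry: gateway=None means a directly
# connected ("on-link") route, i.e. the kernel ARPs for the destination itself.
@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    gateway: Optional[ipaddress.IPv4Address]
    dev: str = "eth0"


@dataclass(frozen=True)
class Decision:
    route: Route
    next_hop: ipaddress.IPv4Address  # the address the host will ARP for
    via_gateway: bool                # True: packet goes to the router first


def lookup(table: List[Route], dst: str) -> Decision:
    """Longest-prefix match, the same rule the Linux FIB applies."""
    dst_addr = ipaddress.IPv4Address(dst)
    candidates = [r for r in table if dst_addr in r.prefix]
    if not candidates:
        raise LookupError(f"no route to {dst_addr}")
    best = max(candidates, key=lambda r: r.prefix.prefixlen)
    if best.gateway is None:
        # connected route: next hop is the destination itself
        return Decision(best, dst_addr, False)
    return Decision(best, best.gateway, True)


def build_table(addr_with_prefix: str, gateway: str) -> List[Route]:
    """The two routes `ip addr add` + a default route leave behind."""
    iface = ipaddress.IPv4Interface(addr_with_prefix)
    return [
        Route(ipaddress.IPv4Network("0.0.0.0/0"), ipaddress.IPv4Address(gateway)),
        Route(iface.network, None),
    ]


def describe(addr_with_prefix: str, gateway: str, dst: str) -> str:
    d = lookup(build_table(addr_with_prefix, gateway), dst)
    how = "via gateway" if d.via_gateway else "on-link (ARP for destination)"
    return f"{addr_with_prefix} -> {dst}: {how}, ARP target {d.next_hop}"


if __name__ == "__main__":
    # Case 1 (the question): spoofed address in a different subnet than the
    # target. Every packet to the target subnet is handed to the gateway, which
    # would have to forward it back out of the same interface.
    print(describe("169.254.66.66/16", "169.254.66.1", "192.168.0.99"))

    # Case 2 (EDIT2): address inside the target subnet but with a /16 mask.
    # 192.168.5.7 is "external" in this lab, yet it matches the connected
    # route, so the host ARPs for it and never uses the gateway.
    print(describe("192.168.0.100/16", "192.168.0.1", "192.168.5.7"))

    # Case 3: same address with the correct /24 mask; the gateway is used.
    print(describe("192.168.0.100/24", "192.168.0.1", "192.168.5.7"))

    # Same-subnet neighbour with the correct mask: direct ARP, no router.
    print(describe("192.168.0.100/24", "192.168.0.1", "192.168.0.99"))
```

Case 3 is the configuration the answer ends up recommending: an address inside the target subnet with the subnet's real mask, so neighbours are resolved directly and everything else goes through the gateway. Whether a gateway that does receive a packet for its own connected subnet forwards it back out is router policy, which this model deliberately does not assume.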
