Home page logo
/

basics logo Security Basics mailing list archives

Re: ARP Poisoning
From: Matt Hemingway <matt () supplyedge com>
Date: Fri, 8 Nov 2002 10:51:39 -0800

Have you looked at Arpwatch:

http://online.securityfocus.com/tools/142

I use it and am very impressed and thankfull that I have it.  Occasionally 
laptops will still carry the IP address of the home DSL/Cable connection and 
once they connect to our network that will get reported and cause a false 
alarm, better than no alarm.

-Matt

On Friday 08 November 2002 02:31 am, Trevor Cushen wrote:
Hello Michael,

I am looking at that at the moment.  Encryption is the best way to go to
protect against sniffing and there are millions of ways to enable it
around a network in one form or another.

On the other side I am putting together a series of perl scripts and web
front ends to monitor devices on the network because I want to detect
new and unauthorised MAC addresses on my network.

Ettercap has a flag that will detect arp poisoning on the network as
well as a flag for running arp requests across the network.  What I have
done is set this up to test my network at MAC level only.

I gather the results and match it off against a list of my valid mac
addresses etc etc.  A nice colour coded web front end will show red for
unrecognised and online mac addresses.  Green online and recognised etc.
A history option to tell me when machines went online and offline.

This way if any new device is added to my network then I know about it
even if it does spoof the mac address later to sniff only.  This came
about after it was suspected that people could come in with laptops and
copy of files which of course will not trigger any IDS system as it is
valid traffic.

But if a wireless AP was added to the network then I will detect that
too because it will be an unknown MAC address.

I am nearly finished developing this but if anyone knows of a utility
that already does this well then please let me know.

Trevor Cushen
Sysnet Ltd

www.sysnet.ie
Tel: +353 1 2983000
Fax: +353 1 2960499



-----Original Message-----
From: Michael Ungar [mailto:m_ungar () yahoo com]
Sent: 07 November 2002 04:27
To: security-basics () securityfocus com
Subject: ARP Poisoning


From security books I've read it's not hard to
eavesdrop on network communication using tools like
dsniff, even in a switched environment. My
understanding is that it is accomplished quite easily
by ARP poisoning your victim in thinking your
machine's MAC as the router MAC & after interception, re-forwarding the
traffic back to the true router MAC.

Assuming the network environment is large (e.g.,
configuring port switches for specific MAC addresses
not practical) & desktop security cannot be guaranteed
(and thereby cannot prevent people from allowing
machines to IP forward), how can one defend against
other than encrypting data.

Thanks....Mike


__________________________________________________
Do you Yahoo!?
U2 on LAUNCH - Exclusive greatest hits videos http://launch.yahoo.com/u2


***************************************************************************
***********

This email and any files transmitted with it are confidential and intended
solely for the use of the individual or entity to whom they are addressed.

If you have received this message in error please notify SYSNET Ltd., at
telephone no: +353-1-2983000 or postmaster () sysnet ie

***************************************************************************
***********

-- 
----------
Matt Hemingway
matt.hemingway () pcnalert com
http://www.pcnalert.com
626-585-2788 x136
----------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault