
Security Basics mailing list archives
Re: ARP Poisoning
From: ATD <simon () snosoft com>
Date: 08 Nov 2002 16:16:28 -0500
Well, one easy way to ID this is to monitor for the ARP broadcast, or check for hosts doing this broadcast. For example... when using ettercap (one of those nice arp tools) it does:

    Building host list for netmask 255.255.255.0, please wait...
    Sending 7 ARP request...    <--- You can detect this.

Another thing that you can do is to run checks for other systems doing arp poisoning, ettercap offers this feature as well:

    [cC] - check for other poisoner...

So, one way to defend against this sniffing is to check for these poisoners every X minutes and notify the admin IF such a thing happens.

    [Cerebrum Gateway] <gawd># ettercap -c -N
    ettercap 0.6.7 (c) 2002 ALoR & NaGA
    Your IP: xxx.xxx.xxx.xxx with MAC: 00:10:4B:C8:2A:4E on Iface: de0
    Building host list for netmask 255.255.255.0, please wait...
    Sending 7 ARP request...
    * |==================================================>| 100.00 %
    Resolving 5 hostnames...
    * |==================================================>| 100.00 %
    Checking for poisoners...
    MAC of xxx.xxx.xxx.xxx and xxx.xxx.xxx.xxx are identical !
    you got a poisoner!!! =o)

On Wed, 2002-11-06 at 23:27, Michael Ungar wrote:
From security books I've read it's not hard to eavesdrop on network communication using tools like dsniff, even in a switched environment. My understanding is that it is accomplished quite easily by ARP poisoning your victim in thinking your machine's MAC as the router MAC & after interception, re-forwarding the traffic back to the true router MAC.

Assuming the network environment is large (e.g., configuring port switches for specific MAC addresses not practical) & desktop security cannot be guaranteed (and thereby cannot prevent people from allowing machines to IP forward), how can one defend against other than encrypting data?

Thanks....Mike
--
-ATD-
http://www.snosoft.com
-------------------------------------------------------------
Secure Network Operations | Strategic Reconnaissance Team
Cerebrum Project | cerebrum () snosoft com
-------------------------------------------------------------
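Added example (not part of the original post, and not ettercap's code): a periodic check in the spirit of the reply above, flagging a MAC that answers for more than one IP and an IP whose MAC changed since the previous poll. It assumes ARP cache snapshots in Linux /proc/net/arp format; the function names, the allow list and the sample addresses are constructed for illustration.

```python
"""Flag ARP-cache signs of poisoning: a MAC claiming several IPs, or an IP whose MAC changed."""
from collections import defaultdict

# Constructed snapshots in Linux /proc/net/arp format (documentation address ranges).
BASELINE = """\
IP address       HW type     Flags       HW address            Mask     Device
192.0.2.1        0x1         0x2         00:00:5e:00:53:01     *        eth0
192.0.2.20       0x1         0x2         00:00:5e:00:53:20     *        eth0
192.0.2.30       0x1         0x2         00:00:5e:00:53:30     *        eth0
192.0.2.40       0x1         0x0         00:00:00:00:00:00     *        eth0
"""
# Later poll: the gateway 192.0.2.1 now resolves to the MAC of host 192.0.2.30.
POISONED = BASELINE.replace("00:00:5e:00:53:01", "00:00:5E:00:53:30")

def parse_arp_table(text):
    """Return {ip: mac} for complete entries, skipping the header and unresolved rows."""
    bindings = {}
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 6:
            continue
        ip, flags, mac = fields[0], int(fields[2], 16), fields[3].lower()
        if flags & 0x2 and mac != "00:00:00:00:00:00":  # 0x2 = ATF_COM (entry complete)
            bindings[ip] = mac
    return bindings

def shared_macs(bindings, allow=()):
    """MACs seen for more than one IP; 'allow' lists MACs known to hold several IPs."""
    by_mac = defaultdict(list)
    for ip, mac in bindings.items():
        by_mac[mac].append(ip)
    return {m: sorted(ips) for m, ips in by_mac.items() if len(ips) > 1 and m not in allow}

def changed_bindings(previous, current):
    """IPs whose MAC differs from the previous poll: {ip: (old_mac, new_mac)}."""
    return {ip: (previous[ip], mac) for ip, mac in current.items()
            if ip in previous and previous[ip] != mac}

def check(previous_text, current_text, allow=()):
    """Compare two snapshots; return (shared MACs, changed bindings) for alerting."""
    prev, cur = parse_arp_table(previous_text), parse_arp_table(current_text)
    return shared_macs(cur, allow), changed_bindings(prev, cur)

if __name__ == "__main__":
    shared, changed = check(BASELINE, POISONED)
    for mac, ips in shared.items():
        print(f"ALERT: {mac} claimed by {', '.join(ips)}")
    for ip, (old, new) in changed.items():
        print(f"ALERT: {ip} moved from {old} to {new}")
```

Run from cron or a similar scheduler every X minutes, feeding it the saved previous snapshot and the current contents of /proc/net/arp, and mail the admin when either result is non-empty.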