Been playing alot with Cain and Abel recently and after realising how powerful this tool is for sniffing traffic I want to now focus on counter measures against an attack this tool can perform - ARP poisoning. So can anyone recommend the best tools / techniques to protect against this?
EDIT: Just found this is already been covered on GovSec in the past. Im currently reading this paper that was recommended: http://www.cs.sjsu.e...ilky_report.pdf
However, i would like to hear from peoples experience on protecting against ARP poisoning and tools they have used.
Thanks
Sponsored by: █ Sparkhost - Hosting Without Compromises! █ Hybrid Performance Web Hosting █ Spark Host Stream Hosting █ Hybrid IRC & IRCd Server Shell Accounts
Protection Against Arp Poisoning...
Started by
kbnet
, Mar 16 2005 04:46 AM
-
This topic is locked
17 replies to this topic
#2
SyS49152
-
- Sergeant Major
-
- 171 posts
Corporal
Posted 16 March 2005 - 06:36 AM
quite simple ..
check the mac address of the most juicy host in your subnet (i.e. gateway , domain controller)
then arp -a on your pc ..
if there are differences you are poisoned ..
check the mac address of the most juicy host in your subnet (i.e. gateway , domain controller)
then arp -a on your pc ..
if there are differences you are poisoned ..
#3
kbnet
-
- Sergeant Major
-
- 800 posts
Master Sergeant
Posted 16 March 2005 - 06:56 AM
Could do with a tool watching in real time. Just been reading the dsniff manual, l0pht's antisniff is mentioned so going to give that a try in a bit.
#4
Terminal
-
- Sergeant Major
-
- 536 posts
Sergeant First Class
Posted 16 March 2005 - 07:12 AM
There are good tools like Arpwatch around . One of the ways is to enter static mac address entries so ur computer doesnt broadcast arp request but still other routers can be poisoned and u are still in half water . Use outpost firewall it has a plugin to block mac address so u can block all those unneeded hosts also sygate keeps a good watch on arp . But still arp is very much exploitable . U can kick anyone out of network no matter what they use . There are techniques to stop like Port security on switches ,etc.
Btw did u note with cain u can sniff only hashes of yahoo mail and no plaintext on lan even if u arent using secure login . Gmail sends plain text HOTMAIL sends plain text out and most others do . But yahoo hashes b4r sending maybe md5 i think . Only thing i like bat yahoo
Btw did u note with cain u can sniff only hashes of yahoo mail and no plaintext on lan even if u arent using secure login . Gmail sends plain text HOTMAIL sends plain text out and most others do . But yahoo hashes b4r sending maybe md5 i think . Only thing i like bat yahoo
#5
belgther
-
- Sergeant Major
-
- 650 posts
Sergeant First Class
Posted 16 March 2005 - 07:29 AM
static ARP tables can solve the solution of ARP Poisoning, thus disabling ARP protocol which prevents ARP Poisoning, too. The packets can be blocked by personal & router firewalls. Fancy, but possible...
"The wisest one is the one who knows himself/herself." Quote of the life
belgther... aka... belgther
belgther... aka... belgther
#6
SyS49152
-
- Sergeant Major
-
- 171 posts
Corporal
Posted 16 March 2005 - 07:44 AM
Terminal ..
about yahoo you are right the pass is double MD5 hashed plus a challenge that changes
at any new connection ..
about yahoo you are right the pass is double MD5 hashed plus a challenge that changes
at any new connection ..
#7
kbnet
-
- Sergeant Major
-
- 800 posts
Master Sergeant
Posted 16 March 2005 - 07:51 AM
Yeah, ive noticed most sites send passwords out in plain text. Been catching quite alot of traffic from the lan (its used by another 3 people) and noticed a few sites will send out MD5 hash. If i want to get an account from a user I just get them to run a script which steals key3.db and signons.txt. Suppose if i had the MD5 rainbow tables it would make life easier.
#8
Pro21
-
- Members
-
- 230 posts
Sergeant
Posted 17 March 2005 - 09:45 AM
static ARP tables can solve the solution of ARP Poisoning, thus disabling ARP protocol which prevents ARP Poisoning, too. The packets can be blocked by personal & router firewalls. Fancy, but possible...
Yes but if you have a windows network, it s noticed with arp-sk it is possible to modify static ARP tables.
I think the best solution is to use ssl or vpn or anything like that to secure data from the network. And it s the easier solution than filter all MAC adress. It use more ressources I think ...
#9
skydance
-
- Members
-
- 176 posts
Corporal
Posted 11 July 2005 - 02:27 PM
im usign XArp to detect ARP poisoning attacks: hxxp://www.chrismc.de/developing/xarp/
#10
Warlord_David
-
- Members
-
- 154 posts
Corporal
Posted 11 July 2005 - 08:56 PM
you can also spoof your address to hide where the attacks are coming from.
#11
packet
-
- Sergeant Major
-
- 649 posts
Specialist
Posted 12 July 2005 - 04:38 PM
Static ARP tables are great on all the devices you can control easily like routers and firewalls but getting them out to all clients and keeping them up to date can be a challenge. So hardware changes can be a much bigger deal when you need to replace that interface card.
If you don't hit the clients then dsnif for C&A can fool clients into thinking they are the gateway still and get lots of juicy info. I wonder if there is a way to do this with DHCP, send out the default GW and the MAC of that GW. But the GW is not the only thing worth protecting all servers and resources would be nice to protect too.
BTW, arpwatch is great for keeping an eye on this but when someone does start futzing it become almost too noisy with e-mails and log messages, you have to dial down the settings to make sure it doesn't flood out too much crap.
--P>G>>
If you don't hit the clients then dsnif for C&A can fool clients into thinking they are the gateway still and get lots of juicy info. I wonder if there is a way to do this with DHCP, send out the default GW and the MAC of that GW. But the GW is not the only thing worth protecting all servers and resources would be nice to protect too.
BTW, arpwatch is great for keeping an eye on this but when someone does start futzing it become almost too noisy with e-mails and log messages, you have to dial down the settings to make sure it doesn't flood out too much crap.
--P>G>>
Abusus non tolit usum
The gopher is back!
The gopher is back!
#12
nolimit
-
- Members
-
- 387 posts
Staff Sergeant
Posted 12 July 2005 - 05:11 PM
a fine tuned IDS system is probably your best route
#13
pita
-
- Members
-
- 153 posts
Corporal
Posted 12 July 2005 - 06:55 PM
if u use ipsec in the network, all connections will be encrypted so even if you poison u will see nothing.
but this will solve the probleme of a man in the middle that is waiting for things like passwords in clear text but i'm not sure this will also help for the smart spoofing attack.
but maybe anyone had test this before?
but this will solve the probleme of a man in the middle that is waiting for things like passwords in clear text but i'm not sure this will also help for the smart spoofing attack.
but maybe anyone had test this before?
#14
packet
-
- Sergeant Major
-
- 649 posts
Specialist
Posted 12 July 2005 - 07:14 PM
But use IPSEC everywhere in the network? All clients to all servers? I know MS was trying something like that but I know they weren't ready to actually turn on encryption, just tunnels at this point.
But IPSEC could still be disrupted in any case as you could redirect traffic through you, and if any new man in the middle attacks come out then you would be sitting in the right place.
--P>G>>
But IPSEC could still be disrupted in any case as you could redirect traffic through you, and if any new man in the middle attacks come out then you would be sitting in the right place.
--P>G>>
Abusus non tolit usum
The gopher is back!
The gopher is back!
#15
mmkhan
-
- Members
-
- 36 posts
Private First Class
Posted 13 July 2005 - 12:04 AM
you can also spoof your address to hide where the attacks are coming from.
then i think u will create a DOS on the network.
0 user(s) are reading this topic
0 members, 0 guests, 0 anonymous users
