TOPIC: ARP spoofing

ARP spoofing 11 years 3 months ago #8799

  • pndennie
  • pndennie's Avatar
  • Offline
  • Frequent Member
  • Posts: 29
  • Karma: 0
We recently had a pen test done on our inside network. The major issue found was that an ARP spoofing attack revealed numerous pathways to finding information. I have been tasked with working out how to minimize this issue from an internal standpoint. If anybody has any ideas or can point me to some docs that can help me with this, I would appreciate it.

Re: ARP spoofing 11 years 3 months ago #8804

  • randy
  • randy's Avatar
  • Offline
  • New Member
  • Posts: 14
  • Karma: 0
I have done a little bit of experimenting with arpspoof on my home network. I'm using arpwatch with FreeBSD to detect any MAC address changes on my network. For my example I used arpwatch while I was running arpspoof on my home network. Here is how I set up arpwatch on my *nix box:

arpwatch -i dc0 -m [email address] &

The -m flag will have any changes in the arpwatch table emailed to you. Shown below is what was sent after arpwatch detected a MAC address change:

N 14 [email address] Wed Mar 9 13:05 25/1100 changed ethernet address (toshiba-user.com)

Message 14:
From [email address] Wed Mar 9 13:05:05 2005
Date: Wed, 9 Mar 2005 13:04:46 -0500 (EST)
From: [email address] (Arpwatch)
To: [email address]
Subject: changed ethernet address (toshiba-user.com)

hostname: toshiba-user.com
ip address: 192.168.10.2
ethernet address: 8:0:9:0:a:0
ethernet vendor: HEWLETT PACKARD
old ethernet address: 0:d:88:74:78:4a
old ethernet vendor: D-Link Corporation
timestamp: Wednesday, March 9, 2005 13:03:57 -0500
previous timestamp: Wednesday, March 9, 2005 13:03:57 -0500
delta: 0 seconds

Here is the arpwatch database before arpspoof:

randy# cat arp.dat
00:0f:3d:3a:c1:0c 192.168.10.1 (gateway)
00:0d:88:74:78:4a 192.168.10.2 toshiba-user (victim)
00:40:ca:87:99:ad 192.168.10.3
00:0d:88:59:2d:d6 192.168.10.4
00:0d:88:74:78:4b 192.168.10.5
08:00:09:00:0a:00 192.168.10.11 randy (attacker)
randy#

Shown below is the arpwatch database table after I ran arpspoof. Notice that there are two new MAC address entries (08:00:09:00:0a:00).

randy# cat arp.dat
08:00:09:00:0a:00 192.168.10.1 (gateway)
00:0f:3d:3a:c1:0c 192.168.10.1 (gateway)
08:00:09:00:0a:00 192.168.10.2 toshiba-user (victim)
00:0d:88:74:78:4a 192.168.10.2 toshiba-user (victim)
00:40:ca:87:99:ad 192.168.10.3
00:0d:88:59:2d:d6 192.168.10.4
00:0d:88:74:78:4b 192.168.10.5
08:00:09:00:0a:00 192.168.10.11 randy (attacker)
randy#

randy# ifconfig
dc0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
inet 192.168.10.11 netmask 0xffffff00 broadcast 192.168.10.255
ether 08:00:09:00:0a:00
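As an added example (not randy's code and not part of arpwatch), here is a small checker that reads an arp.dat-style table like the ones above and flags the two signatures visible in the post: an IP claimed by more than one MAC, and a single MAC answering for several IPs including the gateway. It assumes the space-separated "mac ip [hostname] [(comment)]" layout shown in the post; the sample table below is constructed from the "after arpspoof" dump.

```python
"""Flag ARP-spoofing signatures in an arpwatch-style arp.dat table."""
from collections import defaultdict

# Constructed sample, modelled on the post's arp.dat after arpspoof was run.
ARP_DAT_AFTER = """\
08:00:09:00:0a:00 192.168.10.1 (gateway)
00:0f:3d:3a:c1:0c 192.168.10.1 (gateway)
08:00:09:00:0a:00 192.168.10.2 toshiba-user (victim)
00:0d:88:74:78:4a 192.168.10.2 toshiba-user (victim)
00:40:ca:87:99:ad 192.168.10.3
00:0d:88:59:2d:d6 192.168.10.4
00:0d:88:74:78:4b 192.168.10.5
08:00:09:00:0a:00 192.168.10.11 randy (attacker)
"""


def parse_arp_dat(text):
    """Yield (mac, ip) pairs from "mac ip ..." lines.

    MAC octets are zero-padded so the short form arpwatch prints in mail
    (8:0:9:0:a:0) compares equal to 08:00:09:00:0a:00 in arp.dat.
    """
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        mac = ":".join(o.zfill(2) for o in parts[0].lower().split(":"))
        yield mac, parts[1]


def find_spoofing(text, gateway_ip):
    """Return contested IPs, MACs claiming several IPs, and whether the
    gateway itself is among the contested addresses (the MITM signature)."""
    ip_to_macs = defaultdict(set)
    mac_to_ips = defaultdict(set)
    for mac, ip in parse_arp_dat(text):
        ip_to_macs[ip].add(mac)
        mac_to_ips[mac].add(ip)
    contested = {ip: m for ip, m in ip_to_macs.items() if len(m) > 1}
    multi_ip = {m: ips for m, ips in mac_to_ips.items() if len(ips) > 1}
    # One MAC answering for the gateway and another host is what poisoning
    # both ends of a conversation looks like in the table.
    suspects = {m for m, ips in multi_ip.items() if gateway_ip in ips}
    return {"contested_ips": contested, "multi_ip_macs": multi_ip,
            "gateway_spoofed": gateway_ip in contested, "suspect_macs": suspects}


if __name__ == "__main__":
    report = find_spoofing(ARP_DAT_AFTER, "192.168.10.1")
    for ip, macs in sorted(report["contested_ips"].items()):
        print(f"{ip} claimed by {len(macs)} MACs: {', '.join(sorted(macs))}")
    print("gateway spoofed:", report["gateway_spoofed"],
          "suspect MACs:", sorted(report["suspect_macs"]))
```

Run against the "before" table from the post the same function reports no contested IPs, so it can be dropped into a cron job that diffs arp.dat as a complement to the -m mail.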

Re: ARP spoofing 11 years 3 months ago #8832

  • pndennie
  • pndennie's Avatar
  • Offline
  • Frequent Member
  • Posts: 29
  • Karma: 0
Thanks for the info

Re: ARP spoofing 11 years 3 months ago #8841

  • LooseCannon
  • LooseCannon's Avatar
  • Offline
  • Frequent Member
  • Posts: 64
  • Karma: 0
You might want to check out Port Security if using Cisco switches.

Re: ARP spoofing 11 years 3 months ago #8906

  • sahirh
  • sahirh's Avatar
  • Offline
  • Honored Member
  • Posts: 1700
  • Karma: 0
Hmm, port security and arpwatch are your best bets..

However your pen-test team is really overstating the issue if they are telling you that arp spoofing is a major vulnerability in your network..

It probably means they didn't find much else to break into on the servers and other targets..
Recommend you download a few arp spoofing tools -- such as ettercap, and see what their limitations are... then play to those..

Cheers,
Sahir Hidayatullah.
Firewall.cx Staff - Associate Editor & Security Advisor
tftfotw.blogspot.com
