Firewall.cx :: View topic - ARP spoofing
pndennie Occasional Member Joined: Oct 14, 2003 Posts: 29
Posted: Mon Jun 13, 2005 5:06 pm Post subject: ARP spoofing
We recently had a pen test done on our inside network. The major issue found was that an ARP spoofing attack revealed numerous pathways to finding information. I have been tasked on how to minimize this issue from an internal standpoint. If anybody has any ideas or can point me to some docs that can help me with this I would appreciate it......
randy New Member Joined: Nov 22, 2004 Posts: 14
Posted: Tue Jun 14, 2005 2:25 am Post subject:
I have done a little bit of experimenting with arpspoof on my home network. I'm using arpwatch with FreeBSD to detect any mac address changes on my network. For my example I used arpwatch while I was running arpspoof on my home network. Here is how I set up arpwatch on my nix box:
arpwatch -i dc0 -m user@my.testbox.com &
The m flag will have any changes in the arpwatch table emailed to you. Shown below is what was sent after arpwatch detected a mac address change:
N 14 arpwatch@me.test Wed Mar 9 13:05 25/1100 changed ethernet address (toshiba-user.com)
Message 14:
From user@my.testbox.com Wed Mar 9 13:05:05 2005
Date: Wed, 9 Mar 2005 13:04:46 -0500 (EST)
From: arpwatch@my.testbox.com (Arpwatch)
To: user@my.testbox.com
Subject: changed ethernet address (toshiba-user.com)
hostname: toshiba-user.com
ip address: 192.168.10.2
ethernet address: 8:0:9:0:a:0
ethernet vendor: HEWLETT PACKARD
old ethernet address: 0:d:88:74:78:4a
old ethernet vendor: D-Link Corporation
timestamp: Wednesday, March 9, 2005 13:03:57 -0500
previous timestamp: Wednesday, March 9, 2005 13:03:57 -0500
delta: 0 seconds
Here is the arpwatch database before arpspoof:
randy# cat arp.dat
00:0f:3d:3a:c1:0c 192.168.10.1 (gateway)
00:0d:88:74:78:4a 192.168.10.2 toshiba-user (victim)
00:40:ca:87:99:ad 192.168.10.3
00:0d:88:59:2d:d6 192.168.10.4
00:0d:88:74:78:4b 192.168.10.5
08:00:09:00:0a:00 192.168.10.11 randy (attacker)
randy#
Shown below is the arpwatch database table after I ran arpspoof. Notice that there are two new mac address entries (08:00:09:00:0a:00).
randy# cat arp.dat
08:00:09:00:0a:00 192.168.10.1 (gateway)
00:0f:3d:3a:c1:0c 192.168.10.1 (gateway)
08:00:09:00:0a:00 192.168.10.2 toshiba-user (victim)
00:0d:88:74:78:4a 192.168.10.2 toshiba-user (victim)
00:40:ca:87:99:ad 192.168.10.3
00:0d:88:59:2d:d6 192.168.10.4
00:0d:88:74:78:4b 192.168.10.5
08:00:09:00:0a:00 192.168.10.11 randy (attacker)
randy#
randy# ifconfig
dc0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
inet 192.168.10.11 netmask 0xffffff00 broadcast 192.168.10.255
ether 08:00:09:00:0a:00
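Added example (not part of randy's post and not arpwatch's own code): a small Python check that reads a listing in the format shown above, where the first two fields of each row are MAC and IP, and reports every IP claimed by more than one MAC along with any MAC that appears on several of those contested IPs. The function names are hypothetical; the sample input is the "after arpspoof" table from the post.

```python
from collections import defaultdict

# The "after arpspoof" listing quoted in the post above, embedded as sample input.
ARP_DAT_AFTER = """\
08:00:09:00:0a:00 192.168.10.1 (gateway)
00:0f:3d:3a:c1:0c 192.168.10.1 (gateway)
08:00:09:00:0a:00 192.168.10.2 toshiba-user (victim)
00:0d:88:74:78:4a 192.168.10.2 toshiba-user (victim)
00:40:ca:87:99:ad 192.168.10.3
00:0d:88:59:2d:d6 192.168.10.4
00:0d:88:74:78:4b 192.168.10.5
08:00:09:00:0a:00 192.168.10.11 randy (attacker)
"""

def normalize_mac(mac):
    """Zero-pad octets so the mail form '8:0:9:0:a:0' equals '08:00:09:00:0a:00'."""
    return ":".join(f"{int(octet, 16):02x}" for octet in mac.split(":"))

def parse_arp_dat(text):
    """Yield (mac, ip) for each row whose first two fields are a MAC and an IP."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0].count(":") != 5:
            continue  # shell prompts, blank lines, anything that is not a table row
        try:
            yield normalize_mac(fields[0]), fields[1]
        except ValueError:
            continue  # first field had colons but was not hexadecimal

def find_conflicts(text):
    """Return (contested, suspects) for one listing."""
    ip_to_macs = defaultdict(set)
    mac_to_ips = defaultdict(set)
    for mac, ip in parse_arp_dat(text):
        ip_to_macs[ip].add(mac)
        mac_to_ips[mac].add(ip)
    # An IP with two MACs on record: replaced NIC, DHCP churn, or spoofed replies.
    contested = {ip: sorted(m) for ip, m in ip_to_macs.items() if len(m) > 1}
    # One MAC on several contested IPs is the pattern visible in the table above.
    suspects = {}
    for mac, ips in mac_to_ips.items():
        hits = sorted(ips & set(contested))
        if len(hits) > 1:
            suspects[mac] = hits
    return contested, suspects

if __name__ == "__main__":
    print(find_conflicts(ARP_DAT_AFTER))
```

A single contested IP on its own is not proof of spoofing, which is why the second result only lists a MAC once it shows up on more than one contested address.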
pndennie Occasional Member Joined: Oct 14, 2003 Posts: 29
Posted: Wed Jun 15, 2005 9:58 pm Post subject:
Thanks for the info
LooseCannon Occasional Member Joined: Mar 04, 2005 Posts: 64 Location: London, ON
Posted: Thu Jun 16, 2005 2:56 am Post subject:
You might want to check out Port Security if using Cisco switches.
sahirh Associate Editor & Security Advisor Joined: Aug 14, 2003 Posts: 1699 Location: Mumbai, India.
Posted: Sun Jun 19, 2005 7:59 pm Post subject:
Hmm port security and arpwatch are your best bets..
However your pen-test team is really overstating the issue if they are telling you that arp spoofing is a major vulnerability in your network..
It probably means they didn't find much else to break into on the servers and other targets..
Recommend you download a few arp spoofing tools -- such as ettercap, and see what their limitations are... then play to those..
Cheers, _________________ Sahir Hidayatullah.
Firewall.cx Staff - Associate Editor & Security Advisor
http://tftfotw.blogspot.com