ARP spoofing

We recently has a pen test done on our inside network. The major issue found was that ARP spoofing attack revealed numerous pathways to finding information. I have been tasked on how to minimize this issue from an internal stand point. If anybody has any ideas or can point me to so docs that cna help me with this I would appreciate it......

I have done a little bit of experimenting with arpspoof on my home network. I'm using arpwatch with FreeBSD to detect any mac address changes on my network. For my example I used arpwatch while I was running arpspoof on my home network. Here is how I set up arpwatch on my nix box:

arpwatch -i dc0 -m user@my.testbox.com &

The m flag will have any changes in the arpwatch table emailed to you. Shown below is what was sent after arpwatch detected a mac address change:


N 14 arpwatch@me.test Wed Mar 9 13:05 25/1100 changed ethernet address (toshiba-user.com)

Message 14:
From user@my.testbox.com Wed Mar 9 13:05:05 2005
Date: Wed, 9 Mar 2005 13:04:46 -0500 (EST)
From: arpwatch@my.testbox.com (Arpwatch)
To: user@my.testbox.com
Subject: changed ethernet address (toshiba-user.com)

hostname: toshiba-user.com
ip address: 192.168.10.2
ethernet address: 8:0:9:0:a:0
ethernet vendor: HEWLETT PACKARD
old ethernet address: 0:d:88:74:78:4a
old ethernet vendor: D-Link Corporation
timestamp: Wednesday, March 9, 2005 13:03:57 -0500
previous timestamp: Wednesday, March 9, 2005 13:03:57 -0500
delta: 0 seconds


Here is the arpwatch database before arpspoof:

randy# cat arp.dat
00:0f:3d:3a:c1:0c 192.168.10.1 (gateway)
00:0d:88:74:78:4a 192.168.10.2 toshiba-user (victim)
00:40:ca:87:99:ad 192.168.10.3
00:0d:88:59:2d:d6 192.168.10.4
00:0d:88:74:78:4b 192.168.10.5
08:00:09:00:0a:00 192.168.10.11 randy (attacker)
randy#

Shown below is the arpwatch database table after I ran arpspoof. Notice that there are two new mac address entries (08:00:09:00:0a:00).

randy# cat arp.dat

08:00:09:00:0a:00 192.168.10.1 (gateway)
00:0f:3d:3a:c1:0c 192.168.10.1 (gateway)
08:00:09:00:0a:00 192.168.10.2 toshiba-user (victim)
00:0d:88:74:78:4a 192.168.10.2 toshiba-user (victim)
00:40:ca:87:99:ad 192.168.10.3
00:0d:88:59:2d:d6 192.168.10.4
00:0d:88:74:78:4b 192.168.10.5
08:00:09:00:0a:00 192.168.10.11 randy (attacker)
randy#

randy# ifconfig
dc0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
inet 192.168.10.11 netmask 0xffffff00 broadcast 192.168.10.255
ether 08:00:09:00:0a:00
[/b]

Thanks for the info

You might want to check out Port Security if using Cisco switches.

Hmm port security and arpwatch are your best bets..

However your pen-test team is really overstating the issue if they are telling you that arp spoofing is a major vulnerability in your network..

It probably means they didn't find much else to break into on the servers and other targets..


Recommend you download a few arp spoofing tools -- such as ettercap, and see what their limitations are... then play to those..

Cheers,