Skip to main content

ARP spoofing

More
19 years 5 months ago #8799 by pndennie
ARP spoofing was created by pndennie
We recently has a pen test done on our inside network. The major issue found was that ARP spoofing attack revealed numerous pathways to finding information. I have been tasked on how to minimize this issue from an internal stand point. If anybody has any ideas or can point me to so docs that cna help me with this I would appreciate it......
More
19 years 5 months ago #8804 by randy
Replied by randy on topic Re: ARP spoofing
I have done a little bit of experimenting with arpspoof on my home network. I'm using arpwatch with FreeBSD to detect any mac address changes on my network. For my example I used arpwatch while I was running arpspoof on my home network. Here is how I set up arpwatch on my nix box:

arpwatch -i dc0 -m user@my.testbox.com &

The m flag will have any changes in the arpwatch table emailed to you. Shown below is what was sent after arpwatch detected a mac address change:


N 14 arpwatch@me.test Wed Mar 9 13:05 25/1100 changed ethernet address (toshiba-user.com)

Message 14:
From user@my.testbox.com Wed Mar 9 13:05:05 2005
Date: Wed, 9 Mar 2005 13:04:46 -0500 (EST)
From: arpwatch@my.testbox.com (Arpwatch)
To: user@my.testbox.com
Subject: changed ethernet address (toshiba-user.com)

hostname: toshiba-user.com
ip address: 192.168.10.2
ethernet address: 8:0:9:0:a:0
ethernet vendor: HEWLETT PACKARD
old ethernet address: 0:d:88:74:78:4a
old ethernet vendor: D-Link Corporation
timestamp: Wednesday, March 9, 2005 13:03:57 -0500
previous timestamp: Wednesday, March 9, 2005 13:03:57 -0500
delta: 0 seconds


Here is the arpwatch database before arpspoof:

randy# cat arp.dat
00:0f:3d:3a:c1:0c 192.168.10.1 (gateway)
00:0d:88:74:78:4a 192.168.10.2 toshiba-user (victim)
00:40:ca:87:99:ad 192.168.10.3
00:0d:88:59:2d:d6 192.168.10.4
00:0d:88:74:78:4b 192.168.10.5
08:00:09:00:0a:00 192.168.10.11 randy (attacker)
randy#

Shown below is the arpwatch database table after I ran arpspoof. Notice that there are two new mac address entries (08:00:09:00:0a:00).

randy# cat arp.dat

08:00:09:00:0a:00 192.168.10.1 (gateway)
00:0f:3d:3a:c1:0c 192.168.10.1 (gateway)
08:00:09:00:0a:00 192.168.10.2 toshiba-user (victim)
00:0d:88:74:78:4a 192.168.10.2 toshiba-user (victim)
00:40:ca:87:99:ad 192.168.10.3
00:0d:88:59:2d:d6 192.168.10.4
00:0d:88:74:78:4b 192.168.10.5
08:00:09:00:0a:00 192.168.10.11 randy (attacker)
randy#

randy# ifconfig
dc0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
inet 192.168.10.11 netmask 0xffffff00 broadcast 192.168.10.255
ether 08:00:09:00:0a:00
[/b]
More
19 years 4 months ago #8832 by pndennie
Replied by pndennie on topic Re: ARP spoofing
Thanks for the info
More
19 years 4 months ago #8841 by LooseCannon
Replied by LooseCannon on topic Re: ARP spoofing
You might want to check out Port Security if using Cisco switches.
More
19 years 4 months ago #8906 by sahirh
Replied by sahirh on topic Re: ARP spoofing
Hmm port security and arpwatch are your best bets..

However your pen-test team is really overstating the issue if they are telling you that arp spoofing is a major vulnerability in your network..

It probably means they didn't find much else to break into on the servers and other targets..


Recommend you download a few arp spoofing tools -- such as ettercap, and see what their limitations are... then play to those..

Cheers,

Sahir Hidayatullah.
Firewall.cx Staff - Associate Editor & Security Advisor
tftfotw.blogspot.com
Time to create page: 0.142 seconds