Re: ARP Poisoning

From: Matt Hemingway (matt@supplyedge.com)
Date: 11/08/02


From: Matt Hemingway <matt@supplyedge.com>
To: "Trevor Cushen" <Trevor.Cushen@sysnet.ie>, "Michael Ungar" <m_ungar@yahoo.com>
Date: Fri, 8 Nov 2002 10:51:39 -0800

Have you looked at Arpwatch:

http://online.securityfocus.com/tools/142

I use it and am very impressed and thankful that I have it. Occasionally
laptops will still carry the IP address of the home DSL/Cable connection and
once they connect to our network that will get reported and cause a false
alarm, better than no alarm.

-Matt

On Friday 08 November 2002 02:31 am, Trevor Cushen wrote:
> Hello Michael,
>
> I am looking at that at the moment. Encryption is the best way to go to
> protect against sniffing and there are millions of ways to enable it
> around a network in one form or another.
>
> On the other side I am putting together a series of perl scripts and web
> front ends to monitor devices on the network because I want to detect
> new and unauthorised MAC addresses on my network.
>
> Ettercap has a flag that will detect arp poisoning on the network as
> well as a flag for running arp requests across the network. What I have
> done is set this up to test my network at MAC level only.
>
> I gather the results and match it off against a list of my valid mac
> addresses etc etc. A nice colour coded web front end will show red for
> unrecognised and online mac addresses. Green online and recognised etc.
> A history option to tell me when machines went online and offline.
>
> This way if any new device is added to my network then I know about it
> even if it does spoof the mac address later to sniff only. This came
> about after it was suspected that people could come in with laptops and
> copy of files which of course will not trigger any IDS system as it is
> valid traffic.
>
> But if a wireless AP was added to the network then I will detect that
> too because it will be an unknown MAC address.
>
> I am nearly finished developing this but if anyone knows of a utility
> that already does this well then please let me know.
>
> Trevor Cushen
> Sysnet Ltd
>
> www.sysnet.ie
> Tel: +353 1 2983000
> Fax: +353 1 2960499
>
>
>
> -----Original Message-----
> From: Michael Ungar [mailto:m_ungar@yahoo.com]
> Sent: 07 November 2002 04:27
> To: security-basics@securityfocus.com
> Subject: ARP Poisoning
>
>
> From security books I've read it's not hard to
> eavesdrop on network communication using tools like
> dsniff, even in a switched environment. My
> understanding is that it is accomplished quite easily
> by ARP poisoning your victim in thinking your
> machine's MAC as the router MAC & after interception, re-forwarding the
> traffic back to the true router MAC.
>
> Assuming the network environment is large (e.g.,
> configuring port switches for specific MAC addresses
> not practical) & desktop security cannot be guaranteed
> (and thereby cannot prevent people from allowing
> machines to IP forward), how can one defend against
> other than encrypting data.
>
> Thanks....Mike

-- 
----------
Matt Hemingway
matt.hemingway@pcnalert.com
http://www.pcnalert.com
626-585-2788 x136
----------
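
The following added example, which is not code from Arpwatch, Ettercap or anyone in this thread, shows the bookkeeping a monitor of the kind discussed above performs: it tracks which MAC claims each IP, checks MACs against a list of valid addresses, and flags the cases the thread mentions (an unlisted device, a laptop still carrying its home IP, and a router IP suddenly claimed by a different MAC). The subnet, MAC allowlist, alert names and sample observations are constructed assumptions.

```python
import ipaddress

LOCAL_NET = ipaddress.ip_network("192.168.10.0/24")   # assumed site subnet
# Constructed allowlist of valid MAC addresses (lowercase).
KNOWN_MACS = {"00:11:22:33:44:01", "00:11:22:33:44:02", "00:11:22:33:44:10"}

# Constructed sample: (unix time, sender IP, sender MAC) as seen in ARP traffic.
SAMPLE = [
    (1000, "192.168.10.1",  "00:11:22:33:44:01"),  # router
    (1005, "192.168.10.20", "00:11:22:33:44:02"),  # known desktop
    (1010, "192.168.10.30", "de:ad:be:ef:00:99"),  # device not on the list
    (1020, "10.0.0.5",      "00:11:22:33:44:10"),  # known laptop with home IP
    (1030, "192.168.10.1",  "de:ad:be:ef:00:99"),  # router IP claimed by another MAC
    (1031, "192.168.10.1",  "00:11:22:33:44:01"),  # real router answers again
]

def analyse(observations, known_macs=KNOWN_MACS, local_net=LOCAL_NET):
    """Return a list of (time, kind, ip, mac, previous_mac) alerts."""
    binding = {}       # ip -> last MAC seen for it
    history = {}       # ip -> every MAC that has ever claimed it
    seen_macs = set()  # MACs already reported, so each unknown MAC alerts once
    alerts = []
    for ts, ip, mac in observations:
        mac = mac.lower()
        # An address outside the site subnet: typically a roaming laptop,
        # noisy but still worth a look.
        if ipaddress.ip_address(ip) not in local_net:
            alerts.append((ts, "foreign-ip", ip, mac, None))
        # A MAC that is not on the list of valid addresses.
        if mac not in known_macs and mac not in seen_macs:
            alerts.append((ts, "unknown-mac", ip, mac, None))
        seen_macs.add(mac)
        # The IP-to-MAC binding changed: the main sign of ARP poisoning,
        # most serious when the IP is the router's.
        prev = binding.get(ip)
        if prev is not None and prev != mac:
            kind = "flip-flop" if mac in history[ip] else "mac-changed"
            alerts.append((ts, kind, ip, mac, prev))
        binding[ip] = mac
        history.setdefault(ip, set()).add(mac)
    return alerts

if __name__ == "__main__":
    for alert in analyse(SAMPLE):
        print(alert)
```

The `flip-flop` alert fires when an IP returns to a MAC it used before, which is what a poisoned entry competing with the real router's replies looks like on the wire.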


