Re: ARP Poisoning

[Matt Hemingway <matt () supplyedge com>]

Have you looked at Arpwatch:

http://online.securityfocus.com/tools/142

I use it and am very impressed and thankfull that I have it.  Occasionally 
laptops will still carry the IP address of the home DSL/Cable connection and 
once they connect to our network that will get reported and cause a false 
alarm, better than no alarm.

-Matt

On Friday 08 November 2002 02:31 am, Trevor Cushen wrote:
> Hello Michael,
>
> I am looking at that at the moment.  Encryption is the best way to go to
> protect against sniffing and there are millions of ways to enable it
> around a network in one form or another.
>
> On the other side I am putting together a series of perl scripts and web
> front ends to monitor devices on the network because I want to detect
> new and unauthorised MAC addresses on my network.
>
> Ettercap has a flag that will detect arp poisoning on the network as
> well as a flag for running arp requests across the network.  What I have
> done is set this up to test my network at MAC level only.
>
> I gather the results and match it off against a list of my valid mac
> addresses etc etc.  A nice colour coded web front end will show red for
> unrecognised and online mac addresses.  Green online and recognised etc.
> A history option to tell me when machines went online and offline.
>
> This way if any new device is added to my network then I know about it
> even if it does spoof the mac address later to sniff only.  This came
> about after it was suspected that people could come in with laptops and
> copy of files which of course will not trigger any IDS system as it is
> valid traffic.
>
> But if a wireless AP was added to the network then I will detect that
> too because it will be an unknown MAC address.
>
> I am nearly finished developing this but if anyone knows of a utility
> that already does this well then please let me know.
>
> Trevor Cushen
> Sysnet Ltd
>
> www.sysnet.ie
> Tel: +353 1 2983000
> Fax: +353 1 2960499
>
>
>
> -----Original Message-----
> From: Michael Ungar [mailto:m_ungar () yahoo com]
> Sent: 07 November 2002 04:27
> To: security-basics () securityfocus com
> Subject: ARP Poisoning
>
>
> From security books I've read it's not hard to
> eavesdrop on network communication using tools like
> dsniff, even in a switched environment. My
> understanding is that it is accomplished quite easily
> by ARP poisoning your victim in thinking your
> machine's MAC as the router MAC & after interception, re-forwarding the
> traffic back to the true router MAC.
>
> Assuming the network environment is large (e.g.,
> configuring port switches for specific MAC addresses
> not practical) & desktop security cannot be guaranteed
> (and thereby cannot prevent people from allowing
> machines to IP forward), how can one defend against
> other than encrypting data.
>
> Thanks....Mike
>
>
> __________________________________________________
> Do you Yahoo!?
> U2 on LAUNCH - Exclusive greatest hits videos http://launch.yahoo.com/u2
>
>
> ***************************************************************************
> ***********
>
> This email and any files transmitted with it are confidential and intended
> solely for the use of the individual or entity to whom they are addressed.
>
> If you have received this message in error please notify SYSNET Ltd., at
> telephone no: +353-1-2983000 or postmaster () sysnet ie
>
> ***************************************************************************
> ***********

-- 
----------
Matt Hemingway
matt.hemingway () pcnalert com
http://www.pcnalert.com
626-585-2788 x136
----------