Security Basics mailing list archives
Re: ARP Poisoning
From: Matt Hemingway <matt () supplyedge com>
Date: Fri, 8 Nov 2002 10:51:39 -0800
Have you looked at Arpwatch: http://online.securityfocus.com/tools/142

I use it and am very impressed and thankful that I have it. Occasionally laptops will still carry the IP address of the home DSL/Cable connection and once they connect to our network that will get reported and cause a false alarm, better than no alarm.

-Matt

On Friday 08 November 2002 02:31 am, Trevor Cushen wrote:
> Hello Michael,
>
> I am looking at that at the moment. Encryption is the best way to go to protect against sniffing and there are millions of ways to enable it around a network in one form or another.
>
> On the other side I am putting together a series of Perl scripts and web front ends to monitor devices on the network because I want to detect new and unauthorised MAC addresses on my network. Ettercap has a flag that will detect ARP poisoning on the network as well as a flag for running ARP requests across the network. What I have done is set this up to test my network at MAC level only. I gather the results and match them off against a list of my valid MAC addresses etc etc.
>
> A nice colour coded web front end will show red for unrecognised and online MAC addresses. Green online and recognised etc. A history option to tell me when machines went online and offline. This way if any new device is added to my network then I know about it even if it does spoof the MAC address later to sniff only.
>
> This came about after it was suspected that people could come in with laptops and copy off files which of course will not trigger any IDS system as it is valid traffic. But if a wireless AP was added to the network then I will detect that too because it will be an unknown MAC address.
>
> I am nearly finished developing this but if anyone knows of a utility that already does this well then please let me know.
>
> Trevor Cushen
> Sysnet Ltd
> www.sysnet.ie
> Tel: +353 1 2983000
> Fax: +353 1 2960499
>
> -----Original Message-----
> From: Michael Ungar [mailto:m_ungar () yahoo com]
> Sent: 07 November 2002 04:27
> To: security-basics () securityfocus com
> Subject: ARP Poisoning
>
> From security books I've read it's not hard to eavesdrop on network communication using tools like dsniff, even in a switched environment.
>
> My understanding is that it is accomplished quite easily by ARP poisoning your victim into thinking your machine's MAC is the router MAC & after interception, re-forwarding the traffic back to the true router MAC.
>
> Assuming the network environment is large (e.g., configuring port switches for specific MAC addresses not practical) & desktop security cannot be guaranteed (and thereby cannot prevent people from allowing machines to IP forward), how can one defend against this other than encrypting data?
>
> Thanks....Mike
-- ---------- Matt Hemingway matt.hemingway () pcnalert com http://www.pcnalert.com 626-585-2788 x136 ----------
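The monitoring idea discussed in this message, as an added example that is not code from any poster in the thread, nor from Arpwatch or Ettercap: it matches ARP sightings against a list of valid MAC addresses (red/green status plus history, as Trevor describes) and also alerts when an IP address, such as the router's, starts answering from a different MAC. The sighting format, addresses and device names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample: (timestamp, ip, mac) sightings, e.g. parsed from periodic ARP sweeps.
SIGHTINGS = [
    ("2002-11-08T09:00", "192.168.1.1",  "00:10:db:aa:00:01"),  # router
    ("2002-11-08T09:00", "192.168.1.20", "00:50:56:aa:00:20"),
    ("2002-11-08T09:05", "192.168.1.77", "00:0c:29:ff:00:77"),  # not in inventory
    ("2002-11-08T09:10", "192.168.1.1",  "00:0c:29:ff:00:77"),  # router IP, different MAC
    ("2002-11-08T09:10", "192.168.1.20", "00:50:56:AA:00:20"),  # same host, other case
]

# Constructed inventory of valid MAC addresses (hypothetical device names).
KNOWN = {
    "00:10:db:aa:00:01": "router",
    "00:50:56:aa:00:20": "desk-20",
    "00:50:56:aa:00:30": "desk-30",
}

def analyse(sightings, known):
    """Return (alerts, status, history) for a batch of ARP sightings."""
    history = defaultdict(list)  # mac -> timestamps at which it was seen
    ip_owner = {}                # ip -> MAC that last answered for it
    alerts = []
    for ts, ip, mac in sorted(sightings):
        mac = mac.lower()        # normalise so case differences do not alarm
        if mac not in known and mac not in history:
            alerts.append((ts, "unknown-mac", ip, mac))
        history[mac].append(ts)
        prev = ip_owner.get(ip)
        if prev is not None and prev != mac:
            # An IP/MAC pairing changed: the symptom ARP poisoning produces,
            # but also what a re-addressed laptop causes (the false alarm above).
            alerts.append((ts, "ip-changed-mac", ip, f"{prev}->{mac}"))
        ip_owner[ip] = mac
    status = {}
    for mac in set(known) | set(history):
        if mac not in known:
            status[mac] = "red"      # online and unrecognised
        elif mac in history:
            status[mac] = "green"    # online and recognised
        else:
            status[mac] = "offline"  # recognised, not seen in this batch
    return alerts, status, dict(history)

if __name__ == "__main__":
    alerts, status, _ = analyse(SIGHTINGS, KNOWN)
    for alert in alerts:
        print(*alert)
    for mac, colour in sorted(status.items()):
        print(mac, colour)
```

An inventory check alone does not catch a device that spoofs a listed MAC address; the pairing-change alert covers the case where that device then answers for another host's IP.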