Velocity Reviews - Computer Hardware Reviews

ARP Spoofing, countermeasures against attack?

 
 
Joe Hanes
12-02-2004
Hi,

I have tested a tool called cain (Cain and Abel). With this tool, I could
launch man in the middle attacks within seconds. I tested it in a lan,
university lan to be specific. With ease, I could link myself between my
victim's computer and the switch. Furthermore, I was able to log every
piece of data that was being sent from my victim's computer. Even https
and ssh connections were readable in plaintext.

Question:
I am surprised that it has become so easy to do such things. Are there
any countermeasures? Since I don't want everyone at the university to
see my passwords.

Cheers

Joe
 
donnie
12-03-2004
On Thu, 02 Dec 2004 13:42:24 +0100, Joe Hanes <(E-Mail Removed)>
wrote:

>Hi,
>
>I have tested a tool called cain (Cain and Abel). With this tool, I could
>launch man in the middle attacks within seconds. I tested it in a lan,
>university lan to be specific. With ease, I could link myself between my
>victim's computer and the switch. Furthermore, I was able to log every
>piece of data that was being sent from my victim's computer. Even https
>and ssh connections were readable in plaintext.
>
>Question:
>I am surprised that it has become so easy to do such things. Are there
>any countermeasures? Since I don't want everyone at the university to
>see my passwords.
>
>Cheers
>
>Joe

#####################
Search google for
packet sniffer detector
donnie
 
nemo outis
12-03-2004
In article <(E-Mail Removed)>, (E-Mail Removed) wrote:
>On Thu, 02 Dec 2004 13:42:24 +0100, Joe Hanes <(E-Mail Removed)>
>wrote:
>
>>Hi,
>>
>>I have tested a tool called cain (Cain and Abel). With this tool, I could
>>launch man in the middle attacks within seconds. I tested it in a lan,
>>university lan to be specific. With ease, I could link myself between my
>>victim's computer and the switch. Furthermore, I was able to log every
>>piece of data that was being sent from my victim's computer. Even https
>>and ssh connections were readable in plaintext.
>>
>>Question:
>>I am surprised that it has become so easy to do such things. Are there
>>any countermeasures? Since I don't want everyone at the university to
>>see my passwords.
>>
>>Cheers
>>
>>Joe

>#####################
>Search google for
>packet sniffer detector
>donnie



Funny you should mention packet sniffers.

You'd think it would be easy to sniff undetected - it's
supposedly purely passive - but it's NOT easy!

There are all kinds of things anti-sniffers can do (right down to
timing on broadcast floods, etc.) to detect that a sniffer is on
the line. Anti-sniffing has gotten quite good.

Yes, some people will just put their card in promiscuous mode
(actually, it's amazing how few cards' drivers support doing this
any more, even if the hardware does!). That may work against
your kid sister as sysadmin but not against anyone more
sophisticated.

And, as the next step, you can depend on turning off ARP, the
protocol/network stack, ports, etc. (but many stacks are badly
implemented and will respond to some things that they
shouldn't.). Trying to solve in software what is really a
hardware problem is fraught with risk - no, there are better ways
to sniff silently.

So, to counter good anti-sniffing, you want a TRULY passive
sniffer, one that listens only and transmits NOTHING. Used to be
easier in the old days, but it's a bit harder now since
everything has gone RJ45 - the heartbeat is multiplexed on the
pins, etc. (The old days just needed a NIC with an AUI connector
instead/additional to the RJ45 one and one AUI transceiver. But
AUI NICs are scarce these days - although I have and use one!)

So here's what you do instead. Go buy (or find in the clearance
bin or a second hand electronics store) two old AUI transceivers
(AUI by RJ45) and connect them back to back on the AUI side
(you'll need a Fx F cable, or if you're lucky like me, you'll
find and use a Fx F mini_D two-sided connector). Put a regular
twisted pair cable on each side of the AUI to AUI device you just
made and that's the overall cable you use to sniff (one end in
your RJ45 NIC, the other in the RJ45 wall plug going to the hub).

Here's the trick: on one of the AUIs cut off the 3 and 10 pins (I
think - I'd have to look at a pinout diagram). Voila, no more
transmit - utterly silent & listen only.

You can go further if you wish (but it's almost never necessary)
in case the sysadmin is a super paranoid who has matched MACs to
hub ports and wonders why there's suddenly an extra port being
used. But I'll leave that for another day.

Use the sniffer software of your choice in conjunction with my
silent hardware sniffing cable.

Regards,

Pete
12-03-2004
On Thu, 02 Dec 2004 13:42:24 +0100, Joe Hanes wrote:

> Furthermore, I was able to log every
> piece of data that was being sent from my victims computer. Even https
> and ssh connections were readable in plaintext.


Sorry for not answering your question, but I'm curious to know how you
were able to view, in plaintext, ssh and https data. Surely the whole
point of these protocols is to prevent passwords and confidential data
from being tapped in the way you've described.

I would have thought that only the encrypted transmissions would be
captured, and as they're encrypted, no useful information could be gleaned
from them.

Whilst I acknowledge that nothing is 100% secure, I thought the
aforementioned protocols were only vulnerable to such things as keyloggers
installed on the host sending out the data.

I apologise if I've misread and misunderstood your post. But my
understanding of these protocols is going to have to be reviewed if what
you say is correct. Damn, more reading.

Regards,

Pete.
 
donnie
12-04-2004
On Fri, 03 Dec 2004 05:02:10 GMT, nemo (E-Mail Removed) (nemo outis)
wrote:

>And, as the next step, you can depend on turning off ARP, the
>protocol/network stack, ports, etc. (but many stacks are badly
>implemented and will respond to some things that they
>shouldn't.). Trying to solve in software what is really a
>hardware problem is fraught with risk - no, there are better ways
>to sniff silently.
>
>So, to counter good anti-sniffing, you want a TRULY passive
>sniffer, one that listens only and transmits NOTHING. Used to be
>easier in the old days, but it's a bit harder now since
>everything has gone RJ45 - the heartbeat is multiplexed on the
>pins, etc. (The old days just needed a NIC with an AUI connector
>instead/additional to the RJ45 one and one AUI transceiver. But
>AUI NICs are scarce these days - although I have and use one!)
>
>So here's what you do instead. Go buy (or find in the clearance
>bin or a second hand electronics store) two old AUI transceivers
>(AUI by RJ45) and connect them back to back on the AUI side
>(you'll need a Fx F cable, or if you're lucky like me, you'll
>find and use a Fx F mini_D two-sided connector). Put a regular
>twisted pair cable on each side of the AUI to AUI device you just
>made and that's the overall cable you use to sniff (one end in
>your RJ45 NIC, the other in the RJ45 wall plug going to the hub).
>
>Here's the trick: on one of the AUIs cut off the 3 and 10 pins (I
>think - I'd have to look at a pinout diagram). Voila, no more
>transmit - utterly silent & listen only.
>
>You can go further if you wish (but it's almost never necessary)
>in case the sysadmin is a super paranoid who has matched MACs to
>hub ports and wonders why there's suddenly an extra port being
>used. But I'll leave that for another day.
>
>Use the sniffer software of your choice in conjunction with my
>silent hardware sniffing cable.

#####################
That was excellent information.
donnie
 
nemo outis
12-04-2004
In article <(E-Mail Removed)>, (E-Mail Removed) wrote:
>On Fri, 03 Dec 2004 05:02:10 GMT, nemo (E-Mail Removed) (nemo outis)

...
>>Use the sniffer software of your choice in conjunction with my
>>silent hardware sniffing cable.

>#####################
>That was excellent information.
>donnie


Thanks.

There was someone mouthing off the other day about how this group
should be closed and available only to white hats, etc.

Aside from the fact that the white hats aren't nearly so white,
nor the blacks hats so black, as he thinks, he misses a key point
that Sun Tzu could have told him 2400 years ago: Learn the other
side's capabilities and methods.

Regards,

cacophony
12-04-2004
Joe Hanes wrote:

> Hi,
>
> I have tested a tool called cain (Cain and Abel). With this tool, I could
> launch man in the middle attacks within seconds. I tested it in a lan,
> university lan to be specific. With ease, I could link myself between my
> victim's computer and the switch. Furthermore, I was able to log every
> piece of data that was being sent from my victim's computer. Even https
> and ssh connections were readable in plaintext.
>
> Question:
> I am surprised that it has become so easy to do such things. Are there
> any countermeasures? Since I don't want everyone at the university to
> see my passwords.
>
> Cheers
>
> Joe


IIRC, ettercap has a plugin for detecting an ARP cache poisoning attack.
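
The kind of check such a detection plugin performs is an ARP watch: learn which MAC answers for each IP, pin the gateway's binding, and alert when a different MAC starts claiming an address already seen, or when one MAC claims several addresses at once (an attacker impersonating both the gateway and a victim). The example below is added here for this thread; it is not ettercap's plugin or code from any poster. It parses raw Ethernet/ARP frames with the standard library, and the frames, addresses and MACs are constructed samples. On a live segment the frames would come from a raw socket or a pcap instead of the `SAMPLE_FRAMES` list.

```python
import struct
from dataclasses import dataclass

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


@dataclass
class ArpPacket:
    opcode: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


def _mac_to_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def _ip_to_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def _fmt_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def _fmt_ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def build_arp_frame(opcode, sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """Build a raw Ethernet+ARP frame; used here only to construct sample traffic."""
    eth = _mac_to_bytes(target_mac) + _mac_to_bytes(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)  # Ethernet/IPv4, 6-byte MAC, 4-byte IP
    arp += _mac_to_bytes(sender_mac) + _ip_to_bytes(sender_ip)
    arp += _mac_to_bytes(target_mac) + _ip_to_bytes(target_ip)
    return eth + arp


def parse_arp(frame: bytes):
    """Return an ArpPacket for an Ethernet/IPv4 ARP frame, or None for anything else."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    return ArpPacket(opcode, _fmt_mac(sha), _fmt_ip(spa), _fmt_mac(tha), _fmt_ip(tpa))


class ArpWatch:
    """Track IP->MAC bindings learned from ARP and record alerts on suspicious changes."""

    def __init__(self, static_bindings=None):
        # Static entries (e.g. the default gateway) are pinned: a conflicting claim is
        # reported but never replaces the pinned MAC.
        self.table = dict(static_bindings or {})
        self.pinned = set(self.table)
        self.ips_by_mac = {}
        self.alerts = []  # tuples of (kind, subject, old, new)

    def observe(self, pkt: ArpPacket):
        ip, mac = pkt.sender_ip, pkt.sender_mac
        if ip == "0.0.0.0":  # ARP probe (RFC 5227) asserts no binding
            return
        known = self.table.get(ip)
        if known is None:
            self.table[ip] = mac
        elif known != mac:
            if ip in self.pinned:
                self.alerts.append(("pinned-conflict", ip, known, mac))
            else:
                self.alerts.append(("binding-changed", ip, known, mac))
                self.table[ip] = mac  # record the new binding and keep watching
        # Heuristic: one MAC asserting several IPs is the signature of a host
        # impersonating both the gateway and a victim (multi-homed hosts also trip it).
        ips = self.ips_by_mac.setdefault(mac, set())
        if ip not in ips:
            ips.add(ip)
            if len(ips) > 1:
                self.alerts.append(("multi-ip-mac", mac, "", ",".join(sorted(ips))))


def analyse(frames, static_bindings=None):
    """Feed a sequence of raw frames through an ArpWatch and return its alerts."""
    watch = ArpWatch(static_bindings)
    for frame in frames:
        pkt = parse_arp(frame)
        if pkt is not None and pkt.opcode in (ARP_REQUEST, ARP_REPLY):
            watch.observe(pkt)
    return watch.alerts


# Constructed sample segment: a gateway, a victim and a third host that poisons both.
GATEWAY_IP, GATEWAY_MAC = "10.0.0.1", "aa:aa:aa:aa:aa:01"
VICTIM_IP, VICTIM_MAC = "10.0.0.7", "bb:bb:bb:bb:bb:07"
ATTACKER_MAC = "cc:cc:cc:cc:cc:99"

SAMPLE_FRAMES = [
    build_arp_frame(ARP_REPLY, GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),   # legitimate
    build_arp_frame(ARP_REPLY, VICTIM_MAC, VICTIM_IP, GATEWAY_MAC, GATEWAY_IP),   # legitimate
    b"\xff" * 12 + b"\x08\x00" + b"\x45" + b"\x00" * 40,                          # IPv4, ignored
    build_arp_frame(ARP_REPLY, ATTACKER_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),  # poisons victim
    build_arp_frame(ARP_REPLY, ATTACKER_MAC, VICTIM_IP, GATEWAY_MAC, GATEWAY_IP), # poisons gateway
]


def demo():
    return analyse(SAMPLE_FRAMES, static_bindings={GATEWAY_IP: GATEWAY_MAC})


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

Running it yields three alerts: a pinned-conflict for the gateway address, a binding-changed for the victim's address, and a multi-ip-mac for the host claiming both. Pinning the gateway is the important design choice: it is the binding a poisoning tool must overwrite to sit in the middle, so it should never be silently relearned.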
 
donnie
12-04-2004
On Sat, 04 Dec 2004 06:44:55 GMT, nemo (E-Mail Removed) (nemo outis)
wrote:

>>That was excellent information.
>>donnie

>
>Thanks.
>
>There was someone mouthing off the other day about how this group
>should be closed and available only to white hats, etc.
>
>Aside from the fact that the white hats aren't nearly so white,
>nor the blacks hats so black, as he thinks, he misses a key point
>that Sun Tzu could have told him 2400 years ago: Learn the other
>side's capabilities and methods.
>
>Regards,

#########################
It's good to see that someone else knows about Sun Tzu and what he
taught about knowing yourself and knowing the enemy. Both are needed
to win.
There was also a guy named Lao Tzu. I'm sure there was no relation.
One of his quotes is "Be as careful at the end as you were at the
beginning."
I was working w/ a carpenter building a deck. There was a glass table
there and I wanted to cut lattice on it but my boss told me that it
might break and to cut it somewhere else. Towards the end of the day,
he said that he was getting tired of the job as it was the eighth day.
I quoted the above quote by Lao Tzu and he asked, "Who is he, some
chinc?" A short time later he threw a piece of wood towards the scrap
pile and it went right through the glass table.
donnie
 
nemo outis
12-05-2004
In article <(E-Mail Removed)>, (E-Mail Removed) wrote:
>On Sat, 04 Dec 2004 06:44:55 GMT, nemo (E-Mail Removed) (nemo outis)
>wrote:
>
>>>That was excellent information.
>>>donnie

>>
>>Thanks.
>>
>>There was someone mouthing off the other day about how this group
>>should be closed and available only to white hats, etc.
>>
>>Aside from the fact that the white hats aren't nearly so white,
>>nor the blacks hats so black, as he thinks, he misses a key point
>>that Sun Tzu could have told him 2400 years ago: Learn the other
>>side's capabilities and methods.
>>
>>Regards,

>#########################
>It's good to see that someone else knows about Sun Tzu and what he
>taught about knowing yourself and knowing the enemy. Both are needed
>to win.
>There was also a guy named Lao Tzu. I'm sure there was no relation.
>One of his quotes is "Be as careful at the end as you were at the
>beginning."
>I was working w/ a carpenter building a deck. There was a glass table
>there and I wanted to cut lattice on it but my boss told me that it
>might break and to cut it somewhere else. Towards the end of the day,
>he said that he was getting tired of the job as it was the eighth day.
>I quoted the above quote by Lao Tzu and he asked, "Who is he, some
>chinc?" A short time later he threw a piece of wood towards the scrap
>pile and it went right through the glass table.
>donnie



Good point.

 
winged
12-09-2004
SSL has had a weak point, first identified in 2002 (if memory serves),
where if one is in the middle of the transaction the negotiated keys can
readily be intercepted and, with the appropriate software, the data
observed in real time; logging the session is no issue. Here is an article
published in that time frame on the vulnerability.

http://www.ems-global.com/view.asp?webpage=3256

Somehow everyone has forgotten this vulnerability because we all made
our SSL 128 bit and that fixed everything. Wrong answer, as you guessed
it, the keys are still negotiated. Any encryption scheme that uses
negotiated keys is vulnerable to man in the middle as well as sniffed
sessions that can be readily decrypted. The only secure key is one
where the key is private at both ends and a suitable encryption scheme
is implemented. There are several public/private key schemes that are
very difficult to intercept and decipher but SSL has its issues.
Hopefully one has the appropriate IDS tools on their network that can
detect an ARP attack. But if I am sniffing your gateway the session
"can" be observed (alternate to ARP attack).

Tools like "Cain" will allow you to view SSL Data. Properly implemented
ssh (where keys are private at both ends and not negotiated) is
impervious. Negotiated keys are vulnerable as the Cain tool intercepts
the negotiated key data as man in the middle (ARP attack). Additionally
there is an ssh vulnerability (multiple vendors) that was in today's CERT
advisory, that might be of interest to some here:

http://www.us-cert.gov/cas/bulletins...3.html#openssh

I highly recommend anyone interested in computer security subscribe to
the CERT technical advisories, it is a wealth of information no matter
what color your hat.

To subscribe to the weekly technical cyber security advisories:
http://www.us-cert.gov/cas/signup.html They are usually very
informative on the various potential compromise exploits. While I have
seen things they miss, they are a very good source of information.

Winged





Pete wrote:
> On Thu, 02 Dec 2004 13:42:24 +0100, Joe Hanes wrote:
>
>
>>Furthermore, I was able to log every
>>piece of data that was being sent from my victims computer. Even https
>>and ssh connections were readable in plaintext.

>
>
> Sorry for not answering your question, but I'm curious to know how you
> were able to view, in plaintext, ssh and https data. Surely the whole
> point of these protocols is to prevent passwords and confidential data
> from being tapped in the way you've described.
>
> I would have thought that only the encrypted transmissions would be
> captured, and as they're encrypted, no useful information could be gleaned
> from them.
>
> Whilst I acknowledge that nothing is 100% secure, I thought the
> aforementioned protocols were only vulnerable to such things as keyloggers
> installed on the host sending out the data.
>
> I apologise if I've misread and misunderstood your post. But my
> understanding of these protocols is going to have to be reviewed if what
> you say is correct. Damn, more reading.
>
> Regards,
>
> Pete.
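
Winged's distinction above is that SSH holds up against a man in the middle only when the client already knows the server's key and refuses a substituted one; the check that enforces this on the client is the comparison of the presented host key against known_hosts. The following is an added example written for this thread, not code from any poster and not OpenSSH's implementation. It parses the known_hosts format (plain and hashed host fields, `@revoked` markers), computes the OpenSSH-style SHA256 fingerprint, and classifies a presented key as ok, mismatch, revoked or unknown. The hostnames, the 20-byte salt and the key blobs are constructed (the key bytes are a fixed pattern, not real keys); wildcard and `[host]:port` patterns and `@cert-authority` entries are deliberately out of scope.

```python
import base64
import hashlib
import hmac
import struct


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def hashed_host_token(hostname: str, salt: bytes) -> str:
    """Produce the '|1|salt|hmac' host field OpenSSH writes when HashKnownHosts is on."""
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return f"|1|{_b64(salt)}|{_b64(mac)}"


def _host_pattern_matches(pattern_field: str, hostname: str) -> bool:
    """Match a comma-separated known_hosts host field (plain or hashed) against a hostname."""
    for pattern in pattern_field.split(","):
        if pattern.startswith("|1|"):
            try:
                _, _, salt_b64, mac_b64 = pattern.split("|")
                salt, expected = base64.b64decode(salt_b64), base64.b64decode(mac_b64)
            except ValueError:
                continue
            actual = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
            if hmac.compare_digest(actual, expected):
                return True
        elif pattern == hostname:  # wildcards and [host]:port forms are not handled here
            return True
    return False


def fingerprint_sha256(key_blob: bytes) -> str:
    """OpenSSH-style fingerprint: unpadded base64 of SHA-256 over the raw key blob."""
    return "SHA256:" + _b64(hashlib.sha256(key_blob).digest()).rstrip("=")


def check_host_key(known_hosts: str, hostname: str, key_type: str, key_blob: bytes) -> str:
    """Classify the key a server presented as 'ok', 'revoked', 'mismatch' or 'unknown'."""
    presented = _b64(key_blob)
    host_seen = False
    for raw in known_hosts.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        marker = None
        if fields[0].startswith("@"):
            marker, fields = fields[0], fields[1:]
        if len(fields) < 3 or not _host_pattern_matches(fields[0], hostname):
            continue
        if marker == "@cert-authority" or fields[1] != key_type:
            continue
        if fields[2] == presented:
            return "revoked" if marker == "@revoked" else "ok"
        if marker is None:
            host_seen = True  # a different key of this type is recorded for this host
    return "mismatch" if host_seen else "unknown"


def _ssh_string(data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + data


# Constructed blobs in the ssh-ed25519 wire layout (type string + 32 key bytes).
# The key bytes are a fixed pattern for the example, not real key material.
LEGIT_KEY = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))
MITM_KEY = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32, 64)))
OLD_KEY = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(64, 96)))
FILES_KEY = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(96, 128)))
SALT = bytes(range(20))  # constructed; OpenSSH draws a random 20-byte salt

KNOWN_HOSTS = "\n".join([
    "# constructed known_hosts for the example",
    f"login.example.edu ssh-ed25519 {_b64(LEGIT_KEY)}",
    f"{hashed_host_token('files.example.edu', SALT)} ssh-ed25519 {_b64(FILES_KEY)}",
    f"@revoked login.example.edu ssh-ed25519 {_b64(OLD_KEY)}",
])


def demo():
    """Outcomes for a genuine server, a key substituted in transit, a revoked key, a hashed entry."""
    return {
        "legit": check_host_key(KNOWN_HOSTS, "login.example.edu", "ssh-ed25519", LEGIT_KEY),
        "substituted": check_host_key(KNOWN_HOSTS, "login.example.edu", "ssh-ed25519", MITM_KEY),
        "revoked": check_host_key(KNOWN_HOSTS, "login.example.edu", "ssh-ed25519", OLD_KEY),
        "hashed_host": check_host_key(KNOWN_HOSTS, "files.example.edu", "ssh-ed25519", FILES_KEY),
        "never_seen": check_host_key(KNOWN_HOSTS, "other.example.edu", "ssh-ed25519", LEGIT_KEY),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
    print("legit fingerprint:", fingerprint_sha256(LEGIT_KEY))
```

The "substituted" case is the one that matters for this thread: a relay sitting between the client and the server cannot present the server's private-key-backed host key, so the key the client sees differs from the recorded one and the verdict is a mismatch, which a client must treat as a hard failure rather than a prompt to continue. The "never_seen" case is where that protection is weakest, since a first connection has nothing to compare against unless the fingerprint is checked out of band.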

 