ARP Spoofing, countermeasures against attack?

Discussion in 'Computer Security' started by Joe Hanes, Dec 2, 2004.

  1. Joe Hanes (Guest)

    Hi,

    I have tested a tool called cain (Cain and Abel). With the tool, I could
    launch man in the middle attacks within seconds. I tested it in a lan,
    university lan to be specific. With ease, I could link myself between my
    victim's computer and the switch. Furthermore, I was able to log every
    piece of data that was being sent from my victim's computer. Even https
    and ssh connections were readable in plaintext.

    Question:
    I am surprised that it has become so easy to do such things. Are there
    any countermeasures? Since I don't want everyone at the university to
    see my passwords.

    Cheers

    Joe
     
    Joe Hanes, Dec 2, 2004
    #1

  2. donnie (Guest)

    On Thu, 02 Dec 2004 13:42:24 +0100, Joe Hanes <>
    wrote:

    >Hi,
    >
    >I have tested a tool called cain (Cain and Abel). With the tool, I could
    >launch man in the middle attacks within seconds. I tested it in a lan,
    >university lan to be specific. With ease, I could link myself between my
    >victim's computer and the switch. Furthermore, I was able to log every
    >piece of data that was being sent from my victim's computer. Even https
    >and ssh connections were readable in plaintext.
    >
    >Question:
    >I am surprised that it has become so easy to do such things. Are there
    >any countermeasures? Since I don't want everyone at the university to
    >see my passwords.
    >
    >Cheers
    >
    >Joe

    #####################
    Search google for
    packet sniffer detector
    donnie
     
    donnie, Dec 3, 2004
    #2

  3. nemo outis (Guest)

    In article <>,
    wrote:
    >On Thu, 02 Dec 2004 13:42:24 +0100, Joe Hanes <>
    >wrote:
    >
    >>Hi,
    >>
    >>I have tested a tool called cain (Cain and Abel). With the tool, I could
    >>launch man in the middle attacks within seconds. I tested it in a lan,
    >>university lan to be specific. With ease, I could link myself between my
    >>victim's computer and the switch. Furthermore, I was able to log every
    >>piece of data that was being sent from my victim's computer. Even https
    >>and ssh connections were readable in plaintext.
    >>
    >>Question:
    >>I am surprised that it has become so easy to do such things. Are there
    >>any countermeasures? Since I don't want everyone at the university to
    >>see my passwords.
    >>
    >>Cheers
    >>
    >>Joe

    >#####################
    >Search google for
    >packet sniffer detector
    >donnie
    Funny you should mention packet sniffers.

    You'd think it would be easy to sniff undetected - it's
    supposedly purely passive - but it's NOT easy!

    There are all kinds of things anti-sniffers can do (right down to
    timing on broadcast floods, etc.) to detect that a sniffer is on
    the line. Anti-sniffing has gotten quite good.

    Yes, some people will just put their card in promiscuous mode
    (actually, it's amazing how few cards' drivers support doing this
    any more, even if the hardware does!). That may work against
    your kid sister as sysadmin but not against anyone more
    sophisticated.

    And, as the next step, you can depend on turning off ARP, the
    protocol/network stack, ports, etc. (but many stacks are badly
    implemented and will respond to some things that they
    shouldn't.). Trying to solve in software what is really a
    hardware problem is fraught with risk - no, there are better ways
    to sniff silently.

    So, to counter good anti-sniffing, you want a TRULY passive
    sniffer, one that listens only and transmits NOTHING. Used to be
    easier in the old days, but it's a bit harder now since
    everything has gone RJ45 - the heartbeat is multiplexed on the
    pins, etc. (The old days just needed a NIC with an AUI connector
    instead of/in addition to the RJ45 one and one AUI transceiver. But
    AUI NICs are scarce these days - although I have and use one!)

    So here's what you do instead. Go buy (or find in the clearance
    bin or a second hand electronics store) two old AUI transceivers
    (AUI by RJ45) and connect them back to back on the AUI side
    (you'll need a Fx F cable, or if you're lucky like me, you'll
    find and use a Fx F mini_D two-sided connector). Put a regular
    twisted pair cable on each side of the AUI to AUI device you just
    made and that's the overall cable you use to sniff (one end in
    your RJ45 NIC, the other in the RJ45 wall plug going to the hub).

    Here's the trick: on one of the AUIs cut off the 3 and 10 pins (I
    think - I'd have to look at a pinout diagram). Voila, no more
    transmit - utterly silent & listen only.

    You can go further if you wish (but it's almost never necessary)
    in case the sysadmin is a super paranoid who has matched MACs to
    hub ports and wonders why there's suddenly an extra port being
    used. But I'll leave that for another day.

    Use the sniffer software of your choice in conjunction with my
    silent hardware sniffing cable.

    Regards,
     
    nemo outis, Dec 3, 2004
    #3
  4. Pete (Guest)

    On Thu, 02 Dec 2004 13:42:24 +0100, Joe Hanes wrote:

    > Furthermore, I was able to log every
    > piece of data that was being sent from my victims computer. Even https
    > and ssh connections were readable in plaintext.


    Sorry for not answering your question, but I'm curious to know how you
    were able to view, in plaintext, ssh and https data. Surely the whole
    point of these protocols is to prevent passwords and confidential data
    from being tapped in the way you've described.

    I would have thought that only the encrypted transmissions would be
    captured, and as they're encrypted, no useful information could be gleaned
    from them.

    Whilst I acknowledge that nothing is 100% secure, I thought the
    aforementioned protocols were only vulnerable to such things as keyloggers
    installed on the host sending out the data.

    I apologise if I've misread and misunderstood your post. But my
    understanding of these protocols is going to have to be reviewed if what
    you say is correct. Damn, more reading. :)

    Regards,

    Pete.
     
    Pete, Dec 3, 2004
    #4
  5. donnie (Guest)

    On Fri, 03 Dec 2004 05:02:10 GMT, nemo (nemo outis)
    wrote:

    >And, as the next step, you can depend on turning off ARP, the
    >protocol/network stack, ports, etc. (but many stacks are badly
    >implemented and will respond to some things that they
    >shouldn't.). Trying to solve in software what is really a
    >hardware problem is fraught with risk - no, there are better ways
    >to sniff silently.
    >
    >So, to counter good anti-sniffing, you want a TRULY passive
    >sniffer, one that listens only and transmits NOTHING. Used to be
    >easier in the old days, but it's a bit harder now since
    >everything has gone RJ45 - the heartbeat is multiplexed on the
    >pins, etc. (The old days just needed a NIC with an AUI connector
    >instead of/in addition to the RJ45 one and one AUI transceiver. But
    >AUI NICs are scarce these days - although I have and use one!)
    >
    >So here's what you do instead. Go buy (or find in the clearance
    >bin or a second hand electronics store) two old AUI transceivers
    >(AUI by RJ45) and connect them back to back on the AUI side
    >(you'll need a Fx F cable, or if you're lucky like me, you'll
    >find and use a Fx F mini_D two-sided connector). Put a regular
    >twisted pair cable on each side of the AUI to AUI device you just
    >made and that's the overall cable you use to sniff (one end in
    >your RJ45 NIC, the other in the RJ45 wall plug going to the hub).
    >
    >Here's the trick: on one of the AUIs cut off the 3 and 10 pins (I
    >think - I'd have to look at a pinout diagram). Voila, no more
    >transmit - utterly silent & listen only.
    >
    >You can go further if you wish (but it's almost never necessary)
    >in case the sysadmin is a super paranoid who has matched MACs to
    >hub ports and wonders why there's suddenly an extra port being
    >used. But I'll leave that for another day.
    >
    >Use the sniffer software of your choice in conjunction with my
    >silent hardware sniffing cable.

    #####################
    That was excellent information.
    donnie
     
    donnie, Dec 4, 2004
    #5
  6. nemo outis (Guest)

    In article <>, wrote:
    >On Fri, 03 Dec 2004 05:02:10 GMT, nemo (nemo outis)

    ...
    >>Use the sniffer software of your choice in conjunction with my
    >>silent hardware sniffing cable.

    >#####################
    >That was excellent information.
    >donnie


    Thanks.

    There was someone mouthing off the other day about how this group
    should be closed and available only to white hats, etc.

    Aside from the fact that the white hats aren't nearly so white,
    nor the black hats so black, as he thinks, he misses a key point
    that Sun Tzu could have told him 2400 years ago: Learn the other
    side's capabilities and methods.

    Regards,
     
    nemo outis, Dec 4, 2004
    #6
  7. cacophony (Guest)

    Joe Hanes wrote:

    > Hi,
    >
    > I have tested a tool called cain (Cain and Abel). With the tool, I could
    > launch man in the middle attacks within seconds. I tested it in a lan,
    > university lan to be specific. With ease, I could link myself between my
    > victim's computer and the switch. Furthermore, I was able to log every
    > piece of data that was being sent from my victim's computer. Even https
    > and ssh connections were readable in plaintext.
    >
    > Question:
    > I am surprised that it has become so easy to do such things. Are there
    > any countermeasures? Since I don't want everyone at the university to
    > see my passwords.
    >
    > Cheers
    >
    > Joe


    IIRC, ettercap has a plugin for detecting an ARP cache poisoning attack.
     
    cacophony, Dec 4, 2004
    #7
  8. donnie (Guest)

    On Sat, 04 Dec 2004 06:44:55 GMT, nemo (nemo outis)
    wrote:

    >>That was excellent information.
    >>donnie

    >
    >Thanks.
    >
    >There was someone mouthing off the other day about how this group
    >should be closed and available only to white hats, etc.
    >
    >Aside from the fact that the white hats aren't nearly so white,
    >nor the black hats so black, as he thinks, he misses a key point
    >that Sun Tzu could have told him 2400 years ago: Learn the other
    >side's capabilities and methods.
    >
    >Regards,

    #########################
    It's good to see that someone else knows about Sun Tzu and what he
    taught about knowing yourself and knowing the enemy. Both are needed
    to win.
    There was also a guy named Lao Tzu. I'm sure there was no relation.
    One of his quotes is "Be as careful at the end as you were at the
    beginning."
    I was working w/ a carpenter building a deck. There was a glass table
    there and I wanted to cut lattice on it but my boss told me that it
    might break and to cut it somewhere else. Towards the end of the day,
    he said that he was getting tired of the job as it was the eighth day.
    I quoted the above quote by Lao Tzu and he asked, "Who is he, some
    chinc?" A short time later he threw a piece of wood towards the scrap
    pile and it went right through the glass table.
    donnie
     
    donnie, Dec 4, 2004
    #8
  9. nemo outis (Guest)

    In article <>, wrote:
    >On Sat, 04 Dec 2004 06:44:55 GMT, nemo (nemo outis)
    >wrote:
    >
    >>>That was excellent information.
    >>>donnie

    >>
    >>Thanks.
    >>
    >>There was someone mouthing off the other day about how this group
    >>should be closed and available only to white hats, etc.
    >>
    >>Aside from the fact that the white hats aren't nearly so white,
    >>nor the black hats so black, as he thinks, he misses a key point
    >>that Sun Tzu could have told him 2400 years ago: Learn the other
    >>side's capabilities and methods.
    >>
    >>Regards,

    >#########################
    >It's good to see that someone else knows about Sun Tzu and what he
    >taught about knowing yourself and knowing the enemy. Both are needed
    >to win.
    >There was also a guy named Lao Tzu. I'm sure there was no relation.
    >One of his quotes is "Be as careful at the end as you were at the
    >beginning."
    >I was working w/ a carpenter building a deck. There was a glass table
    >there and I wanted to cut lattice on it but my boss told me that it
    >might break and to cut it somewhere else. Towards the end of the day,
    >he said that he was getting tired of the job as it was the eighth day.
    >I quoted the above quote by Lao Tzu and he asked, "Who is he, some
    >chinc?" A short time later he threw a piece of wood towards the scrap
    >pile and it went right through the glass table.
    >donnie
    Good point.
     
    nemo outis, Dec 5, 2004
    #9
  10. winged (Guest)

    SSL has had a weak point first identified in 2002 (if memory serves)
    where if one is in the middle of the transaction the negotiated keys can
    readily be intercepted and, with the appropriate software, one can observe the
    data in real time; logging the session is no issue. Here is an article
    published in the time frame on the vulnerability.

    http://www.ems-global.com/view.asp?webpage=3256

    Somehow everyone has forgotten this vulnerability because we all made
    our SSL 128 bit and that fixed everything. Wrong answer, as you guessed
    it, the keys are still negotiated. Any encryption scheme that uses
    negotiated keys is vulnerable to man in the middle as well as sniffed
    sessions that can be readily decrypted. The only secure key is one
    where the key is private at both ends and a suitable encryption scheme
    is implemented. There are several public/private key schemes that are
    very difficult to intercept and decipher but SSL has its issues.
    Hopefully one has the appropriate IDS tools on their network that can
    detect an ARP attack. But if I am sniffing your gateway the session
    "can" be observed (alternate to ARP attack).

    Tools like "Cain" will allow you to view SSL Data. Properly implemented
    ssh (where keys are private at both ends and not negotiated) is
    impervious. Negotiated keys are vulnerable as the Cain tool intercepts
    the negotiated key data as man in the middle (ARP attack). Additionally
    there is an ssh vulnerability (multiple vendors) that was in today's CERT
    advisory, that might be of interest to some here:

    http://www.us-cert.gov/cas/bulletins/SB04-343.html#openssh

    I highly recommend anyone interested in computer security subscribe to
    the CERT technical advisories, it is a wealth of information no matter
    what color your hat.

    To subscribe to the weekly technical cyber security advisories:
    http://www.us-cert.gov/cas/signup.html They are usually very
    informative on the various potential compromise exploits. While I have
    seen things they miss, they are a very good source of information.

    Winged
    Pete wrote:
    > On Thu, 02 Dec 2004 13:42:24 +0100, Joe Hanes wrote:
    >
    >
    >>Furthermore, I was able to log every
    >>piece of data that was being sent from my victims computer. Even https
    >>and ssh connections were readable in plaintext.

    >
    >
    > Sorry for not answering your question, but I'm curious to know how you
    > were able to view, in plaintext, ssh and https data. Surely the whole
    > point of these protocols is to prevent passwords and confidential data
    > from being tapped in the way you've described.
    >
    > I would have thought that only the encrypted transmissions would be
    > captured, and as they're encrypted, no useful information could be gleaned
    > from them.
    >
    > Whilst I acknowledge that nothing is 100% secure, I thought the
    > aforementioned protocols were only vulnerable to such things as keyloggers
    > installed on the host sending out the data.
    >
    > I apologise if I've misread and misunderstood your post. But my
    > understanding of these protocols is going to have to be reviewed if what
    > you say is correct. Damn, more reading. :)
    >
    > Regards,
    >
    > Pete.
     
    winged, Dec 9, 2004
    #10
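cacophony's reply points at ettercap's ARP-poisoning detection plugin, and winged's post assumes an IDS that can flag an ARP attack. The following is an added example, not code from the thread or from ettercap, of the detection logic such a tool relies on: remember which MAC answered for each IP, and alert when a later ARP frame claims that IP from a different MAC. The frames, addresses and the `build_arp_reply` helper are constructed here for illustration.

```python
import struct
ARP_REPLY = 2

def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Construct an Ethernet+ARP reply frame (sample input, not captured traffic)."""
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    ip = lambda a: bytes(int(x) for x in a.split("."))
    eth = mac(target_mac) + mac(sender_mac) + b"\x08\x06"        # dst, src, EtherType ARP
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)      # Ethernet/IPv4, op=reply
    arp += mac(sender_mac) + ip(sender_ip) + mac(target_mac) + ip(target_ip)
    return eth + arp

def parse_arp(frame):
    """Return (opcode, sender_mac, sender_ip, target_ip) for an IPv4 ARP frame, else None."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    hw, proto, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (hw, proto, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sender_mac = frame[22:28].hex(":")
    sender_ip = ".".join(str(b) for b in frame[28:32])
    target_ip = ".".join(str(b) for b in frame[38:42])
    return op, sender_mac, sender_ip, target_ip

class ArpWatch:
    """Remember which MAC has been seen for each IP; alert when a frame flips a binding."""
    def __init__(self, static_bindings=None):
        # Trusted bindings learned out-of-band (e.g. the gateway's real MAC) seed the table.
        self.table = dict(static_bindings or {})

    def observe(self, frame):
        parsed = parse_arp(frame)
        if parsed is None:
            return None
        _, sender_mac, sender_ip, _ = parsed   # requests and replies both carry the sender binding
        known = self.table.get(sender_ip)
        if known is None:
            self.table[sender_ip] = sender_mac  # first sighting: learn it
            return None
        if known != sender_mac:
            # Keep the old binding; a poisoner must not be able to overwrite it silently.
            return f"{sender_ip} moved from {known} to {sender_mac}"
        return None

if __name__ == "__main__":
    watch = ArpWatch({"10.0.0.1": "00:11:22:33:44:01"})  # constructed gateway binding
    genuine = build_arp_reply("00:11:22:33:44:01", "10.0.0.1", "00:11:22:33:44:02", "10.0.0.2")
    poison = build_arp_reply("00:11:22:33:44:99", "10.0.0.1", "00:11:22:33:44:02", "10.0.0.2")
    print(watch.observe(genuine))  # None: matches the trusted binding
    print(watch.observe(poison))   # alert: a different MAC now claims the gateway's IP
```

In a real deployment the frames would come from a raw socket or a pcap feed rather than `build_arp_reply`, and a legitimate NIC swap would also trigger the alert, so the static table needs updating when hardware changes.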
