
ARP (ADDRESS RESOLUTION PROTOCOL)

The ARP cache can be risky. Here is why:

LAN and wireless users are at risk. Tools and know-how exist to poison the cache
by inserting a faked entry for the hacker's machine. What it does is redirect
your traffic through a hacker's PC or server, which is normally loaded with
exploits such as tools that try to see past encryption (SSL, SSH and so on),
and it can be very dodgy for internet bankers. It is a bit like DNS hijacking:
ARP poisoning can redirect you to phishing sites, push download scripts to you
and so on. Hackers using these tactics tend to be on non-Windows computers, but
not always.

Here is what you can do about it. First, use an IDS (intrusion detection
system): Sax2 is alright, and ESET Smart Security 4 is good but may need
configuration. Then go to Start, then Run, type cmd (Command Prompt) and type
arp -a to see the entries. For XP users, arp -d deletes an entry, arp -d *
deletes all entries (wildcard) and arp -an shows the ARP tables. Vista users
should right-click cmd and choose Run as administrator. Anti ARP 6 is good, or
ARPwatch.

Here is the view of Technology, Virtualization and Cloud Computing in the Web
Hosting World on this matter:



Detect ARP poisoning on LAN
May 1st, 2009

ARP Poisoning : Potential MITM attack

Occasionally during security audits it may be necessary to check your LAN for
rogue machines. All a potential rogue machine in your LAN needs to do is poison
your ARP cache so that the cache thinks that the attacker is the router or the
destination machine. Then all packets to that machine will go through the rogue
machine, and it will be, from the network's standpoint, between the client and the
server, even though technically it's just sitting next to them. This is actually
fairly simple to do, and is also fairly easy to detect as a result.

In this sample case, the rogue machine was in a different room but still on the
same subnet. Through simple ARP poisoning it convinced the router that it was our
server, and convinced the server that it was the router. It then had an enjoyable
time functioning as both a password sniffer and a router for unsupported
protocols.

By simply pinging all the local machines (nmap -sP 192.168.1.0/24 will do this
quickly) and then checking the ARP table (arp -an) for duplicates, you can detect
ARP poisoning quite quickly.

$ arp -an | awk '{print $4}' | sort | uniq -c | grep -v ' 1 '
5 F8:F0:11:15:34:51
88

Then I simply looked at the IP addresses used by that Ethernet address in the
"arp -an" output, ignoring those that were blatantly poisoned (such as the router)
and looked up the remaining addresses in DNS to see which machine it was.
Below is a script I wrote to automate this process (perhaps in a cron job), and
send out an alert email if any ARP poisoning is detected.

ARP Poisoning Check Script

This can ideally run as a cron job (e.g. 30 * * * *).

#!/bin/sh
# Star Dot Hosting
# detect arp poisoning on LAN

# Timestamp for this audit run
currentmonth=`date "+%Y-%m-%d %H:%M:%S"`

logpath="/var/log"
logfile="$logpath/arpwatch.log"
alertto="your@email.com"

# Start a fresh log for every run (-f: do not fail if it does not exist yet)
rm -f "$logfile"

echo "ARP Poisoning Audit: $currentmonth" >> "$logfile"
echo "-----------------------------------------" >> "$logfile"
echo >> "$logfile"

# Count how many IPs map to each hardware address. grep -v drops the
# addresses seen exactly once, so the pipeline exits 0 only when some
# hardware address is cached for more than one IP.
if arp -an | awk '{print $4}' | sort | uniq -c | grep -v ' 1 '
then
    arp -an | awk '{print $4}' | sort | uniq -c | grep -v ' 1 ' >> "$logfile" 2>&1
    mail -s 'Potential ARP Poisoning ALERT!' "$alertto" < "$logfile"
else
    echo "No potential ARP poisoning instances found..." >> "$logfile"
fi

Simple!
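The duplicate-hardware-address check from the post above, together with the Windows arp -a view from the first section, as an added example that is not part of the blog post or of the original note: a Python script (the names parse_arp_table, find_duplicate_macs, gateway_changed and audit are assumptions, not the blog's own) that parses the text of arp -a (Windows) and arp -an (Linux or FreeBSD), skips incomplete entries, reports hardware addresses that answer for more than one IP, and also compares the gateway's cached MAC against a recorded baseline. The sample tables are constructed, not captured from a real network; the duplicated MAC reuses the address shown in the post.

```python
"""Parse `arp -a` / `arp -an` output and flag hardware addresses that answer for
more than one IP, the symptom the blog post's one-liner looks for."""
import re
from collections import defaultdict

# Linux:   ? (192.168.1.1) at f8:f0:11:15:34:51 [ether] on eth0
# FreeBSD: ? (192.168.1.1) at f8:f0:11:15:34:51 on em0 expires in 1190 seconds [ethernet]
# Incomplete Linux entries ("at <incomplete>") carry no MAC and never match.
UNIX_RE = re.compile(
    r"\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)\s+at\s+"
    r"(?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})\b")
# Windows: "  192.168.1.1           f8-f0-11-15-34-51     dynamic"
WIN_RE = re.compile(
    r"^\s*(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<mac>(?:[0-9a-fA-F]{2}-){5}[0-9a-fA-F]{2})\s+\w+", re.M)


def normalize_mac(mac):
    """Lower-case, colon-separated form so Windows and Unix MACs compare equal."""
    return mac.lower().replace("-", ":")


def parse_arp_table(text):
    """Return {ip: mac} from the text of `arp -a` (Windows) or `arp -an` (Unix)."""
    entries = {}
    for rx in (UNIX_RE, WIN_RE):
        for m in rx.finditer(text):
            entries[m.group("ip")] = normalize_mac(m.group("mac"))
    return entries


def find_duplicate_macs(entries, allow=()):
    """Return {mac: [ips]} for MACs bound to more than one IP, skipping MACs in
    `allow` (hosts known to legitimately hold several IPs, e.g. a router with
    virtual IPs or a proxy-ARP host)."""
    by_mac = defaultdict(list)
    for ip, mac in entries.items():
        by_mac[mac].append(ip)
    allowed = {normalize_mac(a) for a in allow}
    return {mac: sorted(ips) for mac, ips in by_mac.items()
            if len(ips) > 1 and mac not in allowed}


def gateway_changed(entries, gateway_ip, baseline_mac):
    """True if the gateway's cached MAC differs from a previously recorded one:
    the router being impersonated is the case the blog post describes."""
    current = entries.get(gateway_ip)
    return current is not None and current != normalize_mac(baseline_mac)


def audit(text, gateway_ip=None, baseline_mac=None, allow=()):
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    entries = parse_arp_table(text)
    findings = [f"{mac} answers for {', '.join(ips)}"
                for mac, ips in find_duplicate_macs(entries, allow).items()]
    if gateway_ip and baseline_mac and gateway_changed(entries, gateway_ip, baseline_mac):
        findings.append(f"gateway {gateway_ip} now at {entries[gateway_ip]}, "
                        f"baseline was {normalize_mac(baseline_mac)}")
    return findings


# Constructed sample output (not captured from a real host).
SAMPLE_UNIX = """\
? (192.168.1.1) at f8:f0:11:15:34:51 [ether] on eth0
? (192.168.1.20) at f8:f0:11:15:34:51 [ether] on eth0
? (192.168.1.30) at 00:1b:21:3c:4d:5e [ether] on eth0
? (192.168.1.40) at 00:0c:29:aa:bb:cc on em0 expires in 1190 seconds [ethernet]
? (192.168.1.77) at <incomplete> on eth0
"""
SAMPLE_WINDOWS = """\
Interface: 192.168.1.10 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           f8-f0-11-15-34-51     dynamic
  192.168.1.20          f8-f0-11-15-34-51     dynamic
  192.168.1.30          00-1b-21-3c-4d-5e     dynamic
  224.0.0.22            01-00-5e-00-00-16     static
"""

if __name__ == "__main__":
    # Baseline gateway MAC is a placeholder; record the real one on a known-clean day.
    for name, text in (("unix", SAMPLE_UNIX), ("windows", SAMPLE_WINDOWS)):
        for line in audit(text, "192.168.1.1", "00:aa:bb:cc:dd:ee"):
            print(f"[{name}] {line}")
```

On a live host, feed audit() the output of the platform's arp command instead of the samples. Expect some legitimate duplicates: a router that holds several IPs, a host doing proxy ARP, or a virtual-IP failover pair will all show one MAC for several addresses, which is what the allow list is for. The gateway baseline check is the stronger signal, since the post's scenario hinges on the router's address being replaced.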

Author: admin Categories: Security

Comments (1)

n3tm@n, May 1st, 2009 at 12:53:

pretty snazzy!
