LAN and wireless users are at risk: readily available tools and know-how can be used to poison the ARP cache by adding the attacker's IP address to it. This address is normally faked, and the poisoning is easily done. What it does is redirect your traffic through a hacker's PC or server, which is normally loaded with exploits such as the ability to see past encryption (SSL, SSH and so on), and that can be very dodgy for internet bankers. It is a bit like DNS hijacking: ARP poisoning has the ability to redirect you to phishing sites, download scripts to you and so on. Hackers using these tactics tend to be on non-Windows computers, but not always.

Here is what you can do about it. First, use an IDS (intrusion detection system); Sax2 is alright, and ESET Smart Security 4 is good but may need configuration. Now go to Start, then Run, type cmd (or Command Prompt) and type arp -a to see the entries. For XP users, arp -d deletes the entries, arp -d * deletes wildcard entries, and arp -an shows the ARP tables. Vista users should right-click cmd and choose Run as Administrator. Anti ARP 6 is good, or arpwatch.

Here is Technology, Virtualization and Cloud Computing in the Web Hosting World's view on this matter:
Occasionally during security audits it may be necessary to check your LAN for
rogue machines. All the potential rogue machine in your LAN needs to do is poison
your ARP cache so that the cache thinks that the attacker is the router or the
destination machine. Then all packets to that machine will go through the rogue
machine, and it will be, from the network's standpoint, between the client and the
server, even though technically it's just sitting next to them. This is actually
fairly simple to do, and is also fairly easy to detect as a result.
In this sample case, the rogue machine was in a different room but still on the
same subnet. Through simple ARP poisoning it convinced the router that it was our
server, and convinced the server that it was the router. It then had an enjoyable
time functioning as both a password sniffer and a router for unsupported
protocols.
By simply pinging all the local machines (nmap -sP 192.168.1.0/24 will do this
quickly) and then checking the ARP table (arp -an) for duplicates, you can detect
ARP poisoning quite quickly.
$ arp -an| awk '{print $4}'| sort | uniq -c | grep -v ' 1 '
5 F8:F0:11:15:34:51
88
Then I simply looked at the IP addresses used by that ethernet address in "arp
-an" output, ignoring those that were blatantly poisoned (such as the router) and
looked up the remaining address in DNS to see which machine it was.
Below is a script I wrote to automate this process (perhaps in a cron job), and
send out an alert email if any ARP poisoning is detected.
#!/bin/sh
# Star Dot Hosting
# detect arp poisoning on LAN
logpath=/var/log   # directory that receives arpwatch.log (assumed; adjust for your host)
rm -f "$logpath/arpwatch.log"
# a hardware address listed more than once means one host answers for several IPs
arp -an | awk '{print $4}' | sort | uniq -c | grep -v ' 1 '
if [ "$?" -eq 0 ]
then
    arp -an | awk '{print $4}' | sort | uniq -c | grep -v ' 1 ' >> "$logpath/arpwatch.log" 2>&1
    mail -s 'Potential ARP Poisoning ALERT!' your@email.com < "$logpath/arpwatch.log"
else
    echo "No potential ARP poisoning instances found..." >> "$logpath/arpwatch.log"
fi
Simple!
n3tm@n
May 1st, 2009 at 12:53
pretty snazzy!