Pantek Library

Re: ARP Poisoning

From: ATD <simon(at)snosoft.com>
Date: Fri Nov 08 2002 - 16:16:28 EST

Well,

        One easy way to ID this is to monitor for the ARP broadcast, or check for hosts doing this broadcast. For example... when using ettercap (one of those nice arp tools) it does:

Building host list for netmask 255.255.255.0, please wait... Sending 7 ARP request... <--- You can detect this.

Another thing that you can do is to run checks for other systems doing arp poisoning, ettercap offers this feature as well:

[cC] - check for other poisoner...

So, one way to defend against this sniffing is to check for these poisoners every X minutes and notify the admin IF such a thing happens.


[Cerebrum Gateway]
<gawd># ettercap -c -N

ettercap 0.6.7 (c) 2002 ALoR & NaGA

Your IP: xxx.xxx.xxx.xxx with MAC: 00:10:4B:C8:2A:4E on Iface: de0
Building host list for netmask 255.255.255.0, please wait...

Sending 7 ARP request...

  • |==================================================>| 100.00 %

Resolving 5 hostnames...

  • |==================================================>| 100.00 %

Checking for poisoners...

 MAC of xxx.xxx.xxx.xxx and xxx.xxx.xxx.xxx are identical !

you got a poisoner!!! =o)


On Wed, 2002-11-06 at 23:27, Michael Ungar wrote:
> From security books I've read it's not hard to

-- 

-ATD-
http://www.snosoft.com
-------------------------------------------------------------
Secure Network Operations |     Strategic Reconnaissance Team
Cerebrum Project	  |	cerebrum@snosoft.com
-------------------------------------------------------------

Received on Sat Nov 9 13:57:48 2002
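
The two checks described in the message above (one MAC answering for several IPs, and one host sending a burst of ARP requests across the subnet), as an added example that is not part of the original post and is not ettercap's code. It assumes Linux `arp -an` style output; the function names, thresholds and sample data are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of `arp -an` output (Linux net-tools format); documentation addresses.
SAMPLE_ARP_TABLE = """\
? (192.0.2.1) at 00:10:4b:c8:2a:4e [ether] on eth0
? (192.0.2.10) at 00:a0:c9:11:22:33 [ether] on eth0
? (192.0.2.20) at 00:10:4B:C8:2A:4E [ether] on eth0
? (192.0.2.30) at <incomplete> on eth0
"""

# Constructed ARP who-has observations: (seconds, sender MAC, requested IP).
SAMPLE_REQUESTS = [(i * 0.01, "00:10:4b:c8:2a:4e", f"192.0.2.{i}") for i in range(1, 8)] + [
    (0.5, "00:a0:c9:11:22:33", "192.0.2.1"),
    (30.0, "00:a0:c9:11:22:33", "192.0.2.20"),
]

ARP_LINE = re.compile(r"\((\d+\.\d+\.\d+\.\d+)\) at ([0-9A-Fa-f:]{17})\b")

def shared_macs(arp_output):
    """Return {mac: sorted IPs} for every MAC that answers for more than one IP."""
    by_mac = defaultdict(set)
    for line in arp_output.splitlines():
        m = ARP_LINE.search(line)
        if m:  # <incomplete> entries carry no MAC and are skipped
            by_mac[m.group(2).lower()].add(m.group(1))
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}

def arp_sweepers(requests, min_targets=5, window=2.0):
    """Return sender MACs that requested >= min_targets distinct IPs within `window` seconds."""
    by_sender = defaultdict(list)
    for ts, mac, target in sorted(requests):
        by_sender[mac.lower()].append((ts, target))
    flagged = set()
    for mac, events in by_sender.items():
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # slide the window forward
            if len({t for _, t in events[start:end + 1]}) >= min_targets:
                flagged.add(mac)
                break
    return sorted(flagged)

if __name__ == "__main__":
    for mac, ips in shared_macs(SAMPLE_ARP_TABLE).items():
        print(f"ALERT: MAC of {' and '.join(ips)} are identical ({mac})")
    for mac in arp_sweepers(SAMPLE_REQUESTS):
        print(f"NOTICE: {mac} is sweeping the subnet with ARP requests")
```

A shared MAC is not always a poisoner: interface aliases, proxy ARP and first-hop redundancy protocols such as VRRP also produce one, so known cases should be allow-listed before alerting the admin.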

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:03:20 EDT

