ARP Poisoning

Protecting your Linux box
arman.anwar
Cadet
Posts: 8
Joined: Thu Jun 28, 2007 4:06 pm
Location: Karachi

ARP Poisoning

Post by arman.anwar »

Hey securitykid, why are you hiding your solution? Please bring it here, it will help mankind.
nasacis
Battalion Havaldaar Major
Posts: 269
Joined: Sat Dec 13, 2003 3:58 pm
Location: Faisalabad
Contact:

Post by nasacis »

It's called MAC spoofing, and you can solve this problem by implementing Layer 2 switches. If you can't afford that, then you have to implement a PPPoE server on your network and it will resolve your issue.

I also searched on this issue but I did not see any solution on the net, and I am still searching for the solution to this problem.
I will let you know when I get it fixed!!!! INSHALLAH

regards
Nafees Ahmed
Cell: +92.300.8653568
UAN: 041-111432432
Nexlinx Faisalabad
www.nexlinx.net.pk
nafees29@gmail.com
lambda
Major General
Posts: 3452
Joined: Tue May 27, 2003 7:04 pm
Location: Lahore
Contact:

Post by lambda »

i think you mean layer 3 switches.
Watch out for the Manners Taliban!
Isn't it amazing how so many people can type "linuxpakistan.net" into their browsers but not "google.com"?
nasacis
Battalion Havaldaar Major
Posts: 269
Joined: Sat Dec 13, 2003 3:58 pm
Location: Faisalabad
Contact:

Post by nasacis »

Not Layer 3 switches.
I am talking about manageable Layer 2 switches (Catalyst 2900 series).
Nafees Ahmed
Cell: +92.300.8653568
UAN: 041-111432432
Nexlinx Faisalabad
www.nexlinx.net.pk
nafees29@gmail.com
arman.anwar
Cadet
Posts: 8
Joined: Thu Jun 28, 2007 4:06 pm
Location: Karachi

Post by arman.anwar »

The solution I used for this problem is that I use static ARPs and use the arping command to bring ARP traffic down to zero. So there is no poisoning in my network. Without arping, static ARP is somewhat useless.
mudasir
Captain
Posts: 565
Joined: Tue Oct 17, 2006 5:23 am
Location: Dubai
Contact:

Post by mudasir »

AOA,

I started this post because I was facing a lot of trouble because of this ARP issue, and I solved my problem a long time ago by creating custom software for myself.

The performance of this software is like 100%, and it has been tested by many others.

If anyone wants, I can provide you this software for a COST...

It's easy...
Kind Regards
Mudasir Mirza (RHCE)
(+971)55-1045754
http://www.crystalnetworks.org
http://www.diglinux.com
kbukhari
Major General
Posts: 1222
Joined: Sat Dec 31, 2005 12:29 am
Location: Lahore
Contact:

Post by kbukhari »

mudasir wrote: AOA,
If anyone wants, I can provide you this software for a COST...
If I want this software, then how much do I need to pay you? ;)
--
Syed Kashif Ali Bukhari
+92-345-8444420
http://sysadminsline.com
http://kashifbukhari.com
mudasir
Captain
Posts: 565
Joined: Tue Oct 17, 2006 5:23 am
Location: Dubai
Contact:

Post by mudasir »

AOA,

Kashif bhai, why are you embarrassing me... :oops:

You are among my teachers.
Kind Regards
Mudasir Mirza (RHCE)
(+971)55-1045754
http://www.crystalnetworks.org
http://www.diglinux.com
LinuxFreaK
Site Admin
Posts: 5132
Joined: Fri May 02, 2003 10:24 am
Location: Karachi
Contact:

Re:

Post by LinuxFreaK »

Dear PLUCian's,
Salam,

I think you guys need to read this document.

FYI, http://www.watchguard.com/infocenter/ed ... 135324.asp

Best Regards.
Farrukh Ahmed
arman.anwar
Cadet
Posts: 8
Joined: Thu Jun 28, 2007 4:06 pm
Location: Karachi

Post by arman.anwar »

Actually this problem is inherent in this protocol. There can be workarounds, but the actual problem is there unless we install some Layer 2 switches as mentioned before. Otherwise only LAN card drivers can permanently remove this problem, but then these would have to be updated on every client PC as well, and of course for all types/companies. I used static ARP scripts and the following in crontab.

* * * * * /sbin/arping -q -c 60 -A -I eth0 192.168.1.1

This command broadcasts a packet on the network each second announcing the Linux box NIC's MAC and updates every client's ARP cache. By doing this, the clients' caches have at least the correct server MAC, so they communicate with the server uninterrupted. The server already has static entries for the clients' MACs.

Initially I tried to find infected PCs/hackers in the LAN and used different tools, but then gave up. If there is software other than LAN card drivers, then that software must work like the arping command does.
compucated
Naik
Posts: 75
Joined: Mon Oct 13, 2003 5:06 am
Location: Karachi, Pakistan
Contact:

Post by compucated »

Well, I am extremely sorry to sound critical, but anyone looking for / claiming to find or develop a single-sided solution to prevent ARP poisoning has either not read thoroughly about how Address Resolution Protocol / ARP poisoning works or has not understood it for some reason.


On an Ethernet / IP network, when Host-A wants to send a packet to Host-B it needs to know the Host-B MAC address (MAC-B) in order to communicate. Host-A will ask for MAC-B with an ARP request packet sent as a broadcast (FFFFFFFFFFFF). Only the machine with the specified IP address (Host-B) will answer this request, with an ARP Reply packet sent back as a unicast directly to the Host-A MAC address (MAC-A). At this point Host-A will send IP packets with destination IP-B using MAC-B as the destination address in the Ethernet frame. ARP Request and Reply packets are sent only if the host doesn't know the MAC address of the target machine; once learned, the ARP cache will be used.

Example: (Host-A wants to talk to Host-B)
1) Host-A->Check the ARP cache if IP-B/MAC-B mapping exist
2) Host-A->ARP Request - What is the MAC address associated with IP-B?
3) Host-B->ARP Reply - My MAC address is MAC-B and my IP address is IP-B
4) Host-A->Update the ARP Cache and sends packets to IP-B using MAC-B

I just want to explain how ARP poisoning works, but not in detail, as there is enough information available online.

I am using nemesis [http://nemesis.sourceforge.net/] here

Attacker: 10.0.0.100 FFFFFFFFFF03
Victim: 10.0.0.10 FFFFFFFFFF02
Gateway: 10.0.0.1 FFFFFFFFFF01

CASE 1: The attacker wants to keep the victims (clients) from gaining gateway access.
The attacker sends a crafted packet to the victims with the wrong hardware address for the gateway.

nemesis arp -S 10.0.0.1 -D 10.0.0.1 -H FFFFFFFFFF03 -h FFFFFFFFFF03

This will broadcast an ARP "who-has" packet on the network, and every machine will happily update its ARP table with your new entry for the IP 10.0.0.1 and the MAC address FFFFFFFFFF03.
(What can a gateway-side mechanism do about this, where two machines talk to each other directly, unless some solution exists at the victim's machine, or in managed-switch terms? The very simple solution is "static ARP": drop the request, I already know who 10.0.0.1 is, thank you!)

CASE 2: The attacker wants to cut off communication to the victim (client)
nemesis arp -S 10.0.0.10 -D 10.0.0.10 -H FFFFFFFFFF02 -h FFFFFFFFFF02
(Again! Surely you know what happens with it now! Unless the machines that received that packet have some prevention, their ARP cache tables will get poisoned.)

ARP is a stateless protocol; it is not designed to allow for any ID validation on the transaction.
In ARP, a reply may be processed even though the corresponding request was never received.
When a host receives a reply, it updates the corresponding entry in the cache with the <IP, MAC> pair in the reply.

The significance of this post is that ARP has no concern with the gateway; similarly, no single piece of hardware is controlling it by default (I am talking just about unmanaged switches), so a single-sided solution is not possible.

Also please note that static entries at the client side (for the gateway) and at the gateway (for the clients) only somewhat secure gateway <---> client data transfer, but not the path between client(s) <---> client(s).

Finally, I wish I could find some free time to write more in depth on this, covering more information about analysis techniques and prevention steps.

Anyway, those who have not been able to understand this stuff thoroughly for any reason should follow the steps of static ARP entries at both ends.
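The check that the two posts above imply (arman.anwar's pinned entries, compucated's "a reply that contradicts what I already know is the poison") can be automated from the defender's side. The script below is an added example and is not code from any post in this thread: it compares a stream of observed ARP replies against a pinned table and against the bindings seen so far, in the manner of arpwatch. The addresses are the constructed ones from compucated's post (10.0.0.x, ff:ff:ff:ff:ff:0x); the "ip mac" input format, the function names and the tcpdump-style source of the observations are assumptions for this example.

```shell
#!/bin/sh
# Added example, not code from any post in this thread. Flags ARP replies that rebind
# an IP to a different MAC than the pinned (static) table or the previously seen binding.
# Addresses are the constructed ones from compucated's post; the "ip mac" input format,
# function names and the sniffer that would feed OBSERVED in real use are assumptions.

# Pinned table, one "ip mac" per line: what the static-ARP approach installs on each host.
STATIC_TABLE='10.0.0.1 ff:ff:ff:ff:ff:01'

# Constructed observation log, one line per ARP reply seen on the wire (in practice a
# sniffer such as tcpdump would be the source). Line 3 is the post's CASE 1, the attacker
# MAC claiming the gateway IP; line 5 is an unpinned client address moving to that MAC.
OBSERVED='10.0.0.1 ff:ff:ff:ff:ff:01
10.0.0.10 ff:ff:ff:ff:ff:02
10.0.0.1 ff:ff:ff:ff:ff:03
10.0.0.10 ff:ff:ff:ff:ff:02
10.0.0.10 ff:ff:ff:ff:ff:03'

# pin_entry IP MAC DEV: install one permanent neighbour entry with iproute2. Needs root,
# so it is defined for reference only and not called here ("ip neigh del" undoes it).
pin_entry() { ip neigh replace "$1" lladdr "$2" dev "$3" nud permanent; }

# check_arp_stream STATIC OBSERVED
# Prints one alert per offending observation and returns 1 if any alert was raised:
#   STATIC-MISMATCH ip pinned-mac seen-mac   (reply contradicts a pinned entry)
#   FLIP ip old-mac new-mac                  (unpinned ip changed MAC mid-stream)
check_arp_stream() {
  printf '%s\n' "$1" | awk -v obs="$2" '
    { static[$1] = $2 }                      # stdin carries the pinned table
    END {
      n = split(obs, line, "\n")
      alerts = 0
      for (i = 1; i <= n; i++) {
        split(line[i], f, " ")
        ip = f[1]; mac = f[2]
        if (ip in static) {
          if (static[ip] != mac) { print "STATIC-MISMATCH " ip " " static[ip] " " mac; alerts++ }
        } else if ((ip in seen) && seen[ip] != mac) {
          print "FLIP " ip " " seen[ip] " " mac; alerts++
        }
        seen[ip] = mac                       # remember the latest binding per IP
      }
      exit (alerts > 0)
    }'
}

# Run against the constructed log; a non-zero status is what a cron job would alert on.
check_arp_stream "$STATIC_TABLE" "$OBSERVED" || echo "poisoning indicators found"
```

On the constructed log this prints a STATIC-MISMATCH for the gateway (10.0.0.1 claimed by ff:ff:ff:ff:ff:03) and a FLIP for the client 10.0.0.10. Note what the check cannot do, which is compucated's point: a host that only pins the gateway still accepts the first binding it sees for every other host, so the FLIP rule only catches a change after the fact, and client-to-client traffic is protected only if the clients themselves are pinned.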
securitykid
Naik
Posts: 70
Joined: Sat Oct 20, 2007 5:18 am

Post by securitykid »

Here you go guys, sorry for being lazy and not even following the thread and updating it.

I will try to explain the solution here that I have tested (couldn't document it); I will try to make a document (if I get time) and post it here.

First of all, I'd like to ask: can I attach any file here?

I read all the posts; everyone is pointing in the right direction BUT missing 1 thing, which is THAT there are always 2 sides to fixes:

1) Cure
2) Prevention - (Vaccine)

;) all my terms, don't get confused

So thanks to this post everyone now understands ARP Poison or MAC flood, which leads to Man in the Middle;

everyone knows the Cure, but let me just rewrite it:

Manageable Switch: (CURE)

Port Security:

Restrict the switch port to allow only one MAC address on 1 Ethernet port; if anyone tries to spoof more than 1 MAC, the port will be Closed (shut)

Port Protected: (Why this? Because I have seen some exploits and/or trojans which actually do DNS poisoning and then use HTTP injection to infect hosts (computers) and then launch other attacks etc.)

Port Protected prevents computers from communicating with each other (may not be suitable for a network where there is heavy use of file and print sharing).

There are a couple more solutions, but I don't think my friends need them actually :)


Network Admission Control: (Just type this in Google to know more about it ;) saving my typing)

Few more solutions (I know I know you are not interested in expensive solutions ;) )

So let's talk about Prevention:

Ask yourself questions: what are the problems with such an attack?

End-user:

1) MY PRIVACY GOT VIOLATED (BIGGEST CONCERN, and yes the provider needs to think about it)
2) I AM GETTING INFECTED (C'mon, buy a good Antivirus with Firewall capability - pay some money, how long will you survive only with cracks - why will the service provider be asked questions?)
3) I may get hacked (buy an original copy of the software, it will limit the chances)


Service Provider:

1) My clients' privacy is being violated, losing customers (BIGGEST CONCERN)
2) Network outage / slow (MEDIUM concern if you are only giving internet services)
3) My systems may get hacked (play a little smart and you will not get hacked; ask me if you don't know how)
4) My privacy / access details can get exploited (BIGGEST CONCERN)


If you noticed, your problem is "CLEAR TEXT OVER WIRE"; for both end-user and/or provider, if somehow we can make this clear text not clear (encrypted), we can prevent it.

So here is the workaround (the Solution Provider's solution); for end-user solutions I will open another forum case. (Remember, it's a possible solution; smarties like you guys may still find a way to do man in the middle ;)


Set up a Linux box with (IPTables, PoPToP (PPTP) and/or Openswan (L2TP)); here is how it will work

More about PopTOP : http://www.poptop.org/
More about OpenSwan: http://www.openswan.org/


Configure a Linux box with 2 NIC cards & an additional virtual interface, and put it in between your internet gateway and the end-users



Example:

NIC 1 : eth0 vir: eth0:0 NIC 2: eth1
Users <======192.168.1.0/24======> -><- [<===== 192.168.1.1/24 : 10.10.10.1/24 [Linux VPN Box] 10.1.1.2/24====> X [<====10.1.1.1/24 [Internet Gateway] <=====> Internet]

Things to remember:

The Linux box should act as a router (enable IP forwarding)
Configure PPTP to assign IP addresses to authenticated clients from an IP pool in the same subnet as the virtual interface
Use IPTables to allow only PPTP-assigned IP addresses to pass through
The Linux box & the Internet gateway should connect using a crossover cable


This way you will have end-to-end encryption & the ARP spoofer will not get what he is looking for over the wire, "Clear Text". The same can be achieved using L2TP: the end-user needs to dial & is required to make a VPN connection with the VPN Concentrator ;) in order to get internet access. This gives 1-way authentication (benefit for you: you can see how many users are actually connected to the internet ;), and how many of them have actually shared their passwords ;) meaning you can catch freebies) + you will have end-to-end encryption. For a cable provider, yes, users can still play network games, share files etc.; this will not affect that at all, so technically they will have 2 IPs after they connect to the VPN, 1 IP for local service, the other for internet access.

Request:

Because it's a sophisticated setup, I would urge the Linux gurus here to help people with their questions regarding setting up Linux & the software


By the way, here is software which actually works OK for identification, not a fix for a service provider, but I don't trust these people because [not reputed, Chinese, they ask for a CC which I don't trust] http://www.antiarp.com/English/e_index.htm

As I said, I have a number of solutions for end-user protection against such attacks; I have done successful POCs at Hackers Halted and Hackacon (Singapore, Malaysia, Philippines, Middle-East) that I will be documenting in a new thread


Let me know if you have problems understanding any part of this long post; I would try to document it step by step, but no promises, as I am really busy nowadays with my hands full of projects.
You got the idea, eliminate the clear text (Encryption), & I know you guys are way smarter than me.
Advance apologies for any typos or mistakes
Thanks
SecurityKID-ITdotCOM
Security Every Where! BUT where? :)
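The post's "Things to remember" list describes the VPN box's forwarding policy in words only. The script below is an added example, not securitykid's own configuration: it writes that policy out as iptables commands in a reviewable dry-run form and applies them only when explicitly asked. Interface roles (eth0 facing the users, eth1 facing the Internet gateway) and the 10.10.10.0/24 PPTP pool follow the post's diagram; the function names, the choice of ppp+ as the tunnel interface name, and the use of MASQUERADE on the gateway side are assumptions for this example.

```shell
#!/bin/sh
# Added example, not configuration from the post. Forwarding policy for the "Linux VPN box":
# only traffic that arrives through a PPTP tunnel *and* carries a pool address is routed,
# so a LAN host that is not dialled in gets no direct path to the gateway, and an ARP
# spoofer on the user segment only ever sees PPTP control and GRE carrier frames.
# Interface roles and the pool come from the post's diagram; names below are assumptions.

LAN_IF=eth0               # user-facing NIC (192.168.1.1/24 in the post)
WAN_IF=eth1               # NIC towards the Internet gateway (10.1.1.2/24)
VPN_POOL=10.10.10.0/24    # addresses PPTP hands to authenticated clients (eth0:0 subnet)

# vpn_fw_rules: print the policy one command per line (dry run; nothing is applied).
vpn_fw_rules() {
  cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -P FORWARD DROP
iptables -F FORWARD
iptables -t nat -F POSTROUTING
# PPTP control channel (tcp/1723) and GRE carrier from the user side to the box itself
iptables -A INPUT -i $LAN_IF -p tcp --dport 1723 -j ACCEPT
iptables -A INPUT -i $LAN_IF -p gre -j ACCEPT
# forward only tunnel traffic that carries a pool source address towards the gateway
iptables -A FORWARD -i ppp+ -s $VPN_POOL -o $WAN_IF -j ACCEPT
iptables -A FORWARD -i $WAN_IF -o ppp+ -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# packets arriving on the raw LAN interface are never forwarded (not dialled in = no access)
iptables -A FORWARD -i $LAN_IF -j DROP
# hide the pool behind the box's gateway-side address
iptables -t nat -A POSTROUTING -s $VPN_POOL -o $WAN_IF -j MASQUERADE
EOF
}

# vpn_fw_apply: execute the generated policy (requires root); sh skips the comment lines.
vpn_fw_apply() { vpn_fw_rules | sh -e; }

# rule_count: number of executable lines in the policy, for a quick sanity check.
rule_count() { vpn_fw_rules | grep -c '^[^#]'; }

# Default action is the dry run; call vpn_fw_apply as root to install the rules.
vpn_fw_rules
```

Two points worth checking when adapting this: the ESTABLISHED,RELATED rule is what lets return traffic reach the tunnels without opening the FORWARD chain to the LAN, and because the pool addresses live behind MASQUERADE the Internet gateway only ever sees the box's 10.1.1.2 address, which is the "2 IPs per client" the post describes.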
securitykid
Naik
Posts: 70
Joined: Sat Oct 20, 2007 5:18 am

Post by securitykid »

Guys! I need your feedback on it
SecurityKID-ITdotCOM
Security Every Where! BUT where? :)
osama
Havaldaar
Posts: 117
Joined: Fri Aug 22, 2008 9:08 am

Post by osama »

Can someone explain the data flow for this setup and/or give a step-by-step guide for it? What will be required at the client end for this setup?