Wednesday, April 16, 2014
ARP Detection and Prevention
Posted on 17-09-08 15:09
Hmm, I am currently looking at network security on big LANs.
One problem that I am facing is ARP poisoning.

With tools like Wireshark, could you filter out the ARP replay packets?
Is a normal user meant to send ARP replay packets? And are ARP replay packets possible to sniff from the network?

Are there some IDS or something that I can use to see if any ARP poisoning is happening on my network?

If I am controlling the gateway to the internet, are there any applications I can use there as well?


RE: ARP Detection and Prevention
Posted on 17-09-08 17:06
I think it was mentioned in the previous thread about ARP poisoning, the best protection against it (other than getting S-ARP hardware) is to use a semi-static ARP table system, where the server has a static table of MACs on the system. This has its drawbacks, but it's the best solution for a wired LAN.


RE: ARP Detection and Prevention
Posted on 17-09-08 17:30
Any examples on scripts or anything already made that I can use?
Anything that's recommended by you?

If not, I will google, so don't ask me to.


RE: ARP Detection and Prevention
Posted on 17-09-08 17:59
Syntaxe wrote:
stuff


Traditional ARP poisoning is different from ARP replay attacks. ARP poisoning would be providing intentionally incorrect information in a user's ARP tables, while ARP replay attacks simply retransmit the same legitimate (usually encrypted) packet in order to generate IVs to break the encryption.

For an ARP replay attack, just use WPA2 with a strong key and key rotation and let the user waste his time. If the replays begin saturating the AP then you can use several mobile devices to triangulate the source of the replays by using signal strengths.

For ARP poisoning there are several things that can be done.. which depend on the setup of the LAN. For an unencrypted/unauthenticated wifi there is not much you can do.. unless you use sARP or something. For encrypted/authenticated wifi you just need to make sure that your setup is secure enough to not let arbitrary machines easily spoof ARP replies (this can pretty much be guaranteed - as far as we know now - with the most up-to-date encryption and strong encryption keys.)

For a wired LAN you have several options. One quick fix being that you make the ARP tables static. Another being that you make a simple script to continuously query the ARP table for the switch/gateway remotely. (Many of them provide some sort of CLI access).. and then you can detect changes to the ARP table and decide what to do when changes occur. Keeping logs of the queries would also - depending on the setup - let you figure out _who_ tried to hack _who_ .. as they could also list which physical port the changes are associated with.

If you have a non-jailed switch or switches which let you write your own software to run on them.. then you have many more options.. (I don't know of any.. non-jailed switches.. I assume they exist)

Wireshark has display filters which let you view certain types of packets.. you could always add your own display filter if need be (I don't know if Wireshark has a mechanism to easily do this that will suit your scenario). It doesn't act as a firewall.

edit: typo

Edited by on 17-09-08 20:15