ARP Poisoning

Protecting your Linux box

Postby securitykid » Mon Dec 15, 2008 2:54 pm

Osama,

At the client end, just a VPN connection to the set-up Linux box (one-time job):

see this for details

http://compnetworking.about.com/od/wind ... onnect.htm

Thanks
SecurityKID-ITdotCOM
Security Every Where! BUT where? :)
securitykid
Naik
 
Posts: 70
Joined: Sat Oct 20, 2007 5:18 am

Postby mudasir » Mon Dec 15, 2008 11:28 pm

AOA,

Dear Friends,

I read a lot about VPN and PPPoE when I was facing this issue. I came to know that even VPN can be affected with this as it is IP based. PPPoE has less chance to get affected, as it is MAC address based.

If you use IPsec or L2TP in VPN then you have less chance of getting affected.

The only drawback that PPPoE has for cable net operators is the dialer. For a normal client creating a PPPoE dialer is a bit difficult; for that I created a simple software in VB that creates a PPPoE dialer for the client, but right now it's only working in XP.

I started this post when I faced some serious issues regarding ARP poisoning. As the issue is client side, I figured out that I cannot set up a server-side solution until I switch to some other authentication method like PPPoE or VPN. Then I created an application in VB that works at the client side and resolves the issue 100%.

Now I have heard that some local ISPs are facing issues regarding DNS injecting and a bogus DHCP. This can also be resolved, as I have recently given a complete solution to a friend of mine in Lahore.
Kind Regards
Mudasir Mirza (RHCE)
(+971)55-1045754
http://www.crystalnetworks.org
http://www.diglinux.com
mudasir
Captain
 
Posts: 565
Joined: Tue Oct 17, 2006 5:23 am
Website: http://www.crystalnetworks.org
Location: Dubai

Postby securitykid » Tue Dec 16, 2008 10:21 am

Buddy,

What technically is your solution?
Can PPPoE eliminate the clear text over the wire? For me it works on MAC trust, hmmmm let me see

By the way, did you test my solution as of now?

Anyway if anyone wants I can implement it as POC

Thanks
SecurityKID-ITdotCOM

Security Every Where! BUT where? :)
securitykid
Naik
 
Posts: 70
Joined: Sat Oct 20, 2007 5:18 am

Postby mudasir » Tue Dec 16, 2008 5:02 pm

AOA,

I implemented VPN (PPTP) some time back on Linux, but I faced the same problem regarding ARP; however, it was much less than normal.

Let me clarify something: the type of ARP attack that was faced by the cable net operators is not a MiM (Man in the Middle) attack.

The attack was very different. The MAC address of the server in the client's ARP cache was changing rapidly from one MAC to another.

Regarding manageable switches, it's a bit expensive for a network that has about 100 to 1000 switches.

I am not saying that VPN is not a good solution; it is one of the solutions for such kinds of attacks, provided that VPN is configured properly to use encryption. For Windows clients MPPE (Microsoft Point-to-Point Encryption) is used.
Kind Regards
Mudasir Mirza (RHCE)
(+971)55-1045754
http://www.crystalnetworks.org
http://www.diglinux.com
mudasir
Captain
 
Posts: 565
Joined: Tue Oct 17, 2006 5:23 am
Website: http://www.crystalnetworks.org
Location: Dubai

Postby securitykid » Wed Dec 17, 2008 10:38 am

I have a question: what is the purpose of this ARP attack?
Do you think it's only to make a fuss?

Buddy,

Please don't think I am trying to test anything here, I am trying to learn something new ;)

Thanks
SecurityKID-ITdotCOM

Security Every Where! BUT where? :)
securitykid
Naik
 
Posts: 70
Joined: Sat Oct 20, 2007 5:18 am

Postby osama » Wed Dec 17, 2008 5:45 pm

An ARP attack is sometimes simply a Denial of Service (DoS) attack.

A buddy can use an ARP attack to accomplish a Man in the Middle attack. If it's the case then he can get the passwords u enter in the browser (under HTTP) or chatting software or any other useful information u send on the network.
osama
Havaldaar
 
Posts: 117
Joined: Fri Aug 22, 2008 9:08 am

Postby securitykid » Wed Dec 17, 2008 6:24 pm

Correct!

Having said that, if you ask me I can even get the password and/or content even over HTTPS, POPS, IMAPS, etc..... ;)

Fingers crossed ;)

Thanks
SecurityKID-ITdotCOM

Security Every Where! BUT where? :)
securitykid
Naik
 
Posts: 70
Joined: Sat Oct 20, 2007 5:18 am

Postby osama » Wed Dec 17, 2008 6:35 pm

Well, if u r working on a network then u must be having an IP and MAC. ARP poisoning and ARP attack will simply disrupt communication in any case unless someone uses layer 2 switches. If using PPPoE or VPN no one can use a Man in the Middle attack and get sensitive information, as the information is encrypted and has a password, but ARP poisoning (in the form of DoS) will continue, so some fluctuation will be there. So simply static entries of MAC addresses at server and client is the solution.
I have not used PPPoE yet so I'm not sure about it, but I think the network will not work if the MAC address becomes encrypted. So the attack will always be there but can be minimized with PPPoE and VPN or some other encryption.
osama
Havaldaar
 
Posts: 117
Joined: Fri Aug 22, 2008 9:08 am

Postby securitykid » Wed Dec 17, 2008 6:38 pm

and that's all what you can get FREE isn't it ;)
SecurityKID-ITdotCOM

Security Every Where! BUT where? :)
securitykid
Naik
 
Posts: 70
Joined: Sat Oct 20, 2007 5:18 am

Postby osama » Wed Dec 17, 2008 6:39 pm

I know any information can be decrypted.

can u teach me :P
osama
Havaldaar
 
Posts: 117
Joined: Fri Aug 22, 2008 9:08 am

Postby securitykid » Wed Dec 17, 2008 7:22 pm

Decrypted, yes, if you have a super computer :D, you can get it actually before it gets encrypted. I don't know much, still a security kid :D

Thanks
SecurityKID-ITdotCOM

Security Every Where! BUT where? :)
securitykid
Naik
 
Posts: 70
Joined: Sat Oct 20, 2007 5:18 am

Postby mudasir » Wed Dec 17, 2008 7:51 pm

You both are correct, with an ARP attack one can get information going over a network, which I used to do about 5 years back :D .

However, as I said earlier, the type of ARP attack faced by some cable net operators was a bit different. It was not someone intending to do a MiM attack; a bogus MAC or many bogus MAC addresses were replacing the server's MAC in the client's ARP cache.

I started this thread to overcome this issue, which I later came to know can be minimized by using PPPoE or VPN. I still use a simple DHCP-based network with no VPN or PPPoE, and still my network is not in any way affected by ARP attack. What I did: I created a simple application in VB (Visual Basic) and installed it on all my clients' PCs.
Kind Regards
Mudasir Mirza (RHCE)
(+971)55-1045754
http://www.crystalnetworks.org
http://www.diglinux.com
mudasir
Captain
 
Posts: 565
Joined: Tue Oct 17, 2006 5:23 am
Website: http://www.crystalnetworks.org
Location: Dubai

Postby x2oxen » Sat Dec 20, 2008 1:47 pm

What does your application do, Mudasir? Does it just do a static ARP entry for the server address, or does it do something else as well?
Muhammad Usman
+92-321-6640501
Chemonics International
http://usmanpk.com
x2oxen
Major General
 
Posts: 1114
Joined: Wed Aug 22, 2007 3:17 pm
Website: http://usmanpk.com
WLM: x2oxen@hotmail.com
Yahoo Messenger: x2oxen
Location: Faisalabad

Postby mudasir » Sat Dec 20, 2008 3:40 pm

AOA,

The application I created performs some steps to make sure the client's ARP cache is proper as per the network. One of the steps is to make a static ARP entry.

The software has some extra features also; however, right now I only have an XP-compatible version of it and am working on a Vista-compatible version.
Kind Regards
Mudasir Mirza (RHCE)
(+971)55-1045754
http://www.crystalnetworks.org
http://www.diglinux.com
mudasir
Captain
 
Posts: 565
Joined: Tue Oct 17, 2006 5:23 am
Website: http://www.crystalnetworks.org
Location: Dubai
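
Added example (not part of any post in this thread, and not mudasir's VB application): a Python sketch of the client-side check discussed above for a Linux box. It reads ARP cache snapshots in `/proc/net/arp` format, flags the server's MAC flapping between addresses, and builds the `ip neigh` command that pins a static entry. The snapshots, the addresses and the known-good MAC in `PINNED` are constructed assumptions.

```python
import re

ATF_PERM = 0x04  # /proc/net/arp flag bit set on permanent (static) entries
MAC_RE = re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$", re.I)
HEADER = "IP address       HW type     Flags       HW address            Mask     Device\n"

# Constructed sample data: three successive snapshots of one client's ARP cache.
# 192.168.1.1 stands in for the server; every address here is made up.
SNAPSHOTS = [
    HEADER + "192.168.1.1      0x1         0x2         00:11:22:33:44:55     *        eth0\n",
    HEADER + "192.168.1.1      0x1         0x2         de:ad:be:ef:00:01     *        eth0\n",
    HEADER + "192.168.1.1      0x1         0x2         de:ad:be:ef:00:02     *        eth0\n"
             "192.168.1.20     0x1         0x0         00:00:00:00:00:00     *        eth0\n",
]
PINNED = {"192.168.1.1": "00:11:22:33:44:55"}  # known-good server MAC (assumed)

def parse_proc_arp(text):
    """Parse /proc/net/arp text into {ip: (mac, flags, device)}."""
    entries = {}
    for line in text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) != 6 or not MAC_RE.match(fields[3]):
            continue
        ip, _hw, flags, mac, _mask, dev = fields
        if int(flags, 16):  # flags 0x0 means an incomplete entry, no MAC learned
            entries[ip] = (mac.lower(), int(flags, 16), dev)
    return entries

def audit(snapshots, pinned):
    """Compare every snapshot with the pinned MACs and report per-IP findings."""
    report = {}
    for ip, good in pinned.items():
        hits = [e[ip] for e in map(parse_proc_arp, snapshots) if ip in e]
        seen = list(dict.fromkeys(mac for mac, _, _ in hits))  # distinct, in order
        dev = hits[-1][2] if hits else None
        report[ip] = {
            "flapping": len(seen) > 1,
            "unexpected": [m for m in seen if m != good.lower()],
            "static": bool(hits) and all(f & ATF_PERM for _, f, _ in hits),
            "pin_cmd": f"ip neigh replace {ip} lladdr {good.lower()} nud permanent dev {dev}" if dev else None,
        }
    return report

if __name__ == "__main__":
    for ip, finding in audit(SNAPSHOTS, PINNED).items():
        print(ip, finding)
```

On a live client, pass the contents of `/proc/net/arp` read at intervals instead of `SNAPSHOTS`; `pin_cmd` must be run as root and does not survive a reboot unless it is added to the network start-up scripts.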

Postby x2oxen » Fri Dec 26, 2008 12:05 pm

Why don't you use some C skills in it and make it compatible with all platforms, including Windows and Linux? Talk to me in PM; it might be possible that I will be able to help you out with that.
Muhammad Usman

+92-321-6640501

Chemonics International

http://usmanpk.com
x2oxen
Major General
 
Posts: 1114
Joined: Wed Aug 22, 2007 3:17 pm
Website: http://usmanpk.com
WLM: x2oxen@hotmail.com
Yahoo Messenger: x2oxen
Location: Faisalabad

