ARP Poisoning (was Re: [Sussex] Tight File Server)

Andy Smith andy at lug.org.uk
Fri Jul 13 04:29:10 UTC 2007


Hi Nico,

On Fri, Jul 13, 2007 at 04:38:37AM +0100, Nico Kadel-Garcia wrote:
> Andy Smith wrote:
> >Without transport layer encryption (e.g. SSL, SSH, TLS etc.) any
> >machine on the LAN can snoop on any other machine on the LAN.
> >Perhaps that is not an issue if everyone on the LAN is to be able to
> >read everything on the fileserver, but also think about any visitors
> >to the office who may wish to plug in their laptops or join the
> >network via wifi on their phones.
> >  
> ??? In order for "any" machine to snoop on "any" machine, it has to see 
> the packets, by being on a hub, by cleverly reprogramming the 
> upswitches, or by being a man in the middle.

ARP poisoning can make you a man in the middle even on a switched
network; "port security" (a feature on managed switches that allows
you to lock a port to one MAC address) does not help because the
attacker does not lie about their MAC, they lie about their IP.

For example, Alice is on 10.100.1.2, and Bob is on 10.100.1.3, both
on a switched network.  Alice's MAC address is 00:11:22:33:44:55 and
Bob's is 00:11:22:66:77:88.

The switch they're both connected to only sends packets for Alice
down the port where 00:11:22:33:44:55 can be found, and sends
packets for Bob down the port where 00:11:22:66:77:88 can be found,
so normally even if their machines' network interfaces are put in
promiscuous mode they do not see packets for each other.

Bob being evil though, sends out a fake ARP reply that says that
10.100.1.2 can be found at 00:11:22:66:77:88.  For every packet Bob
sees that was directed at 00:11:22:33:44:55 Bob's machine then
retransmits to 00:11:22:33:44:55.  As far as 00:11:22:33:44:55 is
concerned nothing has gone wrong since it is still seeing traffic it
expects to see.  Bob gets to eavesdrop on this traffic for as long
as is desired.

ettercap is an example of a widely-available tool that turns ARP
poisoning into a point and click process.  If you are on an Ethernet
LAN, any host on that LAN can eavesdrop on your packets; this is an
inherent flaw of Ethernet.  It's why it is a good idea to put
different security groups on different routed networks (likely using
VLANs to reduce the number of routers required), e.g. don't put your
wifi access point directly on your LAN, otherwise people on the
street who get onto it can sniff all your LAN as well.

Cheers,
Andy

-- 
http://bitfolk.com/ -- No-nonsense VPS hosting
Encrypted mail welcome - keyid 0x604DE5DB
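A defender-side illustration of the Alice/Bob scenario above, added here and not part of Andy's mail: an arpwatch-style detector that parses Ethernet/ARP reply frames and alerts when an IP address it has already seen bound to one MAC is claimed by a different MAC. The frames, the helper names and the assumption that the first binding seen is the legitimate one are all constructed for this example.

```python
import struct

ETHERTYPE_ARP, ARP_REPLY = 0x0806, 2
def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))
def ip_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))
def arp_reply_frame(sender_mac, sender_ip, target_mac, target_ip):
    # Constructed sample Ethernet/ARP reply frame, used only as detector input.
    ether = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)
           + mac_bytes(sender_mac) + ip_bytes(sender_ip)
           + mac_bytes(target_mac) + ip_bytes(target_ip))
    return ether + arp
def parse_arp(frame):
    # Return (opcode, sender_mac, sender_ip) for an ARP-over-IPv4 frame, else None.
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sender_mac = ":".join(f"{b:02x}" for b in frame[22:28])
    sender_ip = ".".join(str(b) for b in frame[28:32])
    return op, sender_mac, sender_ip
class ArpWatcher:
    # arpwatch-style monitor: the first MAC seen for an IP is assumed legitimate;
    # a later reply claiming that IP from a different MAC raises an alert.
    def __init__(self):
        self.bindings = {}  # ip -> mac
        self.alerts = []    # (ip, known_mac, claimed_mac)
    def observe(self, frame):
        parsed = parse_arp(frame)
        if parsed is None or parsed[0] != ARP_REPLY:
            return None
        _, mac, ip = parsed
        known = self.bindings.setdefault(ip, mac)
        if known == mac:
            return None
        self.alerts.append((ip, known, mac))
        return self.alerts[-1]
def run_scenario():
    # Alice and Bob as in the mail above; Bob's third reply claims Alice's IP.
    alice_mac, alice_ip = "00:11:22:33:44:55", "10.100.1.2"
    bob_mac, bob_ip = "00:11:22:66:77:88", "10.100.1.3"
    watcher = ArpWatcher()
    watcher.observe(arp_reply_frame(alice_mac, alice_ip, bob_mac, bob_ip))   # genuine
    watcher.observe(arp_reply_frame(bob_mac, bob_ip, alice_mac, alice_ip))   # genuine
    watcher.observe(arp_reply_frame(bob_mac, alice_ip, alice_mac, alice_ip)) # poisoned
    return watcher.alerts
```

On a real network the frames would come from a raw socket or pcap rather than the constructed builder, and a legitimate change (a DHCP lease moving to a new machine) trips the same alert, so treat it as an indicator to investigate rather than proof of an attack.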