11-17-2012, 07:45 AM   #11
Site Team
root
Join Date: Mar 2004
Posts: 8,004
Re: How to prevent arpspoof from working

If it's a real concern that there will be people inside your network spoofing MAC addresses, then lock down the ports on your switch to only allow MACs on given assigned ports.

If you're concerned that malicious people will come into your building and plug in a random machine, then deactivate unused switch ports (and lock active ports to individual MACs).

Another method would be to set a really low threshold for MAC flapping, though you'll have hours of head scratching if you forget about that later.

If you aren't on the same network segment then spoofing MACs doesn't really work.

If you don't have a decent managed switch then it's not really possible to prevent.

This is the kind of thing that you can't really investigate at home properly (or at least not with standard "home" type equipment).
__________________
I didn’t fight my way to the top of the food chain to be a vegetarian…
Im sick of people saying 'dont waste paper'. If trees wanted to live, they'd all carry guns.
"The inherent vice of capitalism is the unequal sharing of blessings; The inherent vice of socialism is the equal sharing of miseries."
root is online now   Reply With Quote
11-18-2012, 03:53 AM   #12
In Runtime
Fujitsu_Technician
Join Date: Sep 2012
Location: UK
Posts: 284
Re: How to prevent arpspoof from working

Quote:
Originally Posted by leftybeaver
It's written in Bash. And no, it's not a Trojan. I only use it to better understand things. I'm not asking for help with how to make a script to hurt other people, I'm asking how to make something to block this from hurting other people.

Thanks, yes, sorry, I am only familiar with Microsoft Windows scripting languages and assembly programming language, but I am always here to help you learn Windows stuff, as you show great enthusiasm to learn. Well done to you and your mate for coming up with such a script in another language. Keep at it, but I found most people out there teach Microsoft and that is enough to learn.
Kind Regards
Fujitsu_Technician is offline   Reply With Quote
11-18-2012, 02:17 PM   #13
Solid State Member
leftybeaver
Join Date: Nov 2012
Location: USA
Posts: 8
Re: How to prevent arpspoof from working

Quote:
Originally Posted by celegorm
Let's start with this for a second to end any fears of security issues to our users:

Preventing ARP spoofing is a legitimate network security concern. For most end users it's nothing they need to be concerned about, but network admins who have a public-facing network that might have sensitive information transmitted over it (like emails) need to consider this thread for a proper security risk analysis. At any rate, for any ARP spoofing to occur both the victim and the malicious computer must be connected to the same router, so any little script he's written is perfectly safe to the rest of us.

The simple fact that he's written his own script is proof that he's looking to learn. If the intent was to do damage it's a lot quicker to download free Linux utilities that do ARP spoofing without you having to code anything.

Lefty:
I did something very similar to this in a network security class I took a year or so ago while I was still in college. I don't remember the specifics but I know you could watch for large amounts of a particular network packet. I think it was a DHCP IP announcement packet or something similar that flooded the network with a packet that said "I am the real computer with the MAC address of <whatever> so send that traffic to me instead." Eventually, every computer would receive that packet and the router and other local machines would send to you instead of the victim.

I could have the packet type wrong and I could have the MAC/IP part flipped but that's the general idea on how to detect a spoof. From there it's really up to you how you want to kick off, or otherwise block the malicious computer.

First of all, thank you for understanding I am not a malicious coder.

Second, are you saying that to detect someone spoofing the router I would have to determine if the packet was real or fake?

Quote:
Originally Posted by root
If it's a real concern that there will be people inside your network spoofing MAC addresses, then lock down the ports on your switch to only allow MACs on given assigned ports.

If you're concerned that malicious people will come into your building and plug in a random machine, then deactivate unused switch ports (and lock active ports to individual MACs).

Another method would be to set a really low threshold for MAC flapping, though you'll have hours of head scratching if you forget about that later.

If you aren't on the same network segment then spoofing MACs doesn't really work.

If you don't have a decent managed switch then it's not really possible to prevent.

This is the kind of thing that you can't really investigate at home properly (or at least not with standard "home" type equipment).

How would one manage to only allow a specific MAC address coming in for the router?
leftybeaver is offline   Reply With Quote
11-18-2012, 03:19 PM   #14
Site Team
celegorm
Join Date: Sep 2006
Posts: 10,713
Re: How to prevent arpspoof from working

Quote:
Originally Posted by leftybeaver
Second, are you saying that to detect someone spoofing the router I would have to determine if the packet was real or fake?

Not quite. You only need to detect the flood of the packets coming from one specific computer. According to the OS of the malicious machine, it might think it's a legit packet being sent by the arp-spoofing program so they will be "real" of sorts. It's them flooding the network with these packets that signals that something isn't quite right.
__________________
"as a fanboy i refuse to admit it and will pull countless things out of my butt to disprove it"

Team Thelegorm! Total Kills: 21 (i iz in uor profile, editsing your sigz)
celegorm is offline   Reply With Quote
11-18-2012, 07:57 PM   #15
Baseband Member
threadmark
Join Date: Feb 2012
Location: aus
Posts: 89
Re: How to prevent arpspoof from working

Most new higher-end routers give you the ability to lock an IP address to a MAC address, so when the attacker tries to flood the network with altered translations the router will not be able to change the IP and MAC relationship. This is an old concept which doesn't pose a threat to corporate or government networks because the network will only allow registered workstations. If an unknown MAC is plugged into the network the admin will know its physical location.
threadmark is offline   Reply With Quote
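The two checks discussed in posts #14 and #15, a flood of replies from one sender and an IP that is locked to a known MAC, as an added example that is not part of the original posts. The addresses, thresholds and function names are assumptions, and the ARP replies are constructed sample data.

```python
from collections import defaultdict, deque

# Assumed pinned binding: the gateway's IP and its real MAC (constructed values).
STATIC_BINDINGS = {"192.168.1.1": "aa:aa:aa:aa:aa:01"}

# Constructed sample: (seconds, sender IP, sender MAC) as read from ARP replies.
SAMPLE_REPLIES = [
    (0.0, "192.168.1.1", "aa:aa:aa:aa:aa:01"),   # genuine gateway reply
    (1.0, "192.168.1.20", "bb:bb:bb:bb:bb:20"),  # ordinary host
] + [
    # one host repeating "192.168.1.1 is at cc:..:66" every 2 seconds
    (2.0 + 2 * i, "192.168.1.1", "cc:cc:cc:cc:cc:66") for i in range(6)
]


def binding_violations(replies, bindings):
    """Replies that claim a pinned IP with a MAC other than the pinned one."""
    return [
        (ts, ip, mac)
        for ts, ip, mac in replies
        if ip in bindings and bindings[ip].lower() != mac.lower()
    ]


def flooding_senders(replies, window=10.0, threshold=5):
    """MACs that sent `threshold` or more ARP replies within `window` seconds."""
    recent = defaultdict(deque)   # sender MAC -> timestamps still inside the window
    flagged = set()
    for ts, _ip, mac in sorted(replies):
        q = recent[mac.lower()]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            flagged.add(mac.lower())
    return flagged


def analyze(replies, bindings, window=10.0, threshold=5):
    """Run both checks and return them as one report."""
    return {
        "violations": binding_violations(replies, bindings),
        "flooders": flooding_senders(replies, window, threshold),
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_REPLIES, STATIC_BINDINGS)
    print(len(report["violations"]), "binding violations")
    print("flooding senders:", sorted(report["flooders"]))
```

On a live network the tuples would come from a capture of ARP replies; the checks themselves stay the same.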
11-19-2012, 01:01 PM   #16
Site Team
root
Join Date: Mar 2004
Posts: 8,004
Re: How to prevent arpspoof from working

Quote:
Originally Posted by leftybeaver
How would one manage to only allow a specific MAC address coming in for the router?

I didn't say router, I said switch. (Routers operate at layer 3, not layer 2.)

And to do this you'd hard code an entry into the ARP translation table of the switch and make sure it's set to static and not dynamic.

Depending on your school/equipment provider the ARP translation table may be known as:
MAC cache,
ARP cache,
CAM tables,
MAC tables,
ARP resolution tables,
etc.

Basically they tie the physical hardware (MAC) address to a hardware port.

E.g. traffic destined for "some-MAC" should leave via interface 2.
Your ARP spoofing is trying to make the router believe that hardware address "some-MAC" has actually been re-patched to interface 3.

The table keeps track of what device (hardware addressed at layer 2) is plugged into what interface (layer 1).

If your ARP cache is dynamic, then MAC spoofing is possible; if it's static then how will you update an ARP cache that is set to not be update-able other than by privilege 9 on the switch?

As for detecting a flood of MAC addresses, this is also useful for helping to make sure that some idiot hasn't brought in a hub so that he can plug in a few different machines and his personal laptop into his 1 network port in his office.
root is online now   Reply With Quote
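The difference between a dynamic and a static table entry, together with the MAC-flapping threshold mentioned in post #11, as an added example that is not part of the original posts. `MacTable` and its method names are hypothetical and model no vendor's switch; the frames are constructed and reuse the "some-MAC" on interface 2 and 3 case from the post above.

```python
class MacTable:
    """Toy model of a switch table that maps a MAC address to a port."""

    def __init__(self, flap_limit=3, flap_window=60.0):
        self.entries = {}            # mac -> (port, is_static)
        self.moves = {}              # mac -> timestamps of recent port changes
        self.flap_limit = flap_limit
        self.flap_window = flap_window

    def add_static(self, mac, port):
        """Pin a MAC to a port; learning can no longer rewrite it."""
        self.entries[mac] = (port, True)

    def learn(self, ts, mac, port):
        """Process a frame with source `mac` seen on `port`; return a verdict."""
        current = self.entries.get(mac)
        if current is None:
            self.entries[mac] = (port, False)
            return "learned"
        cur_port, is_static = current
        if cur_port == port:
            return "ok"
        if is_static:
            return "rejected-static"   # pinned entry stays on its port
        # Dynamic entry: the MAC appears to have moved to another port.
        recent = [t for t in self.moves.get(mac, []) if ts - t <= self.flap_window]
        recent.append(ts)
        self.moves[mac] = recent
        self.entries[mac] = (port, False)
        return "flapping" if len(recent) >= self.flap_limit else "moved"


# Constructed frames: the same MAC alternating between interface 2 and interface 3.
FRAMES = [(0, "some-MAC", 2), (1, "some-MAC", 3), (2, "some-MAC", 2), (3, "some-MAC", 3)]


def replay(table, frames):
    return [table.learn(ts, mac, port) for ts, mac, port in frames]


def dynamic_run():
    """Dynamic table: every move is accepted until the flap limit is reached."""
    return replay(MacTable(), FRAMES)


def static_run():
    """Static entry on interface 2: frames arriving on interface 3 are refused."""
    table = MacTable()
    table.add_static("some-MAC", 2)
    return replay(table, FRAMES)
```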

Tags
arpspoof, linux, network
