IDS mailing list archives
Re: Session Hijacking
From: Dragos Ruiu <dr () kyx net>
Date: Wed, 9 Mar 2005 20:42:36 -0800
On March 8, 2005 05:23 am, Angel L Rivera wrote:
Hate to plead ignorance, but can you elaborate a little? I'm not familiar with this control and how to set it up; can you give an example? If you think it is out of scope for this discussion list, just reply to me. Thanks.

-----Original Message-----
From: Dragos Ruiu [mailto:dr () kyx net]
Sent: Tuesday, March 08, 2005 2:53 AM
To: Angel L Rivera; 'Mike Frantzen'; 'Terry Ray'
Cc: focus-ids () lists securityfocus com
Subject: Re: Session Hijacking

P.S. Static permanent ARP entries for at least some "important" servers and gateways in your network is something I counsel all to seriously consider. This intermediate step is not that much work given the many security benefits it brings.
The example (and the MS caveat) was in the previous message. On March 7, 2005 11:04 pm, Dragos Ruiu wrote:

You can even extend this to host workstations, whereby IP->MAC address assignments are preassigned, e.g.:

    /usr/sbin/arp -s 1.2.3.4 00:01:02:03:04:05 permanent

Older MS OSes used to let permanent entries be overwritten by gratuitous ARPs, but I think this has been fixed in more recent releases.

You may have to delete the existing ARP table entry before adding the permanent one, using:

    /usr/sbin/arp -d 1.2.3.4

This is the OpenBSD/NetBSD semantics... For Linux, FreeBSD and OS X you set up permanent entries by NOT including the keyword "temp", instead of using the "permanent" keyword. Look at the man page for the arp command and that will get you pointed in the right direction.

Adding these addresses for important boxes, hardwired into local startup scripts, will remove some possibility for "games."

For Win32 just use:

    arp -s 1.2.3.4 00:01:02:03:04:05

(I don't think Win32 lets you set up temp entries, afaik.)

--
World Security Pros. Cutting Edge Training, Tools, and Techniques
Vancouver, Canada May 4-6 2005 http://cansecwest.com
pgpkey http://dragos.com/ kyxpgp
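As an added example (not part of the thread, and not Dragos's own script), the POSIX shell below turns a list of pinned hosts into the per-OS arp commands described above without running them, and audits a captured Linux /proc/net/arp snapshot against that list: every pinned IP must be present, carry the expected MAC, and have the ATF_PERM (0x4) flag set so ARP replies cannot overwrite it. The host list, MACs and the snapshot are constructed sample data.

```shell
#!/bin/sh
# Added example, not from the thread. Pinned hosts and the ARP snapshot
# below are constructed sample data (fake IPs and MACs).
PINNED='10.0.0.1 00:11:22:33:44:55
10.0.0.2 00:11:22:33:44:66'

# Constructed Linux /proc/net/arp snapshot. Flags: 0x2 = ATF_COM (complete,
# dynamic), 0x6 = ATF_COM|ATF_PERM (a static entry added with "arp -s").
SNAPSHOT='IP address       HW type     Flags       HW address            Mask     Device
10.0.0.1         0x1         0x6         00:11:22:33:44:55     *        eth0
10.0.0.2         0x1         0x2         00:11:22:33:44:66     *        eth0
10.0.0.3         0x1         0x2         00:11:22:33:44:77     *        eth0'

# Print (do not run) the commands that pin every host in PINNED, in the
# syntax of the given OS family: delete any existing entry first, then add
# the static one. Suitable for pasting into a local startup script.
pin_cmds() {
  os=$1
  printf '%s\n' "$PINNED" | while read -r ip mac; do
    [ -n "$ip" ] || continue
    case $os in
      openbsd) printf '/usr/sbin/arp -d %s\n/usr/sbin/arp -s %s %s permanent\n' "$ip" "$ip" "$mac" ;;
      linux)   printf 'arp -d %s\narp -s %s %s\n' "$ip" "$ip" "$mac" ;;   # no "temp" => permanent
      win32)   printf 'arp -s %s %s\n' "$ip" "$mac" ;;
      *)       echo "unknown os: $os" >&2; return 1 ;;
    esac
  done
}

# Audit a /proc/net/arp-style snapshot against PINNED. Prints one line per
# finding: MISSING, MAC_MISMATCH (cache holds a different MAC than the pin)
# or NOT_PERMANENT (entry present but still overwritable by ARP replies).
# No output means every pinned host is cached exactly as expected.
check_snapshot() {
  snapshot=$1
  printf '%s\n' "$PINNED" | while read -r ip want; do
    [ -n "$ip" ] || continue
    line=$(printf '%s\n' "$snapshot" | awk -v ip="$ip" '$1 == ip')
    if [ -z "$line" ]; then echo "MISSING $ip"; continue; fi
    set -- $line              # $3 = flags, $4 = HW address
    [ "$4" = "$want" ] || echo "MAC_MISMATCH $ip expected $want got $4"
    [ $(( $3 & 4 )) -ne 0 ] || echo "NOT_PERMANENT $ip flags $3"
  done
}

pin_cmds openbsd            # stand-alone run: show commands, then audit
check_snapshot "$SNAPSHOT"
```

Run the audit against the live table with `check_snapshot "$(cat /proc/net/arp)"` on a Linux host to confirm the startup script actually took effect.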