Snort mailing list archives

Previous By Date Next
Previous By Thread Next

ARP poisoning and sniffing in a Switched Network

From: <CGhercoias () TWEC COM>
Date: Wed, 17 Dec 2003 14:16:38 -0500
Hello,

Has anyone heard about Cain&Abel for Windows --
http://www.oxid.it/cain.html ?

...it has a lot of new features like APR (Arp Poison Routing) which
enables sniffing on switched LANs by hijacking IP traffic of multiple
hosts at the same time. The sniffer can also analyze encrypted protocols
such as SSH-1 and HTTPS if used with APR (ARP Poisoning Routing) and a
Man-in-the-middle situation...

I tested it personally and it is impressive. You can sniff anything from
anywhere within the same subnet, it can spoof any IP address and any MAC
address. 
Is decrypting SSH sessions, telnet and HTTPS sessions.
As far I can tell -- I don't want something like this in my corporate
network! 

Is there any rule for snort to catch this kind of ARP (illegal) traffic?


Assuming that I turn on 'Port Security' in all switches, the problem
still remains if some disgruntled employee is installing it and is
making use of a real IP and a real MAC address.
Not saying that it can cause DOS in the network because of the ARP
poisoning.
As far as I know ARP is a stateless protocol that does not require any
kind of authentication, so a simple ARP Reply packet sent to each host
-- will force an update in their ARP Cache -- therefore ARP poisoning.


Thank you, 
___________________________
Catalin Ghercoias 
WEB/Network Security Administrator 
 
website: http://www.fye.com

The content of this communication is classified as Trans World
Entertainment Confidential and Proprietary Information. As such, it is
intended solely for the use of the individual or entity to whom it is
addressed and only others who are authorized to receive it. If you are
not one of those, you are hereby notified that any disclosure, copying,
distribution, or action in reliance on the contents of this information
is strictly prohibited and may be unlawful. If you have received this
communication in error, please notify us immediately by responding to
this communication and then deleting it from your system. 

 



-------------------------------------------------------
This SF.net email is sponsored by: IBM Linux Tutorials.
Become an expert in LINUX or just sharpen your skills.  Sign up for IBM's
Free Linux Tutorials.  Learn everything from the bash shell to sys admin.
Click now! http://ads.osdn.com/?ad_id78&alloc_id371&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: