kbnet
Mar 16 2005, 12:46 PM
Been playing a lot with Cain and Abel recently and after realising how powerful this tool is for sniffing traffic I want to now focus on countermeasures against an attack this tool can perform - ARP poisoning. So can anyone recommend the best tools / techniques to protect against this?
EDIT: Just found this has already been covered on GovSec in the past. I'm currently reading this paper that was recommended:
http://www.cs.sjsu.edu/faculty/stamp/stude...ilky_report.pdf
However, I would like to hear from people's experience on protecting against ARP poisoning and tools they have used.
Thanks
SyS49152
Mar 16 2005, 02:36 PM
quite simple ..
check the mac address of the most juicy host in your subnet (i.e. gateway , domain controller)
then arp -a on your pc ..
if there are differences you are poisoned ..
kbnet
Mar 16 2005, 02:56 PM
Could do with a tool watching in real time. Just been reading the dsniff manual; l0pht's antisniff is mentioned, so I'm going to give that a try in a bit.
Terminal
Mar 16 2005, 03:12 PM
There are good tools like Arpwatch around. One of the ways is to enter static MAC address entries so your computer doesn't broadcast ARP requests, but still other routers can be poisoned and you are still in half water. Use Outpost firewall, it has a plugin to block MAC addresses so you can block all those unneeded hosts; also Sygate keeps a good watch on ARP. But still ARP is very much exploitable. You can kick anyone out of the network no matter what they use. There are techniques to stop it like port security on switches, etc.
Btw did you note with Cain you can sniff only hashes of Yahoo mail and no plaintext on the LAN even if you aren't using secure login. Gmail sends plain text, Hotmail sends plain text out and most others do. But Yahoo hashes before sending, maybe MD5 I think. Only thing I like about Yahoo.
belgther
Mar 16 2005, 03:29 PM
Static ARP tables can solve the problem of ARP poisoning, thus disabling the ARP protocol, which prevents ARP poisoning too. The packets can be blocked by personal & router firewalls. Fancy, but possible...
SyS49152
Mar 16 2005, 03:44 PM
Terminal ..
About Yahoo you are right, the pass is double MD5 hashed plus a challenge that changes at any new connection ..
kbnet
Mar 16 2005, 03:51 PM
Yeah, I've noticed most sites send passwords out in plain text. Been catching quite a lot of traffic from the LAN (it's used by another 3 people) and noticed a few sites will send out an MD5 hash. If I want to get an account from a user I just get them to run a script which steals key3.db and signons.txt. Suppose if I had the MD5 rainbow tables it would make life easier.
Pro21
Mar 17 2005, 05:45 PM
QUOTE(belgther @ Mar 16 2005, 03:12 PM)
Static ARP tables can solve the problem of ARP poisoning, thus disabling the ARP protocol, which prevents ARP poisoning too. The packets can be blocked by personal & router firewalls. Fancy, but possible...
Yes, but if you have a Windows network, it's noticed with arp-sk it is possible to modify static ARP tables.
I think the best solution is to use SSL or VPN or anything like that to secure data from the network. And it's the easier solution than filtering all MAC addresses. It uses more resources I think ...
skydance
Jul 11 2005, 10:27 PM
I'm using XArp to detect ARP poisoning attacks: hxxp://www.chrismc.de/developing/xarp/
Warlord_David
Jul 12 2005, 04:56 AM
you can also spoof your address to hide where the attacks are coming from.
packet
Jul 13 2005, 12:38 AM
Static ARP tables are great on all the devices you can control easily like routers and firewalls but getting them out to all clients and keeping them up to date can be a challenge. So hardware changes can be a much bigger deal when you need to replace that interface card.
If you don't hit the clients then dsniff or C&A can fool clients into thinking they are the gateway still and get lots of juicy info. I wonder if there is a way to do this with DHCP, send out the default GW and the MAC of that GW. But the GW is not the only thing worth protecting; all servers and resources would be nice to protect too.
BTW, arpwatch is great for keeping an eye on this but when someone does start futzing it becomes almost too noisy with e-mails and log messages; you have to dial down the settings to make sure it doesn't flood out too much crap.
--P>G>>
nolimit
Jul 13 2005, 01:11 AM
a fine tuned IDS system is probably your best route
pita
Jul 13 2005, 02:55 AM
If you use IPsec in the network, all connections will be encrypted so even if you poison you will see nothing.
But this will solve the problem of a man in the middle that is waiting for things like passwords in clear text; I'm not sure this will also help for the smart spoofing attack.
But maybe anyone has tested this before?
packet
Jul 13 2005, 03:14 AM
But use IPSEC everywhere in the network? All clients to all servers? I know MS was trying something like that but I know they weren't ready to actually turn on encryption, just tunnels at this point.
But IPSEC could still be disrupted in any case as you could redirect traffic through you, and if any new man in the middle attacks come out then you would be sitting in the right place.
--P>G>>
mmkhan
Jul 13 2005, 08:04 AM
QUOTE(Warlord_David @ Jul 12 2005, 09:56 AM)
you can also spoof your address to hide where the attacks are coming from.
Then I think you will create a DoS on the network.
myth
Jul 13 2005, 03:41 PM
All of the above
Also, changing the network topology will reduce the effectiveness.... i.e., when designing the network, if it's feasible, adding more subnets... That's a VERY basic way of saying it, but the basic idea is if you subnet the LAN more, then there's fewer static ARPs that would need to be applied and it reduces the amount of IDS systems on the network...
Remember security is like an onion; placing an IDS there is just pointless if it's on its own, because you can just ARP poison that IDS server in a way to 'isolate' it.. Using IPSec etc. is kind of OK, but there's methods of faking certificates on weak authentication schemes. Placing static ARPs is kind of OK but you need to apply them to every computer - so put them in login scripts. Using a correct type of IDS - i.e. Snort INLINE to actively monitor and kill connections - is another method that should ALSO be applied in extreme circumstances...
So,
Static ARPs + Correct use and location of network IDS's (Snort / Checkmate) + Static ARPs via login scripts to keep up-to-date + Subnetting the lans more (even via VLANs) + *Considering the use of IPv6 and other* + CORRECT Encryption of the protocols will allow even arp poisoned traffic to become useless
Those 6 methods would stop even the most dedicated hacker from using that method - so they might just go buy Key Katcher / Key Ghost and use that method instead...
* Don't quote me on that
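As an added example, not code from any poster in this thread, the script below automates the manual check SyS49152 describes (compare `arp -a` against the known MACs of the gateway and domain controller) and renders the static entries myth suggests pushing out via login scripts. The sample `arp -a` output and baseline MACs are constructed; the baseline is assumed to have been recorded out-of-band.

```python
import re
from collections import defaultdict

# Constructed sample of Windows `arp -a` output: the gateway entry now carries the
# MAC of another LAN host (192.168.1.20), which is what a poisoned cache looks like.
SAMPLE_ARP_OUTPUT = """\
Interface: 192.168.1.10 --- 0x2
  Internet Address      Physical Address      Type
  192.168.1.1           aa-bb-cc-dd-ee-ff     dynamic
  192.168.1.20          aa-bb-cc-dd-ee-ff     dynamic
  192.168.1.30          00-0c-29-12-34-56     dynamic
"""
# Hypothetical baseline, recorded out-of-band, for the hosts worth watching.
BASELINE = {"192.168.1.1": "00-11-22-33-44-55",    # gateway
            "192.168.1.30": "00-0c-29-12-34-56"}   # domain controller
# Matches Windows rows ("192.168.1.1   aa-bb-cc-dd-ee-ff") and Linux/BSD rows
# ("? (192.168.1.1) at aa:bb:cc:dd:ee:ff [ether] on eth0").
ENTRY_RE = re.compile(
    r"(\d+\.\d+\.\d+\.\d+)\)?\s+(?:at\s+)?([0-9a-fA-F]{2}(?:[-:][0-9a-fA-F]{2}){5})")

def normalize_mac(mac):
    return mac.lower().replace("-", ":")

def parse_arp_table(text):
    """Return {ip: mac} parsed from `arp -a` output."""
    table = {}
    for line in text.splitlines():
        m = ENTRY_RE.search(line)
        if m:
            table[m.group(1)] = normalize_mac(m.group(2))
    return table

def find_poisoning(table, baseline):
    """Flag entries that differ from the baseline and MACs answering for several IPs."""
    findings = []
    for ip, expected in baseline.items():
        seen = table.get(ip)
        if seen and seen != normalize_mac(expected):
            findings.append(f"{ip}: expected {normalize_mac(expected)}, cache has {seen}")
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            findings.append(f"{mac} answers for several IPs: {', '.join(sorted(ips))}")
    return findings

def static_arp_commands(baseline):
    """Windows `arp -s` lines a login script could run to pin the baseline entries."""
    return [f"arp -s {ip} {normalize_mac(mac).replace(':', '-')}" for ip, mac in baseline.items()]
```

Run `find_poisoning(parse_arp_table(SAMPLE_ARP_OUTPUT), BASELINE)` to see both findings for the sample; on a real host feed it the output of `arp -a` instead of the constructed string.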