[Snort-users] ARP poisoning and sniffing in a Switched Network

CGhercoias at ...8619... CGhercoias at ...8619...
Wed Dec 17 11:14:01 EST 2003


Hello,

Has anyone heard about Cain&Abel for Windows --
http://www.oxid.it/cain.html ?

...it has a lot of new features like APR (Arp Poison Routing) which
enables sniffing on switched LANs by hijacking IP traffic of multiple
hosts at the same time. The sniffer can also analyze encrypted protocols
such as SSH-1 and HTTPS if used with APR (ARP Poisoning Routing) and a
Man-in-the-middle situation...

I tested it personally and it is impressive. You can sniff anything from
anywhere within the same subnet, it can spoof any IP address and any MAC
address. 
Is decrypting SSH sessions, telnet and HTTPS sessions.
As far I can tell -- I don't want something like this in my corporate
network! 

Is there any rule for snort to catch this kind of ARP (illegal) traffic?


Assuming that I turn on 'Port Security' in all switches, the problem
still remains if some disgruntled employee is installing it and is
making use of a real IP and a real MAC address.
Not saying that it can cause DOS in the network because of the ARP
poisoning.
As far as I know ARP is a stateless protocol that does not require any
kind of authentication, so a simple ARP Reply packet sent to each host
-- will force an update in their ARP Cache -- therefore ARP poisoning.


Thank you, 
___________________________
Catalin Ghercoias 
WEB/Network Security Administrator 
 
website: http://www.fye.com

The content of this communication is classified as Trans World
Entertainment Confidential and Proprietary Information. As such, it is
intended solely for the use of the individual or entity to whom it is
addressed and only others who are authorized to receive it. If you are
not one of those, you are hereby notified that any disclosure, copying,
distribution, or action in reliance on the contents of this information
is strictly prohibited and may be unlawful. If you have received this
communication in error, please notify us immediately by responding to
this communication and then deleting it from your system. 

 





More information about the Snort-users mailing list