
Thread: MITM Detection

  1. #1
    Just burned his ISO

    MITM Detection

    Hello all,
    I'm looking for opinions and advice on programs to use primarily for MITM detection. I'm running Fedora 11 and looking for a good all-around network intrusion detection system (MITM, port scanning, spoofing, etc.) with a decent integrated notification system (pop-up messages instead of having to periodically check a log, if possible). I'm looking into Snort at the time of writing this but am making slow progress wrapping my head around it, so any advice is appreciated.

    Thanks

  2. #2
    Senior Member streaker69's Avatar


    Quote Originally Posted by vityav
    Hello all,
    I'm looking for opinions and advice on programs to use primarily for MITM detection. I'm running Fedora 11 and looking for a good all-around network intrusion detection system (MITM, port scanning, spoofing, etc.) with a decent integrated notification system (pop-up messages instead of having to periodically check a log, if possible). I'm looking into Snort at the time of writing this but am making slow progress wrapping my head around it, so any advice is appreciated.

    Thanks
    Snort really is the way to go; I don't understand why you'd have a tough time understanding it. It's pretty straightforward in the way it works, and they have good forums for help as well as fairly decent documentation.
    A third party security audit is the IT equivalent of a colonoscopy. It's long, intrusive, very uncomfortable, and when it's done, you'll have seen things you really didn't want to see, and you'll never forget that you've had one.

  3. #3
    Member imported_anubis2k7's Avatar


    What kind of MITM attacks are you referring to? If you are talking about ettercap, Cain & Abel, etc., these utilize ARP poisoning, which is a layer 2 attack that Snort, by default, cannot detect unless some creative modifications are made.

    Snort, simply put, is a heuristic network detection engine that looks at TCP/IP packets (layer 3) individually and in sequence to find attack/enumeration vectors.
    "Sure is for people with nothing on the line.....you and me? We just get on with it."

    -Garabaldi

  4. #4
    Just burned his ISO


    I am referring to ARP poisoning. I suppose what I'm going for as far as MITM is the ability to recognize things such as the gateway address changing without the connection changing (assuming you catch it being initialized). It doesn't seem like it would be that hard to detect (just periodically checking the ARP table), but at the same time I never found anything specific for it in the default Snort rules.
    Would you recommend anything else that would detect layer 2 attacks/suspicious changes on a network?

  5. #5
    My life is this forum thorin's Avatar
    I'm a compulsive post editor, you might wanna wait until my post has been online for 5-10 mins before quoting it as it will likely change.

    I know I seem harsh in some of my replies. SORRY! But if you're doing something illegal or posting something that seems to be obvious BS I'm going to call you on it.

  6. #6
    Just burned his ISO


    Arpwatch works quite well, thank you.

  7. #7
    Very good friend of the forum Gitsnik's Avatar


    Quote Originally Posted by vityav
    Arpwatch works quite well, thank you.
    For anyone who asks, there is a burden and a boon with arpwatch.

    It's really easy to start and run:
    Code:
    # crontab -l
    @reboot /usr/sbin/arpwatch -i eth0 -e gitsnik@notmyemail.local
    But if you're smart (enough) to know where the arpwatch server is (most people only run a single interface for arpwatch rather than a proper segregated network):
    Code:
    pseudo:
    iptables -A FORWARD -p tcp --dport 25 -j DROP
    arpspoof /mailserver/ /arpwatchserver/
    (or)
    arpspoof /arpwatchserver/ /gatewaytoexternalserver/
    And you've completely annulled the setup.

    Snort is definitely the way to go, with proper sensors set up and a separate network. arpwatch is good for smallish installations though.
    Still not underestimating the power...

    There is no such thing as bad information - There is truth in the data, so you sift it all, even the crap stuff.

  8. #8
    Senior Member streaker69's Avatar


    Quote Originally Posted by anubis2k7
    What kind of MITM attacks are you referring to? If you are talking about ettercap, Cain & Abel, etc., these utilize ARP poisoning, which is a layer 2 attack that Snort, by default, cannot detect unless some creative modifications are made.

    Snort, simply put, is a heuristic network detection engine that looks at TCP/IP packets (layer 3) individually and in sequence to find attack/enumeration vectors.
    You're right. I wasn't thinking too much about the ARP stuff when I wrote that. I was more focusing on the fact that I don't think Snort is really that difficult to get set up and running and to understand how it works. Spent too much time fighting with an Exchange server yesterday.
    A third party security audit is the IT equivalent of a colonoscopy. It's long, intrusive, very uncomfortable, and when it's done, you'll have seen things you really didn't want to see, and you'll never forget that you've had one.

  9. #9
    Just burned his ISO


    I've gotten Snort up with BASE, and arpwatch running separately. That said, this is mostly just for a small home network that nobody should be able to access, but also for public networks should I ever need to do anything secure on them. My workplace offers free public wifi, and I know that our IT has no system in place to prevent MITM attacks, so my own defense needs to be self-contained in my laptop.

  10. #10
    Member imported_anubis2k7's Avatar


    Snort actually can be used to detect ARP poisoning, if it is directed at your entire network. You can do this using the arpspoof preprocessor in snort.conf:

    preprocessor arpspoof_detect_host: 192.168.40.1 f0:0f:00:f0:0f:00

    Basically, if you know which IPs on your network are reserved, you can use their known IP-to-MAC combinations to detect change, which could be indicative of poisoning. Now if either a host that is not on your list is targeted, or one that is on a DHCP lease, then this method will fail.

    Quote Originally Posted by vityav
    My workplace offers free public wifi, and I know that our IT has no system in place to prevent MITM attacks, so my own defense needs to be self-contained in my laptop.
    Don't get me started on this...MITM is the least of your problems in a completely open wifi infrastructure.
    "Sure is for people with nothing on the line.....you and me? We just get on with it."

    -Garabaldi
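    The "periodically check the ARP table" idea from post #4 and the known IP-to-MAC list from post #10 (the arpspoof_detect_host approach, with its DHCP caveat) combined into one host-side watcher. This is an added example, not code from the thread or from Snort/arpwatch; it assumes Linux `ip neigh` output, a constructed gateway entry 192.168.40.1 / f0:0f:00:f0:0f:00, and notify-send for the pop-up the original poster asked about.

```python
import re, subprocess, sys, time

# Constructed sample of `ip -4 neigh show` output so the parser can be tried offline.
SAMPLE_NEIGH = """\
192.168.40.1 dev eth0 lladdr f0:0f:00:f0:0f:00 REACHABLE
192.168.40.20 dev eth0 lladdr 00:11:22:33:44:55 STALE
192.168.40.50 dev eth0 FAILED
"""
# Hosts with fixed addresses (constructed values), the same idea as Snort's
# arpspoof_detect_host entries. DHCP clients are deliberately left out of this list:
# their IP-to-MAC pairing can change legitimately, so they are only compared poll to poll.
STATIC_HOSTS = {"192.168.40.1": "f0:0f:00:f0:0f:00"}
LINE_RE = re.compile(r"^(\S+) dev \S+ lladdr ([0-9a-f:]{17})", re.I)

def parse_neigh(text):
    """{ip: mac} from `ip neigh` output; FAILED/INCOMPLETE entries carry no lladdr and are skipped."""
    matches = (LINE_RE.match(line.strip()) for line in text.splitlines())
    return {m.group(1): m.group(2).lower() for m in matches if m}

def check(table, previous, static_hosts=STATIC_HOSTS):
    """Compare one ARP snapshot with the static list and the previous snapshot; return alert strings."""
    alerts = []
    for ip, mac in static_hosts.items():  # a fixed host now answering from a different MAC
        if ip in table and table[ip] != mac:
            alerts.append(f"static host {ip} expected {mac} but cache has {table[ip]}")
    for ip, mac in table.items():  # any entry whose MAC changed since the last poll
        if ip in previous and previous[ip] != mac:
            alerts.append(f"{ip} changed from {previous[ip]} to {mac}")
    by_mac = {}
    for ip, mac in table.items():  # one MAC claiming several IPs (poisoner, or legitimate proxy ARP)
        by_mac.setdefault(mac, []).append(ip)
    alerts += [f"{mac} claims {sorted(ips)}" for mac, ips in by_mac.items() if len(ips) > 1]
    return alerts

def notify(msg):  # desktop pop-up via notify-send (libnotify); stderr if it is not installed
    try:
        subprocess.run(["notify-send", "ARP alert", msg], check=False)
    except FileNotFoundError:
        print(msg, file=sys.stderr)

def watch(interval=30):  # poll the live cache (Linux) and alert on changes
    previous = {}
    while True:
        out = subprocess.run(["ip", "-4", "neigh", "show"], capture_output=True, text=True).stdout
        table = parse_neigh(out)
        for alert in check(table, previous):
            notify(alert)
        previous = table
        time.sleep(interval)
```

Like arpwatch, this only sees what the local host's own ARP cache sees, so it catches a poisoned gateway entry on the laptop it runs on rather than attacks elsewhere on the segment.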
