Page 1 of 2
Results 1 to 10 of 12

Thread: Anti-Ettercap tools

  1. #1
    Junior Member
    Join Date
    Jun 2010
    Posts
    35

    Default Anti-Ettercap tools

    Hello,

    Are there any other tools to look for suspicious packet-rerouting activity, such as when Ettercap is being used?
    I know Ettercap can look for Ettercap activity, but I was wondering how it is done on very large local area networks.

    I do not intend to use it on a large LAN; I'm just asking myself whether or not I should feel safe when surfing on, for example, the network of the University. Is it common practice to have Ettercap-activity searchers running on large LANs? Of course I can start Ettercap myself and look for suspicious activity, but this is not what I'm asking.

  2. #2
    Good friend of the forums espreto's Avatar
    Join Date
    Mar 2010
    Location
    Brazil
    Posts
    303

    Default Re: Anti-Ettercap tools

    In cases where the network configuration does not change frequently, it is perfectly possible to make a list of static ARP entries and deploy them to clients through an automated script. This will ensure that devices always rely on their local ARP cache instead of relying on ARP requests and replies.

    Surveillance tools such as Arpwatch effectively assist in monitoring the ARP cache. Thus the detection of possible attacks, and even of risky changes in network behavior, becomes easier for the safety of the system.

    We could delve into this subject because it is very interesting, but since you just want to know the tools, the ones I remember at the moment are:

    Arpwatch, XArp and ArpON.

    There is a set of techniques that should be studied in order to further minimize such an attack.

    (gdb) disass m(y_br)ain

    ®

  3. #3
    Junior Member
    Join Date
    Jun 2010
    Posts
    35

    Default Re: Anti-Ettercap tools

    I also think this is very interesting. Basically, and please correct me if I am wrong, an access point sends out an ARP request to know which IP belongs to which MAC address. Tools like Ettercap answer this question instead of the real, targeted machine. Or does the attack machine act as the access point?

    In either case, wouldn't it be easily possible to detect that the traffic is going through an extra point, namely the attack machine? Thus it would also be easily detectable which machine on a LAN is the attacking machine?

    What I'm also wondering about is the role of the MAC address. The MAC address, and not the IP address, is used to send the packets to the correct station, right? The MAC address could then be seen as acting on a lower level than the IP. But why don't we just spoof our MAC address then? Or would this cause problems?

    I'm kinda new here, but I do understand the basics of TCP/IP, I think! Anyway, don't burn me down!

  4. #4
    Good friend of the forums gunrunr's Avatar
    Join Date
    Jan 2010
    Location
    shining my spoon
    Posts
    265

    Default Re: Anti-Ettercap tools

    What Ettercap does, in one mode at least, is ARP cache poisoning. To put it simply, ARP cache poisoning is sending ARP packets to the target computers telling them that you are in fact the default gateway. In two-way poisoning you are also telling the default gateway that you are the target computer, so that you can receive both sides of the conversation between the target computer and the default gateway. If you want to get a really good idea of what is happening, run Wireshark in the background and you can see your PC poisoning the routes in real time; it's cool.
    Just make sure when you are done you re-ARP the targets, or run ipconfig renew when you are done if it's a Windows computer.
    And always make sure you have IP forwarding turned on, or you will not forward packets to the default gateway.
    Wielder of the spoon of doom
    Summercon, Toorcon, Defcon, Bsides, Derbycon, Shmoocon oh my
    Come hang out with hackers on twitter @gunrunr556

  5. #5
    Good friend of the forums espreto's Avatar
    Join Date
    Mar 2010
    Location
    Brazil
    Posts
    303

    Default Re: Anti-Ettercap tools

    Good, Gunrunr, I would have written to use Wireshark too! So you'll see for yourself the answers to your questions!

    Here's an interesting link; give it a read.

    Anatomy of an ARP Poisoning Attack | WatchGuard

    Regards,
    (gdb) disass m(y_br)ain

    ®

  6. #6
    Junior Member
    Join Date
    Jun 2010
    Posts
    35

    Default Re: Anti-Ettercap tools

    OK, good site, and I'll try that Wireshark out some day.

    But I have another question. On that 'Anatomy of an ARP...' site, they mention countermeasures. For large networks, this is:
    "If you manage a large network, research your network switch's "Port Security" features. One "Port Security" feature lets you force your switch to allow only one MAC address for each physical port on the switch. This feature prevents hackers from changing the MAC address of their machine or from trying to map more than one MAC address to their machine. It can often help prevent ARP-based Man-in-the-Middle attacks." (source)

    What does this mean? On a large, wireless network, there can be hundreds of MAC addresses on the same switch, can't there?

    Also, isn't it possible for a network administrator to force static IPs when knowing the MAC address? So, he builds up a list of all the MAC addresses when, for example, registering to the network, and then he pushes an IP (through RARP) to that machine. You can still spoof your MAC to another existing MAC, but when it is connected to a username, you can't anymore.

    But does this solve the ARP poisoning problem? One could still ARP poison, but when he does, the administrator would immediately know who the person is that is spoofing. What exactly does ARPWatch do here? A cache is built up (maybe static, if it is possible to push IPs; is it possible?), and when it changes, ARPWatch gives a warning.

    Or, when that is not possible, and when, let's say, we poison immediately on startup, then ARPWatch would notice that the traffic of the target PC goes around an attacking machine. However, why doesn't ARPWatch just think that the target machine has gone offline, and that we are browsing to sites that we shouldn't browse (all traffic of the target gets redirected to us, and we send it to the gateway)? Of course, this would only work when doing two-way poisoning?

    Just some thoughts..

  7. #7
    Just burned his ISO p0rkch0p's Avatar
    Join Date
    Jun 2010
    Location
    Adama
    Posts
    1

    Default Re: Anti-Ettercap tools

    The link by espreto has a way better (and easier to understand) explanation than I can give you here. I just wanted to add a couple of points that weren't mentioned in this thread.

    Most OSes should have some way of notifying you if someone else on the network is claiming to be you. I know Windows XP pops up a notification, and FreeBSD makes a log entry. I don't know about Linux. So, while that doesn't help you detect if someone is claiming to be your gateway, it also means that they can't do a completely "silent" MITM attack on you, even if you don't have any ARP monitoring tools running.

    As for detecting who the attacker is, that depends on whether you can associate his MAC address with a given switch port (which you can then trace to a specific wall outlet). You can't do that if you have a regular "home/office" type switch. However, you might be able to get something by port-scanning his machine and seeing if he has anything running that can give him up.

    HTH
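As an added illustration of what an ARP-watching tool does, as espreto and p0rkch0p describe it (this is example code written for this thread, not code from the thread, from Arpwatch, or from any OS): it parses ARP frames, keeps an IP-to-MAC table, and alerts when a known address such as the gateway suddenly answers from a different MAC, or when another station claims the monitor's own IP. All addresses and frames below are constructed sample data.

```python
import struct

def parse_arp(frame: bytes):
    """Return (opcode, sender_mac, sender_ip) for an Ethernet/ARP frame, else None."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":   # EtherType 0x0806 = ARP
        return None
    hw_type, proto, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (hw_type, proto, hlen, plen) != (1, 0x0800, 6, 4):  # Ethernet/IPv4 only
        return None
    smac = ":".join(f"{b:02x}" for b in frame[22:28])
    sip = ".".join(str(b) for b in frame[28:32])
    return op, smac, sip

class ArpMonitor:
    def __init__(self, my_ip, my_mac):
        self.my_ip, self.my_mac = my_ip, my_mac
        self.table = {my_ip: my_mac}   # learned ip -> mac pairs, like arpwatch's database
        self.alerts = []

    def observe(self, frame: bytes):
        parsed = parse_arp(frame)
        if parsed is None:
            return                      # not ARP, ignore
        _op, smac, sip = parsed
        if sip == self.my_ip and smac != self.my_mac:   # someone answers for OUR address
            self.alerts.append(f"duplicate address: {sip} also claimed by {smac}")
            return
        known = self.table.get(sip)
        if known is None:
            self.table[sip] = smac      # arpwatch "new station"
        elif known != smac:             # known IP (e.g. gateway) now maps to a new MAC
            self.alerts.append(f"changed ethernet address: {sip} {known} -> {smac}")
            self.table[sip] = smac

def build_arp(op, smac, sip, tmac, tip):
    """Construct a sample ARP frame (test data only, not captured traffic)."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    ip = lambda s: bytes(int(x) for x in s.split("."))
    header = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    return mac(tmac) + mac(smac) + b"\x08\x06" + header + mac(smac) + ip(sip) + mac(tmac) + ip(tip)

def demo():
    # constructed capture: genuine gateway reply, poisoned reply, our IP claimed, non-ARP noise
    gw_ip, gw_mac, me_ip, me_mac = "192.168.1.1", "00:11:22:33:44:55", "192.168.1.20", "aa:bb:cc:dd:ee:20"
    mon = ArpMonitor(me_ip, me_mac)
    for frame in (build_arp(2, gw_mac, gw_ip, me_mac, me_ip),
                  build_arp(2, "de:ad:be:ef:00:01", gw_ip, me_mac, me_ip),
                  build_arp(1, "de:ad:be:ef:00:01", me_ip, "ff:ff:ff:ff:ff:ff", gw_ip),
                  b"\x00" * 60):
        mon.observe(frame)
    return mon.alerts
```

On a real host the frames would come from a raw socket or pcap; a static entry for the gateway (as espreto suggests) would stop the second frame from taking effect but the monitor would still report it.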

  8. #8
    Junior Member
    Join Date
    Jun 2010
    Posts
    35

    Default Re: Anti-Ettercap tools

    OK, I found a very good explanation of the way ARP caches can be spoofed, on this site.

    Still, I can't seem to understand what they mean by
    "You can use port security to block input to an Ethernet port when the MAC address of a workstation attempting to access the port is different from any MAC address specified for that port. This can prevent an attacker from changing the MAC address of their machine, and can help prevent MiM attacks."

    Isn't this only possible when all computers are connected to the network at all time? For example, when I connect to that network using my laptop, how can the switch know which MAC is allowed?

  9. #9
    Junior Member skidmarq's Avatar
    Join Date
    Jan 2010
    Posts
    88

    Default Re: Anti-Ettercap tools

    The way port security works is that switch ports learn (statically or dynamically) which MAC addresses belong to which port. If they see a MAC address differ from what is stored in their CAM tables, then they will do whatever action is programmed (e.g. block, alarm, log, etc.).

    Obviously, this is one of the classic examples of weighing security versus management overhead/usability. It sucks to get called in the middle of the night because a user decides to change ports and you have to re-enable the port...
    I got 99 problems but the bits ain't one...

  10. #10
    Good friend of the forums gunrunr's Avatar
    Join Date
    Jan 2010
    Location
    shining my spoon
    Posts
    265

    Default Re: Anti-Ettercap tools

    Yeah, what he said. We enable port security (we call it sticky port security on our Catalyst switches); this way, when a network converges, the switch saves the MAC addresses of connected computers in a CAM table, so if you pull someone's connector out and insert yours going to your laptop, it will be rejected... This is not strong security, because interface MACs, either wireless or Ethernet, can easily be changed or spoofed. As far as the questions about wireless security go, it's more secure to just have DHCP turned off on a secure wireless connection and use static IP addresses. It's kind of a pain in the ass, but it's more secure than having DHCP run and give out viable addresses to anyone that connects; also, it's easy to DoS or crash a wireless AP by depleting the addresses in its DHCP pool. One tool for this is mdk3, which is in the repository for BT4; make sure you read up on this tool first, because it's very powerful.
    Wielder of the spoon of doom
    Summercon, Toorcon, Defcon, Bsides, Derbycon, Shmoocon oh my
    Come hang out with hackers on twitter @gunrunr556
