A tool/theory to prevent all MiTM attacks for any computer

[ShadowMaster]

Hey guys, this is a very interesting topic/tool. First off, I'd recommend python for this project. It's capable of running on almost any system, it's network friendly, it's easy to code, and it's pretty damn powerful! Perl would be an option but I bet you'd find a stronger developer base in the python world. Thats just my opinion though... On to the meat and potatoes...

Thanks for the interest. The reason I want perl, while python might be easier, I don't want the end user to have to install anything on his system. In windows, perl has a perl2exe stuff, while I dunno about python... If you are willing to help code modules or even dlls that we could use in a windows setting, then by all means, use python. A tool that works is the end goal, I don't care if it's written in multiple languages.

One of the obvious ways to detect arp spoofing is by detecting a large amount of arp traffic from a single node (or multiple nodes). The way tools like arpspoof work is by trying to flood the network with a packet every second or so that states the attacker's desired false arp info. Other devices on the network get this arp update every second and use that info for routing packets. When the real gateway broadcasts its arp info it's drowned out by the noise from the attacker. So, logically if we can identify the source of the noise on the network and block it via packet counting rules, IP/Mac tables, or whatever else and alert the user to the anomaly then we have accomplished a part of the goal.

True. I believe that this is in the specs already.

Using a database of some sorts to keep track of "clean" IP/MAC combos for machines on the network is a great way to start when it comes to prevention. Also, implementing a static routing setup could work but may be over complicated (especially cross platform I have a feeling). But, finding a balance of approaches and attacking the problem from every possible exploitable path would be the key to a robust tool. There may be some limitations here though due to the nature of the arp protocol itself...

What I'm proposing is a database of sorts to store profiles of clean ip:arps for multiple networks. Since all we'd be doing is checking the current arp cache against a known clean list, there shouldn't be any limitations of arp protocol... I specifically did not want a static table, as I wanted this to be cross platform, and cross network.

One of the things I keep thinking about when looking over the requirements is that they seem to assume that the gateway MAC will change or be a different MAC when an attack is occurring AND the client will see this. Correct me if I'm wrong, but during mitm/proxy attacks can't you modify the packets going back to the client? If you could do this then the destination and src fields could be edited and the client would never know that the packets WEREN'T coming from the gateway (on the way back to the victims machine the src mac is changed to the real gateways mac instead of the attackers, therefore it is not being used for routing and does not cause a DOS). How can we catch this and ensure we are really effectively understanding the topography of the LAN and where the packets are coming from and going too?

Yes, you can modify the packets on the fly, but to get the packets to modify, assuming the average switched router, you need to poison at least one source. I believe. I've never had a MiTM attack work w/o one end being successfully poisoned... This tool is here to prevent any poisoning at all. If you are assuming that the attacker has poisoned the router, then I'm not as worried, because the main reason one spies on a network is to steal passwords and info etc.. If the host sends directly to the router, then that's not a real issue. As for the info going back, if not SSL encrypted, then it'll only be one end of the conversation. Of course, if you have an idea to stop poisoning on the router's end, please share.

Anyway, I'm definitely interested and would consider working on this project as long as it's not reinventing the wheel. (As seen in the post above and based on a google search there are LOTS of IDS's, IPS's, and standard tools already that do something very similar with arp for various platforms) So what can we bring to the table thats new and fresh when it comes to fighting arp attacks? ie What would make this tool stand out and be worth the many hours of coding?Thanks!

As I said in previous posts, the main goal here is to provide cross platform/cross network ARP-spoof protection to the point where I can share my linux profile of this network with my friends windows version of this program, who then gives it to his friend's macbook. Even if they have never seen this network before and never connected to it, they can still use my clean profile and be protected. As far as I researched, no tool has that capability.

Please let me know if you can help code, design, or contribute in any way. As I said previously as well, I'm smack in the middle of a PWB course which is way more intense than I originally assumed, and my time to work on this is limited.

Thank you for your interest.

[comaX]

Well, it's seems like my suscribing has been messy, because I missed a few posts.

And if something can make it an .exe, then ease, and true linux to windows portability has been achieved. Two fer one. I like it. What are your thoughts on the mattter? comaX, your thoughts?

Sure, the more compatible, the best it is !

Your eleven points are all relevant and good ones, and I can't think of something else to add. It seems to me you thought it through. If I get it right, it will protect the computer it runs on by replacing the arp cache by the safe profile in case of a problem, and will warn if something strange is on the network, as for example an attacker sending arp replies to broadcast ("gratuitous arp reply", to quote wireshark, if I'm not mistaken).

What I'm proposing is a database of sorts to store profiles of clean ip:arps for multiple networks

I see one problem with that : dynamic IPs. So what I think should be done is capture the state of the arp cache when one just connected, and keep the profile for the session only ; that is unless the user says "static IPs here, keep the profile for next use".

allow gateway address checking through the browser

Could you develop on that ? I might see a glitch, but I'd need to know more !

[ShadowMaster]

I see one problem with that : dynamic IPs. So what I think should be done is capture the state of the arp cache when one just connected, and keep the profile for the session only ; that is unless the user says "static IPs here, keep the profile for next use".

The only IP's I really care about are the DHCP, DNS, Gateway, MailServer... And those should be static.
To check the gateway's address through the browser, I imagine manually checking to see if the router responds to that IP.

Please tell me any problems.

[Barry]

Heh.

http://www.ranum.com/security/comput...lendar/nov.jpg

[ShadowMaster]

Heh.

http://www.ranum.com/security/comput...lendar/nov.jpg

That mean you'll help?

The goal is to prevent any user-level complication.

[Barry]

That mean you'll help?

The goal is to prevent any user-level complication.

Honestly I don't think it's possible. There's always going to be a way to man in the middle. Short of running fiber to every workstation and vlanning every workstation, it's just not going to be feasible to make it work, at least not without user intervention.

[orgcandman]

There are a whole lot of assumptions being made, the biggest I see is the assumption of a flat network. Most enterprise/corporate environments that are more than just 15 workstations have an intricate topology. Not to mention that there are legitimate uses for gratuitous arp, especially in clustered systems.

At some point, the user of the machine can't be stupid. Load arpwatch, and if you see the gateway's mac constantly flopping, you:

1) find the sys-admin and ask if that's normal
2) assume that it's not normal, and don't use the connection
3) assume that it's safe to use the connection

All of your solutions require giving the user some token which includes a snapshot of the information about your network. What happens when router A's 4th port dies and you re-cable to a different machine with a different mac? What about a large, multi-national, multi-site corporate LAN running OSPF/RIP/Some other Routing Protocol which re-assigns the paths your packet is taking?

And for the big one that your solution doesn't cover, what about someone sitting past the router? There's no way to know upstream if your data is being redirected through alternate paths (hint: it always is because upstream providers have complicated networks)

ARP watching is useful against firesheep/ettercap/arpspoof which were known attacks 20+ years ago (I kid you not). That the home networking world finally caught on 4 years ago doesn't mean that very smart and very capable people haven't thoroughly thought these problems through. There are already solutions (I've never met a sysadmin worth his/her salt that didn't have either a custom or off-the-shelf solution for this) and they're built into various commercial and open IPS systems.

[ShadowMaster]

Excellent, have them post it here for us to admire. The point of this project IS for HOME USERS. NOT for corporate users. Corporate users can pay good money. I want to protect the little guy who does not really understand the danger or cannot really afford to fix it with expensive defenses.
I want to give them an easy to follow exe that will help them. If they have multiple routers or they know what to do when one crashes then obviously THEY ARE TOO ADVANCED FOR THIS PROGRAM!!!!! I want someone who will click through the warning screens that FireFox brings up about untrusted connections to able to browse safely. If you can help in any way, let me know. Thank you.

[Snayler]

All of your solutions require giving the user some token which includes a snapshot of the information about your network. What happens when router A's 4th port dies and you re-cable to a different machine with a different mac? What about a large, multi-national, multi-site corporate LAN running OSPF/RIP/Some other Routing Protocol which re-assigns the paths your packet is taking?

Eduroam, the wireless network present in most universities in Europe, is usually composed of multiple APs with the same SSID (for better coverage on campus). My current Internet Security application (ESET) has an option to protect me (and others on the same network, I believe) from ARP-Poisoning attacks, and it's very useful when I'm at home (It blocks all access when it senses a MAC change on the gateway IP). But it's really annoying when I'm at the university, because if the computer changes places, the AP it is connected to will change (thus, the MAC address will also change) and ESET will interpret it as ARP poisoning. I have to disable the firewall (unsecure) or turn off the ARP-Poisoning detection feature to be able to access the network without those annoyances.

ARP watching is useful against firesheep/ettercap/arpspoof which were known attacks 20+ years ago (I kid you not).

Wow! I really had no idea! Amazing how an attack that older can still affect a network.