HomeCalendarCertificationsColumnsFeaturesForumResourcesVitals
 
Image
 
Latest Additions
 
EH-Net Login
Welcome Guest.
Lost Password?
No account yet? Register
Who's Online
We have 42 guests and 5 members online
EH-Net Donations

Enter Amount:
$
Google Ads
ChicagoCon 2008f
chicagocon2008f_125x200banner.jpg
ChicagoCon 2008f
EH-Net News Feeds
Latest Additions
Book Recommendations



 
Advertisement

You are here: Home arrow Forum arrow Ethical Hacking Discussions and Related Certificationsarrow Network Pen Testingarrow ARP Poisoning, to do or not to do?
Ethical Hacker Community Forums
August 20, 2008, 03:13:31 PM *
Welcome, Guest. Please login or register.
Did you miss your activation email?

Login with username, password and session length
News: Registration Now Open for ChicagoCon 2008f Oct 27 - Nov 2! Visit www.chicagocon.com.
 
   Home   Help Calendar Login Register  
Pages: [1]   Go Down
« previous next »
  Print  
Author Topic: ARP Poisoning, to do or not to do?  (Read 901 times)
0 Members and 1 Guest are viewing this topic.
Ketchup
Newbie
*
Online Online

Posts: 18


View Profile
« on: July 24, 2008, 06:04:07 AM »
What do you think about ARP poisoning as part of a penetration test?  Do you make it part of the procedures?   Or do you avoid it?

It is very easy to do, but can cause some havoc on an already overtaxed network.  One thought is that an attacker won't hesitate to do it, so you should as well.  However, we also have to be concerned about the sensitive 24/7 systems they may have running.  I have seen instances where after a reboot, switches reverted back to older configurations.   (I tend to think the config wasn't saved to flash, but that's me.) 

Is there a better way?   Can you effectively sniff traffic from a switched network without ARP poisoning?

Ketchup
Logged
RoleReversal
Sr. Member
****
Offline Offline

Posts: 375


View Profile WWW
« Reply #1 on: July 24, 2008, 07:18:43 AM »
Ketchup,

if you are trying to sniff traffic for defensive purposes your can configure span ports (on Cisco devices, I believe similar features exist forother manufacturers). This will allow you to see traffic at packet level without restorting to re-directing traffic with arp spoofing.

However as you state, the bad-guys will likely have no qualms attempting an ARP spoof technique as the fallout of network failure isn't going to effect them. Might be a good idea to see how the network would handle such an attack. As with everything in this area make sure that you have fully explained the risks to your employer/client before trying these techniques and CYA, in writing, at all times.

RR
Logged
A little bit of sanity:
http://www.infosanity.co.uk
Ketchup
Newbie
*
Online Online

Posts: 18


View Profile
« Reply #2 on: July 24, 2008, 09:11:30 AM »
RR,

Thanks.   If I am doing it for defensive monitoring, I definitely choose the port mirroring option.   Most newer switches have the ability to copy all traffic to a monitoring port.    I don't know if I can do it as part of a pen test though.   An attacker wouldn't ask the client to turn on port monitoring (unless through social engineering).    I suppose one thing I can attempt to do is to gain access to the switch config, perhaps through SNMP and configure a monitor port on my own.   

Thanks again,

Ketchup
Logged
dean
Full Member
***
Offline Offline

Posts: 123


View Profile
« Reply #3 on: July 24, 2008, 12:00:39 PM »
Arp cache poisoning is a valid attack vector but you can create bottlenecks on the network that can bring it down. So long as the client is aware of the potential consequences of the attack and you have documented the servers/hosts that you are targeting with the attack. You might not want to poison an entire subnet but only focus on a few targets so that any impact is limited.

Quote from: Ketchup on July 24, 2008, 06:04:07 AM
Is there a better way?   Can you effectively sniff traffic from a switched network without ARP poisoning?
Yes. DTP (Dynamic Trunking Protocol) attacks and others can enable you to sniff all traffic on a switch by enabling trunking on your port.

Yersinia can simplyfy these attacks for you or you can craft the packets in scapy.

dean
Logged
<script>alert('%52%54%46%4D')</script>
Pages: [1]   Go Up
  Print  
« previous next »
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.5 | SMF © 2006-2008, Simple Machines LLC
Joomla Bridge by JoomlaHacks.com 		Valid XHTML 1.0! Valid CSS!
Page created in 0.044 seconds with 23 queries.
 
EH-Net's
2nd Annual
Tweener Party 

Thanks all. Click HERE for details.

Polls
Best for daily desktop use:
 
Support EH-Net
chicagocon2008f_125x200banner.jpg
ChicagoCon 2008f

Support EH-Net by
Buying all of your
Amazon items using
the search bar above.
cbtnuggets_logo_125.jpg
Try CBT Nuggets Free!
Recent Forum Topics
Vote For EH-Net

progenic.com
Click here to Vote!

Sadikhov.com
Top IT Cert Sites

binarica.com
Binarica Logo

Add to Technorati Favorites
technorati fave

chicagocon2008f_125x200banner.jpg
ChicagoCon 2008f
 
         
Advertisement

© 2008 The Ethical Hacker Network
Joomla! is Free Software released under the GNU/GPL License.