The Ethical Hacker Network - ARP Poisoning, to do or not to do?

Latest Additions

Who's Online

Ketchup

Hero Member

Offline

Posts: 1021

ARP Poisoning, to do or not to do?

« on: July 24, 2008, 06:04:07 AM »

What do you think about ARP poisoning as part of a penetration test? Do you make it part of the procedures? Or do you avoid it?

It is very easy to do, but can cause some havoc on an already overtaxed network. One thought is that an attacker won't hesitate to do it, so you should as well. However, we also have to be concerned about the sensitive 24/7 systems they may have running. I have seen instances where after a reboot, switches reverted back to older configurations. (I tend to think the config wasn't saved to flash, but that's me.)

Is there a better way? Can you effectively sniff traffic from a switched network without ARP poisoning?

Ketchup


	Logged

~~~~~~~~~~~~~~
Ketchup

Andrew Waite

Hero Member

Offline

Posts: 928

Re: ARP Poisoning, to do or not to do?

« Reply #1 on: July 24, 2008, 07:18:43 AM »

Ketchup,

if you are trying to sniff traffic for defensive purposes your can configure span ports (on Cisco devices, I believe similar features exist forother manufacturers). This will allow you to see traffic at packet level without restorting to re-directing traffic with arp spoofing.

However as you state, the bad-guys will likely have no qualms attempting an ARP spoof technique as the fallout of network failure isn't going to effect them. Might be a good idea to see how the network would handle such an attack. As with everything in this area make sure that you have fully explained the risks to your employer/client before trying these techniques and CYA, in writing, at all times.

RR


	Logged

-- http://www.infosanity.co.uk
-- http://blog.infosanity.co.uk

Ketchup

Hero Member

Offline

Posts: 1021

Re: ARP Poisoning, to do or not to do?

« Reply #2 on: July 24, 2008, 09:11:30 AM »

RR,

Thanks. If I am doing it for defensive monitoring, I definitely choose the port mirroring option. Most newer switches have the ability to copy all traffic to a monitoring port. I don't know if I can do it as part of a pen test though. An attacker wouldn't ask the client to turn on port monitoring (unless through social engineering). I suppose one thing I can attempt to do is to gain access to the switch config, perhaps through SNMP and configure a monitor port on my own.

Thanks again,

Ketchup


	Logged

~~~~~~~~~~~~~~
Ketchup

dean

Guest

Re: ARP Poisoning, to do or not to do?

« Reply #3 on: July 24, 2008, 12:00:39 PM »

Arp cache poisoning is a valid attack vector but you can create bottlenecks on the network that can bring it down. So long as the client is aware of the potential consequences of the attack and you have documented the servers/hosts that you are targeting with the attack. You might not want to poison an entire subnet but only focus on a few targets so that any impact is limited.

Quote from: Ketchup on July 24, 2008, 06:04:07 AM

Is there a better way? Can you effectively sniff traffic from a switched network without ARP poisoning?

Yes. DTP (Dynamic Trunking Protocol) attacks and others can enable you to sniff all traffic on a switch by enabling trunking on your port.

Yersinia can simplyfy these attacks for you or you can craft the packets in scapy.

dean