.

ARP Poisoning, to do or not to do?

<<

Ketchup

User avatar

Hero Member
Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Thu Jul 24, 2008 6:04 am

ARP Poisoning, to do or not to do?

What do you think about ARP poisoning as part of a penetration test?  Do you make it part of the procedures?  Or do you avoid it?

It is very easy to do, but can cause some havoc on an already overtaxed network.  One thought is that an attacker won't hesitate to do it, so you should as well.  However, we also have to be concerned about the sensitive 24/7 systems they may have running.  I have seen instances where after a reboot, switches reverted back to older configurations.  (I tend to think the config wasn't saved to flash, but that's me.) 

Is there a better way?  Can you effectively sniff traffic from a switched network without ARP poisoning?

Ketchup
~~~~~~~~~~~~~~
Ketchup
<<

RoleReversal

User avatar

Hero Member
Hero Member

Posts: 928

Joined: Fri Jan 04, 2008 8:54 am

Location: UK

Post Thu Jul 24, 2008 7:18 am

Re: ARP Poisoning, to do or not to do?

Ketchup,

if you are trying to sniff traffic for defensive purposes your can configure span ports (on Cisco devices, I believe similar features exist forother manufacturers). This will allow you to see traffic at packet level without restorting to re-directing traffic with arp spoofing.

However as you state, the bad-guys will likely have no qualms attempting an ARP spoof technique as the fallout of network failure isn't going to effect them. Might be a good idea to see how the network would handle such an attack. As with everything in this area make sure that you have fully explained the risks to your employer/client before trying these techniques and CYA, in writing, at all times.

RR
<<

Ketchup

User avatar

Hero Member
Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Thu Jul 24, 2008 9:11 am

Re: ARP Poisoning, to do or not to do?

RR,

Thanks.  If I am doing it for defensive monitoring, I definitely choose the port mirroring option.  Most newer switches have the ability to copy all traffic to a monitoring port.    I don't know if I can do it as part of a pen test though.  An attacker wouldn't ask the client to turn on port monitoring (unless through social engineering).    I suppose one thing I can attempt to do is to gain access to the switch config, perhaps through SNMP and configure a monitor port on my own. 

Thanks again,

Ketchup
~~~~~~~~~~~~~~
Ketchup
<<

dean

Post Thu Jul 24, 2008 12:00 pm

Re: ARP Poisoning, to do or not to do?

Arp cache poisoning is a valid attack vector but you can create bottlenecks on the network that can bring it down. So long as the client is aware of the potential consequences of the attack and you have documented the servers/hosts that you are targeting with the attack. You might not want to poison an entire subnet but only focus on a few targets so that any impact is limited.

Ketchup wrote:Is there a better way?  Can you effectively sniff traffic from a switched network without ARP poisoning?

Yes. DTP (Dynamic Trunking Protocol) attacks and others can enable you to sniff all traffic on a switch by enabling trunking on your port.

Yersinia can simplyfy these attacks for you or you can craft the packets in scapy.

dean

Return to Network Pen Testing

Who is online

Users browsing this forum: No registered users and 2 guests

cron
.
Powered by phpBB® Forum Software © phpBB Group.
Designed by ST Software