ETTERCAP - Jednostavan prirucnik - Protumjere

Ettercap Protumjere
Zadnje osvježenje: May 07 2008


Tool
Install
Ergonomy
Forum



Detalji Što je Ettercap?
Preduvjeti i Instalacija
ARP Poisoning
"Man in the middle" napadi
Statistike
Protumjere

Croatian translation by Tomislav Marcinkovic.



⚠️⚠️⚠️
Please check our page about COVID-19!!
100 Questions and answers about Coronavirus.

⚠️⚠️⚠️
Merci de consulter notre page sur la COVID-19 !!
227 questions et réponses sur le Coronavirus.


Efektivna i uspjena borba protiv ARP trovanja (poisoning) nije jednostavan zadatak, zbog toga to ARP protokol ne prua mogucnosti za dokazivanje ispravnosti izvora dolaznih paketa.
Usprkos svemu, predlaemo neke metode zatite Vaeg racunala protiv tih podmuklih podvala.

1. Staticki ARP 2. Alati za nadzor 3. Zatita portova 4. Zakljucak



1. Staticki ARP

Staticki ARP znaci da vi rucno konfiguritate IP u MAC mapiranje.

Windows racunalo

C:\Documents and Settings\administrator>arp -s 192.168.1.1   11-22-33-44-11-11
Provjerite ARP cache tablicu:

C:\Documents and Settings\administrator>arp -a
Interface: 192.168.1.2 --- 0x2
Internet adresa
192.168.1.1
192.168.1.100
Fizicka adresa
11-22-33-44-11-11
11-22-33-44-99-99
Vrsta
staticka
dinamicka
Linux racunalo

#arp -s 192.168.1.1 11:22:33:44:11:11
Provjerite ARP cache tablicu:

#arp
Address
192.168.1.1
HWtype
ether
HWaddress
11:22:33:44:11:11
Flags Mask
CM
Iface
eth0
Router Cisco

router#configure terminal
router(config)#arp 192.168.1.2 1122.3344.5566 ARPA
Postavljanje staticke IP i MAC adrese sprijecit ce ARP poisoning, ali ima dvije velike mane:
-
 
-
Stvorit ce mnogo dodatnog posla administratorima i nije ba primjenjivo u okrujima gdje se korisnici koriste laptopima.
Nece sprijeciti druge vrste ARP napada, kao to je npr. port stealing (krada porta)
Top of the page



2. Alati za nadzor

Arpwatch

Arpwatch je alat kojim nadziremo aktivnost ARP-a na mrei, posebice promjene u IP - MAC dodjeljivanjima.
Ovim povodom moe biti od pomoci kod pronalaenja ARP napada kao to je ARP spoofing, te moe upozoriti administratora mailom u slucaju sumnjivih ARP aktivnosti (odreden kao flip-flop u Arpwatch-u).

#apt-get install arpwatch
Uobicajeno Arpwatch svoje logove alje u /var/log/syslog datoteku, stoga moete koristiti "tail /var/log/syslog" komandu za provjeru logova u realnom vremenu. Konfiguracija se nalazi u /etc/arpwatch.conf datoteci.


Ettercap

Instalirajte Ettercap s grafickim suceljem.

#apt-get install ettercap-gtk
Pokrenite Ettercap s grafickim suceljem.

#ettercap -G
Sniff -> Unified sniffing...
Unified sniffing sniff man in the middle attack openmaniak ettercap
Unified sniffing sniff man in the middle attack  openmaniak ettercap
 
 
 
 
 

Plugins -> Manage the plugins
Kliknite na arp_corp plugin za njegovu aktivaciju.

Manage the plugins plugins man in the middle attack  openmaniak ettercap

Start -> Start Sniffing
Start Sniffing  start man in the middle attack  openmaniak ettercap

Snort IDS

Sustav za detekciju upada na racunalo, kao to je Snort IDS (Intrusion Detection System), moe detektirati nenormalne ARP aktivnosti te mail-om upozoriti administratora.

Top of the page



3. Zatita portova

Zatita portova (port security) je sigurnosna funkcionalnost dostupna na nekim high-end switch-evima.
To ce omoguciti spajanje na port switch-a samo odredenim MAC adresama. U slucaju da spojeno racunalo nije prijavljeno, switch moe poduzeti neke mjere kao to je, recimo, slanje upozorenja administratoru ili trenutno gaenje koritenog porta.

Dolje je naveden primjer na Cisco-vom switch-u gdje je njegov prvi port (FastEthernet 0/1) konfiguriran kao zatitni port.
Port na switch-u prihvacat ce samo jednu MAC adresu i ta MAC adresa ce biti prva prijavljena na portu switch-a (sticky keyword). Ukoliko se na port prijavi neka druga MAC adresa, port se isti tren gasi.

Switch# configure terminal
Switch(config)# interface FastEthernet 0/1
Switch(config-if)# switchport port-security mac-address sticky
Switch(config-if)# switchport port-security maximum 1
Switch(config-if)# switchport port-security violation shutdown
Nakon konfiguracije switch-a prikljucujemo uredaj s MAC adresom 1122.3344.5566 na FastEthernet 0/1 port, koji ne prihvaca niti jednu drugu MAC adresu.

Switch# show port-security
Secure Port   MaxSecureAddr   CurrentAddr   SecurityViolation   Security Action
                         (Count)          (Count)            (Count)
---------------------------------------------------------------------------
   Fa1/0/1               1                    1                    0          Shutdown
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port) : 0
Max Addresses limit in System (excluding one mac per port) : 6272

Switch# show port-security interface FastEthernet 0/1
Port Security
Port Status
Violation Mode
Aging Time
Aging Type
SecureStatic Address Aging
Maximum MAC Addresses
Total MAC Addresses
Configured MAC Addresses
Sticky MAC Addresses
Last Source Address:Vlan
Security Violation Count
:
:
:
:
:
:
:
:
:
:
:
:
Enabled
Secure-up
Shutdown
0 mins
Absolute
Disabled
1
1
0
1
1122.3344.5566:1
0
Switch#show port-security address
          Secure Mac Address Table
----------------------------------------------------------------------------
Vlan    Mac Address        Type                  Ports            Remaining Age
                                                                              (mins)
----    -----------          ----                    -----          -------------
1        1122.3344.5566    SecureSticky        Fa0/1              -
----------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port) : 0
Max Addresses limit in System (excluding one mac per port) : 6272


Prikljucimo na trenutni uredaj (MAC: 1122.3344.5566) i ukljucimo drugi uredaj (MAC: 1122.3344.9999).
Kao to vidite dolje, switch ce iskljuciti svoj prvi port i postaviti ga u err-disabled status.

Switch# show port-security interface FastEthernet 0/1
Port Security
Port Status
Violation Mode
Aging Time
Aging Type
SecureStatic Address Aging
Maximum MAC Addresses
Total MAC Addresses
Configured MAC Addresses
Sticky MAC Addresses
Last Source Address:Vlan
Security Violation Count
:
:
:
:
:
:
:
:
:
:
:
:
Enabled
Secure-down
Shutdown
0 mins
Absolute
Disabled
1
1
0
1
1122.3344.9999:1
0
Switch#show logging
00:06:28:
 
00:06:28
 
00:06:29:
 
00:06:30:
%PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/1, putting Fa0/1 in err-disable state
%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 1122.3344.9999 on port FastEthernet0/1.
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down
%LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to down
Switch#show interfaces status | include 0/1
Port
-------
Fa0/1
Name
------------------
 
Status
------------
err-disabled
Vlan
--------
1
Duplex
------
auto
Speed
-------
auto
Type
----
10/100BaseTX
Ukoliko elite ponovno aktivirati port u err-disabled stanje, koristite sljedece komande:

Switch# configure terminal
Switch(config)# interface FastEthernet 0/1
Switch(config-if)# shutdown
Switch(config-if)# no shutdown
Aktivacija zatite portova nece sprijeciti ARP spoofing, ali ce smanjiti mogucnost spajanja nepoeljnih racunala na mreu.



4. Zakljucak

Ne postoji idealno rjeenje za borbu protiv ARP spoofing-a (podvala), ali sugestije koje se nalaze dolje nude Vam znacajnu pomoc kod sprecavanja spajanja nepoeljnih racunala na Vau mreu i kontroliranja Vae mree.
-
 
-
Mrena restrikcija sa zatitom portova ili cak i 802.1x protokola gdje se racunala prijavljuju na mreu samo ako su prihvacena od strane autentikacijskog servera kao to je RADIUS.
Nadzor mree s alatima poput IDS-ova (Intrusion Detection System).

Top of the page