TOTAL
Since dec 2006
1'942'871 Visitors
4'218'042 Pages

Nov 2010 Stats
82'909 Visitors
146'476 Pages
196 countries
Full statistics



Help us translate
our tutorials!

JOIN the
OpenManiak Team.
OM TEAM
Director:
Blaise Carrera
Tutorials creation:
Blaise Carrera
Translaters:
Giovanni Fredducci
Angel Chraniotis
Moham. H. Karvan
Alexandro Silva
Blaise Carrera
Andrei Chertolyas
Sergiy Uvarov
Nickola Kolev
Łukasz Nowatkowski
Ivo Raisr
Catalin Bivolaru
Bogdan A. Costea
Kirill Simonov
Oliver Mucafir
JaeYoung Jeon
Seungyoon Lee
Jie Yu & Si Cheng
Tao Wei
YukiAlex
Fumihito Yoshida
Muhammad Takdir
Çağdaş Tülek
Auditors
Leslie Luthi
Joe Anderson
Jennifer Ockwell
Nigel Titley
Alison Rees
Webmaster:
Blaise Carrera
ETTERCAP - The Easy Tutorial - Countermeasures

Ettercap Countermeasures
Last Change : Feb 01 2008


Tool
Install
Ergonomy
Forum



Details What is Ettercap?
Prerequisites & Installation
ARP Poisoning
"Man in the middle" attacks
Statistics
Countermeasures



⚠️⚠️⚠️
Please check our website about
attractions in Western Switzerland !! (Please use english translation).

⚠️⚠️⚠️
Merci de consulter notre site sur les
activités à faire en Suisse romande !!


Fighting effectively against ARP poisoning with efficiency is not an easy task because the ARP protocol provides no possibilities to establish the authenticity of the source of incoming packets.
Despite all, we propose here some ways to protect your machines against these evil spoofers.

1. STATIC ARP 2. SURVEILLANCE TOOLS 3. PORT SECURITY 4. CONCLUSION



1. STATIC ARP

Static ARPing means that you manually configure IP to MAC mappings.

Windows Machine

C:\Documents and Settings\administrator>arp -s 192.168.1.1   11-22-33-44-11-11
See your ARP cache table:

C:\Documents and Settings\administrator>arp -a
Interface : 192.168.1.2 --- 0x2
Internet Address
192.168.1.1
192.168.1.100
Physical Address
11-22-33-44-11-11
11-22-33-44-99-99
Type
static
dynamic
Linux machine

#arp -s 192.168.1.1 11:22:33:44:11:11
See your ARP cache table:

#arp
Address
192.168.1.1
HWtype
ether
HWaddress
11:22:33:44:11:11
Flags Mask
CM
Iface
eth0
Cisco router

router#configure terminal
router(config)#arp 192.168.1.2 1122.3344.5566 ARPA
The creation of static IP - MAC address mappings will prevent ARP poisoning but has two big disadvantages:
-
 
-
This will generate a lot of extra work for the administrator and is not applicable in an environment where the users have to move with their laptops.
This will not prevent other types of ARP attacks such as port stealing.
Top of the page



2. SURVEILLANCE TOOLS

Arpwatch

Arpwatch is a tool to monitor the ARP activity on a network and particularly when a change occurrs in the MAC address - IP address associations. For this reason, it can be helpful to detect ARP attacks such as ARP spoofing and can alert the administrator by mail in case of suspicious ARP activities (referred to as a flip-flop in Arpwatch).

#apt-get install arpwatch
By default, Arpwatch sends its logs in the /var/log/syslog file, you can use the "tail /var/log/syslog" command to check the logs in real time.
The configuration is stored in the /etc/arpwatch.conf file.

Ettercap

Install Ettercap in graphical mode.

#apt-get install ettercap-gtk
Launch Ettercap in graphical mode.

#ettercap -G
Sniff -> Unified sniffing...
Unified sniffing sniff man in the middle attack openmaniak ettercap
Unified sniffing sniff man in the middle attack  openmaniak ettercap
 
 
 
 
 

Plugins -> Manage the plugins
Click on the arp_corp plugin to activate it.

Manage the plugins plugins man in the middle attack  openmaniak ettercap

Start -> Start Sniffing
Start Sniffing  start man in the middle attack  openmaniak ettercap

Snort IDS

A Intrusion Detection System such as the Snort IDS can detect ARP abnormal activities and send a mail to inform the administrator.

Top of the page



3. PORT SECURITY

Port-security is a security functionality available on some high-end switches.
It will allow only devices with certain MAC addresses to connect to the switch ports, and in case a machine is not authorized, the switch can take actions such as alerting the administrator with a SNMP trap or shutting down the faulty port immediately.

Below an example with a Cisco switch where its first port (FastEthernet 0/1) is configured as port-security.
The switch port will accept only one unique MAC address and this MAC address will be the first seen by the switch port (sticky keyword). If the switch port seee another MAC address on its first port it will immediately it shutdown.

Switch# configure terminal
Switch(config)# interface FastEthernet 0/1
Switch(config-if)# switchport port-security mac-address sticky
Switch(config-if)# switchport port-security maximum 1
Switch(config-if)# switchport port-security violation shutdown
After the switch configuration, we plug a device with MAC address 1122.3344.5566 on the FastEthernet 0/1 port, which will accept no other MAC address.

Switch# show port-security
Secure Port   MaxSecureAddr   CurrentAddr   SecurityViolation   Security Action
                         (Count)          (Count)            (Count)
---------------------------------------------------------------------------
   Fa1/0/1               1                    1                    0          Shutdown
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port) : 0
Max Addresses limit in System (excluding one mac per port) : 6272

Switch# show port-security interface FastEthernet 0/1
Port Security
Port Status
Violation Mode
Aging Time
Aging Type
SecureStatic Address Aging
Maximum MAC Addresses
Total MAC Addresses
Configured MAC Addresses
Sticky MAC Addresses
Last Source Address:Vlan
Security Violation Count
:
:
:
:
:
:
:
:
:
:
:
:
Enabled
Secure-up
Shutdown
0 mins
Absolute
Disabled
1
1
0
1
1122.3344.5566:1
0
Switch#show port-security address
          Secure Mac Address Table
----------------------------------------------------------------------------
Vlan    Mac Address        Type                  Ports            Remaining Age
                                                                              (mins)
----    -----------          ----                    -----          -------------
1        1122.3344.5566    SecureSticky        Fa0/1              -
----------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port) : 0
Max Addresses limit in System (excluding one mac per port) : 6272


We unplug our current device (MAC: 1122.3344.5566) and plug another device (MAC: 1122.3344.9999). As seen below, the switch will shutdown its first port and put it in the err-disabled status.

Switch# show port-security interface FastEthernet 0/1
Port Security
Port Status
Violation Mode
Aging Time
Aging Type
SecureStatic Address Aging
Maximum MAC Addresses
Total MAC Addresses
Configured MAC Addresses
Sticky MAC Addresses
Last Source Address:Vlan
Security Violation Count
:
:
:
:
:
:
:
:
:
:
:
:
Enabled
Secure-down
Shutdown
0 mins
Absolute
Disabled
1
1
0
1
1122.3344.9999:1
0
Switch#show logging
00:06:28:
 
00:06:28
 
00:06:29:
 
00:06:30:
%PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/1, putting Fa0/1 in err-disable state
%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 1122.3344.9999 on port FastEthernet0/1.
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down
%LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to down
Switch#show interfaces status | include 0/1
Port
-------
Fa0/1
Name
------------------
 
Status
------------
err-disabled
Vlan
--------
1
Duplex
------
auto
Speed
-------
auto
Type
----
10/100BaseTX
If you want to reactivate the port in the err-disabled state, use the following commands:

Switch# configure terminal
Switch(config)# interface FastEthernet 0/1
Switch(config-if)# shutdown
Switch(config-if)# no shutdown
The port-security activation will not prevent ARP spoofing but the possibility for the pirate to get connected to the network.



4. CONCLUSION

There is no miracle solution to fight against ARP spoofing but the suggestions below provide significant help by either preventing the pirate from connecting to the network or by checking your network.
-
 
-
Network restriction with port security or even with the 802.1x protocol where a machine is authorized on the network only if it is accepted by an authentication server such as a RADIUS.
Network surveillance with tools such as IDS.

Top of the page