Tag Archives: arp

Quick tip: harden your ARP table the easy way (Linux)

ARP spoofing is a good old attack on a LAN and still a devastating one, since it leads to traffic interception (MitM). You may want to make sure that nobody is playing tricks on you at the office, at a security conference, at your local coffee shop, etc.

Yet, most networks do not have port security and ARP inspection enabled on their switches to mitigate such attacks. So you have to count on yourself.

Most people know how to protect a client, e.g. by maintaining a static mapping of MAC / IP addresses in the operating system. But almost no one does it, because it would be a pain to manage…

But, really? No. Here is what I do to get reasonable protection.

I make a few compromises first:

  1. I am not looking to protect ALL my traffic toward other peers on the LAN, but at least outbound communications with the gateway and, optionally, with a few critical servers.
  2. An attacker may still poison the gateway and eavesdrop on responses directed to my machine, and get some interesting stuff anyway.
  3. So, this is not a protection on its own. You have to think defense in depth: encryption on all your services (TLS), VPN, etc. Especially, depending on where you are, do not rely on the DNS / DHCP servers.

With that said, what follows is a hardening move that you can do on most Linux distributions, with little pain.

Get the MAC address of the gateway, either by finding it out physically (tag) or by checking it at a safe moment (when ARP spoofing is supposedly not happening).

Fill in a flat file, like /etc/ethers, with mappings like:

 00:11:22:33:44:55  1.2.3.4

Now, NetworkManager will do all the magic.

Create a script like:

 % cat /etc/NetworkManager/dispatcher.d/40-arp
 #!/bin/bash
 # Load the static MAC / IP mappings from /etc/ethers as permanent ARP entries
 arp -f /etc/ethers

All scripts in the above folder will be executed every time an interface comes up, as long as you give them executable rights:

% chmod +x /etc/NetworkManager/dispatcher.d/40-arp

Now, either execute it directly or unplug / plug back in your interface. You should have a permanent static ARP entry now, effectively bypassing the ARP protocol and its weaknesses:

% arp -a -n
? (172.16.100.254) at 00:15:17:9d:d6:d1 [ether] PERM on eth0
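The same dispatcher idea with iproute2 instead of net-tools' arp(8), as an added example that is not the post's own script: it reads the /etc/ethers-style file above, rejects malformed lines instead of pinning a wrong entry (a wrong gateway MAC pinned as permanent cuts the host off), builds the equivalent ip neigh replace ... nud permanent commands (shown as PERMANENT by ip neigh show, where arp -a shows PERM) and runs them when NetworkManager reports an interface coming up. The file path, the "MAC IP" column order and the count_permanent post-check helper are assumptions made for this example.

```python
#!/usr/bin/env python3
"""Added example, not the blog author's script: a NetworkManager dispatcher
that pins the mappings of an /etc/ethers-style file as PERMANENT neighbour
entries with iproute2 ("ip neigh replace"), for hosts without net-tools' arp(8).

Assumed file format (one mapping per line, '#' comments allowed):
    00:11:22:33:44:55  1.2.3.4
NetworkManager invokes dispatcher scripts as: <script> <interface> <action>.
"""
import ipaddress
import re
import subprocess
import sys

MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")


def parse_ethers(text):
    """Return a list of (ip, mac) tuples from ethers-style text.

    Malformed lines are reported on stderr and skipped rather than silently
    turned into an entry: a wrong MAC pinned as PERMANENT would cut the host
    off from its gateway until the entry is removed by hand.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        parts = line.split()
        if len(parts) != 2:
            print(f"line {lineno}: expected 'MAC IP', got {raw!r}", file=sys.stderr)
            continue
        mac, ip = parts
        try:
            ip_obj = ipaddress.IPv4Address(ip)   # syntax check of the IPv4 address
        except ValueError:
            print(f"line {lineno}: bad IPv4 address {ip!r}", file=sys.stderr)
            continue
        if not MAC_RE.match(mac):
            print(f"line {lineno}: bad MAC address {mac!r}", file=sys.stderr)
            continue
        entries.append((str(ip_obj), mac.lower()))
    return entries


def neigh_commands(entries, iface):
    """Build the iproute2 argv for each mapping ("nud permanent" == PERM in arp -a)."""
    return [
        ["ip", "neigh", "replace", ip, "lladdr", mac, "dev", iface, "nud", "permanent"]
        for ip, mac in entries
    ]


def count_permanent(ip_neigh_output):
    """Count PERMANENT entries in 'ip neigh show' output (assumed post-check helper)."""
    return sum(1 for line in ip_neigh_output.splitlines()
               if line.rstrip().endswith("PERMANENT"))


def main(argv, ethers_path="/etc/ethers"):
    """Dispatcher entry point: only act on the 'up' action, as the bash script does."""
    if len(argv) < 3 or argv[2] != "up":
        return 0
    with open(ethers_path) as fh:
        entries = parse_ethers(fh.read())
    for cmd in neigh_commands(entries, argv[1]):
        subprocess.run(cmd, check=True)     # needs root, like arp -f
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Install it as /etc/NetworkManager/dispatcher.d/40-arp with executable rights, exactly like the bash version; with any action other than up it does nothing, so it can be dry-run without root to check that the file parses.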

Voilà! Should you not use NetworkManager for some reason, you can do something equivalent with ifup scripts, following the syntax of your current Linux distribution.

But, let me stress it once more, to be sure you don’t get me wrong:

Despite being an enhancement, this is not a sufficient protection and you may still get pwned! Authentication and encryption MUST also come into play, so use only TLS-enabled services, HTTPS sites and, ideally, a good IPSEC / SSH / TLS tunnel to carry ALL of your traffic!

Promiscuous mode detection

Detectpromisc is a Python script based on Scapy that detects whether a computer is sniffing the network.

By nature, it is quite difficult to detect whether a machine is sniffing, because it operates passively, receiving all packets from the wire but, normally, answering only packets destined to itself.

There are however several methods that make the detection possible.

Some are based on latency, because in promiscuous mode a machine will take more time to answer (packets have to be processed by the kernel, not only by the network card).

Another involves generating some tricky packets, with a correct IP but a wrong MAC address. The machine should answer only if it is sniffing.

It is also possible to use source routing through a host on the path that doesn’t route. If an answer comes back anyway, the target is sniffing.

Other methods are implemented by IDS and based on the volume of DNS requests.

Most of these methods are not necessarily reliable or easy to implement. All the ones based on IP routing are quite easy for the attacker to work around.

Detectpromisc works exclusively at the ARP level.

Depending on the OS, it sends out some specific ARP packets (multicast, fake broadcast…).

In normal mode, the network card will discard these illegitimate packets: this is called the hardware filter.
In promiscuous mode, there is no hardware filter: packets reach the kernel directly (software filter).

Of course, depending on the OS, the kernel will behave differently, but some of the tricked ARP packets generated by Detectpromisc will cause the sniffing machine to send an answer.

It is therefore possible to differentiate a sniffing machine from a normal machine. Plus, as the behaviour is quite reliable and OS specific, it is possible to fingerprint the target.
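To see why the ARP-level probes separate a sniffing host from a normal one, here is an added model (not Detectpromisc's code) of the two filters described above: the hardware filter, which passes up only frames addressed to the card's own address, to the all-ones broadcast, or to a multicast group the card has joined, and a simplified software side that, like the Linux behaviour the post relies on, answers any ARP request for its own IP that reaches it whatever the Ethernet destination. The probe addresses, the sample host and the one-line kernel model are constructed assumptions for the example; nothing is sent on the wire.

```python
"""Added example, not part of Detectpromisc: a model of why ARP probes with
an illegitimate destination MAC reveal a card in promiscuous mode.

Hardware filter (normal mode): accept only own unicast, broadcast, or a
joined multicast group. Promiscuous mode: accept everything.
Software side: simplified Linux-like ARP handling that answers any request
for the host's IP that reaches the kernel (an assumption for the model).
All MAC / IP values below are constructed sample data.
"""
BROADCAST = "ff:ff:ff:ff:ff:ff"


def is_group_address(mac):
    """True when the I/G bit (LSB of the first octet) is set: multicast or broadcast."""
    return (int(mac.split(":")[0], 16) & 0x01) == 1


def hardware_filter_accepts(dst_mac, own_mac, joined_groups=(), promiscuous=False):
    """Decide whether the NIC hands the frame to the kernel at all."""
    if promiscuous:
        return True                       # no hardware filter: everything goes up
    dst = dst_mac.lower()
    if dst == own_mac.lower() or dst == BROADCAST:
        return True
    return is_group_address(dst) and dst in {g.lower() for g in joined_groups}


def linux_arp_replies(arp_request, host_ip):
    """Simplified Linux behaviour: reply to any ARP request whose target is our IP,
    without looking at the Ethernet destination (model assumption)."""
    return arp_request["target_ip"] == host_ip


def probe_result(dst_mac, host):
    """True if the modelled host would answer an ARP request sent to dst_mac."""
    request = {"dst_mac": dst_mac, "target_ip": host["ip"]}
    if not hardware_filter_accepts(dst_mac, host["mac"],
                                   host.get("groups", ()), host.get("promisc", False)):
        return False                      # dropped by the card, kernel never sees it
    return linux_arp_replies(request, host["ip"])


# Constructed probe set: one control (everyone answers) and three illegitimate
# destinations that only a card without hardware filtering passes up.
PROBES = {
    "broadcast": "ff:ff:ff:ff:ff:ff",                 # control probe
    "fake broadcast (ff:ff:ff:ff:ff:fe)": "ff:ff:ff:ff:ff:fe",
    "unjoined multicast": "01:00:5e:7f:00:01",        # group the host never joined
    "wrong unicast": "00:00:00:00:00:01",
}


def classify(host):
    """Map each probe name to whether the host replied."""
    return {name: probe_result(mac, host) for name, mac in PROBES.items()}


def looks_promiscuous(results):
    """A reply to any probe other than the control means the card is sniffing."""
    return any(replied for name, replied in results.items() if name != "broadcast")


if __name__ == "__main__":
    sample = {"ip": "192.168.222.25", "mac": "00:15:17:9d:d6:d1",
              "groups": ["01:00:5e:00:00:01"]}      # joined all-hosts group only
    for promisc in (False, True):
        host = dict(sample, promisc=promisc)
        res = classify(host)
        print(f"promisc={promisc}: {res} -> sniffing={looks_promiscuous(res)}")
```

The fingerprinting side of the tool follows from the same idea: real kernels differ in how much of the destination MAC their software filter checks, so the pattern of which illegitimate probes get an answer varies by OS, which this single Linux-like model does not attempt to reproduce.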

In practice, it has worked very well so far:

% sudo ./detect.py -i eth0 -O 192.168.222.25
Scan right index finger on UPEK TouchStrip
WARNING: No route found for IPv6 destination :: (no default route?)
192.168.222.25 : promiscuous mode card detected
probably: Linux 2.2/2.4/2.6
% sudo ./detect.py -i eth0 -O 192.168.222.26
WARNING: No route found for IPv6 destination :: (no default route?)
192.168.222.26 : promiscuous mode card detected
probably: Windows 2k/NT4

A full paper on how it works is there. Great tool, isn’t it?

Introduction to network attacks : Physical Layer

This will be a short article, mainly for two reasons. First, some methods are beyond my knowledge, involving electronics or hardware manipulation. Second, such methods are not efficient compared to higher-level ones, and so are rarely used.

The mere concept of a physical attack implies that you have direct physical access to your target, giving you the ability to modify it as you wish.
This is an ideal situation for an attacker, though not a common one. And in that case, there is not much to be done on the defensive side.
