ARP poisoning/MITM attack prevention

[SawPer]

...it all started the other day when Irongeek posted his tutorial about nmap. Was really good. So then I browsed around on his website, looking for what all more stuff he had done. I saw one eye catching tutorial: Cain to ARP poison and sniff passwords

I had used Cain before to sniff passwords from a HUB, but had no clue about how easy it is with ARP poisoning and Man-in-the-middle attacks on a SWITCHed network, until I saw this tutorial where he shows how to do it in less than a minute.. ! I thought, maaan, that was way too easy to be true on any SWITCHed network. Decided to test it at work, and no, it's true alright, boy did it catch a bunch of passwords...!

So now I'm really concerned about the security at work. At our college we have a few thousands computers. Currently you can pick up passwords easily from pretty much anywhere...

What are all the options to secure and prevent one self from these kind of attacks???

I've tried to do some research and so far I've found this out:

1. You can "hardcode" all the MAC addresses on your network, but it's a big pain if you have a bigger network... This will make it a lot more secure, but there are obviously still ways around it...
2. Make sure ALL the communication on your network is using STRONG ENCRYPTION.
3. You can buy network devices that can detect (but not prevent) ARP/MITM attacks and then notify you about it... (anyone who can recommend something good?)
4. At first thoght you can only do this on the same local subnet you are connected to, but just found out it can be done on an internal network remotely, as long as the internal network has internet access... (which we do.. !)

This is really bad stuff! Could some of you give me more info about all this, and surely there must be a better way to protect one self against it... or??!

[Tiger Shark]

2. Make sure ALL the communication on your network is using STRONG ENCRYPTION.

Ahhh.... The double edged sword....

Allow only encrypted transmissions:

Pro: It makes many attacks fail simply because the information required to assist the attacker in the attack is no longer available to him without a serious commitment to cracking the keys that will require substantial computing power and time.

Con: As a system admin I can't see what is going on on the network. All traffic monitors show the same thing, (encrypted traffic), and IDS' simply don't work.

Allow only unencrypted transmissions:

Pro: I can watch you. I can see everything that happens. My IDS' and other monitors work so I can detect the anomolous traffic and mitigate it.

Con: The attacker who gains a foothold can sniff the traffic the same as I can and exploit the information gained more easily...

Hmmm.... What to do?

My opinion: If you can't see the traffic you can't understand it. If you can't understand it then you can't detect the intrusion. Thus, you have to be able to see the traffic.... Run the trusted network unencrypyed, watch for encrypted streams and validate them or kill them.

[nebulus200]

Think one of your best ways to combat this would be through port security (which is what you mentioned when you said statically enter everyone's MAC). What you are essentially doing is telling a switch that on that port, only this one MAC is authorized to use it. Can be very work intensive to do it and alot of work to maintain it. I am not sure about other vendors, but Cisco does offer an in between that allows you to set a maximum # of MAC addresses for a port and another setting that prevents a system on that switch from receiving broadcast/multicast traffic.

Anyway, the first option should work for you. Simply set the max # of MAC addresses per port to 1 and then any arp spoofing will fail because you would have more than one MAC address there...

[ammo]

Couple of things:

First it needs to be mentionned that strong encryption itself isn't the silver bullet when it comes to man in the middle attack: while the encryption itself is strong, the weakness is in the key exchange and authentication. For example, it's possible to conduct a MITM on SSL and SSH connections and if the user ignores the warnings from the browser/ssh client that the certificate is invalid or that the host fingerprint is wrong, you'll be able to sniff the session....
So it's only strong *mutual*authentication, combined with strong encryptiong that really aleviates this problem.

As for prevention mesures you can:
-as nebulus mentionned, use port security on your managed switches. The easiest way to set this up is to run the network in a known trusted state first, let the switch build it's MAC table and then freeze the MAC table on the switch.

-use port level authentication with 802.1x

-use the arpwatch software to monitor ip/mac associations on the network.

Other than that I'm not aware of much more that can help...


Ammo

[SawPer]

Thanks a lot guys!!
As always, very good advices!!

Btw, are there any arpwatch programs for windows that monitors the network?

Oh, and what about the "rumor" about beeing able to do MITM attacks remotely over the internet...? Is that really possible? Have read/heard both ways; can't be done, cause the routers cuts the MAC's off, but also heard it still is possible, just never heard how you could make it possible...

Thanks again!

[thehorse13]

Oh, and what about the "rumor" about beeing able to do MITM attacks remotely over the internet...?

In theory, yes, however technically it is a very difficult process to get setup and working correctly. If you have a basic understanding of routing, you'll quickly come to this conclusion.

[SawPer]

Been testing and playing with it some more, and just discovered something new I haven't heard about before.

We went to the Bread CO to see how they address users being able to MITM attack other wireless users. And they actually have something different in place!

When using Cain, AP and the whole IP range available for users, all IP's already had "ghosted" MAC addresses, they all had the same MAC, if they were in use or not.

I have never heard of this "solution" before. Anyone who knows more about it, and how effective it really is?

Without any further "hacking" we weren't able to execute any successful MITM attack.

[Striek]

Alright, unless someone can actually tell me how this works, I don't believe it's possible now.

I have a scenario which may accomplish this:

The nearest router to the workgroup switch runs a layer 2 firewall, altering the MAC addresses on all outgoing packets to be the same. The workgroup switch is actually a layer 3 switch, and does not rely on MAC addresses to switch traffic.

Packets travelling from workstations to the nearest router would then bear the MAC address of whatever the layer 2 firewall is altering them to be. This MAC address would of course be irrelevant as the workgroup switch switches based only on IP addresses.

Now, all the workstation NICs must be placed into promiscuous mode, either through some network setting of which I am unaware, or by jumper settings on the card itself, if such cards exist. The network stack on each workstation should then recieve traffic routed and switched by IP address alone, and ignore MAC addresses.

Would this work?

[Double//Cut]

"Btw, are there any arpwatch programs for windows that monitors the network?"

ettercap for windows (linux port, but seems to be half decent in functionality, not sure on XP anymore, but server's should be fine, not sure how ettercap uses raw sockets in windows), can detect machines running network cards in promisc, and can display who's running mitm attacks (not sure exactly how this works)

other than that, Snort IDS can detect an ARP Spoof and kill the connections, also a port to windows

[thehorse13]

I read through this post again and I was a little concerned with the sound of how easy this technique is advertised by someone who tried it. I was left with the same feeling I get when I watch those chuckle heads wax cars that have been in the junkyard using the miracle deluxe space age car wax...."Anyone can do this folks....it's simple!"

That said, IMPORTANT SAFETY NOTE:

While this app and others such as frag router allow you to ARP poison and route traffic through your box, if you attempt this a on an enterprise WAN (and you have no idea what you're up to) with a simple desktop or laptop, it's very likely you're going to DoS the place in record time. I can assure you that if your IT staff is half way decent you are going to get a visit very quickly. If you are going to play with this, be very careful as the end results may land you a fabulous position at McDonalds.

One last thing, every Cisco device with a newer IOS can prevent ARP poisoning. All of mine are set to do this.