Friday, July 06, 2007

ARP Spoofing in Real Life

I teach various layer 2 attacks in my TCP/IP Weapons School class. Sometimes I wonder if students are thinking "That is so old! Who does that anymore?" In response I mention last year's Freenode incident where Ettercap was used in an ARP spoofing attack.

Thanks to Robert Hensing's pointer to Neil Carpenter's post, I have another documented ARP spoofing attack. Here a malicious IFRAME is injected into traffic by ARP spoofing a gateway. We cover that in my Black Hat classes, both of which are now officially full.

Please remember that TCP/IP Weapons School is a traffic analysis class. I believe I cover the most complicated network traces presented in any similar forum. All you need to get the most out of the class is a laptop running a recent version of Wireshark. The class is not about demonstrating tools or having students run tools. Other classes do a better job with that sort of requirement. The purpose of this class is to become a better network security analyst by deeply understanding how certain network-based attacks work. I provide all of the information needed to replicate the attack if so desired, but that is not my goal.
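As an added defender's illustration of the traffic-analysis angle (example code written for this page, not from the class or the linked posts): a minimal parser for Ethernet/IPv4 ARP payloads and a detector that alerts when the gateway's IP is claimed by a second MAC address, the pattern an Ettercap-style gateway impersonation leaves in a capture. The packets and addresses below are constructed samples.

```python
import struct
from dataclasses import dataclass

ARP_REQUEST, ARP_REPLY = 1, 2


@dataclass(frozen=True)
class Arp:
    opcode: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


def parse_arp(payload: bytes) -> Arp:
    """Parse the 28-byte RFC 826 ARP payload that follows the Ethernet header."""
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", payload[:8])
    if htype != 1 or ptype != 0x0800 or hlen != 6 or plen != 4:
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", payload[8:28])
    mac = lambda b: ":".join(f"{x:02x}" for x in b)
    ip = lambda b: ".".join(str(x) for x in b)
    return Arp(op, mac(sha), ip(spa), mac(tha), ip(tpa))


def build_arp(op: int, sha: str, spa: str, tha: str, tpa: str) -> bytes:
    """Helper used only to construct sample packets for this example."""
    mac = lambda s: bytes(int(x, 16) for x in s.split(":"))
    ip = lambda s: bytes(int(x) for x in s.split("."))
    return struct.pack("!HHBBH", 1, 0x0800, 6, 4, op) + mac(sha) + ip(spa) + mac(tha) + ip(tpa)


def detect_gateway_spoof(packets, gateway_ip: str):
    """Return (packet_index, first_mac, conflicting_mac) for every ARP reply
    that claims gateway_ip with a MAC other than the first one observed."""
    known = None
    alerts = []
    for idx, raw in enumerate(packets):
        arp = parse_arp(raw)
        if arp.opcode != ARP_REPLY or arp.sender_ip != gateway_ip:
            continue
        if known is None:
            known = arp.sender_mac          # trust the first mapping seen
        elif arp.sender_mac != known:
            alerts.append((idx, known, arp.sender_mac))
    return alerts


GATEWAY = "192.168.1.1"  # constructed sample network
SAMPLE = [
    build_arp(ARP_REPLY, "00:11:22:33:44:01", GATEWAY, "00:aa:bb:cc:dd:10", "192.168.1.10"),  # real gateway
    build_arp(ARP_REQUEST, "00:aa:bb:cc:dd:10", "192.168.1.10", "00:00:00:00:00:00", GATEWAY),  # ignored
    build_arp(ARP_REPLY, "de:ad:be:ef:00:01", GATEWAY, "00:aa:bb:cc:dd:10", "192.168.1.10"),  # second MAC
]
```

Seeding `known` from a configured gateway MAC instead of the first reply avoids trusting a capture that already begins after the spoofing started.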

12 comments:

dre said...

If somebody combined AttackAPI with these Ettercap filters or airpwn, they could own the whole browser. The "XSS Attacks" book covers this.

The only way to stop that sort of attack for sure would be to run a browser with no support for JavaScript (JavaScript turned off, or using NoScript, may not be enough) -or- to make sure that all your browser traffic is encrypted by an IPSec tunnel, SSL VPN, or very similar encrypted method.

I guess this would be a good reason to stress the use of IPSec or SSL VPN for all outgoing connections while using WiFi, and possibly even on the LAN. The Cisco DAI feature prevents MITM attacks such as arp poisoning, but only under the right other conditions and configuration/environmental settings.

Dave Sutton said...

Hi Richard,
Since it looks like you're no longer going to be teaching "TCP/IP Weapons School", I was wondering if you had considered writing a book that covers the material found in the course. Unfortunately, I haven't been fortunate enough to attend any of your classes, but I'd definitely buy a book that covers this material. Just my $0.02 and good luck at GE.

Richard Bejtlich said...

Hi Dave,

I am considering writing a book called Hacking TCP/IP Illustrated covering these topics.

Dave Sutton said...

Awesome. Too bad it's so far away (end of 2008/beginning of 2009).

Anonymous said...

Richard, words cannot express how sad I am that you apparently decided not to write a book on Sguil. I'm sure I'm not alone either, and I hope you end up changing your mind.

Richard Bejtlich said...

Anonymous,

I think a book on Sguil would be overkill. An ebook might work. However, I just don't have time for it now.

CG said...

Any chance of you releasing any of those network traces to the public since you won't be teaching the class anymore?

Anonymous said...

There might be interest in video reproductions of your classes.

Chuck

Richard Bejtlich said...

CG,

I will probably post the traces to OpenPacket.org when the site is live.

Chuck,

I've considered video but the cost and time requirements are prohibitive.

Anonymous said...

Looks like there's another one to add to your list:
http://www.avertlabs.com/research/blog/index.php/2007/10/04/arp-spoofing-is-your-web-hosting-service-protected/
