ARP Spoofing in Real Life
I teach various layer 2 attacks in my TCP/IP Weapons School class. Sometimes I wonder if students are thinking "That is so old! Who does that anymore?" In response I mention last year's Freenode incident where Ettercap was used in an ARP spoofing attack.
Thanks to Robert Hensing's pointer to Neil Carpenter's post, I have another documented ARP spoofing attack. Here a malicious IFRAME is injected into traffic by ARP spoofing a gateway. We cover that in my Black Hat classes, both of which are now officially full.
Please remember that TCP/IP Weapons School is a traffic analysis class. I believe I cover the most complicated network traces presented in any similar forum. All you need to get the most out of the class is a laptop running a recent version of Wireshark. The class is not about demonstrating tools or having students run tools. Other classes do a better job with that sort of requirement. The purpose of this class is to become a better network security analyst by deeply understanding how certain network-based attacks work. I provide all of the information needed to replicate the attack if so desired, but that is not my goal.
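As an added example (not from the original post or the class material), here is the traffic-analysis check an analyst would apply to the gateway-spoofing scenario above, in Python. The LAN addresses and the four ARP frames are constructed; the detector flags ARP replies that no host requested and any IP whose MAC changes during the trace.

```python
import struct

GATEWAY_IP, GATEWAY_MAC = "192.168.1.1", "00:11:22:33:44:01"   # constructed sample LAN
VICTIM_IP, VICTIM_MAC = "192.168.1.50", "00:11:22:33:44:50"    # (not from the original post)
ATTACKER_MAC = "de:ad:be:ef:00:01"

def mac_bytes(mac): return bytes(int(x, 16) for x in mac.split(":"))
def ip_bytes(ip): return bytes(int(x) for x in ip.split("."))
def arp_frame(op, smac, sip, tmac, tip):
    """Ethernet II frame carrying an ARP packet (op 1 = request, 2 = reply)."""
    dst = mac_bytes("ff:ff:ff:ff:ff:ff") if op == 1 else mac_bytes(tmac)
    hdr = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)  # Ethernet, IPv4, hlen 6, plen 4
    return dst + mac_bytes(smac) + b"\x08\x06" + hdr + mac_bytes(smac) + ip_bytes(sip) + mac_bytes(tmac) + ip_bytes(tip)

def parse_arp(frame):
    """Return (op, sender_mac, sender_ip, target_ip), or None if the frame is not ARP."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    op = struct.unpack("!H", frame[20:22])[0]
    smac = ":".join(f"{b:02x}" for b in frame[22:28])
    sip = ".".join(str(b) for b in frame[28:32])
    tip = ".".join(str(b) for b in frame[38:42])
    return op, smac, sip, tip

def detect_arp_spoof(frames):
    """Flag replies nobody asked for, and an IP whose MAC changes during the trace."""
    first_mac, pending, alerts = {}, set(), []  # ip -> first MAC seen, IPs asked for, findings
    for i, frame in enumerate(frames):
        if (parsed := parse_arp(frame)) is None:
            continue
        op, smac, sip, tip = parsed
        if op == 1:
            pending.add(tip)
        elif op == 2:
            if sip in pending:
                pending.discard(sip)
            else:
                alerts.append(f"frame {i}: unsolicited reply {sip} is-at {smac}")
            if sip in first_mac and first_mac[sip] != smac:
                alerts.append(f"frame {i}: {sip} moved from {first_mac[sip]} to {smac}")
            first_mac.setdefault(sip, smac)
    return alerts

# Constructed trace: one legitimate exchange, then an attacker poisoning both ends.
SAMPLE_TRACE = [
    arp_frame(1, VICTIM_MAC, VICTIM_IP, "00:00:00:00:00:00", GATEWAY_IP),
    arp_frame(2, GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),
    arp_frame(2, ATTACKER_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),   # "gateway is at attacker"
    arp_frame(2, ATTACKER_MAC, VICTIM_IP, GATEWAY_MAC, GATEWAY_IP),  # "victim is at attacker"
]
```

A legitimate host announcing its own address with gratuitous ARP also trips the unsolicited-reply check, so treat that alert as a triage cue and the MAC-change alert as the stronger indicator.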
Comments
The only way to stop that sort of attack for sure would be to run a browser with no support for JavaScript (JavaScript turned off, or using NoScript, may not be enough) -or- to make sure that all your browser traffic is encrypted by an IPSec tunnel, SSL VPN, or very similar encrypted method.
I guess this would be a good reason to stress the use of IPSec or SSL VPN for all outgoing connections while using WiFi, and possibly even on the LAN. The Cisco DAI feature prevents MITM attacks such as ARP poisoning, but only under the right other conditions and configuration/environmental settings.
Since it looks like you're no longer going to be teaching "TCP/IP Weapons School", I was wondering if you had considered writing a book that covers the material found in the course. Unfortunately, I haven't been fortunate enough to attend any of your classes, but I'd definitely buy a book that covers this material. Just my $0.02 and good luck at GE.
I am considering writing a book called Hacking TCP/IP Illustrated covering these topics.
I think a book on Sguil would be overkill. An ebook might work. However, I just don't have time for it now.
Chuck
I will probably post the traces to OpenPacket.org when the site is live.
Chuck,
I've considered video but the cost and time requirements are prohibitive.
http://www.avertlabs.com/research/blog/index.php/2007/10/04/arp-spoofing-is-your-web-hosting-service-protected/