Computer Network, System and Security stuff

ARPFreeze

ARPFreeze is a nice GUI for Windows that lets you configure static ARP entries very easily and makes these changes persistent across reboots.
It thereby protects the client machine against ARP flooding.

It works on both Windows Vista and earlier versions (it supports both arp -s and netsh).

Promiscuous mode detection

Detectpromisc is a Python script based on Scapy that detects whether a computer is sniffing the network.

By nature, it is quite difficult to detect whether a machine is sniffing, because it operates passively: it receives all packets from the wire but normally answers only packets destined for itself.

There are however several methods that make the detection possible.

Some are based on the latency, because in promiscuous mode a machine will take more time to answer (packets have to be processed by the kernel, not the network card only).

Another involves generating some tricky packets, with a correct IP address but a wrong MAC address. The machine should answer only if it is in sniffing mode.

It is also possible to use source-routing with a host on the path that doesn’t route. If an answer comes back anyway, the target is sniffing.

Other methods are implemented by IDS and based on the volume of DNS requests.

Most of these methods are not necessarily reliable or easy to implement. All the ones based on IP routing are quite easy for the attacker to work around.

Detectpromisc works exclusively at the ARP level.

Depending on the OS, it sends out some specific ARP packets (multicast, fake broadcast…).

In normal mode, the network card discards these illegitimate packets: this is called the hardware filter.
In promiscuous mode, there is no hardware filter: packets reach the kernel directly (software filter).

Of course, the kernel behaves differently depending on the OS, but some of the tricked ARP packets generated by Detectpromisc will cause the sniffing machine to send an answer.

It is therefore possible to differentiate a sniffing machine from a normal machine. Plus, as the behaviour is quite reliable and OS-specific, it is possible to fingerprint the target.
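The hardware-filter versus software-filter reasoning above, as an added example that is not Detectpromisc's own code: an offline model that builds a real ARP request frame addressed to a fake broadcast MAC and passes it through both filters of a simulated host. The Host class, the value ff:ff:ff:ff:ff:fe, the kernel's group-bit-only check and all addresses are assumptions constructed for illustration; real kernels differ per OS.

```python
import struct

BROADCAST = bytes.fromhex("ffffffffffff")
FAKE_BROADCAST = bytes.fromhex("fffffffffffe")  # assumed probe: group bit set, not real broadcast

def mac(text):
    return bytes.fromhex(text.replace(":", ""))

def ip(text):
    return bytes(int(part) for part in text.split("."))

def arp_request(dst_mac, src_mac, src_ip, target_ip):
    """Ethernet II header + ARP who-has (RFC 826 layout), 42 bytes in total."""
    eth = dst_mac + src_mac + struct.pack("!H", 0x0806)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)  # Ethernet, IPv4, hlen, plen, op=request
    return eth + arp + src_mac + src_ip + b"\x00" * 6 + target_ip

class Host:
    """Simplified machine: NIC hardware filter first, then kernel software filter."""
    def __init__(self, mac_addr, ip_addr, promiscuous=False):
        self.mac, self.ip, self.promiscuous = mac_addr, ip_addr, promiscuous

    def hardware_filter(self, frame):
        # A normal NIC passes only its own unicast address and the true broadcast.
        return self.promiscuous or frame[:6] in (self.mac, BROADCAST)

    def software_filter(self, frame):
        # Assumption: the kernel accepts its own MAC or any address with the group bit set.
        return frame[:6] == self.mac or bool(frame[0] & 0x01)

    def receive(self, frame):
        """Return the ARP reply frame, or None when the probe is dropped."""
        if not (self.hardware_filter(frame) and self.software_filter(frame)):
            return None
        ethertype, = struct.unpack("!H", frame[12:14])
        opcode, = struct.unpack("!H", frame[20:22])
        sender_mac, sender_ip, target_ip = frame[22:28], frame[28:32], frame[38:42]
        if ethertype != 0x0806 or opcode != 1 or target_ip != self.ip:
            return None
        eth = sender_mac + self.mac + struct.pack("!H", 0x0806)
        arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 2)  # op=reply
        return eth + arp + self.mac + self.ip + sender_mac + sender_ip

def looks_promiscuous(host, scanner_mac, scanner_ip):
    """A reply to the fake-broadcast probe means the hardware filter was off."""
    probe = arp_request(FAKE_BROADCAST, scanner_mac, scanner_ip, host.ip)
    return host.receive(probe) is not None
```

In this model a probe sent to a wrong unicast MAC is never answered, even by a sniffing host, because the software filter still rejects it; only destinations that the kernel mistakes for broadcast or multicast reveal the missing hardware filter.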

In practice, it has worked very well so far:

% sudo ./detect.py -i eth0 -O 192.168.222.25
Scan right index finger on UPEK TouchStrip
WARNING: No route found for IPv6 destination :: (no default route?)
192.168.222.25 : promiscuous mode card detected
probably: Linux 2.2/2.4/2.6
% sudo ./detect.py -i eth0 -O 192.168.222.26
WARNING: No route found for IPv6 destination :: (no default route?)
192.168.222.26 : promiscuous mode card detected
probably: Windows 2k/NT4

A full paper on how it works is there. Great tool, isn’t it?

Introduction to network attacks : Network Layer

Let’s continue our small review of network attacks by looking this time at some typical attacks on the network layer. These are the best-known examples of what can be done.

DecaffeinatID : a little ARP IDS for Windows

DecaffeinatID is a tool for Windows that can be very useful against ARP attacks.

Introduction to network attacks : Physical Layer

This will be a short article, mainly for two reasons. First, some methods are beyond my knowledge, involving electronics or hardware manipulation. Second, such methods are not efficient compared to higher-level ones, and so are rarely used.

The mere concept of a physical attack implies that you have a direct physical access to your target, giving you the ability to modify it as you wish.
This is an ideal situation for an attacker, not quite common. And in that case, there is nothing much to be done on the defensive side.