From: Paul Melson (pmelson@gmail.com)
Date: Wed Dec 12 2007 - 16:58:18 EST
> I too have performed MITM attacks on my network with Cain & Able. Also
having grabbed a few
> HTTP and FTP passwords seeing that it was successful I now need to secure
my self against these
> attacks but how can I do this? Would static MAC mappings in my hosts files
do the trick?
If you own the network, limiting the number of simultaneous MAC addresses
any client port can have to 2 or less is the best way to stop APR attacks
like the kind Cain does. If you use Cisco switches, Google for 'switchport
security' and you'll find all of the docs you need to implement this
properly.
Editing your hosts file will protect you against DNS spoofing, but it does
nothing for MITM attacks, since if I can spoof IP traffic inline, I don't
need DNS.
If you are trying to secure your client machine against APR and you don't
own the network, your best bet is to use a static ARP entry (arp -s IP MAC)
for your default gateway. However, this won't stop APR from seeing return
traffic if it can fool the router. It also won't help you if the arp
spoofing attacker is there first, since getting a valid MAC for the default
gateway will be difficult. But the bottom line is that if the switch allows
it, your client can't really stop APR attacks. So when you think it's
possible that APR is being used on a network you are attached to, use
encrypted protocols that authenticate both endpoints.
PaulM
------------------------------------------------------------------------
This list is sponsored by: Cenzic
Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!
http://www.cenzic.com/downloads
------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:58:15 EDT