# Ettercap, Arpwatch, security - argh!

## Herodot

Hi,

there are about 50 apartments in my building, and we share an internet connection. We have a LAN with switches and a router/gateway/NAT. It works quite well. Or so I thought... Last night I discovered, to my horror, that from my machine I can sniff everybody's passwords to mail and chats and whatnot, using Ettercap. Through switches. Not good, not good at all. There are forums for Ettercap, but they are mostly concerned with telling everybody that no systems are safe and to RTFM. So I turn to the much nicer Gentoo forums.

1) Ettercap (apparently) works by ARP spoofing (or MAC spoofing or DNS spoofing if that fails...). I'm not too sure exactly how, but setting a "static arp" should help. How do I do that for my Gentoo box?

2) That won't resolve the problem, which I think is that our gateway (a hardware box of some sort, not a computer) is arp-spoofed. So I think we need a computer to act as a gateway/DHCP/NAT/whatever, and give that a static arp. Is that correct?

3) Until that is done, the program Arpwatch can help alert me if somebody is sniffing our net. Right? There is close to no documentation for Arpwatch, but I think it can mail me if it detects foul play - right? Do I need to set up an SMTP server on the machine running arpwatch, or how does that work?

4) What can I read to learn about these things? (free, online stuff much preferred)

5) What else can I do?

----------

## Supermule

 *Quote:*   

> 
> 
> 1) Ettercap (apparently) works by ARP spoofing (or MAC spoofing or DNS spoofing if that fails...). I'm not too sure exactly how, but setting a "static arp" should help. How do I do that for my Gentoo box?
> 
> 2) That won't resolve the problem, which I think is that our gateway (a hardware box of some sort, not a computer) is arp-spoofed. So I think we need a computer to act as a gateway/DHCP/NAT/whatever, and give that a static arp. Is that correct?
> ...

 

Well, basically you've got the point... disabling ARP spoofing doesn't help much. Most hackers have software that will attack using all kinds of methods... ARP spoofing just being one of them. You don't tell what kind of router you have, but it sure looks like it isn't a firewall at all. So you should definitely get yourself a firewall.

The guys you already spoke to (the RTFM ones) do have a very important point: NO system is 100% safe... but we can certainly do our best  :Smile: 

You can use any Linux distro (incl. Gentoo) to set up such a feature using ipchains. Basically, for your specific problem (spoofing of some sort) you would set up filters like the following (note that Ext_Intrface and such are variables in the filter setup):

```
# Example values for the variables used below - adjust them to your own network.
Ext_Intrface=eth0            # interface facing the ISP
Int_Nw=192.168.1.0/24        # internal LAN address range
Local_IP=203.0.113.5         # the gateway's own external address
All_Adr=0.0.0.0/0            # any destination

# Avoid 'spoofing' - deny (and log, -l) packets with a local IP coming in on Ext_Intrface
/sbin/ipchains -A input -i "$Ext_Intrface" -s "$Int_Nw" -d "$All_Adr" -l -j DENY

# Avoid 'spoofing' - deny packets with our Local_IP coming in on Ext_Intrface
/sbin/ipchains -A input -i "$Ext_Intrface" -s "$Local_IP" -d "$All_Adr" -l -j DENY

# Avoid 'spoofing' - deny packets with 0.0.0.0 coming in on Ext_Intrface
/sbin/ipchains -A input -i "$Ext_Intrface" -s 0.0.0.0 -d "$All_Adr" -l -j DENY
```

Besides all the basic stuff in iptables...

However... this (in my view) isn't enough. You should also get some software to sniff your network's gateway... thus closing (hopefully) attacks on the gateway's OS and/or trojans at work. There are a couple of software packages out there that can do such things. Search for IDS (Intrusion Detection Systems) on Google and you will find a lot  :Smile:  - I use snort, which is quite effective and frequently updated in methods.

If you think: OMG... I don't wanna get into details with this, I'd recommend a distro that has all the basic functionality... After trying lots of those, I ended up with Smoothwall... It's a dedicated firewall distro that has it all, IMHO. It's well documented and very stable... Updates to the system (IDS/firewall) are done easily via the web interface...

You can download it here:

http://www.smoothwall.org

Hope it helps you out a bit...

EDIT: If you decide to take on ipchains yourself, try 'man ipchains', and read /usr/doc/HOWTO/IPCHAINS-HOWTO. Also search Google for sample scripts... there are a lot of them on the net.

----------

## Herodot

Hi,

thank you for your answer.

My main concern isn't attacks from the outside. Our common NAT doesn't allow anything incoming, so that's probably reasonably secure.

My problem is that everybody on the inside can simply run Ettercap and get everybody's mail passwords and more.

Running arpwatch will likely tell if anybody is arpspoofing, but I don't know how to get arpwatch to let me know if that is happening. I can do "grep arpwatch /var/log/everything/current" and try to understand what's happening, but I can't spend all my time doing that.

Getting some sort of automated supervision of the network is my first priority.

----------

## bryon

I know that ettercap has a plugin that can monitor for ARP poisoning, and you will get a little notice on the screen if the ARP cache is poisoned.

----------

## CinqueX

The only real solution for you is to avoid unencrypted services. It's time to migrate to sftp/imapd-ssl/pop-ssl/https etc. You are fairly screwed unless you can convince your ISP admin to plug you directly into an isolated switch port. It sounds like you might be plugged into just a dumb hub and are seeing all traffic on your segment.

Ettercap isn't the only tool; you are vulnerable to any packet sniffer, or any network interface in promiscuous mode.

Regards,

C.

----------

## Herodot

OK, I'll repeat in simpler terms:

I'm on a switched network.

Ettercap can do arp spoofing, and it can collect pop3 passwords from everybody on the network.

Arpwatch can possibly monitor the ARP tables. It may be able to alert me if somebody tries to run Ettercap.

Can anybody help me with Arpwatch? There's no documentation.

----------

## BlueShift

Hi,

Sorry, can't help you with Arpwatch, I havn't used it.

Setting a static ARP table on the gateway will prevent this man-in-the-middle attack (I think; I only learned about this problem last week, so I am not really an expert on the subject). But I think it will also prevent someone from changing [his/her] [network card/computer], so maybe this creates more problems than it solves.

The advice on the Ettercap forums may not be what you want to hear, but I think it's the best advice there is. If you want security, be paranoid.

CinqueX also has a good point, there is no excuse for sending unencrypted passwords over a network.

Sorry if this is not very helpful.

Greetings,

Jan.

----------

## barlad

Indeed, setting up a static ARP table is not a viable option as soon as you have a lot of computers over which you have barely any control. As soon as someone wants to change his local IP address for whatever reason, or even if he changes his network card, you have to update the cache. If one user does it once a week, that's fine... if 50 users do it once every 2 days, that's less "fine".

The second solution someone stated is to make it so that you are on your own port. That won't work. All you have to do is some MAC address spoofing to get some of the traffic redirected. That's easily spottable, but if the admin does not pay much attention or has no specific software warning him, it will go through without a problem. Same problem if the switch is not properly configured or has no security.

Third solution, arpwatch. Arpwatch can only monitor its own segment of the local network. It's pretty straightforward to set up. To get the documentation, grab the tarball, untar it, install the package manually (./configure && make && make install), then install the docs: make install-man. You will have arpwatch and arpsnmp documentation. You will get all the changes in IP address and MAC address that were done to the cache. I can think of a few ways to bypass it though.

Like someone said, there is only one solution to this problem: encryption. Everything should be encrypted. That would solve 90% of the problems.

Oh, about setting a static ARP entry for the gateway: that would only solve a part of the problem. MAC spoofing would still work to get the incoming traffic (again, easily spottable).

----------

## paranode

If the switch you are on is operating in spanning tree mode (i.e. acting like a hub) due to too much traffic or whatever, then even static ARP assignments won't help your case.  Anyone can run a program like Ethereal and watch traffic sent out over the ether.  I am on a switched network myself, but once in a while the switch goes into spanning tree mode because of traffic volumes, and you can see when it happens if you are watching the traffic.  So it's strongly advised to avoid cleartext password and sensitive data transmission if it can be avoided.

----------

## Herodot

 *barlad wrote:*   

> Indeed, setting up a static ARP table is not a viable option as soon as you have a lot of computers over which you have barely any control. As soon as someone wants to change his local IP address for whatever reason, or even if he changes his network card, you have to update the cache. If one user does it once a week, that's fine... if 50 users do it once every 2 days, that's less "fine".

 

If this would increase privacy I'd do it. I don't think there'd be too many new computers, and people would simply have to wait for me to get things done. Would this completely eliminate ARP spoofing? Wouldn't MAC spoofing ruin this effort?

 *barlad wrote:*   

> Third solution, arpwatch. Arpwatch can only monitor its own segment of the local network.

 Really? But running it on a machine somewhere on the lan seems to notice if the gateway mac address changes.

 *barlad wrote:*   

> It's pretty straight forward to set-up. To get the documentation, grap the tarbal, untar it, install the package manually (./configure && make && make install) then isntall the docs : make install-man. You will have arpwatch and arpsnmp documentations.

 "emerge arpwatch" should do that, I think.

 *barlad wrote:*   

> You will get all the changes in IP adress and MAC adress that were done to the cache. I can think of a few ways to bypass it though.

 But only for the local segment?

 *barlad wrote:*   

> Like someone said, there is only one solution to this problem: encryption. Everything should be crypted. That would solve 90% of the problems.

Microsoft Messenger uses an MD5 challenge. Ettercap can pick it up, and another program (I forgot the name) can brute-force the password. The remaining 10% are still important.

 *barlad wrote:*   

> oh about setting a static ARP to the gateway. That would only solve a part of the problem. MAC spoofing would still work to get the incoming traffic (again, easily spottable)

Right, but at least the simplest procedures on the inside wouldn't show all POP3 passwords.

So, the solution seems to be: get the network as secure as possible (static arps and such), and monitor the hell out of the traffic.

Get the network as secure as possible:

Static arp table (as opposed to DHCP?) on the gateway/router. This I can probably do on the hardware box, but a dedicated computer would be more flexible in the longer run. What else?

Monitor traffic:

A central computer is probably necessary, acting as router/gateway/arp/whatever. Which programs should I use? I can't very well study all traffic with Ethereal, I need automation. I need to be emailed when strange things happen, or something like that.

 *paranode wrote:*   

> If the switch you are on is operating in spanning tree mode (i.e. acting like a hub) due to too much traffic or whatever, then even static ARP assignments won't help your case. Anyone can run a program like Ethereal and watch traffic sent out over the ether. I am on a switched network myself, but once in a while the switch goes into spanning tree mode because of traffic volumes, and you can see when it happens if you are watching the traffic. So it's strongly advised to avoid cleartext password and sensitive data transmission if it can be avoided.

 I've also run into this. How do you detect when it happens? Does the switch itself go back to acting like a switch? What kind of switch is secure from this?

----------

## barlad

 *Quote:*   

> If this would increase privacy I'd do it. I don't think there'd be too many new computers, and people would simply have to wait for me to get things done. Would this completely eliminate ARP spoofing? Wouldn't MAC spoofing ruin this effort? 

 

It should eliminate ARP spoofing completely under one condition: your gateway (PC or dedicated box) is immune to bugs that allow you to modify a static ARP entry. Some versions of Windows and a few other OSes have bugs which let certain special ARP packets update the static entry.

I am not an expert in this, so there may very well be some other strategies which still allow IP/ARP spoofing. That's why, in any case, encryption is the way to go. That said, static ARP entries are already a big step towards improved security.

MAC spoofing won't ruin the effort; the point of MAC spoofing is that you can get the traffic destined for a machine by having it sent to your segment so that you can sniff it. But for that, you have to DoS the target first. All of this can't bypass the vigilance of a good admin. If you are monitoring your network closely, it will be noticed for sure.

 *Quote:*   

> Really? But running it on a machine somewhere on the lan seems to notice if the gateway mac address changes. 

 

The only thing arpwatch does is put the network card in promiscuous mode and then grab all the ARP packets that it sees. It looks at the requests/answers, keeps an up-to-date ARP table and reports all the modifications. I don't know yet how circulation of ARP packets works (i.e. if an ARP request from Segment A would reach the PCs of Segment B or only the switch of Segment B), so I cannot give you a sure answer, but you may not be able to watch all the PCs with arpwatch. Hopefully, someone more knowledgeable will confirm or deny.

 *Quote:*   

>  "emerge arpwatch" should do that, I think.

 

Nah, I tried and apparently it did not install docs. That's why I told you that  :Smile: .

 *Quote:*   

> Microsoft Messenger uses a MD5 challenge. Ettercap can pick it up, and another program (I forgot the name) can brute force the password. The remaining 10% are still important. 

 

True, but breaking an MD5 hash of a password longer than 9 letters takes a WHILE - unless you have access to some sort of ultra computer. Most people would give up before going that far, I think.

 *Quote:*   

> So, the solution seems to be: get the network as secure as possible (static arps and such), and monitor the hell out of the traffic.

 

Exactly. Static ARPs, up-to-date software, regular checking of newly released exploits, some monitoring tools (arpwatch is a good start), and encryption wherever it is possible.

Those few things will stop most people from getting anything off your network, especially script kiddies. Unless some ultra-sensitive information goes through your network, no one will take the time to break through that and brute-force some encryption schemes.

Dedicated computer would be indeed more flexible to manage that. I would run it under linux. (no anti windows or anti-other os feeling there, it's something totally subjective but I do consider linux more secure or at least more easily secured)

- ARPWatch will send you daily e-mail reports about changes in the ARP table. 

- Any firewall/dedicated log parser will send you reports about possible intrusion, either from outside or from inside (if you have any rule concerning your local network and access to the internet).

- IDS (intrusion detection) software will report any problem to you as well.

- You may add a traffic monitor in order to detect, amongst other things, possible denial of service.

My number one strategy would be to keep things as simple as possible. Keep the number of things installed on your monitors/gateways/firewall to a minimum. It reduces bugs, it reduces exploits, it reduces the headache of administering all of that. 

The simpler, the better.

Sorry for the poor english and keep in mind that I am not an expert at all so I may be totally wrong on some points. Hopefully, someone will correct me if that's the case  :Smile: 
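On barlad's open question: ARP requests are broadcast, so a switch forwards them to every port in the same VLAN (broadcast domain), but a router does not pass them on. A machine running arpwatch therefore sees every station in its own VLAN, which is why Herodot's box notices when the gateway's MAC changes, and sees nothing from behind a router. As for mail: arpwatch hands its reports to the local sendmail program (the `-m` option sets the recipient), so the box needs a working local MTA, not a full SMTP server. The following is an added example, not arpwatch's code, that does what barlad describes: it parses raw Ethernet/ARP frames, keeps an IP to MAC table and reports the events arpwatch logs ("new station", "changed ethernet address", "flip flop", "ethernet mismatch"). The frames, MACs and IPs are constructed for the demo; on a real host they would come from a raw socket or a pcap library.

```python
"""arpwatch-style ARP monitor (an added example, not arpwatch's own code).

Reads raw Ethernet frames, keeps an IP -> MAC table and reports the same kinds
of event arpwatch logs: "new station", "changed ethernet address", "flip flop"
and "ethernet mismatch" (ARP sender MAC differs from the frame's source MAC).
The frames below are constructed for the demo; on a real host they would come
from a raw AF_PACKET socket or a pcap library. All MACs and IPs are made up.
"""
import struct

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def parse_arp(frame: bytes):
    """Return (opcode, sender_mac, sender_ip, ethernet_src_mac), or None for non-ARP."""
    if len(frame) < 42:
        return None
    _eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):   # Ethernet/IPv4 only
        return None
    sha, spa, _tha, _tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    return op, mac_str(sha), ip_str(spa), mac_str(eth_src)


class ArpMonitor:
    """Tracks which MAC last claimed each IP and reports changes."""

    def __init__(self):
        self.table = {}      # ip -> mac currently claiming it
        self.previous = {}   # ip -> the mac it had before the last change

    def feed(self, frame: bytes):
        """Process one frame; return a list of (event, ip, new_mac, old_mac)."""
        parsed = parse_arp(frame)
        if parsed is None:
            return []
        _op, sha, spa, eth_src = parsed
        events = []
        if sha != eth_src:
            events.append(("ethernet mismatch", spa, sha, eth_src))
        old = self.table.get(spa)
        if old is None:
            events.append(("new station", spa, sha, None))
        elif old != sha:
            # a return to the MAC seen before the last change is a "flip flop":
            # the signature of a poisoner and the real host fighting over an IP
            kind = "flip flop" if self.previous.get(spa) == sha else "changed ethernet address"
            events.append((kind, spa, sha, old))
            self.previous[spa] = old
        self.table[spa] = sha
        return events


def build_arp(op, sha, spa, tha, tpa, eth_src=None):
    """Construct an Ethernet + ARP frame (sample traffic for the demo)."""
    def to_mac(m):
        return bytes.fromhex(m.replace(":", ""))

    def to_ip(a):
        return bytes(int(x) for x in a.split("."))

    eth_dst = BROADCAST if op == ARP_REQUEST else tha
    eth = struct.pack("!6s6sH", to_mac(eth_dst), to_mac(eth_src or sha), ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op,
                      to_mac(sha), to_ip(spa), to_mac(tha), to_ip(tpa))
    return eth + arp


GATEWAY_IP, GATEWAY_MAC = "192.168.1.1", "00:11:22:33:44:55"
VICTIM_IP, VICTIM_MAC = "192.168.1.20", "00:66:77:88:99:aa"
ATTACKER_MAC = "00:de:ad:be:ef:01"


def demo():
    """Gateway and victim talk, a poisoner claims the gateway IP, the gateway answers again."""
    mon = ArpMonitor()
    frames = [
        build_arp(ARP_REPLY, GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),
        build_arp(ARP_REPLY, VICTIM_MAC, VICTIM_IP, GATEWAY_MAC, GATEWAY_IP),
        build_arp(ARP_REPLY, ATTACKER_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),  # poison
        build_arp(ARP_REPLY, GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),   # real gateway
    ]
    return [ev for f in frames for ev in mon.feed(f)]


if __name__ == "__main__":
    for event in demo():
        print(*event)
```

Run stand-alone it prints the four events of the demo; the "changed ethernet address" followed by a "flip flop" for 192.168.1.1 is exactly the pattern an Ettercap poisoning run produces on the wire, and it is what a cron job or mail filter should page on rather than the daily summary.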

----------

## Herodot

 *barlad wrote:*   

> It should eliminate ARP spoofing completely under one condition: your gateway (PC or dedicated box) is immune to bugs that allow you to modify a static ARP entry. Some versions of Windows and a few other OSes have bugs which let certain special ARP packets update the static entry.

 Well, security is only as good as the weakest software on the system. Gentoo will do.

 *barlad wrote:*   

> I am not an expert in this, so there may very well be some other strategies which still allow IP/ARP spoofing. That's why, in any case, encryption is the way to go. That said, static ARP entries are already a big step towards improved security.

 Just to get this completely clear: a static arp table means no random IPs assigned by DHCP, but a static IP number for each MAC address. Right?

 *barlad wrote:*   

> Mac Spoofing won't ruin the effort, the point of MAC spoofing is that you can get the traffic dedicated to a machine by having it sent on your segment so that you can sniff it. But for that, you have to DoS the target first. All of this can't bypass the vigilance of a good admin. If you are monitoring your network closely, it will be noticed for sure.

Good point. If two machines have the same MAC, what happens?

 *barlad wrote:*   

> The only thing arpwatch does is put the network card in promiscuous mode and then grab all the ARP packets that it sees. It looks at the requests/answers, keeps an up-to-date ARP table and reports all the modifications. I don't know yet how circulation of ARP packets works (i.e. if an ARP request from Segment A would reach the PCs of Segment B or only the switch of Segment B), so I cannot give you a sure answer, but you may not be able to watch all the PCs with arpwatch. Hopefully, someone more knowledgeable will confirm or deny.

 It can see when somebody steals 192.168.1.1 (the gateway).

 *barlad wrote:*   

>  *Quote:*    "emerge arpwatch" should do that, I think. 
> 
> Nah, I tried and apparently it did not install docs. That's why I told you that .

 I know, I tried it. But it should. Anyway, /usr/portage/distfiles/arpwatch-2.1a11.tar.gz/arpwatch-2.1a11/arpwatch.8 has the info, which isn't much.

 *barlad wrote:*   

>  *Quote:*   So, the solution seems to be: get the network as secure as possible (static arps and such), and monitor the hell out of the traffic. Exactly.

 Damn.

 *barlad wrote:*   

> Static ARPs, up-to-date software, regular checking of newly released exploits, some monitoring tools (arpwatch is a good start), and encryption wherever it is possible.
> 
> Those few things will stop most people from getting anything off your network, especially script kiddies. Unless some ultra-sensitive information goes through your network, no one will take the time to break through that and brute-force some encryption schemes.

 Yes, I agree. But I'm mostly concerned with what happens on the inside.

 *barlad wrote:*   

> 
> 
> - ARPWatch will send you daily e-mail reports about changes in the ARP table. 
> 
> - Any firewall/dedicated log parser will send you reports about possible intrusion, either from outside or from inside (if you have any rule concerning your local network and access to the internet).
> ...

 Sound good. Looks like I'll have something to do...

 *barlad wrote:*   

> Sorry for the poor english and keep in mind that I am not an expert at all so I may be totally wrong on some points. Hopefully, someone will correct me if that's the case 

 Your english is much better than necessary!

And it's great that you (and I) are discussing this stuff even if we're not experts. It'll draw the attention of the real experts, and possibly throw light on weaknesses in Gentoo. There's a lot of traffic in Networking & Security; this is an important area.

Thank you!
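Herodot's question above runs two different things together. A DHCP reservation hands a fixed IP to a given MAC; a static ARP entry is a permanent IP-to-MAC binding in a host's own neighbour cache, which incoming ARP replies cannot overwrite. Only the second stops Ettercap from rewriting this host's idea of where 192.168.1.1 lives, and it only protects the host it is set on: the gateway's cache has to be pinned separately, and the other 49 apartments are still exposed. On Linux the entry is created with `ip neigh replace <ip> lladdr <mac> dev <if> nud permanent` (older `arp -s <ip> <mac>` does the same) and shows up as PERMANENT in `ip neigh show`. The following is an added example, not code from the thread: it audits the text of `ip -4 neigh show` against the bindings you intend to pin and also flags two IPs resolving to one MAC, a common sign that a poisoner has claimed an IP that is not its own. The sample output and all addresses are constructed for the demo.

```python
"""Audit the Linux neighbour (ARP) cache against pinned IP -> MAC bindings.

Added example, not from the thread. Input is the text of `ip -4 neigh show`;
the SAMPLE below is constructed. Static entries are created with
`ip neigh replace <ip> lladdr <mac> dev <if> nud permanent` (or `arp -s`).
"""
import subprocess


def parse_neigh(text):
    """Parse `ip -4 neigh show` output into {ip: (dev, mac or None, state)}."""
    entries = {}
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 3 or tok[1] != "dev":
            continue
        mac = tok[tok.index("lladdr") + 1].lower() if "lladdr" in tok else None
        state = tok[-1] if tok[-1].isupper() else "NONE"   # REACHABLE, STALE, PERMANENT, FAILED...
        entries[tok[0]] = (tok[2], mac, state)
    return entries


def audit(neigh_text, pinned):
    """Compare the cache with pinned {ip: mac}; return a list of (ip, problem)."""
    entries = parse_neigh(neigh_text)
    problems = []
    for ip, want in pinned.items():
        if ip not in entries:
            problems.append((ip, "not in cache"))
            continue
        _dev, mac, state = entries[ip]
        if mac != want.lower():
            # either the cache has been poisoned or the pin itself is wrong
            problems.append((ip, f"lladdr {mac} != pinned {want.lower()}"))
        if state != "PERMANENT":
            problems.append((ip, f"state {state}, not PERMANENT"))
    # two IPs behind one MAC: a poisoner answering for an IP that is not its own
    by_mac = {}
    for ip, (_dev, mac, _state) in entries.items():
        if mac:
            by_mac.setdefault(mac, []).append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            problems.append((",".join(sorted(ips)), f"share lladdr {mac}"))
    return problems


def pin_command(ip, mac, dev):
    """The iproute2 command that makes an entry static (NUD state permanent)."""
    return ["ip", "neigh", "replace", ip, "lladdr", mac, "dev", dev, "nud", "permanent"]


# Constructed sample: the gateway entry has been poisoned and is not pinned,
# and the poisoner's MAC also appears behind a second IP.
SAMPLE = """\
192.168.1.1 dev eth0 lladdr 00:de:ad:be:ef:01 REACHABLE
192.168.1.20 dev eth0 lladdr 00:66:77:88:99:aa STALE
192.168.1.77 dev eth0 lladdr 00:de:ad:be:ef:01 REACHABLE
192.168.1.30 dev eth0  FAILED
"""
PINNED = {"192.168.1.1": "00:11:22:33:44:55"}   # the gateway's real MAC (made up)


if __name__ == "__main__":
    try:
        text = subprocess.run(["ip", "-4", "neigh", "show"],
                              capture_output=True, text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        text = SAMPLE   # not on Linux or no iproute2: fall back to the sample
    for ip, problem in audit(text, PINNED) or [("-", "cache matches pins")]:
        print(ip, problem)
    for ip, mac in PINNED.items():
        print("fix:", " ".join(pin_command(ip, mac, "eth0")))
```

Running the audit from cron on each box you control gives the automated supervision Herodot is after for the hosts themselves; the wire-level monitoring (arpwatch or the like) still has to run somewhere on the VLAN to cover the machines you cannot touch.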

----------

## paranode

 *Herodot wrote:*   

> 
> 
>  *paranode wrote:*   If the switch you are on is operating in spanning tree mode (i.e. acting like a hub) due to too much traffic or whatever, then even static ARP assignments won't help your case. Anyone can run a program like Ethereal and watch traffic sent out over the ether. I am on a switched network myself, but once in a while the switch goes into spanning tree mode because of traffic volumes, and you can see when it happens if you are watching the traffic. So it's strongly advised to avoid cleartext password and sensitive data transmission if it can be avoided. I've also run into this. How do you detect when it happens? Does the switch itself go back to acting like a switch? What kind of switch is secure from this?

 

Yes it operates like a switch most of the time and only switches to spanning tree mode when it can't handle the individual routing of all the packets.  There probably isn't a switch that is completely immune, but the more memory it has for these kinds of things the better.  To be completely secure from this you'd have to choose to drop the packets instead of turning into a hub and sending them everywhere.

Ethereal will show the packet type/protocol I think as a spanning tree message.

----------

## Herodot

"Harry Potter has caught the switch!"

 *paranode wrote:*   

> Yes it operates like a switch most of the time and only switches to spanning tree mode when it can't handle the individual routing of all the packets.  There probably isn't a switch that is completely immune, but the more memory it has for these kinds of things the better.  To be completely secure from this you'd have to choose to drop the packets instead of turning into a hub and sending them everywhere.
> 
> Ethereal will show the packet type/protocol I think as a spanning tree message.

 

So I'll need a fancy programmable switch, not the cheap ones we're using now.

Can you tell me more about using Ethereal for this kind of thing? I'm no expert, and Ethereal is pretty complicated for me.

 *paranode wrote:*   

> "Gentoos are the fastest underwater swimming bird, reaching speeds of 36 km/h (22.3 mph)." -BBC Nature Wildfacts

 I'm nitpicking, but there's something wrong with "underwater swimming" - I mean, where else would it swim?

----------

## barlad

"Theoretically" MAC addresses are unique. That's the theory, since you can actually modify your MAC address. 

Anyway, if two computers have the same MAC address, if I may be rude, it's one of those times when you can say that "shit hits the fan".

Basically, switches will keep updating their CAM tables with the new MAC address, and traffic to the two concerned computers will be corrupted.

That's why you have to DoS the target before doing some MAC spoofing, so that it can't send traffic and get the CAM table updated.
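Two posts above describe the same mechanism from different sides: a switch keeps a CAM table of source MAC to port, unicasts frames whose destination it has learned, and floods the rest to every port like a hub. barlad's point is that a forged source MAC moves the victim's CAM entry to the attacker's port until the victim transmits again. What paranode sees as "spanning tree mode" is the other consequence: spanning tree itself only prevents loops, but when the table is full (cheap switches hold a few thousand entries, and a flooding tool fills that quickly) or an entry has aged out, frames for addresses the switch can no longer learn are flooded, so a sniffer on any port sees them. Managed switches counter both with port security (a limit on MACs learned per port). The following is an added example, not code from the thread: a toy learning switch with a bounded, ageing CAM table, run through both scenarios on constructed traffic. Port numbers, table size and MACs are made up for the demo.

```python
"""Toy learning switch (added example, not code from the thread).

Models the behaviour barlad and paranode describe: the switch learns source
MAC -> port in its CAM table, unicasts frames to a learned port, floods frames
for unknown destinations, cannot learn new MACs once the table is full, and
ages idle entries out. Two constructed scenarios: an attacker forging the
victim's source MAC (MAC spoofing) and an attacker exhausting the table
(MAC flooding). Ports, table size and MAC addresses are made up.
"""


class Switch:
    def __init__(self, ports, cam_size, age_limit):
        self.ports = set(ports)
        self.cam_size = cam_size      # how many MAC -> port entries fit
        self.age_limit = age_limit    # entries idle for this many frames expire
        self.cam = {}                 # mac -> (port, last_seen)
        self.clock = 0

    def forward(self, in_port, src, dst):
        """Deliver one frame; return the set of ports that receive it."""
        self.clock += 1
        # age out idle entries (real switches do this on a timer)
        self.cam = {m: e for m, e in self.cam.items()
                    if self.clock - e[1] < self.age_limit}
        # learn or refresh the source, unless the table is full of other MACs
        if src in self.cam or len(self.cam) < self.cam_size:
            self.cam[src] = (in_port, self.clock)
        if dst in self.cam:
            return {self.cam[dst][0]}          # known destination: unicast
        return self.ports - {in_port}          # unknown destination: flood


GATEWAY, VICTIM = "00:11:22:33:44:55", "00:66:77:88:99:aa"
GW_PORT, VICTIM_PORT, ATTACKER_PORT = 1, 2, 3


def demo_spoof():
    """Attacker sends with the victim's source MAC. Returns which ports receive a
    gateway -> victim frame before the spoof, right after it, and after the
    victim transmits again (the flapping barlad describes)."""
    sw = Switch(ports=[1, 2, 3], cam_size=64, age_limit=100)
    sw.forward(VICTIM_PORT, VICTIM, GATEWAY)
    sw.forward(GW_PORT, GATEWAY, VICTIM)
    before = sw.forward(GW_PORT, GATEWAY, VICTIM)
    sw.forward(ATTACKER_PORT, VICTIM, GATEWAY)      # forged source MAC
    during = sw.forward(GW_PORT, GATEWAY, VICTIM)
    sw.forward(VICTIM_PORT, VICTIM, GATEWAY)        # victim speaks again
    after = sw.forward(GW_PORT, GATEWAY, VICTIM)
    return before, during, after


def demo_flood():
    """Attacker fills the CAM table with bogus source MACs and keeps it full
    until the real entries age out. Returns which ports receive a
    gateway -> victim frame before and after the flood."""
    sw = Switch(ports=[1, 2, 3], cam_size=8, age_limit=10)
    sw.forward(VICTIM_PORT, VICTIM, GATEWAY)
    sw.forward(GW_PORT, GATEWAY, VICTIM)
    before = sw.forward(GW_PORT, GATEWAY, VICTIM)
    for i in range(40):                              # one bogus MAC per frame
        sw.forward(ATTACKER_PORT, f"02:00:00:00:00:{i:02x}", GATEWAY)
    after = sw.forward(GW_PORT, GATEWAY, VICTIM)
    return before, after


if __name__ == "__main__":
    print("spoof  (before, during, after):", demo_spoof())
    print("flood  (before, after):        ", demo_flood())
```

In the spoof run the gateway's frames go to port 2, then to port 3 only, then back to port 2; the attacker keeps the traffic only while the victim is silent, which is why barlad says the target must be knocked off the wire first. In the flood run the frame goes only to port 2 before the flood and to ports 2 and 3 afterwards: the victim's entry has aged out, cannot be relearned into a full table, and the switch floods its traffic to everyone.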

----------

## paranode

 *Herodot wrote:*   

> 
> 
> Can you tell me more about using Ethereal for this kind of thing? I'm no expert, and Ethereal is pretty complicated for me.

 

Hmm well you basically do Capture->Start... and then choose an interface.  As for the specifics of what you find, I can only suggest reading some kind of FAQ or RFC on the TCP/IP protocol to learn more about how it works.

 *Herodot wrote:*   

> 
> 
> I'm nitpicking, but there's something wrong with "underwater swimming" - I mean, where else would it swim?

 

I don't think ducks and swans swim under the water do they?

----------

## purecaca

Herodot

Get some managed switches that support VLANs (I recommend HP; cheaper/faster than Cisco switches, if you just want to use VLANs).

Then give each apartment its own VLAN, and set up a Gentoo box as a firewall that listens on all the VLANs (use vconfig to create the VLAN interfaces (remember to compile 802.1Q VLAN support into the kernel)).

Works and works quite well

(i got something like that running with gentoo:

7x HP 24-port managed switches, and then create a VLAN trunk (might not be the right word for it) that carries all the VLANs to the Gentoo box's internal NIC), then just set up iptables to deny any traffic from any VLAN to another VLAN (using shorewall for simpler management of the iptables rules)

Then just give each VLAN its own interface, e.g.:

```
vlan5:   10.5.0.1/16    (the apartment can then use 10.5.* for its PCs)
vlan6:   10.6.0.1/16    (the apartment can then use 10.6.* for its PCs)
vlan7:   10.7.0.1/16    (the apartment can then use 10.7.* for its PCs)
vlan8:   10.8.0.1/16    (the apartment can then use 10.8.* for its PCs)
vlan9:   10.9.0.1/16    (the apartment can then use 10.9.* for its PCs)
vlan10:  10.10.0.1/16   (the apartment can then use 10.10.* for its PCs)
```

(you get the point, and should some of the users think of using one of the other apartments' IP ranges, then they won't be able to access anything at all)

Then there is no way in hell other users can sniff any other users traffic  :Smile: 

(written in a hurry, maybe I should write a small howto on this in Gentoo, so nice with VLANs in Linux  :Smile:  )

----------

## fgarbrecht

That would be some monster Gentoo box to handle firewalling for 50 apartments, each on its own VLAN!

----------

## purecaca

actually not  :Smile: 

a decent P4/Celeron/Athlon + 2 Intel/3Com server NICs (don't think it will work so great with cheap Realtek cards though) would do just fine (if we are talking about internet sharing (~ <100Mbit to the internet)).

----------

## fgarbrecht

I was thinking of an architecture where the firewall would be placed internal to the switch, in which case you would need a separate NIC for each VLAN to control (deny) inter-VLAN routing (which would require one heck of a PCI bus   :Shocked:  ).   I'm not sure how one would configure this otherwise to prevent one apartment from sniffing the traffic to/from another one.  You have to have some distribution point (multi-homed router/firewall, hub, switch or combination thereof) going out to each apartment.  If you're using a multi-homed box set up correctly, I can see how you could secure this as a firewall, but if the final embarkation point is a switch or hub, obviously sniffing becomes trivial.  What am I missing here   :Question: 

----------

## eagle_cz

set static arps on switch and be happy 

catalyst 2950 provide many interesting functions

----------

## purecaca

fgarbrecht

You can just send all the VIDs on a single port and connect that to the firewall; I have done this and it works. It is completely impossible to access the other VLANs (the firewall should of course not route between the VLANs (and the switch shouldn't either)).

Setup like

```
                          |--------|
Apartment1 (VID 10) ------|        |
Apartment2 (VID 20) ------| SWITCH |-----(All the VIDs tagged) -->Int FW iface -> Ext FW iface -> ISP
Apartment3 (VID 30) ------|        |
                          |--------|
```

http://www.planetconnect.com/vlan/ has some great infomation about it.

----------

## fgarbrecht

purecaca

Hi - I was just concerned that an internal intruder could flood the switch; if the switch fails open, the vlans aren't of much use, and if the switch fails closed then the intruder has dos'd the network.

fg

----------

## purecaca

The users aren't on the same VLAN as the switch management (often VID 1), so I can't see how that should be possible at all.

----------

## samokk

Try running snort, it has a plugin to check arp spoofing, etc.

then you can be notified by mail or whatever

sam

----------

## samokk

 *samokk wrote:*   

> Try running snort, it has a plugin to check arp spoofing, etc.
> 
> then you can be notified by mail or whatever
> 
> sam

 

oh, of course, I forgot... use SSL to secure your services.... :p

sam

----------

## AstroBoy

You could establish encrypted tunnels between the router and the desktops. I did this after a "hacker" plugged his laptop into my home network. SSH has these functionalities but may be a bit unhandy. I solved this by establishing an encrypted OpenVPN tunnel (emerge openvpn) between my router and my workstation.

The problem is that this won't work with Windows - which is used by your neighbours, I assume. You could try (encrypted) PPTP tunnels, which are considered insecure, but sniffing and decrypting should at least be a bit harder.

Another solution could be IPsec, which is at least supported by the recent Windows OSes.

----------

