 From:  Steve Bertrand <steve at ibctech dot ca>
 To:  rgreiner <mrgreiner at gmail dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Anti netcut (was Re: [m0n0wall] m0n0wall 1.3b17)
 Date:  Wed, 29 Apr 2009 09:21:44 -0400
rgreiner wrote:
> Mohammed Ismail wrote:
>> With secondary IP option in LAN, and the last 5 commits in the
>> http://m0n0.ch/wall/repository.php
>>
>> I cannot wait to see b17
>>
>> ..
>>
>> And is there a way to integrate this in m0n0wall ?
>>
>> http://code.google.com/p/antinetcut
> Hi, does somebody know any interesting reference page explaining what
> exactly netcut does and how? 

Well, not necessarily specific to netcut, but for what it does:

http://en.wikipedia.org/wiki/ARP_poisoning

> All pages I could find speak about
> downloading netcut or anti netcut. I'm interested in neither. 

I personally use ettercap for these types of ARP Poisoning and MitM
penetration tests.

> What I
> would like is to know how to detect and trace someone using that thing
> in my network, so I could properly "deal" with this individual.

Defense in depth and breadth helps with this. That is, depending on your
network, your switches/routers should watch and deny this type of
behaviour. Again, depending on your network, there are many ways to
prevent/find it:

- disable gratuitous arps (main mechanism for arp spoofing)
- disable proxy arp
- dhcp snooping with arp inspection
- put each port into its own VLAN

etc etc.

Google for "Layer-2 security" and more specifically "arp spoofing" and
"man in the middle attack" to get far more details on how to
monitor/prevent this attack vector.

Steve

Disclaimer: I would highly advise against 'testing' this type of
software on a live production network. If you don't understand exactly
what is happening, the disruption can be quite long-lasting and widespread.
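
Added example, not part of the original message: a minimal sketch of the detection side of the question above. It reports IP-to-MAC bindings that change and MACs that answer for several IPs. The observation tuples, addresses, and the function and parameter names are constructed for this illustration; in practice the input would come from ARP table snapshots or captured ARP replies.

```python
from collections import defaultdict

# Constructed sample data: (seconds, sender IP, sender MAC) as read from ARP
# replies on the LAN. All addresses are invented for this example.
OBSERVATIONS = [
    (0, "192.168.1.1", "00:0d:b9:aa:aa:01"),   # gateway
    (1, "192.168.1.20", "00:16:cb:bb:bb:02"),
    (2, "192.168.1.30", "00:1e:c2:cc:cc:03"),
    (40, "192.168.1.1", "00:1E:C2:CC:CC:03"),  # gateway IP claimed by .30's MAC
    (41, "192.168.1.20", "00:1e:c2:cc:cc:03"),
    (42, "192.168.1.1", "00:0d:b9:aa:aa:01"),  # real gateway re-asserts itself
    (43, "192.168.1.1", "00:1e:c2:cc:cc:03"),
]


def detect_arp_anomalies(observations, allowed_multi_ip_macs=()):
    """Flag IP-to-MAC binding changes and MACs that answer for several IPs.

    allowed_multi_ip_macs: MACs expected to hold several IPs (a router with
    secondary addresses, a host doing proxy ARP), so they are not reported.
    """
    allowed = {m.lower() for m in allowed_multi_ip_macs}
    binding = {}                    # ip -> MAC most recently seen for it
    ips_by_mac = defaultdict(set)   # mac -> every IP it has claimed
    changes = []
    for ts, ip, mac in observations:
        mac = mac.lower()
        ips_by_mac[mac].add(ip)
        old = binding.get(ip)
        if old is not None and old != mac:
            changes.append((ts, ip, old, mac))
        binding[ip] = mac
    suspects = {mac: sorted(ips) for mac, ips in ips_by_mac.items()
                if len(ips) > 1 and mac not in allowed}
    return changes, suspects


if __name__ == "__main__":
    changes, suspects = detect_arp_anomalies(OBSERVATIONS)
    for ts, ip, old, new in changes:
        print(f"t={ts}s {ip} moved from {old} to {new}")
    for mac, ips in suspects.items():
        print(f"{mac} answers for {', '.join(ips)}")
```

A reported MAC can then be looked up in the switch's MAC address table to find the port it sits behind.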