ARP poisoning? What is it?

Got Cain & Abel loaded on my computer and am trying to mess with the other computers on the internal network. I noticed it has a feature to ARP poison. I've heard this term before, but I wouldn't mind learning what it is.

Anyone ever play with this? Tell me some tricks

-fin

You use ARP poisoning to sniff packets off a switch.

ARP is used to translate between link-layer MAC addresses and IP addresses. If I want to send something to 10.0.0.1 (call it PC1) on my local network, and PC1 isn't already in my ARP table, I'll send out an ARP packet on the broadcast address FF:FF:FF:FF saying "Who is 10.0.0.1?" When PC1 hears it, it responds with an ARP packet sent directly to me saying "I am 10.0.0.1 and my MAC address is blahblahblah". Because there is no authentication, anyone can respond, not just the computer who really is PC1. So, evildude at 10.0.0.2 can redirect all of PC1's inbound Internet traffic to him by telling the router that he is PC1. He can also redirect all of PC1's outbound Internet traffic to him by telling PC1 that he is the router. Replace router with switch and it's the same thing for setting up man-in-the-middle attacks across a switched local network, noting that he can use the broadcast address to talk to all clients on the switched network.

This can be countered to some degree by manually entering static entries into the ARP table, which won't be overwritten. But that's a pain in the ass and doesn't scale well.

Check out http://packetstormsecurity.com/papers/protocols/intro_to_arp_spoofing.pdf for more.
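The exchange described above, as an added example that is not part of the original post: pure-Python code (no scapy, nothing is sent on the wire) that builds the two forged ARP replies evildude would send, one telling PC1 "I am the router" and one telling the router "I am PC1", plus a small watcher that keeps its own IP-to-MAC table and flags when a reply contradicts an earlier one, which is the usual detection side of this attack. The 10.0.0.1 address is from the post; the router address 10.0.0.254 and all MAC addresses are invented for the example.

```python
"""Forged ARP replies for a man-in-the-middle, and a watcher that spots them.

Added example, not from the original post. Frames are built in memory only;
sending them would need a raw socket (e.g. socket.AF_PACKET on Linux).
"""
import struct

ETH_P_ARP = 0x0806          # EtherType for ARP
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_bytes(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip, dst_mac=None):
    """Ethernet II frame carrying an Ethernet/IPv4 ARP packet (RFC 826 layout).

    The ARP 'sender' fields are the claim the receiver will cache; nothing
    checks that they match the frame's real source, which is the whole problem.
    """
    dst = dst_mac or target_mac
    eth = mac_bytes(dst) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)   # hw=Ethernet, proto=IPv4
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)
    arp += mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp


def parse_arp(frame: bytes):
    """Return the ARP fields of a frame, or None if it is not an ARP frame."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    return {
        "op": struct.unpack("!H", frame[20:22])[0],
        "sender_mac": mac_str(frame[22:28]),
        "sender_ip": ip_str(frame[28:32]),
        "target_mac": mac_str(frame[32:38]),
        "target_ip": ip_str(frame[38:42]),
    }


def poison_frames(attacker_mac, victim_mac, victim_ip, router_mac, router_ip):
    """The two lies that put the attacker in the middle, one to each side."""
    to_victim = build_arp(ARP_REPLY, attacker_mac, router_ip, victim_mac, victim_ip)
    to_router = build_arp(ARP_REPLY, attacker_mac, victim_ip, router_mac, router_ip)
    return [to_victim, to_router]


class ArpWatch:
    """Track IP->MAC claims seen in ARP replies and record any change."""

    def __init__(self):
        self.table = {}     # ip -> mac as last claimed on the wire
        self.alerts = []    # (ip, old_mac, new_mac) for each contradiction

    def observe(self, frame: bytes):
        p = parse_arp(frame)
        if p is None or p["op"] != ARP_REPLY:
            return
        ip, mac = p["sender_ip"], p["sender_mac"]
        old = self.table.get(ip)
        if old is not None and old != mac:
            self.alerts.append((ip, old, mac))
        self.table[ip] = mac


def demo():
    """Legitimate replies first, then the poison; returns the watcher's alerts."""
    pc1_mac, router_mac, evil_mac = "00:00:00:00:00:01", "00:00:00:00:00:fe", "00:00:00:00:00:aa"
    w = ArpWatch()
    w.observe(build_arp(ARP_REPLY, router_mac, "10.0.0.254", pc1_mac, "10.0.0.1"))
    w.observe(build_arp(ARP_REPLY, pc1_mac, "10.0.0.1", router_mac, "10.0.0.254"))
    for f in poison_frames(evil_mac, pc1_mac, "10.0.0.1", router_mac, "10.0.0.254"):
        w.observe(f)
    return w.alerts


if __name__ == "__main__":
    for ip, old, new in demo():
        print(f"ARP change for {ip}: {old} -> {new}")
```

The watcher is the same idea tools like arpwatch use: a MAC that changes for an IP that has not moved is the signal, and in a real deployment you would also raise an alarm when one MAC starts claiming two IPs at once (here the attacker's MAC ends up owning both 10.0.0.1 and 10.0.0.254 in the table).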

In summary, the 'inherent' security of a switch has been reduced to the
equivalent of a hub, as you can play man-in-the-middle and sniff/
capture all the data off the wire.

Here's a little story:

When I was attending MSU, I had no less than a few hundred login/
passwords by leaving a sniffer on for a week, and would only filter for
'login/passwords' on plaintext authenticating protocols (POP3, Telnet,
FTP, etc). I had admin passwords that I shouldn't have had, including
the gopher admin. I 'defaced' the MSU gopher help page with an ascii
nude pic back before web defacements even existed (NCSA Mosaic was
the only browser at the time, and the URL's were pretty much all
academic).

That's why a switch is not a security device, and you should segment
your networks with a stateful packet filter, and for trusted zones you
do not allow unsecured protocols.

*Gives warez a standing ovation*

Yao and warez are correct.

I love old school guys like warez. I wish I was around when there were only plain text browsers. Classique.

Thanks for the props fellas.

HH, Gopher is text based, but Mosaic had graphics even back then
(albeit primitive and few people used it).

Funny that I thought the www had promise back then as a cool
protocol to make an IP based BBS (I ran a dial-up BBS for about 5 years
before going to MSU). I never thought 'web browsing' would take over
the world the way it has. Back then, there was no search engine, and
you had to know the URL or find a link to it from the university's links.

When they opened up domain registrations (back then it was free), my
friend picked up beef.com and tobacco.com, while I let opportunity
pass me by. Needless to say, he's retired, and I'm still working.

a stroll down amnesia lane...

HAHA, beef.com

That's great.

I vaguely remember some of this stuff from using my mom's VAX account for the University when I was younger. I think I found the learning curve for the VAX system was too high when I had no other internet connection or any access to documentation.

Was it running Berkeley Unix or VMS?

VMS, you could actually learn from the help pages, although probably not if you were a young'un.

He sold beef.com for a few hundred K $. Tobacco.com is still available
for $5 Million.

If you're interested, tell him Don sent ya. ;-)