
Preventing ARP and DHCP Spoofing on Cisco Switches


[Tutorial] Preventing ARP and DHCP Spoofing on Cisco Switches

    I see a lot of "How Do I" type posts and I'm reading those and learning but I'm also interested in how to prevent these types of attacks as well. I have always been curious how people "****" into things and after playing with the Backtrack software for a week I see just how easy it is!

    I have been especially interested in MITM attacks using ARP Poisoning and DHCP Spoofing to trick computers into sending traffic your way so you can capture the data and then re-forward it to where it's going. It's really eye-opening and I'm fascinated. Following the How To with Ettercap in the other threads I was able to capture my gmail and other passwords.

    So now I think about it from a Network Admin view and how do I stop someone from doing these attacks on my Network? I have a decent lab at home for doing Scenarios and thought I would share. I suppose if you are still reading you are interested?

    The first thing you want to do is set up IP DHCP snooping on the switch. It builds a binding table by watching the DHCP process take place. The client comes up and sends a DHCP Discover broadcast looking for a DHCP server. The switch forwards this to a DHCP server (if not on the local network), which replies with an Offer; the client then asks to use the offer (Request) and the DHCP server confirms it (Ack). The switch watches this exchange and records the MAC address, the IP address and the switch port number in a binding table.

    I'm using a 3550 Cisco Switch, a Macbook Pro as my "Normal User" and a Dell D410 running BT3 Beta. Switch commands are in Bold.

    3550(config)#ip dhcp snooping

    3550(config)#ip dhcp snooping vlan 1

    This enables DHCP snooping globally and then enables it on VLAN 1. By default all switch ports are untrusted, meaning the switch will not accept any DHCP Offers arriving on an untrusted port. You will want to trust the port your DHCP server is connected to. If you are using IP Helper-Address to forward DHCP broadcasts then you don't have to do anything. Now I start up my laptops, they get IPs through DHCP, and I can look at the binding table to confirm that it's working.

    3550#sh ip dhcp snooping binding
    MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
    ------------------  ---------------  ----------  -------------  ----  --------------------
    00:16:CB:97:3E:33                    105167      dhcp-snooping  1     FastEthernet0/3
    00:12:3F:22:09:14                    105248      dhcp-snooping  1     FastEthernet0/5
    Total number of bindings: 2

    My MBP (MacBook Pro) is plugged into Fa0/3 and my BT3 laptop is plugged into Fa0/5. Both ports are untrusted by default, so if either of them tried to respond to a DHCP Request from another device coming online, the port would be put into err-disabled state and shut down. This will stop anyone from running a DHCP server unless it's on a trusted port.

    Now what about ARP Poisoning? The switch uses the same binding table, so you need to have IP DHCP snooping enabled first. Then you enable ARP inspection.

    3550(config)#ip arp inspection vlan 1

    It works the same way with trusted and untrusted ports: ARP packets on untrusted ports must match the binding table, while trusted ports allow anything in.

    So now that ip arp inspection is enabled, what happens when you try to run ettercap? You start it up and scan for hosts, right? Scan For Hosts. It runs and doesn't come up with anything. Then you notice that your network connection is offline. Hmmm, what happened?

    Looking at the switch console:

    Mar 26 23:42:51.873: %SW_DAI-4-PACKET_RATE_EXCEEDED: 16 packets received in 252 milliseconds on Fa0/5.
    Mar 26 23:42:51.873: %PM-4-ERR_DISABLE: arp-inspection error detected on Fa0/5, putting Fa0/5 in err-disable state
    Mar 26 23:42:52.877: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/5, changed state to down
    Mar 26 23:42:53.881: %LINK-3-UPDOWN: Interface FastEthernet0/5, changed state to down

    Notice the SW_DAI-4-PACKET_RATE_EXCEEDED there? When you turn on ARP inspection it only allows 15 ARP packets per second on an untrusted port. When you start scanning for hosts in ettercap it just sends out a bunch of ARP requests, one to every IP address on the local network; those that respond it knows are alive.

    If ARP inspection is enabled on the switch you are now turned off and done for exceeding the allowed rate limit. You can modify this to whatever you want; 15 is the default.

    But what happens if you do the scan slowly, or you already have a list of hosts that you want to poison? Then you don't need to send out a bunch of ARP requests, so the port wouldn't shut down, right?

    So you have your list and you go to MITM and choose ARP Poisoning. It works and you sit there and wait for traffic. But none comes... Hey, what gives!

    On the switch console:

    Mar 26 23:47:44.087: %SW_DAI-4-DHCP_SNOOPING_DENY: 2 Invalid ARPs (Res) on Fa0/5, vlan 1.([000c.85a3.e080/ UTC Wed Mar 26 2008])
    Mar 26 23:47:44.087: %SW_DAI-4-DHCP_SNOOPING_DENY: 2 Invalid ARPs (Res) on Fa0/5, vlan 1.([000c.85a3.e080/ UTC Wed Mar 26 2008])
    Mar 26 23:47:45.087: %SW_DAI-4-DHCP_SNOOPING_DENY: 2 Invalid ARPs (Res) on Fa0/5, vlan 1.([000c.85a3.e080/

    The switch notices that you are trying to send out an ARP reply with a MAC/IP pair that doesn't match the binding table. The switch drops the packet because the MAC and IP you are sending do not match what the switch saw when the machine with that IP pulled a DHCP address.

    If you try to poison more than 15 hosts a second it will err-disable the port and shut you down.
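The console lines above are what a network admin actually has to work with, so here is a small triage script that turns the %SW_DAI and %PM-4-ERR_DISABLE messages into per-port counts and flags the ports that deserve a visit. This is an added example, not code from the post and not a Cisco tool. SAMPLE_LOG is constructed to follow the message formats shown above; its timestamps, MACs and IP addresses are made up (the forum stripped the IPs from the post's own lines), and the assumed layout of the bracketed part of the DENY message (sender MAC / sender IP / target MAC / target IP / time) is noted in the code.

```python
"""Triage Cisco DHCP snooping / DAI syslog lines per port.

Added example, not from the post and not Cisco code. SAMPLE_LOG is constructed to
match the message formats shown in the post; timestamps, MACs and IPs are made up.
"""
import re
from collections import defaultdict

SAMPLE_LOG = """\
Mar 26 23:42:51.873: %SW_DAI-4-PACKET_RATE_EXCEEDED: 16 packets received in 252 milliseconds on Fa0/5.
Mar 26 23:42:51.873: %PM-4-ERR_DISABLE: arp-inspection error detected on Fa0/5, putting Fa0/5 in err-disable state
Mar 26 23:42:52.877: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/5, changed state to down
Mar 26 23:47:44.087: %SW_DAI-4-DHCP_SNOOPING_DENY: 2 Invalid ARPs (Res) on Fa0/5, vlan 1.([000c.85a3.e080/192.168.1.10/0000.0000.0000/192.168.1.11/23:47:44 UTC Wed Mar 26 2008])
Mar 26 23:47:45.087: %SW_DAI-4-DHCP_SNOOPING_DENY: 2 Invalid ARPs (Res) on Fa0/5, vlan 1.([000c.85a3.e080/192.168.1.10/0000.0000.0000/192.168.1.11/23:47:45 UTC Wed Mar 26 2008])
Mar 26 23:50:01.001: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa0/7, vlan 1.([000c.2957.6b39/192.168.1.50/0000.0000.0000/192.168.1.1/23:50:01 UTC Wed Mar 26 2008])
"""

RATE_RE = re.compile(r"%SW_DAI-4-PACKET_RATE_EXCEEDED: (\d+) packets received in (\d+) milliseconds on (\S+)\.")
DENY_RE = re.compile(r"%SW_DAI-4-DHCP_SNOOPING_DENY: (\d+) Invalid ARPs \((\w+)\) on (\S+), vlan (\d+)\.\(\[([^\]]*)\]\)")
ERRDIS_RE = re.compile(r"%PM-4-ERR_DISABLE: (\S+) error detected on (\S+),")


def parse_line(line):
    """Turn one syslog line into an event dict, or None for messages we do not track."""
    ts = line.split(": %", 1)[0]
    m = RATE_RE.search(line)
    if m:
        return {"ts": ts, "kind": "rate_exceeded", "port": m.group(3),
                "packets": int(m.group(1)), "ms": int(m.group(2))}
    m = DENY_RE.search(line)
    if m:
        # Assumed bracket layout: sender MAC / sender IP / target MAC / target IP / time
        fields = m.group(5).split("/")
        return {"ts": ts, "kind": "invalid_arp", "port": m.group(3), "vlan": int(m.group(4)),
                "count": int(m.group(1)), "op": m.group(2),
                "sender_mac": fields[0], "sender_ip": fields[1] if len(fields) > 1 else ""}
    m = ERRDIS_RE.search(line)
    if m:
        return {"ts": ts, "kind": "err_disabled", "port": m.group(2), "cause": m.group(1)}
    return None


def summarize(log):
    """Per-port totals: invalid ARPs dropped, rate events, err-disable state, claimed IPs."""
    ports = defaultdict(lambda: {"invalid_arps": 0, "rate_exceeded": 0,
                                 "err_disabled": False, "claimed_ips": set()})
    for line in log.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        p = ports[ev["port"]]
        if ev["kind"] == "invalid_arp":
            p["invalid_arps"] += ev["count"]
            p["claimed_ips"].add(ev["sender_ip"])
        elif ev["kind"] == "rate_exceeded":
            p["rate_exceeded"] += 1
        elif ev["kind"] == "err_disabled":
            p["err_disabled"] = True
    return dict(ports)


def flag_ports(summary, min_invalid=2):
    """Ports worth a visit: err-disabled, rate-limited, or repeatedly sending invalid ARPs.
    A single invalid ARP is often just a statically addressed host missing from the ARP ACL."""
    return sorted(port for port, s in summary.items()
                  if s["err_disabled"] or s["rate_exceeded"] or s["invalid_arps"] >= min_invalid)


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for port, s in summary.items():
        print(port, s)
    print("flagged:", flag_ports(summary))
```

The `claimed_ips` set is the useful bit for triage: an untrusted port repeatedly sending ARP replies for an IP that the binding table assigns to a different port is the poisoning pattern, while a port with a single denied ARP for an address nobody else owns usually just needs an ARP ACL entry like the one in the Quick Edit below.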

    You can go even further and tell the switch to validate each ARP packet, matching the source MAC, destination MAC and/or IP addresses inside the ARP body against the Ethernet header. If they don't match, the packet is dropped.

    3550(config)#ip arp inspection validate dst-mac src-mac ip

    Pretty Cool Stuff!! There are lots of other options but this is the idea behind preventing this. I had a lot of fun and learned a lot today messing with this. I think just having these few commands setup on your switches would annoy the hell out of Pen testers trying to take advantage of these attacks.

    Quick Edit -

    If you come online with a static IP you won't be able to ARP anything, because you don't have a binding in the snooping database. If you have static servers, for instance, you can do this to allow them to work.

    3550(config)#arp access-list servers

    Create an ARP ACL; I called it "servers".

    3550(config-arp-nacl)#permit ip host mac host 000c.2957.6b39 log

    This will permit a host with an IP of and a MAC of 00-0c-29-57-6b-39 to ARP on the network.

    3550(config)#ip arp inspection filter servers vlan 1

    Then this applies the filter to VLAN 1. Anything matching the ACL is allowed. If you come online with a static IP and are not part of the ACL you can't ARP and will go nowhere.
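To make the whole decision chain from this post concrete in one place (the binding table learned from DHCP, the trusted/untrusted port split, the 15 packets per second limit that err-disabled Fa0/5, the `validate src-mac` check, and the ARP ACL that lets statically addressed servers through), here is a small Python model of Dynamic ARP Inspection. It is an added illustration, not Cisco code and not output from the 3550. The SAMPLE_BINDINGS text reuses the MACs and ports from the binding table shown earlier but fills in made-up IP addresses, since the forum stripped the real ones; Fa0/1 is assumed to be the trusted DHCP server/uplink port; VLAN membership is ignored to keep the model small.

```python
"""Model of the DHCP snooping + Dynamic ARP Inspection (DAI) checks from the post.

Added illustration: this is not Cisco code and not the post's output. It models
  * the binding table learned from DHCP (parsed from a constructed 'show' output),
  * untrusted ports: ARP sender MAC/IP must match a binding or a static ARP ACL,
  * trusted ports: nothing is inspected,
  * the default limit of 15 ARP packets per second on an untrusted port (err-disable),
  * the optional 'validate src-mac' check (Ethernet source MAC vs ARP sender MAC).
VLAN membership is ignored to keep the model small.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# IOS default ARP rate limit for untrusted ports (the post's "15 ARP PPS");
# it is changed per interface with 'ip arp inspection limit rate <pps>'.
RATE_LIMIT_PPS = 15

# Constructed sample of 'show ip dhcp snooping binding': MACs and ports follow the
# post, the IP addresses are made up because the forum stripped them.
SAMPLE_BINDINGS = """\
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:16:CB:97:3E:33   192.168.1.10     105167      dhcp-snooping  1     FastEthernet0/3
00:12:3F:22:09:14   192.168.1.11     105248      dhcp-snooping  1     FastEthernet0/5
Total number of bindings: 2
"""


def norm_mac(mac):
    """Canonical 12-hex-digit form, so 00:16:CB:97:3E:33 == 0016.cb97.3e33."""
    return mac.replace(":", "").replace("-", "").replace(".", "").lower()


def parse_bindings(text):
    """Return {(mac, ip): interface} from 'show ip dhcp snooping binding' output."""
    table = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 6 and parts[3] == "dhcp-snooping":
            mac, ip, _lease, _type, _vlan, iface = parts
            table[(norm_mac(mac), ip)] = iface
    return table


@dataclass
class ArpPacket:
    port: str          # ingress interface
    eth_src: str       # Ethernet header source MAC
    sender_mac: str    # ARP body sender hardware address
    sender_ip: str     # ARP body sender protocol address
    t: float           # arrival time in seconds


@dataclass
class DaiModel:
    bindings: dict                                  # (mac, ip) -> interface
    trusted: set                                    # trusted interfaces
    arp_acl: set = field(default_factory=set)       # statically permitted (mac, ip) pairs
    validate_src_mac: bool = False                  # 'ip arp inspection validate src-mac'
    err_disabled: set = field(default_factory=set)
    _seen: dict = field(default_factory=lambda: defaultdict(list))

    def inspect(self, pkt):
        """Return 'permit', 'deny' or 'err-disabled' for one ARP packet."""
        if pkt.port in self.err_disabled:
            return "err-disabled"
        if pkt.port in self.trusted:
            return "permit"                         # trusted ports are not inspected
        # Rate limit: more than RATE_LIMIT_PPS ARPs inside one second on an untrusted
        # port err-disables it, whether or not the packets were valid.
        recent = self._seen[pkt.port]
        recent.append(pkt.t)
        recent[:] = [x for x in recent if pkt.t - x < 1.0]
        if len(recent) > RATE_LIMIT_PPS:
            self.err_disabled.add(pkt.port)
            return "err-disabled"
        mac, ip = norm_mac(pkt.sender_mac), pkt.sender_ip
        if self.validate_src_mac and norm_mac(pkt.eth_src) != mac:
            return "deny"                           # ARP body and Ethernet header disagree
        if (mac, ip) in self.arp_acl or (mac, ip) in self.bindings:
            return "permit"
        return "deny"                               # no binding: the DHCP_SNOOPING_DENY case


if __name__ == "__main__":
    dai = DaiModel(bindings=parse_bindings(SAMPLE_BINDINGS), trusted={"Fa0/1"})
    # The BT3 laptop on Fa0/5 claiming the MacBook's IP with its own MAC: denied.
    print(dai.inspect(ArpPacket("Fa0/5", "00:12:3F:22:09:14", "00:12:3F:22:09:14",
                                "192.168.1.10", 0.0)))
```

Two things the model makes visible that the commands alone do not: the rate limit counts every ARP on the port, valid or not, so a fast host scan trips it even when each packet would have passed the binding check; and a static host is only reachable through the ARP ACL (or a trusted port), which is exactly why the Quick Edit above is needed.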