ETTERCAP - Jednostavan prirucnik

If you liked our tutorials, don't hesitate to support us and visit our sponsors!
Si vous aimez nos tutoriaux, n'hésitez pas à nous supporter et visiter nos sponsors! ETTERCAP - Jednostavan prirucnik - Protumjere

Ettercap Protumjere
Zadnje osvježenje: 07-05-2008

Tool
Install
Ergonomy
Forum

Detalji Što je Ettercap?
Preduvjeti i Instalacija
ARP Poisoning
"Man in the middle" napadi
Statistike
Protumjere

Croatian translation by Tomislav Marcinkovic.

If you like our tutorials, don't hesitate to support us and visit our sponsors!
Si vous aimez nos tutoriaux, n'hésitez pas à nous supporter et visiter nos sponsors!

Efektivna i uspje�na borba protiv ARP trovanja (poisoning) nije jednostavan zadatak, zbog toga �to ARP protokol ne pru�a mogucnosti za dokazivanje ispravnosti izvora dolaznih paketa.
Usprkos svemu, predla�emo neke metode za�tite Va�eg racunala protiv tih podmuklih podvala.

1. Staticki ARP 2. Alati za nadzor 3. Za�tita portova 4. Zakljucak

1. Staticki ARP

Staticki ARP znaci da vi rucno konfiguritate IP u MAC mapiranje.

Windows racunalo

C:\Documents and Settings\administrator>arp -s 192.168.1.1 11-22-33-44-11-11
Provjerite ARP cache tablicu:

C:\Documents and Settings\administrator>arp -a
Interface�: 192.168.1.2 --- 0x2

Internet adresa
192.168.1.1
192.168.1.100 Fizicka adresa
11-22-33-44-11-11
11-22-33-44-99-99 Vrsta
staticka
dinamicka
Linux racunalo

#arp -s 192.168.1.1 11:22:33:44:11:11
Provjerite ARP cache tablicu:

#arp

Address
192.168.1.1 HWtype
ether HWaddress
11:22:33:44:11:11 Flags Mask
CM Iface
eth0
Router Cisco

router#configure terminal
router(config)#arp 192.168.1.2 1122.3344.5566 ARPA
Postavljanje staticke IP i MAC adrese sprijecit ce ARP poisoning, ali ima dvije velike mane:

-

- Stvorit ce mnogo dodatnog posla administratorima i nije ba� primjenjivo u okru�jima gdje se korisnici koriste laptopima.
Nece sprijeciti druge vrste ARP napada, kao �to je npr. port stealing (krada porta)
Top of the page

2. Alati za nadzor

Arpwatch

Arpwatch je alat kojim nadziremo aktivnost ARP-a na mre�i, posebice promjene u IP - MAC dodjeljivanjima.
Ovim povodom mo�e biti od pomoci kod pronala�enja ARP napada kao �to je ARP spoofing, te mo�e upozoriti administratora mailom u slucaju sumnjivih ARP aktivnosti (odreden kao flip-flop u Arpwatch-u).

#apt-get install arpwatch
Uobicajeno Arpwatch svoje logove �alje u /var/log/syslog datoteku, stoga mo�ete koristiti "tail /var/log/syslog" komandu za provjeru logova u realnom vremenu. Konfiguracija se nalazi u /etc/arpwatch.conf datoteci.

Ettercap

Instalirajte Ettercap s grafickim suceljem.

#apt-get install ettercap-gtk
Pokrenite Ettercap s grafickim suceljem.

#ettercap -G

Sniff -> Unified sniffing...

Plugins -> Manage the plugins
Kliknite na arp_corp plugin za njegovu aktivaciju.

Start -> Start Sniffing

Snort IDS

Sustav za detekciju upada na racunalo, kao �to je Snort IDS (Intrusion Detection System), mo�e detektirati nenormalne ARP aktivnosti te mail-om upozoriti administratora.

Top of the page

3. Za�tita portova

Za�tita portova (port security) je sigurnosna funkcionalnost dostupna na nekim high-end switch-evima.
To ce omoguciti spajanje na port switch-a samo odredenim MAC adresama. U slucaju da spojeno racunalo nije prijavljeno, switch mo�e poduzeti neke mjere kao �to je, recimo, slanje upozorenja administratoru ili trenutno ga�enje kori�tenog porta.

Dolje je naveden primjer na Cisco-vom switch-u gdje je njegov prvi port (FastEthernet 0/1) konfiguriran kao za�titni port.
Port na switch-u prihvacat ce samo jednu MAC adresu i ta MAC adresa ce biti prva prijavljena na portu switch-a (sticky keyword). Ukoliko se na port prijavi neka druga MAC adresa, port se isti tren gasi.

Switch# configure terminal
Switch(config)# interface FastEthernet 0/1
Switch(config-if)# switchport port-security mac-address sticky
Switch(config-if)# switchport port-security maximum 1
Switch(config-if)# switchport port-security violation shutdown
Nakon konfiguracije switch-a prikljucujemo uredaj s MAC adresom 1122.3344.5566 na FastEthernet 0/1 port, koji ne prihvaca niti jednu drugu MAC adresu.

Switch# show port-security

Secure Port   MaxSecureAddr   CurrentAddr   SecurityViolation   Security Action
                         (Count)          (Count)            (Count)
---------------------------------------------------------------------------
   Fa1/0/1               1                    1                    0          Shutdown
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port) : 0
Max Addresses limit in System (excluding one mac per port) : 6272

Switch# show port-security interface FastEthernet 0/1

Port Security
Port Status
Violation Mode
Aging Time
Aging Type
SecureStatic Address Aging
Maximum MAC Addresses
Total MAC Addresses
Configured MAC Addresses
Sticky MAC Addresses
Last Source Address:Vlan
Security Violation Count :
:
:
:
:
:
:
:
:
:
:
: Enabled
Secure-up
Shutdown
0 mins
Absolute
Disabled
1
1
0
1
1122.3344.5566:1
0

Switch#show port-security address

          Secure Mac Address Table
----------------------------------------------------------------------------
Vlan    Mac Address        Type                  Ports            Remaining Age
                                                                              (mins)
----    -----------          ----                    -----          -------------
1        1122.3344.5566    SecureSticky        Fa0/1              -
----------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port) : 0
Max Addresses limit in System (excluding one mac per port) : 6272

Prikljucimo na� trenutni uredaj (MAC: 1122.3344.5566) i ukljucimo drugi uredaj (MAC: 1122.3344.9999).
Kao �to vidite dolje, switch ce iskljuciti svoj prvi port i postaviti ga u err-disabled status.

Switch# show port-security interface FastEthernet 0/1

Port Security
Port Status
Violation Mode
Aging Time
Aging Type
SecureStatic Address Aging
Maximum MAC Addresses
Total MAC Addresses
Configured MAC Addresses
Sticky MAC Addresses
Last Source Address:Vlan
Security Violation Count :
:
:
:
:
:
:
:
:
:
:
: Enabled
Secure-down
Shutdown
0 mins
Absolute
Disabled
1
1
0
1
1122.3344.9999:1
0

Switch#show logging

00:06:28:

00:06:28

00:06:29:

00:06:30: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/1, putting Fa0/1 in err-disable state
%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 1122.3344.9999 on port FastEthernet0/1.
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down
%LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to down

Switch#show interfaces status | include 0/1

Port
-------
Fa0/1 Name
------------------
Status
------------
err-disabled Vlan
--------
1 Duplex
------
auto Speed
-------
auto Type
----
10/100BaseTX
Ukoliko �elite ponovno aktivirati port u err-disabled stanje, koristite sljedece komande:

Switch# configure terminal
Switch(config)# interface FastEthernet 0/1
Switch(config-if)# shutdown
Switch(config-if)# no shutdown

Aktivacija za�tite portova nece sprijeciti ARP spoofing, ali ce smanjiti mogucnost spajanja nepo�eljnih racunala na mre�u.

4. Zakljucak

Ne postoji idealno rje�enje za borbu protiv ARP spoofing-a (podvala), ali sugestije koje se nalaze dolje nude Vam znacajnu pomoc kod sprecavanja spajanja nepo�eljnih racunala na Va�u mre�u i kontroliranja Va�e mre�e.

-

- Mre�na restrikcija sa za�titom portova ili cak i 802.1x protokola gdje se racunala prijavljuju na mre�u samo ako su prihvacena od strane autentikacijskog servera kao �to je RADIUS.
Nadzor mre�e s alatima poput IDS-ova (Intrusion Detection System).

Top of the page

If you liked our tutorials, don't hesitate to support us and visit our sponsors!
Si vous aimez nos tutoriaux, n'hésitez pas à nous supporter et visiter nos sponsors!