ETTERCAP - The Easy Tutorial - Countermeasures

Ettercap Countermeasures
Last updated: May 07 2008






Croatian translation by Tomislav Marcinkovic.





Fighting ARP poisoning effectively is not a simple task, because the ARP protocol offers no way to verify that the source of an incoming packet is genuine.
Nevertheless, we suggest some methods for protecting your computer against these insidious attacks.

1. Static ARP
2. Monitoring tools
3. Port security
4. Conclusion



1. Static ARP

Static ARP means that you configure the IP-to-MAC mapping by hand, so the entry can no longer be overwritten by an unsolicited ARP reply.

Windows computer

C:\Documents and Settings\administrator>arp -s 192.168.1.1   11-22-33-44-11-11
Check the ARP cache table:

C:\Documents and Settings\administrator>arp -a
Interface: 192.168.1.2 --- 0x2
  Internet Address      Physical Address      Type
  192.168.1.1           11-22-33-44-11-11     static
  192.168.1.100         11-22-33-44-99-99     dynamic
Linux computer

#arp -s 192.168.1.1 11:22:33:44:11:11
Check the ARP cache table (the M flag marks a permanent entry):

#arp
Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.1.1              ether   11:22:33:44:11:11   CM                    eth0
Cisco router

router#configure terminal
router(config)#arp 192.168.1.2 1122.3344.5566 ARPA
Setting a static IP-to-MAC mapping will prevent ARP poisoning, but it has two major drawbacks:
- It creates a lot of extra work for administrators and is hardly practical in environments where users work on laptops.
- It will not prevent other kinds of ARP attacks, such as port stealing.
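A check that goes with this section, written as an added example (not code from the original page): it parses Linux arp output in the format shown above and compares it with a hypothetical list of hosts whose mappings are expected to be pinned, reporting a MAC that differs from the expected one and an entry that is still dynamic (no M flag).

```python
"""Audit a Linux ARP cache against the static IP->MAC mapping an
administrator expects (added example, not part of the original page)."""
import re

# Constructed sample of `arp` output in the format shown above.
SAMPLE_ARP_OUTPUT = """\
Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.1.1              ether   11:22:33:44:11:11   CM                    eth0
192.168.1.100            ether   11:22:33:44:99:99   C                     eth0
192.168.1.200            ether   aa:bb:cc:dd:ee:ff   C                     eth0
"""

# Hypothetical list of hosts whose mappings must be static on this machine.
EXPECTED_STATIC = {
    "192.168.1.1": "11:22:33:44:11:11",    # default gateway
    "192.168.1.100": "11:22:33:44:99:99",  # file server, should be pinned too
}

LINE_RE = re.compile(
    r"^(?P<ip>\d+\.\d+\.\d+\.\d+)\s+ether\s+(?P<mac>[0-9a-f:]{17})\s+(?P<flags>\S+)"
)

def parse_arp_table(text):
    """Return {ip: (mac, flags)} for every 'ether' row of `arp` output."""
    table = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            table[m["ip"]] = (m["mac"].lower(), m["flags"])
    return table

def audit_arp_table(text, expected):
    """Report entries whose MAC differs from the expected mapping (a possible
    poisoning) and expected entries that are not permanent (missing M flag)."""
    findings = []
    table = parse_arp_table(text)
    for ip, exp_mac in expected.items():
        if ip not in table:
            findings.append((ip, "missing from cache"))
            continue
        mac, flags = table[ip]
        if mac != exp_mac.lower():
            findings.append((ip, f"MAC mismatch: cache has {mac}, expected {exp_mac}"))
        elif "M" not in flags:
            findings.append((ip, "entry is dynamic (no M flag), run arp -s to pin it"))
    return findings
```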



2. Monitoring tools

Arpwatch

Arpwatch is a tool for monitoring ARP activity on the network, in particular changes in IP-to-MAC assignments.
It can therefore help to detect ARP attacks such as ARP spoofing, and it can warn the administrator by e-mail about suspicious ARP activity (reported as a flip-flop by Arpwatch).

#apt-get install arpwatch
By default Arpwatch writes its logs to the /var/log/syslog file, so you can use the "tail /var/log/syslog" command to check the logs in real time. The configuration is in the /etc/arpwatch.conf file.
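The change detection described above, as an added example that is not Arpwatch's own code: a small monitor fed a constructed sequence of ARP replies (timestamp, sender IP, sender MAC) that classifies events the way Arpwatch names them, a new station, a changed ethernet address, and a flip flop when an IP returns to the MAC it had before. Repeated flip flops on the gateway IP are the signature a defender wants flagged.

```python
"""Arpwatch-style IP/MAC change detection over a stream of observed ARP
replies (added example, not Arpwatch's own code)."""

# Constructed sample: (seconds, sender IP, sender MAC) taken from ARP replies.
OBSERVATIONS = [
    (0,  "192.168.1.1",   "11:22:33:44:11:11"),  # gateway first seen
    (5,  "192.168.1.100", "11:22:33:44:99:99"),  # workstation first seen
    (60, "192.168.1.1",   "11:22:33:44:99:99"),  # gateway IP now claimed by the workstation MAC
    (65, "192.168.1.1",   "11:22:33:44:11:11"),  # the real gateway answers again
    (70, "192.168.1.1",   "11:22:33:44:99:99"),  # and the wrong MAC claims it once more
]

class ArpMonitor:
    """Tracks the current and previous MAC per IP and classifies events the
    way Arpwatch names them: new station, changed ethernet address, flip flop."""

    def __init__(self):
        self.current = {}   # ip -> MAC seen most recently
        self.previous = {}  # ip -> MAC seen before the current one

    def observe(self, ts, ip, mac):
        mac = mac.lower()
        if ip not in self.current:
            self.current[ip] = mac
            return (ts, ip, "new station", mac)
        if self.current[ip] == mac:
            return None  # same mapping as before, nothing to report
        old = self.current[ip]
        # Returning to the previously seen MAC is what Arpwatch calls a flip flop.
        event = "flip flop" if self.previous.get(ip) == mac else "changed ethernet address"
        self.previous[ip], self.current[ip] = old, mac
        return (ts, ip, event, f"{old} -> {mac}")

def run_monitor(observations):
    """Feed all observations through one monitor and return the events raised."""
    monitor = ArpMonitor()
    events = []
    for ts, ip, mac in observations:
        ev = monitor.observe(ts, ip, mac)
        if ev:
            events.append(ev)
    return events
```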


Ettercap

Install Ettercap with the graphical interface.

#apt-get install ettercap-gtk
Start Ettercap with the graphical interface.

#ettercap -G
Sniff -> Unified sniffing...

Plugins -> Manage the plugins
Click on the arp_cop plugin to activate it; it reports suspicious ARP replies it sees on the network.


Start -> Start Sniffing

Snort IDS

An intrusion detection system such as Snort IDS (Intrusion Detection System) can detect abnormal ARP activity and warn the administrator by e-mail.




3. Port security

Port security is a security feature available on some high-end switches.
It allows only specific MAC addresses to connect on a switch port. If the connected computer is not registered, the switch can take measures such as sending a warning to the administrator or immediately shutting down the port in use.

Below is an example on a Cisco switch where the first port (FastEthernet 0/1) is configured as a secured port.
The switch port will accept only one MAC address, and that MAC address will be the first one learned on the port (sticky keyword). If another MAC address shows up on the port, the port is shut down at once.

Switch# configure terminal
Switch(config)# interface FastEthernet 0/1
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security mac-address sticky
Switch(config-if)# switchport port-security maximum 1
Switch(config-if)# switchport port-security violation shutdown
After configuring the switch, we connect a device with MAC address 1122.3344.5566 to the FastEthernet 0/1 port, which from then on accepts no other MAC address.

Switch# show port-security
Secure Port   MaxSecureAddr   CurrentAddr   SecurityViolation   Security Action
                         (Count)          (Count)            (Count)
---------------------------------------------------------------------------
   Fa1/0/1               1                    1                    0          Shutdown
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port) : 0
Max Addresses limit in System (excluding one mac per port) : 6272

Switch# show port-security interface FastEthernet 0/1
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 1
Last Source Address:Vlan   : 1122.3344.5566:1
Security Violation Count   : 0
Switch#show port-security address
          Secure Mac Address Table
----------------------------------------------------------------------------
Vlan    Mac Address       Type             Ports      Remaining Age
                                                         (mins)
----    -----------       ----             -----      -------------
   1    1122.3344.5566    SecureSticky     Fa0/1            -
----------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port) : 0
Max Addresses limit in System (excluding one mac per port) : 6272


Now we unplug the current device (MAC: 1122.3344.5566) and plug in a different device (MAC: 1122.3344.9999).
As you can see below, the switch shuts down its first port and puts it into the err-disabled state.

Switch# show port-security interface FastEthernet 0/1
Port Security              : Enabled
Port Status                : Secure-down
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 1
Last Source Address:Vlan   : 1122.3344.9999:1
Security Violation Count   : 0
Switch#show logging
00:06:28: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/1, putting Fa0/1 in err-disable state
00:06:28: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 1122.3344.9999 on port FastEthernet0/1.
00:06:29: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down
00:06:30: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to down
Switch#show interfaces status | include 0/1
Port      Name               Status       Vlan       Duplex  Speed Type
Fa0/1                        err-disabled 1          auto    auto  10/100BaseTX
If you want to bring a port in the err-disabled state back up, use the following commands:

Switch# configure terminal
Switch(config)# interface FastEthernet 0/1
Switch(config-if)# shutdown
Switch(config-if)# no shutdown
Enabling port security will not prevent ARP spoofing, but it does reduce the chance of unwanted computers joining the network.
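The switch only helps if someone acts on the messages shown in the logging output above. As an added example (not Cisco's or the page's own code), this parser turns the %PORT_SECURITY and %PM-4-ERR_DISABLE syslog lines into structured alerts, converting the Cisco dotted MAC notation to the colon form used by arp and Arpwatch so the offending address can be matched against host-side records. The message formats are those quoted in this section; the log sample is constructed from them.

```python
"""Parse Cisco IOS port-security syslog messages like those shown above and
turn them into structured alerts (added example, not Cisco's or the page's
own code). Message formats follow the lines quoted in this section."""
import re

# Constructed sample of `show logging` output, in the order shown above.
SAMPLE_LOG = """\
00:06:28: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/1, putting Fa0/1 in err-disable state
00:06:28: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 1122.3344.9999 on port FastEthernet0/1.
00:06:29: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down
00:06:30: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to down
"""

VIOLATION_RE = re.compile(
    r"%PORT_SECURITY-2-PSECURE_VIOLATION: .*?caused by MAC address "
    r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}) on port (?P<port>\S+?)\.?$"
)
ERRDISABLE_RE = re.compile(
    r"%PM-4-ERR_DISABLE: psecure-violation error detected on (?P<port>\S+),"
)

def cisco_mac_to_colon(mac):
    """Convert 1122.3344.9999 to 11:22:33:44:99:99 for comparison with host tools."""
    digits = mac.replace(".", "").lower()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def parse_port_security_log(text):
    """Return one alert dict per violation, noting whether the port was also
    put into err-disabled state by the same event sequence."""
    alerts, disabled_ports = [], set()
    for line in text.splitlines():
        ts, _, msg = line.partition(": ")  # "00:06:28: %..." -> timestamp, message
        m = ERRDISABLE_RE.search(msg)
        if m:
            disabled_ports.add(m["port"])
            continue
        m = VIOLATION_RE.search(msg)
        if m:
            alerts.append({
                "time": ts,
                "port": m["port"],
                "mac": cisco_mac_to_colon(m["mac"]),
            })
    for alert in alerts:
        # Fa0/1 and FastEthernet0/1 name the same port; compare on the short form.
        short = alert["port"].replace("FastEthernet", "Fa")
        alert["err_disabled"] = short in disabled_ports
    return alerts
```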



4. Conclusion

There is no ideal solution for fighting ARP spoofing, but the suggestions below will help you considerably in keeping unwanted computers off your network and in keeping your network under control:
- Restricting network access with port security, or even with the 802.1X protocol, where computers are admitted to the network only if they are accepted by an authentication server such as RADIUS.
- Monitoring the network with tools such as IDSs (Intrusion Detection Systems).
