Monthly Archives: August 2018

4 Steps to Prevent Man in the Middle Attack ARP Poisoning in LAN

 

What is a man-in-the-middle attack? According to Wikipedia:

In cryptography and computer security, a man-in-the-middle attack is a form of active eavesdropping in which the attacker makes independent connections with the victims and relays messages between them, making them believe that they are talking directly to each other over a private connection, when in fact the entire conversation is controlled by the attacker. The attacker must be able to intercept all messages going between the two victims and inject new ones, which is straightforward in many circumstances (for example, an attacker within reception range of an unencrypted Wi-Fi wireless access point can insert himself as a man-in-the-middle).

And what is ARP poisoning or ARP spoofing? According to Wikipedia:

A technique whereby an attacker sends fake (“spoofed”) Address Resolution Protocol (ARP) messages onto a local area network. Generally, the aim is to associate the attacker’s MAC address with the IP address of another host (such as the default gateway), causing any traffic meant for that IP address to be sent to the attacker instead.

A man-in-the-middle attack becomes possible because the attacker modifies the ARP table (ARP spoofing), changing the IP-to-MAC mapping so that it points to the attacker's computer. Here I try to describe it using a picture (courtesy of irongeek.com).

As humans we know who Alan is and who Brian is by recognizing their faces, but our computers depend on the ARP table, which maps network addresses between OSI layer 3 (IP) and layer 2 (MAC).

| Name    | IP Address   | MAC Address             |
|---------|--------------|-------------------------|
| Alan    | 192.168.1.2  | 00-00-00-00-00-00-00-01 |
| Brian   | 192.168.1.3  | 00-00-00-00-00-00-00-02 |
| Cracker | 192.168.1.88 | 00-00-00-00-00-00-00-03 |

So if Alan wants to connect to Brian, his computer translates Brian's IP address (192.168.1.3) to its MAC address, 00-00-00-00-00-00-00-02. That is how it should work, but an attacker doing ARP spoofing (ARP poisoning) changes this mapping. Once the network is poisoned, when Alan wants to send a packet to Brian, Alan's computer resolves Brian (192.168.1.3) to MAC 00-00-00-00-00-00-00-03, the attacker's address, and Brian's computer does the same for Alan.

In this tutorial I will show you how ARP spoofing happens and how to prevent it on your own computer so that you will not be the victim.

In the scenario for today's tutorial I will use Windows 7 as the victim and Kali Linux as the attacker.

4 Steps to Prevent Man in the Middle Attack ARP Poisoning in LAN:

Before starting, you can download the Static ARP Changer tool to change the ARP entry automatically (128% virus free guaranteed):

Download Static ARP Changer

1. First I will show you my Windows 7 ARP table before it is poisoned by the attacker:

arp -a

The highlighted entry in the output is the victim's router; the router's MAC address is xx-xx-xx-5a-26-94. The victim's IP address is 192.168.8.100.

Here is the attacker IP and MAC info:

2. The attacker performs ARP spoofing against the victim using arpspoof:

arpspoof -i eth0 -t 192.168.8.100 -r 192.168.8.8

Description:

-i eth0 -> the attacker uses the eth0 interface to perform the attack.

-t 192.168.8.100 -> the attacker targets the IP address 192.168.8.100.

-r 192.168.8.8 -> the attacker intercepts the traffic between -t and -r, where -r is the remote host, here the router.

3. When the victim runs the arp -a command again on his computer, the router's MAC address has changed to that of the attacker's computer.

That means every transaction the victim makes goes through the attacker's computer first and only then to the real router. We need to protect the ARP mapping table so that the attacker cannot do this to us.

4. We need to run this command on our Windows PC:

arp -s 192.168.8.8 xx-xx-xx-5a-26-94

Description:

-s -> add a static ARP entry

192.168.8.8 -> your router's IP address

xx-xx-xx-5a-26-94 -> your router's MAC address

Note: If you get the error “The ARP entry addition failed: Access is denied.”,

try running this command to find your interface name:

netsh interface show interface

and then run this command to add the static ARP entry:

netsh interface ip add neighbors "Wireless Network Connection" "192.168.8.8" "xx-xx-xx-5a-26-94"

Now when we run the arp -a command again, our ARP entry for the router has changed to static.

And when the attacker runs ARP spoofing again, our ARP table won’t change because we have already made the entry static :-)

Conclusions:

1. To prevent ARP spoofing and man-in-the-middle attacks in your local area network you need to add a static ARP entry.

2. This trick becomes troublesome if your router changes frequently, so if you use this prevention method you need to delete the old entry and add the new one whenever it changes.

3. You can download and use my Static ARP Changer to update your static ARP entry automatically.

Download Static ARP Changer

 

5 Ways to Protect Your Computer Against NetCut’s ARP Spoofing Attack

NetCut is a denial-of-service type of tool that runs on Windows and is capable of cutting off a person’s Internet connectivity when both are connected to the same local area network. The ARP protocol is used to translate IP addresses to MAC addresses, and NetCut exploits a weakness of the stateless ARP protocol: the lack of authentication.

NetCut is very easy to use and can be used by anyone. Simply run the tool and it will detect all the connected devices in the same local area network. You can then select any target from the list and click the “Cut off” button, and within seconds the target will lose its Internet connection. The affected target will have no idea what has happened, even with a firewall program installed.

Due to the way NetCut works, no firewall is able to prevent or even detect the attack. In fact, setting up static ARP entries as most other websites suggest will not protect you against NetCut attacks, because NetCut directly attacks the gateway and not the user. Here is an investigation of how NetCut works, along with methods to protect against the DoS attack. As mentioned earlier, none of the firewall software such as ZoneAlarm, Comodo, Outpost, GlassWire, SpyShelter, Privatefirewall, etc. is able to detect a NetCut attack. However, you can use XArp, a freeware tool that can detect ARP spoofing. By installing XArp and running it, you will be instantly notified when it detects an ARP spoofing attack, including the attack from NetCut. The screenshot below shows XArp running without attacks. Take note of the MAC address 00-21-5d-41-16-5a circled in red, which is associated with the IP 192.168.2.8.

[Screenshot: XArp running with no ARP attacks detected]

When NetCut starts attacking the IP 192.168.2.8 in an attempt to cut off the Internet connection, XArp immediately detects it and shows an alert popup with a few different messages. The most important message would be the one that reports that the MAC address for the IP 192.168.2.8 has been changed from 00-21-5d-41-16-5a to 03-27-75-49-18-73.

[Screenshot: XArp alert popup]

If you open the XArp program from the notification tray icon, you will see that the MAC address for the IP 192.168.2.8 has been changed to 03-27-75-49-18-73, which is obviously wrong.

[Screenshot: XArp showing ARP attacks detected]

This means that NetCut sends a spoofed packet informing the gateway that the IP 192.168.2.8 is associated with an incorrect MAC address. Since the IP 192.168.2.8 is no longer mapped to the correct MAC address, the Internet connection breaks. A packet sniffer such as Wireshark confirms that spoofed packets are sent to the gateway mapping a wrong MAC address to the IP 192.168.2.8.

[Screenshot: Wireshark capture of the NetCut attack]

When NetCut is actively attacking a target on the network, it continuously sends spoofed packets to the gateway so that the gateway never gets a chance to learn the correct dynamic ARP entry. Here are 5 possible ways of protecting against NetCut attacks.
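As an added example (not code from either post, nor from XArp or NetCut), the following Python check applies the detection logic both posts rely on to Windows `arp -a` output: it flags an IP whose MAC has changed since a baseline snapshot (what step 3 of the first post shows and what XArp alerts on here), one MAC answering for several IPs, and a gateway entry that has not been made static with arp -s / netsh. The interface, IPs and MACs in the two snapshots are constructed sample values, not real captures.

```python
import re
ROW_RE = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(\w+)\s*$", re.I)
IGNORED_PREFIXES = ("ff-ff-ff", "01-00-5e")  # broadcast / IPv4 multicast legitimately share MACs

def parse_arp_a(output):
    """Return {ip: (mac, type)} from Windows `arp -a` text; interface and header lines are skipped."""
    table = {}
    for line in output.splitlines():
        m = ROW_RE.match(line)  # e.g. "  192.168.8.8   02-00-00-00-00-01   dynamic"
        if m:
            ip, mac, kind = m.groups()
            table[ip] = (mac.lower(), kind.lower())
    return table

def check_arp(baseline, current, gateway_ip):
    """Return findings that point at ARP poisoning or an unprotected gateway entry."""
    findings = []
    # 1. A known IP now resolves to a different MAC: the change XArp alerts on
    for ip, (mac, _) in current.items():
        if ip in baseline and baseline[ip][0] != mac:
            findings.append(f"MAC for {ip} changed from {baseline[ip][0]} to {mac}")
    # 2. One MAC answering for several IPs, e.g. the gateway's IP and the spoofer's own
    by_mac = {}
    for ip, (mac, _) in current.items():
        if not mac.startswith(IGNORED_PREFIXES):
            by_mac.setdefault(mac, []).append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            findings.append(f"MAC {mac} shared by {', '.join(sorted(ips))}")
    # 3. The gateway entry should be pinned with arp -s / netsh, i.e. type "static"
    if gateway_ip not in current:
        findings.append(f"gateway {gateway_ip} missing from ARP table")
    elif current[gateway_ip][1] != "static":
        findings.append(f"gateway {gateway_ip} entry is {current[gateway_ip][1]}, not static")
    return findings

# Constructed sample snapshots (not real captures); MACs follow the posts' placeholder style
BASELINE = """\
Interface: 192.168.8.100 --- 0xb
  Internet Address      Physical Address      Type
  192.168.8.8           02-00-00-00-00-01     dynamic
  192.168.8.255         ff-ff-ff-ff-ff-ff     static
"""
POISONED = """\
Interface: 192.168.8.100 --- 0xb
  Internet Address      Physical Address      Type
  192.168.8.8           02-00-00-00-00-03     dynamic
  192.168.8.55          02-00-00-00-00-03     dynamic
  192.168.8.255         ff-ff-ff-ff-ff-ff     static
"""
```

Running `check_arp(parse_arp_a(BASELINE), parse_arp_a(POISONED), "192.168.8.8")` reports all three findings for the poisoned snapshot; once the gateway entry has been made static and keeps its original MAC, the same check returns an empty list.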

1. Static ARP Table in Router

Since NetCut sends spoofed packets to the router to mess with its dynamic ARP table, you can solve this problem by setting up a static ARP table in the router. Implementing static ARP entries there protects everyone connected to the network. However, this is not really a solution for everyone: many basic home routers don’t support a static ARP table, and it doesn’t make sense to implement this on a public Wi-Fi network. Doing this on a large corporate network also requires a lot of manpower to maintain the IP-to-MAC address mappings.


2. NetCut

Ironically, the NetCut program that is used to cut off a person’s Internet connection has an option to protect against the attack. Simply make sure that the “Protect My Computer” checkbox is ticked and this will ensure that your IP address is mapped to the correct MAC address.

[Screenshot: NetCut “Protect My Computer” option]

Basically NetCut protects against its own attack by constantly sending packets to the gateway informing the router of the correct IP-to-MAC mapping. The router can easily be flooded with packets when NetCut is being used both to attack and to protect.

Download NetCut


3. NetCut Defender

If you’re not comfortable having an attack program such as NetCut installed and running on your computer due to legal concerns, the author of NetCut has also created a protection program called NetCut Defender. Basically it does the same thing as the “Protect My Computer” option found in NetCut, except without the ability to cut off a person’s connection.

[Screenshot: NetCut Defender]

Nowhere on the official NetCut Defender website does it mention that it costs $9.99; you will start getting nagging popups to purchase the program after a couple of hours of usage. We cannot confirm the trial period of NetCut Defender as we have not tested it extensively, but what we can confirm is that it can surely keep you safe against NetCut attacks.

Download NetCut Defender


4. Outpost Firewall Pro

When NetCut is launched, it automatically runs an ARP broadcast sweep to detect all connected devices on the network. For example, if the computer running NetCut is connected to a network with the gateway 192.168.2.1, it will perform an ARP sweep from 192.168.2.1 to 192.168.2.255. Unlike ICMP pings, which can easily be blocked, ARP requests are normally answered and not blocked. When a device responds to the ARP request made by NetCut, the device is added to the list of hosts that can be attacked. Outpost Firewall Pro has an option to block ARP scans.

[Screenshot: Outpost attack detection report]

Go to Settings > Advanced settings > Attack Detection > click the Customize button > select “Block host when it enumerates other computers on LAN” and click OK to close the Attack Detection window followed by clicking OK to save the Settings.

[Screenshot: “Block host when it enumerates other computers on LAN” option]

Enabling this option will prevent your computer from being listed in NetCut, so the attacker will most likely attack another computer instead of yours. Outpost Firewall Pro is shareware that costs $29.95 for a 1-year subscription on a single license.

Download Outpost Firewall Pro


5. ESET Smart Security

ESET Smart Security is one of the few Internet security applications that can be configured to disallow responses to ARP requests. By doing this, NetCut won’t be able to find your computer during the ARP sweep it runs when the program is launched or when the “Refresh Net” button is clicked. To configure ESET Smart Security to block an ARP scan, open the program, go to Setup and click on Network. Click Advanced Personal firewall setup, located at the bottom.

[Screenshot: ESET Advanced Personal firewall setup]

Expand Network > Personal firewall and select IDS and advanced options. Uncheck “Allow response to ARP requests from outside the Trusted zone” and click OK.

[Screenshot: ESET “Allow response to ARP requests from outside the Trusted zone” option]

For this setting to take effect, you need to select “Public network” as the desired protection mode of your computer in the network. Normally this option shows up when you connect to a new network. To check the setting, in the Network protection setup, click on “Change the protection mode of your computer in the network”.

Select Public network option and click OK.

[Screenshot: ESET computer protection mode]

The NetCut program won’t be able to find your computer on the network, thus keeping you safe from being attacked.

Read more: https://www.raymond.cc/blog/protect-your-computer-against-arp-poison-attack-netcut/