A lot of people go through their daily lives with the misconception that you can't packet sniff (eavesdrop) in a switched network or encrypted wireless (wifi) environment. Sadly, this is hardly the case.
They think this because a switch forwards each frame only to the port where it learned the destination MAC address, so your computer normally sees only the traffic addressed to it (plus broadcasts), not everything crossing the switch.
Unfortunately, in the real world there are hacking/penetration tools such as Cain that let someone running them perform what is called ARP (Address Resolution Protocol) poisoning. ARP has no authentication: a host simply believes whatever reply says "IP address X is at MAC address Y". The attacker sends forged ARP replies to the victim hosts claiming the gateway's IP address is at the attacker's MAC, and to the gateway claiming the victims' IP addresses are at the attacker's MAC. The switch itself is not fooled; it keeps forwarding by MAC address exactly as designed. It is the hosts' ARP caches that are poisoned, so both sides of every conversation now hand their frames to the attacker's computer, almost as if it were the gateway router for the switched segment.
This allows anyone running these tools to sniff all traffic going through the switch, or even to alter the traffic they are relaying (a man-in-the-middle attack).
Pretty scary stuff, eh?
But there are ways to mitigate this sort of risk. Many managed switches from makers such as Cisco, Extreme, D-Link and others offer a feature called DHCP snooping. It watches DHCP exchanges and builds a binding table of which IP address and MAC address were leased on which port, and it marks ports as trusted (uplinks, the real DHCP server) or untrusted (end-user ports). On its own that table stops rogue DHCP servers; the part that stops ARP poisoning is a companion feature (Cisco calls it Dynamic ARP Inspection) that drops any ARP packet arriving on an untrusted port whose sender IP/MAC pair does not match the binding table. The catch is that the table only knows about DHCP clients. Hosts with static addresses (the gateway, servers, an attacker who simply configures a static IP) are not in it, so you must add static bindings or ARP ACLs for them, or put them on trusted ports; otherwise the inspection either drops their legitimate ARP traffic or, if you disable it to make them work, protects nothing.
There are other solutions out there, but they can be costly (ArpDefender) or only detect rather than block (arpwatch, which logs an alert when the MAC address behind an IP address changes but cannot stop the traffic).
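To make the mechanism and the two defences concrete, here is an added example (not code from the original post or from any of the tools it names) that builds the forged replies, then runs them through an arpwatch-style monitor and a Dynamic-ARP-Inspection-style check against a binding table. The addresses are a constructed lab (gateway 192.168.1.1, victim 192.168.1.10, attacker MAC de:ad:be:ef:00:01) and the function names are my own; nothing is sent on the wire.

```python
"""Forged ARP replies, an arpwatch-style monitor and DAI-style inspection,
run over constructed frames only (no packets are transmitted)."""
import struct
from collections import namedtuple

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"
Arp = namedtuple("Arp", "op sender_mac sender_ip target_mac target_ip")

# Constructed lab addresses (assumptions for the example, not from the post).
GATEWAY_IP, GATEWAY_MAC = "192.168.1.1", "00:11:22:33:44:01"
VICTIM_IP, VICTIM_MAC = "192.168.1.10", "00:11:22:33:44:10"
ATTACKER_MAC = "de:ad:be:ef:00:01"


def mac_bytes(s):
    return bytes.fromhex(s.replace(":", ""))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_bytes(s):
    return bytes(int(o) for o in s.split("."))


def ip_str(b):
    return ".".join(str(x) for x in b)


def build_arp_frame(op, sender_mac, sender_ip, target_mac, target_ip, dst_mac=None):
    """Ethernet II header + 28-byte ARP body (RFC 826, IPv4 over Ethernet), 42 bytes."""
    eth_dst = dst_mac or (BROADCAST if op == ARP_REQUEST else target_mac)
    eth = mac_bytes(eth_dst) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)  # hw=Ethernet, proto=IPv4, lengths 6/4
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)
    arp += mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp


def parse_arp_frame(frame):
    """Return an Arp tuple, or None if the frame is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    body = frame[22:42]
    return Arp(op, mac_str(body[0:6]), ip_str(body[6:10]),
               mac_str(body[10:16]), ip_str(body[16:20]))


def poison_frames(attacker_mac, gateway_ip, gateway_mac, victim_ip, victim_mac):
    """The two unsolicited replies a poisoning tool sends: each side is told that the
    other side's IP address lives at the attacker's MAC, so both forward via the attacker."""
    to_victim = build_arp_frame(ARP_REPLY, attacker_mac, gateway_ip, victim_mac, victim_ip)
    to_gateway = build_arp_frame(ARP_REPLY, attacker_mac, victim_ip, gateway_mac, gateway_ip)
    return to_victim, to_gateway


class ArpWatcher:
    """arpwatch-style monitor: learn sender IP->MAC and report when a mapping changes."""

    def __init__(self):
        self.table = {}

    def observe(self, frame):
        arp = parse_arp_frame(frame)
        if arp is None or arp.sender_ip == "0.0.0.0":  # skip non-ARP and DHCP-style probes
            return None
        previous = self.table.get(arp.sender_ip)
        self.table[arp.sender_ip] = arp.sender_mac
        if previous and previous != arp.sender_mac:
            return f"flip flop: {arp.sender_ip} moved from {previous} to {arp.sender_mac}"
        return None


def inspect_arp(frame, bindings, trusted_port=False):
    """DAI-style check: on an untrusted port the sender IP/MAC pair must match the
    binding table (built by DHCP snooping, plus any static entries) or the frame is dropped."""
    arp = parse_arp_frame(frame)
    if arp is None or trusted_port:
        return "permit"
    return "permit" if bindings.get(arp.sender_ip) == arp.sender_mac else "deny"


def demo():
    legit = build_arp_frame(ARP_REPLY, GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP)
    forged_to_victim, _forged_to_gateway = poison_frames(
        ATTACKER_MAC, GATEWAY_IP, GATEWAY_MAC, VICTIM_IP, VICTIM_MAC)
    watcher = ArpWatcher()
    alerts = [a for a in map(watcher.observe, [legit, forged_to_victim]) if a]
    # Binding table exactly as DHCP snooping would build it: only the DHCP client is known.
    bindings = {VICTIM_IP: VICTIM_MAC}
    verdicts = {
        "forged reply, dhcp table only": inspect_arp(forged_to_victim, bindings),
        "real gateway, dhcp table only": inspect_arp(legit, bindings),
    }
    bindings[GATEWAY_IP] = GATEWAY_MAC  # static binding for the static-IP gateway
    verdicts["forged reply, with static binding"] = inspect_arp(forged_to_victim, bindings)
    verdicts["real gateway, with static binding"] = inspect_arp(legit, bindings)
    return alerts, verdicts


if __name__ == "__main__":
    found_alerts, found_verdicts = demo()
    print("\n".join(found_alerts))
    for name, verdict in found_verdicts.items():
        print(f"{name}: {verdict}")
```

The monitor only ever reports after the damage is done (it needs to see the honest mapping first, then the forged one), which is the "monitoring only" limitation. The inspection check shows the static-address caveat from both sides: with nothing but the DHCP-learned table, the forged reply is denied, but so is the real gateway's reply, because the gateway never took a lease; adding the static binding (or, on a real switch, marking the uplink port trusted) is what makes the feature usable.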
At the end of the day, people put too much trust in the security of their systems by default when most of the systems and protocols that we use on a daily basis on the internet were designed not for security, but rather for ease of use and interoperability.
This isn't just important for those of us who might be managing IT security for corporations, but also for individuals who use public wifi hotspots on a regular basis.
a very quick one:
Given that wireless networks broadcast, what is the reason you would use ARP spoofing on a wireless network? I mean, I get it if you are on a wired one, as with switches you won't intercept someone else's packets, so using ARP spoofing you place yourself between the gateway and the client. But on a wireless network, which broadcasts packets because of the nature of the medium (air), why would you do this?
Posted by: tommaso | Thursday, July 21, 2011 at 05:00 PM
Here are two reasons:
a) the wireless may be bridged to a wired LAN where more interesting hosts are likely to live.
b) so that the malicious host can not only view, but also respond to traffic: provide incorrect answers to DNS queries, or become man-in-the-middle and actually alter or redirect some of the traffic.
This afternoon I helped a small business get back in business after an ARP spoofing attack severely crippled their network. The culprit: malware on an employee's Android phone connected via WiFi (WiFi had MAC filtering, but this was a trusted employee's phone). The malicious app had spoofed the address of the DNS server (also the file & print server).
Posted by: Shawn Hughes | Monday, April 30, 2012 at 06:48 PM