
118 Chapter 6 Man-in-the-Middle

Low-Level Detection

Implementing controls at various points in the network will ultimately provide a good defensive strategy. However, looking at some of the low-level detection methods will also pay off. A few simple things you can do if you suspect MITM attacks are being performed include reviewing local ARP table information and network traffic.

Although the intent is to use a more centralized and robust method of viewing the health of the network as a whole, a simple test you can perform to see whether you are currently being attacked is to review the ARP table entries. Figure 6.5 illustrates the ARP table of a Windows XP system that is currently the victim of an ARP cache poisoning attack. This screenshot was actually taken from the victim computer in the lab environment while preparing the section "ARP Cache Poisoning." Reviewing Figure 6.5, we can see that multiple IP addresses appear to have the same physical address. This means that the computer with IP address 192.168.204.139 has ARP table entries indicating that both 192.168.204.1 and 192.168.204.131 reside at the same physical address. In this case, 192.168.204.1 is the IP address of the attacker's computer and 192.168.204.131 is actually a Windows 2008 Domain Controller. If you detect something similar to this on your network, you should conduct further investigation to find out the source of the issue.

Figure 6.5 Detecting ARP MITM

As you may recall from the section "ARP Cache Poisoning," devices broadcast ARP requests to the broadcast address of the network in an effort to locate other systems on the network. During an active ARP cache poisoning attack, multiple IP addresses will have the same hardware address, as explained in the last paragraph. Figure 6.6 displays what an administrator may see while sniffing the network during such an attack. Tools such as Wireshark will usually provide immediate identification of multiple devices using the same hardware address.

Figure 6.6 is an example of a capture taken while a MITM attack was performed on a network where the attacker
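The ARP table check the chapter describes can be scripted so it runs the same way on every host. The following is an added example, not code from the book: it parses the text that `arp -a` prints on Windows (and, as a generalization, `arp -n` or `ip neigh` on Linux), flags every unicast MAC that more than one IP address resolves to, and compares critical entries against a recorded baseline. The sample ARP output is constructed for this example; the IP addresses match the chapter's figure, but every physical address in it is made up, and the baseline MAC for the domain controller is an assumed value.

```python
import re
from collections import defaultdict

# Constructed sample: roughly what `arp -a` prints on a Windows host in the
# situation the chapter describes. The IPs come from the chapter's figure;
# the physical addresses are made up for this example.
WINDOWS_ARP_A = """\
Interface: 192.168.204.139 --- 0x2
  Internet Address      Physical Address      Type
  192.168.204.1         00-0c-29-aa-bb-cc     dynamic
  192.168.204.131       00-0c-29-aa-bb-cc     dynamic
  192.168.204.254       00-50-56-11-22-33     dynamic
  192.168.204.255       ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

# Constructed sample of the same poisoned state as `ip neigh` on Linux would
# show it; the parser below handles both layouts.
LINUX_IP_NEIGH = """\
192.168.204.1 dev eth0 lladdr 00:0c:29:aa:bb:cc REACHABLE
192.168.204.131 dev eth0 lladdr 00:0c:29:aa:bb:cc STALE
192.168.204.254 dev eth0 lladdr 00:50:56:11:22:33 REACHABLE
"""

# One IPv4 address followed, somewhere later on the same line, by a MAC
# written with either '-' (Windows) or ':' (Linux) separators.
ENTRY_RE = re.compile(
    r"(?P<ip>\b\d{1,3}(?:\.\d{1,3}){3}\b).*?"
    r"(?P<mac>\b(?:[0-9a-f]{2}[-:]){5}[0-9a-f]{2}\b)",
    re.IGNORECASE,
)


def normalise_mac(mac):
    """Lower-case, colon-separated form so Windows and Linux spellings compare equal."""
    return mac.lower().replace("-", ":")


def parse_arp_table(text):
    """Return {ip: mac} from `arp -a` (Windows), `arp -n` or `ip neigh` (Linux) output.
    Header and interface lines carry no MAC and are skipped."""
    table = {}
    for line in text.splitlines():
        m = ENTRY_RE.search(line)
        if m:
            table[m.group("ip")] = normalise_mac(m.group("mac"))
    return table


def is_unicast(mac):
    """Broadcast and multicast entries are expected to be shared and carry no
    poisoning signal; the I/G bit (low bit of the first octet) marks group addresses."""
    return not (int(mac.split(":")[0], 16) & 0x01)


def find_shared_macs(table):
    """Return {mac: [ips]} for every unicast MAC that more than one IP resolves to.
    This is the condition visible in the chapter's Figure 6.5."""
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        if is_unicast(mac):
            by_mac[mac].append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


def check_baseline(table, expected):
    """Compare the live table with a recorded {ip: mac} baseline for hosts that
    matter (gateway, domain controller) and return {ip: (expected, seen)} for
    every entry that disagrees. A changed MAC for a known host is the stronger
    signal: a shared MAC alone can also come from a legitimate multi-homed
    host or a router answering for several addresses."""
    mismatches = {}
    for ip, mac in expected.items():
        seen = table.get(ip)
        if seen is not None and seen != normalise_mac(mac):
            mismatches[ip] = (normalise_mac(mac), seen)
    return mismatches


if __name__ == "__main__":
    table = parse_arp_table(WINDOWS_ARP_A)
    for mac, ips in find_shared_macs(table).items():
        print(f"{mac} is claimed by {len(ips)} hosts: {', '.join(ips)}")
    # Assumed baseline: the MAC the domain controller was recorded with
    # before the incident (a made-up value for this example).
    baseline = {"192.168.204.131": "00-50-56-aa-aa-aa"}
    for ip, (want, got) in check_baseline(table, baseline).items():
        print(f"{ip}: expected {want}, table now says {got}")
```

On a real host, feed the script the output of `arp -a` (or `ip neigh`) instead of the constructed samples. Treat a shared unicast MAC as a lead rather than proof: record the MAC of the gateway and domain controllers while the network is known-good, so that `check_baseline` can tell a poisoned entry from a host that legitimately answers for more than one address.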