Another great tool is Ettercap, the Swiss army knife of ARP Poisoning and password sniffing. I usually use it in non-interactive mode, but by default it has a ncurses interface that some may find easier to use.
If you would like to use Ettercap for ARP poisoning instead, the following commands should serve as good examples. If we wanted to target all hosts on the network and sniff traffic between every node, we would use the following command:
UNIX> ettercap -T -q -M ARP // //
Be careful with the above command, having all of the traffic on a large network going though one slow computer can really bog down network connections.
If we had a specific victim in mind, let’s say a host with the IP 192.168.1.1, we would use this command:
UNIX> ettercap -T -q -M ARP /192.168.1.1/ //
Mitigating Sniffing Attacks
There are quite a few ways to mitigate sniffing attacks.
1. Avoid using insecure protocols like Basic HTTP authentication and Telnet. As a matter of fact you should sniff your own network to see what passwords the tools listed above can pick up.
2. If you have to use an insecure protocol, try tunneling it though something to encrypt the sensitive data. I have a video on SSH Dynamic Port Forwarding that show one way to accomplish this.
3. Look into using Static ARP tables between critical workstations and servers. They are more trouble to maintain but limit arpspoofing.
4. Run software like ARPWatch to detect changes in MAC addresses on your network that may point to Sniffers.
5. Try running tools like Sniffdet and Sentinel to detect network cards in promiscuous mode that may be running sniffing software.
6. Have outside laptops using Wi-Fi that come into your facility use a VPN to connect to the network.
7. Lockdown workstations so users can’t install sniffing software or boot from a CD like Knoppix.
8. Keep public terminals on a separate LAN from the staff workstations and servers.
Next» Running Network Sniffer With dsniff