17/5/08

Detecting ARP Spoofing

These are two of the easiest ways I have found to detect ARP spoofing: the tools arpwatch and arpalert. You can install them on Debian from Synaptic, or from the command line:

#apt-get install arpwatch
#apt-get install arpalert

Both send their alerts to /var/log/syslog. You can write a script to send their output to another file, and you can also edit their configuration in /etc/arpalert and /etc/arpwatch.conf. Their official manuals are available with:

#man arpalert
#man arpwatch

Here is the syslog output for both ARP tools after telling them to listen on interface eth2:

#arpalert -i eth2 {replace the interface with the one you want it to listen on}
#arpwatch -i eth2

#cat /var/log/syslog | grep arp

May 17 13:12:40 zk kernel: Measured 4131621884 cycles TSC warp between CPUs, turning off TSC clock.
May 17 13:43:59 zk arpalert: Auto selected device: eth1
May 17 13:43:59 zk arpwatch: bad interface eth1: eth1: no IPv4 address assigned - assuming unconfigured interface
May 17 13:43:59 zk arpwatch: Running as uid=115 gid=121
May 17 13:43:59 zk arpwatch: listening on eth1
May 17 13:43:59 zk arpwatch: exiting
May 17 13:44:16 zk arpalert: Auto selected device: eth1
May 17 13:44:16 zk arpalert: daemon instance already running (file: /var/run/arpalert.pid locked)
May 17 13:44:34 zk arpwatch: bad interface eth1: eth1: no IPv4 address assigned - assuming unconfigured interface
May 17 13:44:34 zk arpwatch: listening on eth1
May 17 13:44:57 zk arpwatch: exiting
May 17 14:41:04 zk arpalert: Selected device: eth2
May 17 14:41:04 zk arpalert: daemon instance already running (file: /var/run/arpalert.pid locked)
May 17 14:41:42 zk arpwatch: listening on eth2
May 17 14:42:10 zk arpwatch: new station 192.168.0.11 0:38:de:34:46:g7 eth2
May 17 14:42:10 zk arpwatch: new station 192.168.0.1 0:44:54:84:F3:c5 eth2
May 17 14:43:13 zk arpwatch: bogon 1.15.54.18 0:44:4:34:14:c3 eth2
May 17 14:55:14 zk arpwatch: bogon 1.15.54.18 0:44:45:y4:d3:56 eth2
May 17 15:07:27 zk arpwatch: bogon 1.15.54.18 0:1e:45:y4:t3:56 eth2
May 17 15:10:15 zk arpwatch: bogon 1.15.54.18 0:64:43:8a:1y:t6 eth2
May 17 15:14:38 zk arpalert: Auto selected device: eth1
May 17 15:14:38 zk arpalert: daemon instance already running (file: /var/run/arpalert.pid locked)
May 17 15:25:16 zk arpwatch: bogon 1.15.54.18 0:44:74:w4:13:56 eth2
May 17 15:30:36 zk arpwatch: bogon 1.15.54.18 0:d4:48:e4:13:56 eth2
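
The script suggested above could look like the following added example (not part of the original post): it reads arpwatch lines from syslog text and reports every IP address that was logged as a bogon, changed its Ethernet address, or was seen with more than one MAC. The sample log is constructed, and the "changed ethernet address" and "flip flop" line layouts are assumed from arpwatch's usual report names, since only "new station" and "bogon" appear in the output above.

```python
import re
from collections import defaultdict

# Constructed sample lines in the syslog format shown above (not real traffic).
SAMPLE_LOG = """\
May 17 14:41:42 host arpwatch: listening on eth2
May 17 14:42:10 host arpwatch: new station 192.168.0.11 0:38:de:34:46:a7 eth2
May 17 14:42:10 host arpwatch: new station 192.168.0.1 0:44:54:84:f3:c5 eth2
May 17 14:43:13 host arpwatch: bogon 1.15.54.18 0:44:4:34:14:c3 eth2
May 17 14:55:14 host arpwatch: bogon 1.15.54.18 0:44:45:a4:d3:56 eth2
May 17 15:02:00 host arpwatch: changed ethernet address 192.168.0.1 0:de:ad:be:ef:1 (0:44:54:84:f3:c5) eth2
"""

# "new station" and "bogon" are in the post's output; the other two are assumed.
EVENT_RE = re.compile(
    r"arpwatch: (?P<event>new station|bogon|changed ethernet address|flip flop) "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) (?P<mac>[0-9A-Za-z:]+)"
    r"(?: \((?P<old_mac>[0-9A-Za-z:]+)\))?"
)

def normalize_mac(mac):
    # arpwatch drops leading zeros (0:44:4:...), so pad each byte before comparing.
    return ":".join(part.zfill(2) for part in mac.lower().split(":"))

def analyze(log_text):
    """Return {ip: {"macs": [...], "reasons": [...]}} for IPs that need review."""
    macs = defaultdict(set)
    reasons = defaultdict(set)
    for line in log_text.splitlines():
        m = EVENT_RE.search(line)
        if not m:
            continue  # kernel, arpalert and arpwatch status lines
        ip = m["ip"]
        macs[ip].add(normalize_mac(m["mac"]))
        if m["old_mac"]:
            macs[ip].add(normalize_mac(m["old_mac"]))
        if m["event"] != "new station":
            reasons[ip].add(m["event"])
    for ip, seen in macs.items():
        if len(seen) > 1:  # one IP answered for by several MACs
            reasons[ip].add("multiple-macs")
    return {ip: {"macs": sorted(macs[ip]), "reasons": sorted(r)}
            for ip, r in reasons.items()}

if __name__ == "__main__":
    for ip, info in analyze(SAMPLE_LOG).items():
        print(ip, info["reasons"], info["macs"])
```

To run it against the real log, pass the contents of /var/log/syslog to analyze() instead of SAMPLE_LOG.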
