Sunday, October 19, 2008

How to catch hackers on your wireless network

XArp can't stop ARP attacks, but you'll be warned immediately if it detects one

There are lots of tools around to help people carry out ARP-related exploits and if a malicious, Wi-Fi enabled neighbour decided to find out more about your network, this could be an effective way to do it.

The good news is that there are some defences out there. The bad? They can be costly and don't always deliver the protection you might expect.

ARPDefender is a good example. It's a solid-state security appliance that you simply connect to your network, then leave to look out for ARP poisoning attacks. It would be excellent if not for the fact that it costs almost £300 and, even if it does detect an attack, will do little more than make an entry in your system logs.

There is free software to monitor ARP traffic for suspicious signs. ARPDefender runs one of these, in fact: ARPWatch. Unfortunately, these tend to be dated, or focused on Linux users. There's very little for Windows.

Your own router or software firewall may have some kind of ARP protection. It's worth checking the documentation or set-up screens to find out, but don't expect too much. Agnitum Outpost Firewall Pro comes with something called Smart ARP Filtering, for instance, where an ARP reply is only accepted if that system has sent a request. It's a step forward, but the program will still accept the first ARP reply and it doesn't know if that's from one of your systems or an attacker. You're still at some risk.

It turns out that one of the best ways to protect a small or home network is to ensure your wireless adapters use WPA or WPA2 encryption. And do so properly, which means using a long passphrase that doesn't only include dictionary words (even WPA is useless if your passphrase is 'passphrase'). As long as hackers can't intercept your traffic and inject their own, you're safe.

This doesn't apply to larger business networks, though, as there's always the possibility that a rogue employee (or someone with access to a network PC) could launch an internal ARP attack. You'll need something to monitor ARP traffic, looking for suspicious packets. A security appliance like ARPDefender is one answer and the software monitor XArp is another. See below for details.
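The request-gated filtering and the ARP monitoring described above can be sketched as detection logic over a list of ARP events. This is an added example, not code from XArp, Outpost or ARPWatch; the event format, the `analyse` function, the 2-second window and all addresses are constructed assumptions.

```python
from collections import namedtuple

# op is "request" or "reply"; target_ip is the address asked about or answered to.
ArpEvent = namedtuple("ArpEvent", "ts op sender_ip sender_mac target_ip")
REQUEST_WINDOW = 2.0  # seconds a request of ours stays pending (assumed value)


def analyse(events, local_ip):
    """Return (alerts, bindings) for one host's view of ARP traffic."""
    pending = {}   # IP we asked about -> time we asked
    bindings = {}  # IP -> MAC this host currently believes
    alerts = []
    for ev in events:
        if ev.op == "request":
            if ev.sender_ip == local_ip:
                pending[ev.target_ip] = ev.ts
            continue
        asked = pending.get(ev.sender_ip)
        if asked is None or ev.ts - asked > REQUEST_WINDOW:
            # Request-gated filter: nobody asked, so drop it and raise an alert.
            alerts.append((ev.ts, "unsolicited-reply",
                           f"{ev.sender_ip} at {ev.sender_mac}"))
            continue
        known = bindings.get(ev.sender_ip)
        if known is None:
            # The weakness the article notes: the first answer is trusted as-is.
            bindings[ev.sender_ip] = ev.sender_mac
        elif known != ev.sender_mac:
            # A second, different answer is the signal a monitor can warn on.
            alerts.append((ev.ts, "binding-conflict",
                           f"{ev.sender_ip}: {known} vs {ev.sender_mac}"))
    return alerts, bindings


# Constructed sample: 192.168.1.10 asks for its gateway and two hosts answer.
SAMPLE = [
    ArpEvent(0.00, "request", "192.168.1.10", "aa:aa:aa:aa:aa:10", "192.168.1.1"),
    ArpEvent(0.01, "reply", "192.168.1.1", "de:ad:be:ef:00:66", "192.168.1.10"),
    ArpEvent(0.02, "reply", "192.168.1.1", "aa:aa:aa:aa:aa:01", "192.168.1.10"),
    ArpEvent(9.00, "reply", "192.168.1.1", "de:ad:be:ef:00:66", "192.168.1.10"),
]

if __name__ == "__main__":
    found, table = analyse(SAMPLE, "192.168.1.10")
    for alert in found:
        print(alert)
    print(table)
```

The monitor can report that two machines claimed the same IP address, but not which one is legitimate; that decision still needs a known-good record of the gateway's MAC address.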

Use XArp to detect ARP poisoning

The big security companies have little to offer in the way of ARP-specific protection, but Christoph P Mayer has stepped forward to fill the gap. His XArp tool does an excellent job of detecting attacks and is well worth the £20 price tag if you have a large network to protect.

1. After installation, XArp will run and monitor your network in the background. Right-click its red icon and select Show to launch the program.

2. The Status indicator shows if you're under attack. The IP address list shows if there are any suspiciously new devices connected to your network.

3. Increase the security settings and you've got more chance of detecting attackers. Experts can click View > Advanced for details of what's going on.

4. XArp works across our network on XP and Vista systems. It can't stop ARP attacks, but you'll be warned immediately if it detects one.

Three recommended network defences

1. AntiARP
AntiARP is a Chinese program that claims to be a 'professional defence' against ARP spoofing and attacks. The site gives little information, but the program itself may be worth a look.

2. Capsa
This network analyser alerts you to a sudden flurry of ARP requests, or that you've had more ARP replies than requests. Useful, but neither necessarily indicates an attack.

3. PromiScan
ARP attacks are only one way to intercept traffic. A hacker could also use a sniffer program to read packets of data without sending their own, but PromiScan can detect these dangers and warn you about them.

First published in .Net magazine, Issue 181
