CEH_ Official Certified Ethical Hacker Review Guide_ Exam 312-50 - Kimberly Graves [55]

to attack an Ethernet network and that may let an attacker sniff data frames on a switched LAN or stop the traffic altogether. ARP poisoning utilizes ARP spoofing where the purpose is to send fake, or spoofed, ARP messages to an Ethernet LAN. These frames contain false MAC addresses that confuse network devices such as network switches. As a result, frames intended for one machine can be mistakenly sent to another (allowing the packets to be sniffed) or to an unreachable host (a Denial of Service [DoS] attack). ARP spoofing can also be used in a man-in-the-middle attack in which all traffic is forwarded through a host by means of ARP spoofing and analyzed for passwords and other information.

To prevent ARP spoofing, permanently add the MAC address of the gateway to the ARP cache on a system. You can do this on a Windows system by using the ARP -s command at the command line and appending the gateway's IP and MAC addresses. Doing so prevents a hacker from overwriting the ARP cache to perform ARP spoofing on the system but can be difficult to manage in a large environment because of the number of systems. In an enterprise environment, port-based security can be enabled on a switch to allow only one MAC address per switch port.

Understand Ethereal Capture and Display Filters

Ethereal is a freeware sniffer that can capture packets from a wired or wireless LAN connection. Here are some examples of Ethereal filters:

■ ip.dst eq www.eccouncil.org - This sets the filter to capture only packets destined for the web server www.eccouncil.org

■ ip.src == 192.168.1.1 - This sets the filter to capture only packets coming from the host 192.168.1.1

■ eth.dst eq ff:ff:ff:ff:ff:ff - This sets the filter to capture only Layer 2 broadcast packets

Practice writing filters in Ethereal that capture only one type of protocol traffic or traffic from a specific source IP or MAC address. It's important to understand how to create these filters before you attempt the CEH exam.

Understand MAC Flooding

A packet sniffer on a switched network can't capture all traffic as it can on a hub network; instead, it captures only traffic coming from or going to the system running the sniffer. It's necessary to use an additional tool to capture all traffic on a switched network. There are essentially two ways to perform active sniffing and make the switch send traffic to the system running the sniffer: ARP spoofing and flooding.

As mentioned earlier, ARP spoofing involves taking on the MAC address of the network gateway and consequently receiving all traffic intended for the gateway on the sniffer system. A hacker can also flood a switch with so much traffic that it stops operating as a switch and instead reverts to acting as a hub, sending all traffic to all ports. This active sniffing attack allows the system with the sniffer to capture all traffic on the network.
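The two ARP-related passages above (pinning the gateway's MAC with a static ARP entry, and ARP spoofing that steals the gateway's address for sniffing) can be turned into a simple detector. The following is an added example, not code from the book: it feeds a constructed stream of ARP replies through a monitor that knows the pinned gateway binding, and it raises alerts when a pinned or previously seen IP-to-MAC binding changes, or when one MAC starts answering for several IPs, which is what the man-in-the-middle scenario looks like on the wire. The hostnames, addresses and MACs are made up.

```python
"""Detect ARP cache poisoning from a stream of ARP replies (added example)."""
from dataclasses import dataclass, field


@dataclass
class ArpReply:
    sender_ip: str
    sender_mac: str


@dataclass
class ArpMonitor:
    # Static (pinned) entries, such as the gateway added with "arp -s".
    pinned: dict[str, str]
    # IP -> MAC bindings learned from replies seen so far.
    seen: dict[str, str] = field(default_factory=dict)

    def observe(self, reply: ArpReply) -> list[str]:
        alerts = []
        ip, mac = reply.sender_ip, reply.sender_mac.lower()
        expected = self.pinned.get(ip)
        if expected is not None and mac != expected.lower():
            alerts.append(f"pinned host {ip} ({expected}) claimed by {mac}")
        previous = self.seen.get(ip)
        if previous is not None and previous != mac:
            alerts.append(f"binding for {ip} changed {previous} -> {mac}")
        # One MAC answering for several IPs is the signature of a man-in-the-middle.
        others = [k for k, v in self.seen.items() if v == mac and k != ip]
        if others:
            alerts.append(f"{mac} also claims {', '.join(sorted(others))}")
        self.seen[ip] = mac
        return alerts


# Constructed sample replies (not a real capture): a legitimate gateway reply,
# a workstation, then a spoofed gateway reply and the same MAC taking over the
# workstation's address as well.
SAMPLE_REPLIES = [
    ArpReply("192.168.1.1", "00:11:22:33:44:55"),
    ArpReply("192.168.1.10", "aa:bb:cc:dd:ee:01"),
    ArpReply("192.168.1.1", "aa:bb:cc:dd:ee:99"),
    ArpReply("192.168.1.10", "aa:bb:cc:dd:ee:99"),
]


def run_monitor(replies=SAMPLE_REPLIES) -> list[str]:
    monitor = ArpMonitor(pinned={"192.168.1.1": "00:11:22:33:44:55"})
    alerts: list[str] = []
    for reply in replies:
        alerts.extend(monitor.observe(reply))
    return alerts


if __name__ == "__main__":
    for line in run_monitor():
        print("ALERT:", line)
```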

Understand DNS Spoofing Techniques

DNS spoofing (or DNS poisoning) is a technique that tricks a DNS server into believing it has received authentic information when in reality it hasn't. Once the DNS server has been poisoned, the information is generally cached for a while, spreading the effect of the attack to the users of the server. When a user requests a certain website URL, the address is looked up on a DNS server to find the corresponding IP address. If the DNS server has been compromised, the user is redirected to a website other than the one that was requested, such as a fake website.

To perform a DNS attack, the attacker exploits a flaw in the DNS server software that can make it accept incorrect information. If the server doesn't correctly validate DNS responses to ensure that they come from an authoritative source, the server ends up caching the incorrect entries locally and serving them to users that make subsequent requests.

This technique can be used to replace arbitrary content for a set of victims with content of an attacker's choosing. For example, an attacker poisons the IP address's DNS entries for a target website on a given DNS server, replacing them with
