Saturday, September 29, 2018

ARP & DNS Spoofing

Hi. This has been in my head for the past month and I have bloodied out looking for a solution that works.

We have an attendance system that we access over the web, and about 6 weeks ago the site was redirecting to a random IP which we didn't own or know of.

The rogue IP was just showing random text and nothing obviously harmful... My manager has been on the case since. Recently, I found this application called Ettercap and used it as an exploit tool, and I was able to achieve the same result by trying to redirect a domain to another IP.

We believe that the "attack" originated from the inside and sort of used a tool similar to Ettercap... which I now need countermeasures for to avoid future occurrences.

We use HP switches (1910s, 2530s) that have ARP anti-attack and Dynamic ARP attack - we don't see them do enough to prevent such attacks, as it still happens when we are testing.

I am now looking at host-based tools such as arpon, which I am working on setting up (not quite sure if I got it right, but DNS spoofing still happens), and looking further...

What else should I look into? We don't have an IPS/IDS appliance on the network; we use routers from a Latvian company called MikroTik and configure them to act as firewalls.

Edit: Video URL for reference - https://www.youtube.com/watch?v=Aak6-B3JORE


