Network Security Focus-IDS

Re: Session Hijacking

Subject: Re: Session Hijacking
Date: Wed, 9 Mar 2005 20:42:36 -0800
On March 8, 2005 05:23 am, Angel L Rivera wrote:
Hate to plead ignorance but can you elaborate a little - not familiar with
this control and how to set it up - can you give an example. If you think
it is out of scope for this discussion list just reply to me.  Thanks.

-----Original Message-----
From: Dragos Ruiu [mailto:dr@kyx.net]
Sent: Tuesday, March 08, 2005 2:53 AM
To: Angel L Rivera; 'Mike Frantzen'; 'Terry Ray'
Cc: focus-ids@lists.securityfocus.com
Subject: Re: Session Hijacking

P.s. Static permanent arp entries for at least some "important" servers
and gateways in your network is something I counsel all to seriously
consider. This intermediate step is not that much work given the many
security benefits it brings.

The example (and MS caveat) was in the previous message:

On March 7, 2005 11:04 pm, Dragos Ruiu wrote:
You can even extend this to host workstations, whereby ip->mac
address assignments are preassigned, e.g.:

/usr/sbin/arp -s 1.2.3.4 00:01:02:03:04:05 permanent

Older MS OSes used to let permanent entries be overwritten by
gratuitous ARPs, but I think this has been fixed in more recent releases.

You may have to delete the existing arp table entry before adding the
permanent one using:

/usr/sbin/arp -d 1.2.3.4

This is the OpenBSD/NetBSD semantics...

For Linux, FreeBSD and OSX you set up permanent entries by NOT including 
the keyword "temp" instead of the "permanent" keyword.

Look at the man page for the arp command and that will get you pointed in 
the right direction. Adding these addresses for important boxes hardwired
to local start up scripts will remove some possibility for "games."

For Win32 just use: arp -s 1.2.3.4 00:01:02:03:04:05
(I don't think Win32 lets you set up temp entries afaik)

-- 
World Security Pros. Cutting Edge Training, Tools, and Techniques
Vancouver, Canada       May 4-6 2005  http://cansecwest.com
pgpkey http://dragos.com/ kyxpgp
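
An added example, not part of the original post: a shell sketch that prints the per-OS pinning commands described above for a small pin list and then checks `arp -an` style output against that list. The addresses, the names PINS, valid_mac, pin_cmds and check_table, and the assumed "? (ip) at mac ..." line format with static entries flagged PERM or permanent are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the original post). Addresses are constructed
# placeholders; PINS, valid_mac, pin_cmds and check_table are hypothetical names.
PINS='192.0.2.1=00:01:02:03:04:05 192.0.2.10=00:01:02:03:04:0a'

# An Ethernet MAC is exactly six colon-separated hex octets.
valid_mac() {
    printf '%s\n' "$1" | grep -Eqi '^([0-9a-f]{1,2}:){5}[0-9a-f]{1,2}$'
}

# Print (do not run) the delete-then-pin commands for OS name $1 (as from uname -s).
pin_cmds() {
    for p in $PINS; do
        ip=${p%%=*}; mac=${p#*=}
        if ! valid_mac "$mac"; then echo "# skip $ip: bad MAC $mac"; continue; fi
        case $1 in
            OpenBSD|NetBSD) echo "arp -d $ip; arp -s $ip $mac permanent" ;;
            *)              echo "arp -d $ip; arp -s $ip $mac" ;;
        esac
    done
}

# Read "? (ip) at mac ..." lines on stdin and compare them with PINS.
# Exit status 1 if a pinned address is missing, different, or not static.
check_table() {
    awk -v pins="$PINS" '
    function norm(m,    n, o, i, s) {          # lower-case, zero-pad octets
        n = split(tolower(m), o, ":"); s = ""
        for (i = 1; i <= n; i++)
            s = s (i > 1 ? ":" : "") (length(o[i]) == 1 ? "0" : "") o[i]
        return s
    }
    BEGIN { n = split(pins, l, " ")
            for (i = 1; i <= n; i++) { split(l[i], f, "="); want[f[1]] = norm(f[2]) } }
    $3 == "at" {
        ip = $2; gsub(/[()]/, "", ip)
        if (!(ip in want)) next
        seen[ip] = 1
        if (norm($4) != want[ip])        { print "MISMATCH " ip " " norm($4); bad = 1 }
        else if ($0 !~ /PERM|permanent/) { print "NOT_STATIC " ip; bad = 1 }
    }
    END { for (ip in want) if (!(ip in seen)) { print "MISSING " ip; bad = 1 }
          exit bad + 0 }'
}

# Constructed sample table: the first MAC has changed, the second is still pinned.
SAMPLE='? (192.0.2.1) at de:ad:be:ef:0:1 [ether] on eth0
? (192.0.2.10) at 0:1:2:3:4:a on en0 permanent [ethernet]'
printf '%s\n' "$SAMPLE" | check_table || echo "ARP table differs from pins"
```

On a live host the check would be fed with `arp -an | check_table`, for instance from a start-up script or cron job.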
