
Blog


    January 28

    ARP Spoofing and NetCut

    What is ARP?

    This is the Address Resolution Protocol. It is in the OSI model Layer 2 (Data Link Layer). It is responsible for matching an IP address to a specific MAC address.

    The MAC address is the hardcoded address on network devices.

    Type “ipconfig /all”, the MAC address is the “Physical Address” value.

     

    Common MAC addresses:

                . FFFFFFFFFFFF : Broadcast Address

                . 01005eXXXXXX : Multicast Address

     

    Generally, for a network transmission through a switch, the switch maps each IP Address to the specific MAC address.

     

    What is ARP Spoofing?

     

    It is using the MAC address maliciously. Usually the attacker uses a MAC address he doesn’t own to do one of the following:

                . Man in the Middle Attack … (This makes the switch treat the attacker’s MAC as the victim’s, so it sends the packets to the attacker instead of the victim)

                . Denial of service attacks.

     

    Lots of hacking tools can edit the datalink part in the packets. Normal users don’t have enough tools for that.

    But, unfortunately, NetCut has become so popular that it has become annoying on LANs.

    I want to clarify how it works.

     

    NetCut

    This is a tool commonly used on networks. It performs a Denial of Service attack on the victim so that he doesn’t get internet access. It does so by flooding the switch with unreal MAC address entries that point to the victim’s IP address, so the packets are mapped incorrectly and the victim receives no packets.

    I’ll try to show how this stuff works.

     

    I used my desktop: Hostname :  C4

           IP : 10.0.0.81

           Gateway : 10.0.0.138

    Tools:  . NetCut

                . AntiArp

                . Ethereal

     

    First, I’ll use NetCut on my machine to block user 10.0.0.10.

     

     

    NetCut_CutOFF.JPG

     

    In Ethereal, it generated 1767 ARP packets in only one minute!

     

    ArpCaptures.JPG

     

    AntiArp (which monitors and can block all incoming and outgoing ARP traffic from / to my PC) shows that I’m sending a fake MAC address to the gateway and I’m disguised as the victim’s IP address (whereas if we make a man-in-the-middle attack, I’ll get the victim’s MAC address as mine and give the victim another one).

     

     

    Arp_OUT_10Machienblock.JPG

    This is a snapshot of AntiArp monitoring some traffic.

     

     

    Monitor.JPG

     

    How to defend against a similar type of attack?

    . AntiArp is a nice tool that defends against the MAC Denial of Service attack.

    . NetCut itself has an option to protect my computer.

     

     

    NetCut_Protect.JPG

    It begins to send packets to the gateway telling it about my IP address and my REAL MAC address (in case it was spoofed).

     

     

    NetCut_Tells the Gateway.JPG

    I tried to see the difference, so I turned “Protect my computer” off and stopped cutting off any other PCs.

     

     

    NetCut_NoProtect.JPG

    Ethereal captured only 336 ARP packets in one minute, which is just the normal ARP traffic.

     

     

    ArpCaptures_No_NetCut.JPG

    Captures_No_NetCut.JPG

    . If the local ARP cache on the computer is corrupted, you can clear it by typing “arp -d *”. To check what is in your ARP cache, type “arp -a”.

    . You can enable MAC filtering on your switches. Devices like Cisco devices enable you to write a specific MAC address on each port.
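
    The two signs visible in the captures above (an IP address suddenly claimed by a different MAC address, and an ARP packet rate far above normal) can be checked automatically. This is an added example, not part of the original post or of any tool named in it; the MAC addresses, the function names and the 1000-packets-per-minute threshold are assumptions, the threshold chosen to sit between the 336 and 1767 packets per minute measured above.

```python
import struct
from collections import defaultdict, deque

# EtherType 0x0806 (ARP), then hardware type 1 (Ethernet), protocol 0x0800 (IPv4), lengths 6 and 4.
ARP_IPV4_HEADER = bytes.fromhex("0806" "0001" "0800" "06" "04")

def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))

def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Build an Ethernet+ARP frame in memory as test data; nothing is sent."""
    ip = lambda s: bytes(int(p) for p in s.split("."))
    return (mac_bytes(target_mac) + mac_bytes(sender_mac) + ARP_IPV4_HEADER
            + struct.pack("!H", op) + mac_bytes(sender_mac) + ip(sender_ip)
            + mac_bytes(target_mac) + ip(target_ip))

def parse_arp(frame):
    """Return (opcode, sender_mac, sender_ip) for an IPv4-over-Ethernet ARP frame, else None."""
    if len(frame) < 42 or frame[12:20] != ARP_IPV4_HEADER:
        return None
    op = struct.unpack("!H", frame[20:22])[0]
    return op, frame[22:28].hex(":"), ".".join(map(str, frame[28:32]))

def analyse(frames, window=60.0, max_per_window=1000):
    """frames: iterable of (timestamp, raw bytes). Returns a list of alert tuples."""
    claimed = defaultdict(set)   # sender IP -> every MAC that has claimed it
    recent = deque()             # timestamps of ARP frames inside the window
    alerts, rate_alerted = [], False
    for ts, raw in frames:
        parsed = parse_arp(raw)
        if parsed is None:
            continue             # not an IPv4 ARP frame
        _, mac, ip = parsed
        if claimed[ip] and mac not in claimed[ip]:
            alerts.append(("conflict", ip, mac))   # IP now claimed by a new MAC
        claimed[ip].add(mac)
        recent.append(ts)
        while recent and ts - recent[0] > window:
            recent.popleft()
        if len(recent) > max_per_window and not rate_alerted:
            alerts.append(("rate", len(recent)))   # reported once per capture
            rate_alerted = True
    return alerts

# Constructed sample: the IPs are the ones in the post, the MAC addresses are made up.
GATEWAY_MAC, VICTIM_MAC, FAKE_MAC = "02:00:00:00:01:38", "02:00:00:00:00:10", "02:00:00:00:de:ad"
def sample_capture():
    frames = [(0.0, build_arp(2, VICTIM_MAC, "10.0.0.10", GATEWAY_MAC, "10.0.0.138"))]
    frames += [(1.0 + i * 59.0 / 1767, build_arp(2, FAKE_MAC, "10.0.0.10", GATEWAY_MAC, "10.0.0.138"))
               for i in range(1767)]
    return frames
```

    Running analyse(sample_capture()) reports one conflict for 10.0.0.10 and one rate alert, while a steady 336 packets per minute from a single consistent MAC address produces no alerts.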

     

     

    PLEASE: Don’t use the knowledge you get from this article to do any type of attacks.

     

    January 25

    Visual Studio 2008 Express Edition

    Are you a hobbyist? A student?

    Visual Studio 2008 Express Edition is now available for download for free at http://www.microsoft.com/express/download/

    I’ve enjoyed using Visual Studio C# and C++ 2005 Express Edition on my home PC. The Express edition was more than great. Nobody can ever say that you will never need the Professional or the Team edition. In a business environment it is a must, for full functionality and the licensing. But as a hobbyist or a learner, the Express edition will be more than enough …

     

     

    January 22

    Imagine Cup IT Last Chance

    Imagine Cup IT Challenge is a marvelous international competition for all those passionate about IT.

    The last quiz will be held on the 31st of January at 8 am GMT. Go to www.imaginecup.com, register and compete. There are lots of other invitationals that may be of interest to you. Plus, you can compete in more than one invitational.

    Just go and show how deep your knowledge is and how skilled you are. You may reach the world finals and go to Paris.

     

    Connect to land line simply

    Why use a third party? Some people purchase third-party applications to make phone calls from their laptops.

    Search for Dialer.exe in your Windows files. It is a nice application you can use for free. Just plug your line in and dial.

    So we now have a full connectivity suite in a laptop: Ethernet / WiFi / Bluetooth / Infrared and even the Telco’s landlines. PCMCIA or USB devices can be used for GPRS too.

    Long Live the Technology..

    Still remember those hard days when they first invented the Cellular phones?

     

     

    January 21

    VPN Clients can't get their IP Addresses

     

    Users connecting to the internal network by VPN can’t get their IP addresses, although the DHCP server and their access rights are configured well.

    That’s because the ISA server treats the localhost (the ISA server itself) as a different network, so routing is needed for the VPN users to reach the DHCP server.

    To solve the problem: add a DHCP Relay Agent to the ISA server.

     

    Start > Programs > Administrative tools > Routing and Remote Access > click the Server Name > IP Routing > General > right click then New Routing Protocol > DHCP Relay Agent.

     

    I wish this stuff were enhanced in ISA Server 2008.

     

    Feel Like a Real Hacker ..

    If you want to feel like a real hacker, try “Uplink”, an old computer game that I’ve enjoyed so much. Available at http://www.introversion.co.uk/uplink/

    You act like a real hacker. You have missions, like stealing some documents from a competitor’s network, etc. You have a full suite of tools like password crackers and log erasers. It is an amazing game that anybody passionate about security should try. It has a different flavor than trying security breaches on your network or on a virtual machine.

    Just take care not to be tracked.. ;)

     

     

    January 20

    Security Awareness

    Microsoft has a nice security newsletter. You can subscribe and be aware of new security updates.

     

    Available at

    http://www.microsoft.com/technet/security/secnews/default.mspx

     

    Microsoft's InSecurity Myth

     

    A myth is an ill-founded belief.. 

     

    Like Dracula. If you go to Romania, you will find Dracula’s castle. But we all know that it is a myth, no matter how many movies about it are in the cinemas.

    The same goes for computers. Some people believe that Microsoft products are insecure. This is untrue. It is unsecure because they don’t know how to secure their systems.

    Go to Run > mmc > Console > Add Remove snap in > Add > Group Policy

    Now check Computer Configuration / Windows Settings / Security Settings.

    Imagine how many security configurations you can make to your system that most users neglect or don’t even know exist.

    Windows security goes even further beyond that.

     

    Something else.

    I’m not against open source. But I believe that a system that nobody knows what is written in its code is more secure than an open source product. Not because the open source is bad, but because it gives the attacker an extra option for White Box security testing.

     

     

    January 19

    My First Post

    Hi …

     

    This is me … Tamer Maher. I’ve thought a lot about having a blog, but always had two problems. What to say? And who is gonna read it?

    Then I took the decision. JUST BEGIN …

    At last I got ready to post. This is my first post.

     

    I liked to call my blog Security GuRu …

     

    Actually, I’m not the Guru you may think. I just have some average knowledge and a very high interest in computers and especially security. But I love the ..G… words. ;)

    They give you the feeling of something BiG, LuXurious ..

    How do these words feel to you? GuRu, GeeK, JaGuar, LamborGhini, Glory, LonGines, TaG Heuer ..

    My main interest in computers is security … Some people feel that security science is something complex, and that hackers and security specialists are aliens.

    All this is untrue.

    You can learn it all. It is all about the passion. We can see the weakest part of the chain. So attackers can break in, and the Good Guys fix it.

    So ... plz be with the good guys.

     

     

    Please, if you have any comments, email me at tmaher1982@hotmail.com. Also, if you have any questions or topics you think may be useful, plz tell me. I’ll do my best to write on them.