Monday, June 16, 2008

Prevention of Man-in-Middle Attack

Anticipating that Man-in-the-Middle attacks by ARP spoofing could be a problem
(for example: there are many lab machines which have NFS access to user
disks on a server. These machines may even be turned OFF, which makes it
easy for a spoofer to get in), I wrote a short Perl script designed to
be run from the system startup file. Basically, it fills the ARP cache
on Linux with the IP and MAC addresses of known machines, setting a flag
so that they are never removed from the cache and can never be changed.

The config file format is simple -- an IP address followed by a MAC address,
separated by whitespace. A pound sign at the beginning of a line indicates a
comment.
For example:
# vi ip_mac.conf
# IP_Address MAC_Address
10.1.1.2 aa.bb.cc.dd.ee.ff
...
...


This has only been tested on Linux -- people on other platforms may need
to adjust the parameters to arp in the system call.

It is a quick 'n' dirty program, but works -- maybe it will be useful to
somebody out there, too.

Note: you want to make sure that it is run after your network interface is
brought up but before any servers or clients are started; otherwise,
somebody may be able to sneak in a connection before the ARP tables are
"locked".

Here is the Perl script:

# vi force_hw_addr.pl

#!/usr/bin/perl -w
# Program: force_hw_addr.pl
# Program to run ARP to force certain tables.
use strict;

# Specify filenames (redirection) or stdin

while (<>)                  # For each input line....
{
    chomp;                  # Strip CR/LF
    next if /^#/;           # If it's a comment, skip it.

    my ($host, $hw);
    if ((($host, $hw) = /^\s*(\S+)\s+(\S+)\s*$/) == 2)
    {
        # The text between the slashes parses the input line as follows:
        #   Ignore leading whitespace. (\s*)
        #   Match the host and put it into $host. (\S+)
        #   Skip over the whitespace after that. (\s+)
        #   Match the hardware address and put it into $hw. (\S+)
        #   Allow optional trailing whitespace up to the end of line.
        #
        # The if checks to see that both a host and a hardware address
        # were matched (2 matches). If not, we skip the line (assuming
        # it is blank or invalid or something).

        # Otherwise, run the appropriate command. The list form of
        # system() hands the arguments straight to arp, so nothing in
        # the config line is ever interpreted by a shell.
        printf("Setting IP %-15s to hardware address %s\n", $host, $hw);
        system("/usr/sbin/arp", "-s", $host, $hw) == 0
            or warn "arp -s $host $hw failed (exit status $?)\n";
    }
}

Example execution:

# ./force_hw_addr.pl < ip_mac.conf
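The following is an added example, not the author's script: it does in Python what the config format and the Perl script above describe, and then goes one step further by re-reading the kernel's table to confirm each entry really is locked. It parses the "IP MAC" config format (rejecting lines it cannot validate instead of handing them to arp), builds the arp -s commands as argument lists rather than shell strings, and checks /proc/net/arp for the ATF_PERM flag (0x04, so a locked entry shows as 0x6 together with ATF_COM). It assumes colon-separated MAC addresses, which is the form /proc/net/arp reports, the /usr/sbin/arp path from the script above, and the standard /proc/net/arp column layout; SAMPLE_CONF and SAMPLE_PROC_ARP are constructed inputs for offline use.

```python
import ipaddress
import re
import subprocess

# Constructed sample config in the page's format: IP, whitespace, MAC;
# '#' starts a comment. Line 6 is deliberately malformed (dotted MAC).
SAMPLE_CONF = """\
# IP_Address MAC_Address
10.1.1.2 aa:bb:cc:dd:ee:ff
10.1.1.3   00:11:22:33:44:55

# a malformed line that must be rejected rather than passed to arp:
10.1.1.4 aa.bb.cc.dd.ee.ff
"""

# Constructed /proc/net/arp snapshot: 10.1.1.2 is permanent
# (0x6 = ATF_COM|ATF_PERM), 10.1.1.3 is an ordinary dynamic entry (0x2).
SAMPLE_PROC_ARP = """\
IP address       HW type     Flags       HW address            Mask     Device
10.1.1.2         0x1         0x6         aa:bb:cc:dd:ee:ff     *        eth0
10.1.1.3         0x1         0x2         00:11:22:33:44:55     *        eth0
"""

MAC_RE = re.compile(r"^[0-9a-f]{2}(?::[0-9a-f]{2}){5}$")
ATF_PERM = 0x04                 # "permanent" flag bit, as in <net/if_arp.h>
ARP_BIN = "/usr/sbin/arp"       # same path the page's Perl script uses


def parse_conf(text):
    """Return (entries, rejected): entries is a list of (ip, mac) pairs,
    rejected is a list of (line_number, raw_line) that could not be parsed."""
    entries, rejected = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                            # blank line or comment
        parts = line.split()
        if len(parts) != 2:
            rejected.append((lineno, raw))
            continue
        ip_text, mac = parts[0], parts[1].lower()
        try:
            ip = ipaddress.IPv4Address(ip_text)  # validates the address
        except ValueError:
            rejected.append((lineno, raw))
            continue
        if not MAC_RE.match(mac):               # must be aa:bb:cc:dd:ee:ff
            rejected.append((lineno, raw))
            continue
        entries.append((str(ip), mac))
    return entries, rejected


def arp_commands(entries):
    """One argv list per entry; a list (not a shell string) means nothing
    in the config file can ever be interpreted as shell syntax."""
    return [[ARP_BIN, "-s", ip, mac] for ip, mac in entries]


def parse_proc_arp(text):
    """Map ip -> (flags, mac) from the contents of /proc/net/arp."""
    table = {}
    for line in text.splitlines()[1:]:          # first line is the header
        fields = line.split()
        if len(fields) >= 4:
            table[fields[0]] = (int(fields[2], 16), fields[3].lower())
    return table


def check_locked(entries, proc_arp_text):
    """Return (ip, reason) for every configured entry that is not present
    as a permanent entry with the expected MAC; empty list means all locked."""
    table = parse_proc_arp(proc_arp_text)
    problems = []
    for ip, mac in entries:
        if ip not in table:
            problems.append((ip, "missing"))
        elif table[ip][1] != mac:
            problems.append((ip, "mac mismatch: %s" % table[ip][1]))
        elif not table[ip][0] & ATF_PERM:
            problems.append((ip, "not permanent (flags 0x%x)" % table[ip][0]))
    return problems


def lock_and_verify(conf_path="ip_mac.conf", proc_path="/proc/net/arp"):
    """Apply the config with arp -s, then re-read the kernel table and
    return whatever did not end up locked."""
    with open(conf_path) as fh:
        entries, rejected = parse_conf(fh.read())
    for lineno, raw in rejected:
        print("skipping line %d: %r" % (lineno, raw))
    for argv in arp_commands(entries):
        subprocess.run(argv, check=True)        # needs root, like the script
    with open(proc_path) as fh:
        return check_locked(entries, fh.read())


if __name__ == "__main__":
    for ip, reason in lock_and_verify():
        print("NOT LOCKED: %s (%s)" % (ip, reason))
```

Run it as root from the same place in the startup sequence as the Perl script; a non-empty report means an entry was silently rejected or overwritten, which is exactly the case the ordering note above warns about. The same check can be repeated from cron to detect an entry that was later flushed.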

I hope that this script will help you access resources in your network and
prevent DoS/Man-in-the-Middle attacks.
