
Ettercap (Part 2), ARP Poison and Cisco switches

posted Oct 21, 2013, 9:52 AM by Marc Kerscher   [ updated Oct 21, 2013, 9:56 AM ]
This is part two of my series on how to manage Ettercap on Cisco switches. As posted in my previous article, my lab is set up as follows:

I'm using the Ubuntu 12.04 LTS server as the ettercap machine, which will ARP poison WinXP Client 1 (the top one), using the following command:

ettercap -T -w dump -M ARP / //

Now before going any further, let's see what ettercap is actually doing on the wire:

It looks like all the active IPs on the LAN (only a couple here) get ARP'd to the ettercap device's MAC address. Also notice that this ARP is repeated every 10 seconds.

Screenshots of the ARP cache on the Windows machine (BEFORE on the left, AFTER on the right):

Even the Layer 3 devices are affected:

Now to the point: how can this be avoided? Cisco switches have a feature called Dynamic ARP Inspection (DAI), which is built on top of DHCP snooping, so you have to enable that too. WARNING !!! You need to be careful in implementing these, as it's very easy to bring down your network if you are not careful.

The commands on the switch are straightforward:

ip dhcp snooping vlan 10
no ip dhcp snooping information option
ip dhcp snooping
ip arp inspection vlan 10

(The "no ip dhcp snooping information option" command is needed if you have an IOS DHCP server.)

These are the global commands. There are also per-port commands that need to be placed on the uplink ports between switches:

interface FastEthernet0/24
 ip arp inspection trust
 ip dhcp snooping trust

Also, if you are running EtherChannels, the port-channel interfaces need the same commands:

interface Port-channel23
 ip arp inspection trust
 ip dhcp snooping trust
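Since it is so easy to bring the network down with these commands, it helps to sanity-check a configuration before applying it. The following Python script is an added example, not part of the original post and not Cisco code: it parses a running-config text, checks that DHCP snooping is enabled globally and on every VLAN where DAI is enabled (DAI validates ARP against the DHCP snooping binding table, so a VLAN with DAI but no snooping bindings will drop every ARP on its untrusted ports), and checks that interfaces treated as uplinks carry both trust commands. The sample config, interface names, and the "uplink in the description" heuristic are constructed assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed sample IOS config for the example; not taken from the post's switches.
SAMPLE_CONFIG = """\
ip dhcp snooping vlan 10
no ip dhcp snooping information option
ip dhcp snooping
ip arp inspection vlan 10,20
!
interface FastEthernet0/1
 switchport access vlan 10
!
interface FastEthernet0/24
 description uplink to core
 ip arp inspection trust
 ip dhcp snooping trust
!
interface Port-channel23
 ip arp inspection trust
!
"""


def expand_vlans(spec):
    """Expand an IOS VLAN list such as '10,20,30-32' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = part.split("-")
            vlans.update(range(int(lo), int(hi) + 1))
        elif part:
            vlans.add(int(part))
    return vlans


def parse_config(text):
    """Split a config into global lines and per-interface sub-command lists."""
    global_lines = []
    interfaces = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            current = None          # '!' separators end an interface block
            continue
        if line.startswith(" "):
            if current is not None:
                interfaces[current].append(line.strip())
            continue
        current = None
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
        else:
            global_lines.append(line)
    return global_lines, interfaces


def audit(text):
    """Return a list of human-readable findings about the DAI/snooping setup."""
    global_lines, interfaces = parse_config(text)
    findings = []
    snooping_global = "ip dhcp snooping" in global_lines
    snoop_vlans, dai_vlans = set(), set()
    for line in global_lines:
        m = re.match(r"ip dhcp snooping vlan (\S+)$", line)
        if m:
            snoop_vlans |= expand_vlans(m.group(1))
        m = re.match(r"ip arp inspection vlan (\S+)$", line)
        if m:
            dai_vlans |= expand_vlans(m.group(1))
    if dai_vlans and not snooping_global:
        findings.append("DAI enabled but global 'ip dhcp snooping' is missing: "
                        "no binding table will be built")
    for v in sorted(dai_vlans - snoop_vlans):
        findings.append(f"vlan {v}: DAI enabled without DHCP snooping on the same "
                        f"VLAN; ARP on untrusted ports will be dropped")
    for name, lines in interfaces.items():
        # Assumption: port-channels and ports whose description says 'uplink'
        # are inter-switch links that must be trusted.
        is_uplink = name.startswith("Port-channel") or any(
            l.startswith("description") and "uplink" in l.lower() for l in lines)
        if not is_uplink:
            continue
        for cmd in ("ip arp inspection trust", "ip dhcp snooping trust"):
            if cmd not in lines:
                findings.append(f"{name}: uplink missing '{cmd}'")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample it reports two problems: VLAN 20 has DAI without snooping, and Port-channel23 lacks the DHCP snooping trust command. Feed it `show running-config` output saved to a file to check a real switch.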

Turning these two features on will generate output as shown below:

The switch is now actively dropping ARPs associated with ettercap, just not enough ARPs per second to trigger the port shutdown feature.

Looking at the XP client, there is no more traffic, and after a little while even the local ARP cache is clear:

Looking at the Layer 3 switches, their ARP cache is still poisoned, and ICMP to the default gateway does not work. Looks like the XP client is lost/confused (side effect of running hacking tools / DoS). Even turning off ettercap does not help.

I will give all the machines a reboot. That updated the ARP caches and the XP client is back. Now let's launch ettercap on a Cisco switch with DHCP snooping and DAI running:

PORT DISABLED !!! The reason the port was disabled is that once ettercap launches, it sends out ARPs for all devices on the subnet, in this case the /24. By default ARP inspection triggers at 15 packets per second.
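To make concrete what the switch did in both runs (dropping the spoofed ARPs in the first run, err-disabling the port in the second), here is an added Python model of DAI, written for this post and not code from ettercap or Cisco. It validates each ARP arriving on an untrusted port against a DHCP snooping binding table, passes trusted ports through unchecked, and counts ARPs per port per second against the 15 pps default mentioned above; exceeding the limit err-disables the port and everything after that is dropped. The binding table, port names, MACs and addresses are all constructed, and the startup burst is cut to 20 ARPs so the run stays short.

```python
from collections import Counter, defaultdict

DAI_RATE_LIMIT_PPS = 15  # IOS default ARP rate limit on untrusted ports


def inspect(bindings, trusted_ports, packets, limit=DAI_RATE_LIMIT_PPS):
    """Simplified model of Dynamic ARP Inspection.

    bindings:      {ip: mac} as learned by DHCP snooping (constructed here)
    trusted_ports: ports configured with 'ip arp inspection trust'
    packets:       ARP packets as dicts with ts, port, sender_mac, sender_ip
    Returns (forwarded, dropped, err_disabled); dropped holds (packet, reason).
    """
    per_second = defaultdict(int)  # (port, whole second) -> ARPs seen
    err_disabled = set()
    forwarded, dropped = [], []
    for pkt in packets:
        port = pkt["port"]
        if port in err_disabled:
            dropped.append((pkt, "errdisable"))       # port is down, nothing passes
            continue
        if port in trusted_ports:
            forwarded.append(pkt)                     # trusted port: no validation
            continue
        key = (port, int(pkt["ts"]))
        per_second[key] += 1
        if per_second[key] > limit:
            err_disabled.add(port)                    # rate exceeded: err-disable
            dropped.append((pkt, "rate-limit"))
            continue
        if bindings.get(pkt["sender_ip"]) != pkt["sender_mac"]:
            dropped.append((pkt, "invalid-binding"))  # sender IP/MAC not in table
            continue
        forwarded.append(pkt)
    return forwarded, dropped, err_disabled


def arp(ts, port, mac, ip):
    """Build one ARP packet record (only the fields DAI looks at)."""
    return {"ts": ts, "port": port, "sender_mac": mac, "sender_ip": ip}


def run_demo():
    # Constructed lab: XP client on Fa0/3, ettercap host on Fa0/5, uplink Fa0/24.
    xp, attacker, gw = "00:0c:29:aa:aa:aa", "00:0c:29:ee:ee:ee", "00:1b:54:ff:ff:ff"
    bindings = {"10.0.10.11": xp, "10.0.10.50": attacker}  # DHCP snooping table
    trusted = {"FastEthernet0/24"}
    packets = [
        arp(0.1, "FastEthernet0/3", xp, "10.0.10.11"),       # normal client ARP
        arp(0.2, "FastEthernet0/24", gw, "10.0.10.1"),       # gateway via trusted uplink
        arp(5.0, "FastEthernet0/5", attacker, "10.0.10.1"),  # one spoofed reply (run 1)
    ]
    # Startup burst like the post describes, truncated to 20 ARPs in one second (run 2)
    packets += [arp(10.0 + i * 0.001, "FastEthernet0/5", attacker, f"10.0.10.{i + 1}")
                for i in range(20)]
    packets.append(arp(11.0, "FastEthernet0/5", attacker, "10.0.10.50"))  # after err-disable
    fwd, drp, ed = inspect(bindings, trusted, packets)
    return {"forwarded": len(fwd),
            "dropped": dict(Counter(reason for _, reason in drp)),
            "err_disabled": sorted(ed)}


if __name__ == "__main__":
    print(run_demo())
```

The single spoofed reply at t=5 is dropped as an invalid binding without touching the rate counter in a harmful way, which is the first run above; the burst at t=10 has its first 15 ARPs dropped as invalid bindings and the 16th trips the rate limit, after which the port is err-disabled and even the host's legitimate ARP at t=11 is discarded, which is the second run.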

Copyright Kerscher Computing LLC 2013