This tool is for prevention. ARPFreeze lets
you setup static ARP tables so that other attackers (using Cain, Ettercap,
Arpspoof or some other tool) can't pull off an ARP poisoning attack against you. Windows
has tools built in for doing this (the arp command and netsh) but these are not
easy or automated, so I created ARPFreeze, a simple automation script. It looks
at your current ARP table, and lets you make entries static. It may help someone
in hardening a box against Man in the Middle attacks that use ARP poisoning. I'll describe it's
usage, and what it's doing in the background, side by side with screen shots
from
version 0.1 of the tool (I may not always update these screen shots as I update
the tool, but the same general idea is there). If you really want to know what
is going on in the background look at the source code that is includes in the download.
1.
If the arpstaticscript batch file exists, it asks if you want to
add to it, or delete it. The arpstaticscript.bat file is used when you schedule
the static ARP table to be set at boot time.
2.
Vista is a little weird, and so is Windows 7 for that matter.
On most Windows OSes before Vista, you just had to do a command something akin
to "arp -s 192.168.1.1 de-ad-be-ef-ca-fe"
to set a static ARP entry, but in Vista (and Windows 7 RC) this would many times
give you the error: The ARP entry
addition failed: 5
To get around this I did some Googling and playing around and
found that this command will work in Vista/Windows 7 (changed to the appropriate
IP and MAC address of course):
netsh -c "interface
ipv4" set neighbors "Wireless Network Connection" "192.168.1.1" "de-ad-be-ef-ca-fe"
instead of doing it by connection name, I do it by connection
Idx, which you will see shortly. If you are using something newer that Windows
XP, than choose yes at this dialog box.
3.
If you choose yes
to the Vista Netsh workaround dialog, then it will prompt you to select
which adapter to set a static ARP entry for.
4.
In the background
ARPFreeze looked at your current ARP table, and will now ask you which
entries you wish to make static (iterating though your whole ARP table).
This means that you will have to make sure you have contacted them recently
so they appear in the table. I figured this was a lot nicer than asking you
to type in MAC address manually. This dialog also gives you information
about the target IP (such as if it is a TCP/IP gateway or reverse DNS entry
if it has one) and who owns the MAC address via it's OUI (this may help you
spot fakes). Just click yes on the entries you wish to make static. I
recommend only making static entries to your subnets gateway, and to key
servers.
5.
Next, ARPFreeze
will ask you if you want to make these ARP entries static on every boot. In
XP, the static ARP table seems to disappear when you reboot, but in Vista
and Windows 7 they seem to be persistent. Either way, this option makes sure
to set the static entries at boot time buy using the scheduler.
6.
This dialog just
lets you know the command that ARPFreeze is going to use to schedule the
task:
schtasks /create /tn
SetStaticArp /tr "\"arpstaticscript.bat"\" /sc ONSTART /ru system
7.
At this point you
are done. The ARP entries you chose should now be static, and arpstaticscript.bat
should reapply your changes at boot time if you chose that option. If you
ever want to remove all of the settings, just use the "Remove All ARP
Settings.bat" script I put in the source director. It's also a good idea to
check that you entries are indeed static by using the arp -a command.
Hope this is of use
to someone. I've tested it against Cain and it seems to work fine, but I'd like
to get feedback from other people testing it.
RSS
Printable version of this article