A Logo

Feel free to include my content in your page via my
RSS feed

Help Irongeek.com pay for
bandwidth and research equipment:

Search Irongeek.com:

Affiliates:
ISDPodcast Button
RootSecure Button
Social-engineer-training Button
Irongeek Button

Web Hosting:
Dreamhost Logo
Help Irongeek.com pay for bandwidth and research equipment:

paypalpixle




ARPFreeze: A tool for Windows to protect against ARP poisoning by setting up static ARP entries

ARPFreeze: A tool for Windows to protect against ARP poisoning by setting up static ARP entries

 

 

Download ARPFreezeNG 0.2
(Windows 7, Vista , Window 2008)

Download ARPFreeze 0.1
(Windows XP)

        I've created quite a bit of content about ARP poisoning, such as:

http://www.irongeek.com/i.php?page=security/AQuickIntrotoSniffers
http://www.irongeek.com/i.php?page=security/arpspoof
http://www.irongeek.com/i.php?page=videos/using-cain-to-do-a-man-in-the-middle-attack-by-arp-poisoning

        I've even done some work on detection:

http://www.irongeek.com/i.php?page=security/decaffeinatid-simple-ids-arpwatch-for-windows
http://www.irongeek.com/i.php?page=videos/finding-promiscuous-and-arp-poisoning-sniffers-on-your-network-with-ettercap

        This tool is for prevention. ARPFreeze/ARPFreezeNG lets you setup static ARP tables so that other attackers (using Cain, Ettercap, Arpspoof or some other tool) can't pull off an ARP poisoning attack against you. Windows has tools built in for doing this (the arp command and netsh) but these are not easy or automated, so I created ARPFreeze, a simple automation script. It looks at your current ARP table, and lets you make entries static. It may help someone in hardening a box against Man in the Middle attacks that use ARP poisoning. I'll describe it's usage, and what it's doing in the background, side by side with screen shots.

        I've made two versions. The newer one (ARPFreezeNG) should work in Windows 7, Vista , Window 2008 or any version that supports the netsh "interface ipv4" neighbors options. ARPFreezeNG should be pretty self-explanatory. It's just a simple GUI where you can check off the ARP table entries you wish to make static, and hit apply.

        Source code is included for those that want to see how it works, or wish to modify it to work on older versions of Windows like XP/2003. The code could do with a lot of cleanup, I was coding it while watching "The Big Bang Theory" and was rather distracted by Kaley Cuoco at the time.

        The older version (ARPFreeze 0.1) of the tool  is not as pretty, and is driven by choosing options as you are prompted. If you really want to know what is going on in the background look at the source code that is includes in the download.

1.

        If the arpstaticscript batch file exists, it asks if you want to add to it, or delete it. The arpstaticscript.bat file is used when you schedule the static ARP table to be set at boot time.

2.

        Vista is a little weird, and so is Windows 7 for that matter. On most Windows OSes before Vista, you just had to do a command something akin to "arp -s 192.168.1.1 de-ad-be-ef-ca-fe" to set a static ARP entry, but in Vista (and Windows 7 RC) this would many times give you the error:  The ARP entry addition failed: 5

        To get around this I did some Googling and playing around and found that this command will work in Vista/Windows 7 (changed to the appropriate IP and MAC address of course):

netsh -c "interface ipv4" set neighbors "Wireless Network Connection" "192.168.1.1" "de-ad-be-ef-ca-fe"

        instead of doing it by connection name, I do it by connection Idx, which you will see shortly. If you are using something newer that Windows XP, than choose yes at this dialog box. If you are using Vista or  7, you are probably better off using ARPFreezeNG.

3.

        If you choose yes to the Vista Netsh workaround dialog, then it will prompt you to select which adapter to set a static ARP entry for.

4.

        In the background ARPFreeze looked at your current ARP table, and will now ask you which entries you wish to make static (iterating though your whole ARP table). This means that you will have to make sure you have contacted them recently so they appear in the table. I figured this was a lot nicer than asking you to type in MAC address manually. This dialog also gives you information about the target IP (such as if it is a TCP/IP gateway or reverse DNS entry if it has one) and who owns the MAC address via it's OUI (this may help you spot fakes). Just click yes on the entries you wish to make static. I recommend only making static entries to your subnets gateway, and to key servers.

5.

        Next, ARPFreeze will ask you if you want to make these ARP entries static on every boot. In XP, the static ARP table seems to disappear when you reboot, but in Vista and Windows 7 they seem to be persistent. Either way, this option makes sure to set the static entries at boot time buy using the scheduler.

6.

        This dialog just lets you know the command that ARPFreeze is going to use to schedule the task:

schtasks /create /tn SetStaticArp /tr "\"arpstaticscript.bat"\" /sc ONSTART /ru system

7.

        At this point you are done. The ARP entries you chose should now be static, and arpstaticscript.bat should reapply your changes at boot time if you chose that option. If you ever want to remove all of the settings, just use the "Remove All ARP Settings.bat" script I put in the source director. It's also a good idea to check that you entries are indeed static by using the arp -a command.

        Hope this is of use to someone. I've tested it against Cain and it seems to work fine, but I'd like to get feedback from other people testing it.

Change Log:

01/03/2011:ARPFreezeNG 0.02 released.
06/07/2009:ARPFreeze 0.01 released.

Printable version of this article

15 most recent posts on Irongeek.com:


If you would like to republish one of the articles from this site on your webpage or print journal please contact IronGeek.

Copyright 2014, IronGeek
Louisville / Kentuckiana Information Security Enthusiast