General Security Concepts: Attacks • Chapter 2  71

                             This will start the attack using interface fxp0, and will intercept
                             any packets bound for 10.10.0.1. The output will show you the
                             current ARP traffic.
                         5. Congratulations, you’ve just become your gateway.

                         You can leave the arpspoof process running, and experiment in
                      another window with some of the various sniffing tools which dsniff
                      offers. Dsniff itself is a jack-of-all-trades password grabber. It will fetch
                      passwords for Telnet, FTP, Hypertext Transfer Protocol (HTTP), Instant
                      Messaging (IM), Oracle, and almost any other password that is trans-
                      mitted in the clear. Another tool, mailsnarf, will grab any and all e-mail
                      messages it sees, and store them in a standard Berkeley mbox file for
                      later viewing. Finally, one of the more visually impressive tools is
                      WebSpy. This tool will grab Universal Resource Locator (URL) strings
                      sniffed from a specified host, and display them on your local terminal,
                      giving the appearance of surfing along with the victim.
                         You should now have a good idea of the kind of damage an attacker
                      can do with ARP spoofing and the right tools. This should also make
                      clear the importance of using encryption to handle data. Additionally,
                      any misconceptions about the security or sniffing protection provided by
                      switched networks should now be alleviated thanks to the magic of ARP
                      spoofing!





                 E-mail Spoofing
                 Spam is a major problem in today’s Internet.And some of the techniques that
                 spammers use include e-mail spoofing, where the e-mail sender changes the
                 FROM field of the e-mail so that it appears that the message came from a trusted
                 source or domain.
                    Few users would open an e-mail from mailto:defcon@xploits.com with an
                 attachment called “Sexy Screensaver.scr,” but a lot more users would open an attach-
                 ment called “Vacation Schedules.xls” from mailto:hr@yourcompany.com. E-mail
                 spoofing is extremely easy to do, as seen in Exercise 2.02, and hard to stop. User
                 education is the best defense against e-mail spoofing, along with proper configura-
                 tion of the e-mail protection programs the company has.








                                                                              www.syngress.com