<?xml version="1.0" encoding="UTF-8" ?>
<?xml-stylesheet type="text/xsl" href="http://blogs.technet.com/utility/FeedStylesheets/rss.xsl" media="screen"?><rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:wfw="http://wellformedweb.org/CommentAPI/"><channel><title>Detecting ARP Spoofing Attacks</title><link>http://blogs.technet.com/neilcar/archive/2007/07/05/detecting-arp-spoofing-attacks.aspx</link><description>After investigating an ARP spoofing incident recently, I started thinking of how we could easily ferret out this sort of information when responding to a potential incident. In this particular case, there were two important parts of the attack: ARP spoofing</description><dc:language>en-US</dc:language><generator>CommunityServer 2.1 SP1 (Build: 61025.2)</generator><item><title>re: Detecting ARP Spoofing Attacks</title><link>http://blogs.technet.com/neilcar/archive/2007/07/05/detecting-arp-spoofing-attacks.aspx#1461077</link><pubDate>Sat, 07 Jul 2007 01:07:52 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:1461077</guid><dc:creator>CurtWilson</dc:creator><description>&lt;P&gt;I believe there was some malware that was able to use JavaScript hackery to redirect and proxy HTTPS in a full-screen frame. The average user would not notice it. I believe I saw this demonstrated at BlackHat 06/Vegas and the only way you could tell was either by looking at the page source or noticing the small thin border around the page. So, I'd speculate that it's possible that by utilizing that technique + the ARP spoofing technique that you could redirect through the attacker's local malicious proxy. I have not tested this.&lt;/P&gt;</description></item><item><title>re: Detecting ARP Spoofing Attacks</title><link>http://blogs.technet.com/neilcar/archive/2007/07/05/detecting-arp-spoofing-attacks.aspx#1515075</link><pubDate>Fri, 13 Jul 2007 21:32:27 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:1515075</guid><dc:creator>Jordan</dc:creator><description>&lt;p&gt;Curt: the malware can only take that approach if it's running on the local host and then by hooking into the browser or network stack. &amp;nbsp;SSL security is end-to-end on the network so nobody anywhere in between can MITM it unless they've got a root-signed cert for the domain in question, or the user ignores a browser warning. &amp;nbsp;&lt;/p&gt;
&lt;p&gt;Another way of detecting ARP poisoning using only built-in tools or easy to script tests would be to ping all possible hosts on the local subnet (or broadcast address if that works -- I don't recall what conditions that will work with firewalls, different network stacks, etc, so that might not work) and then query the local ARP cache to see if the &amp;quot;gateway&amp;quot; shows up for any other IPs on the network. &amp;nbsp;It's not foolproof as I can think of a couple of ways the attacker could evade detection if he knew about it beforehand, or ways that might cause the router's MAC to show up for other addresses, but generally speaking it should work fairly well. &amp;nbsp;And it's an easy check to implement. &amp;nbsp;I bet you it would have detected this particular malware fairly, showing the MAC of the real machine's IP and the gateway IP as well.&lt;/p&gt;</description></item><item><title>re: Detecting ARP Spoofing Attacks</title><link>http://blogs.technet.com/neilcar/archive/2007/07/05/detecting-arp-spoofing-attacks.aspx#1671899</link><pubDate>Wed, 01 Aug 2007 17:32:05 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:1671899</guid><dc:creator>James</dc:creator><description>&lt;p&gt;I just noticed something similar on my university's campus network: in my case, it was a reference to a JavaScript file inserted at the top of Web pages. I haven't seen anything about this exploit anywhere else. It's a pretty scary exploit, since fundamentally you are relying on the network administrator to keep the network from being compromised--there's not much you can do if the network itself goes bad.&lt;/p&gt;</description></item></channel></rss>