3/27/08

Man in the Middle Attacks by Default Gateway Redirect

This is also a simple attack. The attacker either disables the primary DHCP server using a denial of service attack and then operates their own DHCP server, or they simply set up a DHCP server that responds faster than the one already on the network. When a client sends out a DHCP request, it accepts the response from whichever DHCP server responds first.

If the attacker wants to see all the traffic you are sending out of your local subnet, they simply respond to your DHCP request and specify their own machine as the default gateway. The attacker's machine then forwards any traffic on to the real default gateway. Now the attacker can see everything you're sending (perfect for username and password theft, identity theft, or capturing other sensitive information).

Mitigation
Cisco have a technology to overcome this called DHCP snooping. What happens is you tell the switch which port(s) have a DHCP server plugged in. The switch then only allows that port to respond to DHCP queries. Simple. This feature is available on layer 3 switches such as the Cisco 3560, but note that the EMI feature set is often required. A limited form of DHCP snooping is available on layer 2 switches, but it can only limit the rate at which DHCP packets are sent.

First, enable the feature globally.
ip dhcp snooping vlan 1
no ip dhcp snooping information option
ip dhcp snooping

Then tell the switch to trust ports that have a DHCP server plugged into them.
interface FastEthernet x/y
ip dhcp snooping trust

That's the basic config done.
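
To make the trusted-port rule concrete, here is an added example (not part of the original post, and a simplified model rather than Cisco's implementation) that parses a DHCP payload and drops server replies arriving on untrusted ports, reporting the gateway they tried to hand out. The port names, addresses and the snoop/sample helpers are assumptions for illustration, and the packets are constructed, not captured.

```python
import ipaddress

MAGIC = b"\x63\x82\x53\x63"                 # DHCP magic cookie (RFC 2131)
NAMES = {2: "OFFER", 5: "ACK", 6: "NAK"}    # option 53 values sent by servers

def parse_options(payload):
    """Return {option code: raw value} from a BOOTP/DHCP UDP payload."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    opts, i = {}, 240
    while i < len(payload) and payload[i] != 255:   # 255 = end option
        if payload[i] == 0:                         # 0 = pad, no length byte
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("truncated option")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option")
        opts[payload[i]] = value
        i += 2 + length
    return opts

def snoop(port, payload, trusted_ports):
    """Apply the trusted-port rule; return (verdict, detail)."""
    opts = parse_options(payload)
    if payload[0] != 2 or port in trusted_ports:    # op 2 = BOOTREPLY (from a server)
        return "forward", None
    kind = NAMES.get((opts.get(53) or b"\x00")[0], "BOOTREPLY")
    router = opts.get(3, b"")                       # option 3 = default gateway
    gw = str(ipaddress.IPv4Address(router[:4])) if len(router) >= 4 else "none"
    return "drop", f"{kind} on untrusted port {port} offering gateway {gw}"

def sample(op, mtype, router=None):
    """Build a constructed DHCP payload for the demo (not captured traffic)."""
    opts = bytes([53, 1, mtype])
    if router:
        opts += bytes([3, 4]) + ipaddress.IPv4Address(router).packed
    return bytes([op, 1, 6, 0]) + bytes(232) + MAGIC + opts + b"\xff"

if __name__ == "__main__":
    trusted = {"Fa0/1"}                             # hypothetical port with the real server
    for port, pkt in [("Fa0/1", sample(2, 2, "192.0.2.1")),
                      ("Fa0/7", sample(2, 2, "192.0.2.66")),
                      ("Fa0/7", sample(1, 1))]:     # client DISCOVER
        print(port, snoop(port, pkt, trusted))
```

The same parser can be pointed at mirrored DHCP traffic on a network without snooping to log which hosts are answering and what default gateway they advertise.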
