My security students often are a little mystified about the true nature of security as a practice. Here’s a good example of “old school” security: what I’ll label a “LAN tool,” WinArpAttacker. There’s a review at TechKranti.com (http://www.techkranti.com/2010/09/scan-attack-detect-protect-on-lan.html), with points for completeness but marked with some language problems.
I call this a LAN tool because it works in an Ethernet environment. It’s MAC-address-centric, which is to say this isn’t an Internet tool per se. (Remember, Network students, that Layer 2 can just as easily be ATM over SONET, Frame Relay over T1, DOCSIS over cable, or heck, PPP over dial-up.)
But if you want to enumerate hosts on a LAN, this thing is a ninja sword. And remember all that discussion of man-in-the-middle attacks? This is the tool for the job. Want to knock a host off the net? ARP spoofing or a deliberate IP address conflict will keep your target wailing for tech support.
So why do we care? We’re the good guys, right?
Because WinArpAttacker also serves to detect its own attacks, and similar attacks from other vectors. It provides the detection that lets you log, or launch appropriate countermeasures. Which will be discussed elsewhere….