226 Chapter 9 ■ Sniffers
FIGURE 9.3 Cain and Abel
Enabling the IP DHCP Snooping feature on Cisco switches prevents ARP
poisoning. Questions regarding ARP poisoning should make you think of
IP DHCP Snooping. IP DHCP Snooping verifies MAC-to-IP mappings and
stores valid mappings in a database. For the CEH exam, focus on what the
command is and what it prevents.
Take your newly honed sniffing skills and run a sniffer on a public Wi-Fi
network just for fun. Take a few minutes to watch how much ARP traffic
is captured. On a public network with new machines hopping on and off,
there’s usually a ton of traffic.
MAC Spoofing
MAC spoofing is a simple concept in which an attacker (or pen tester) changes their MAC
address to the MAC address of an existing authenticated machine already on the network.
The simplest example of when this strategy is employed is when a network administrator
has applied port security to the switches on their network. Port security is a low-level
security methodology that allows only a specific number of MAC addresses to attach to each
switchport (usually one or two). If this number is exceeded (for example, if you disconnect
the original machine and attach one or two unrecognized units), the port will usually shut
down, depending on the configuration applied. MAC spoofing isn’t necessarily a technique
used to allow network-wide sniffing, but it does work to allow an unauthorized client onto
the network without too much administrative hacking effort.
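The port-security behavior described above, as an added example that is not from the book: a simplified Python model of per-port MAC limiting, showing that the limit only counts addresses, so a frame with an already-learned MAC raises no event, while the same MAC appearing on a second port can be logged. The class, event names, port names, and MAC addresses are constructed for illustration, and real switches differ in detail.

```python
from dataclasses import dataclass, field

@dataclass
class Port:
    max_macs: int = 1                               # MAC limit set by the administrator
    learned: set = field(default_factory=set)
    shutdown: bool = False                          # set once a violation occurs

class Switch:
    """Simplified model of per-port MAC limiting; not any vendor's implementation."""
    def __init__(self, port_names, max_macs=1):
        self.ports = {name: Port(max_macs) for name in port_names}
        self.mac_location = {}                      # MAC -> port it was last learned on

    def frame(self, port_name, src_mac):
        """Handle one frame's source MAC and return the event a switch would log."""
        port, mac = self.ports[port_name], src_mac.lower()
        if port.shutdown:
            return "dropped"
        if mac in port.learned:
            return "ok"                             # known MAC: the count check sees nothing new
        if len(port.learned) >= port.max_macs:
            port.shutdown = True                    # limit exceeded: shut the port down
            return "violation-shutdown"
        previous = self.mac_location.get(mac)
        port.learned.add(mac)
        self.mac_location[mac] = port_name
        if previous and previous != port_name:
            return f"mac-move {previous}->{port_name}"   # same MAC on two ports: alert
        return "learned"

def demo():
    """Replay constructed frames (MACs and port names are made up) and collect events."""
    sw = Switch(["Gi0/1", "Gi0/2"])
    workstation, unknown = "00:11:22:aa:bb:01", "00:11:22:aa:bb:99"
    return [
        sw.frame("Gi0/1", workstation),   # authorized workstation is learned
        sw.frame("Gi0/1", workstation),   # later frame with the same source MAC
        sw.frame("Gi0/2", workstation),   # same MAC appears on a second port
        sw.frame("Gi0/2", unknown),       # second MAC on a one-MAC port
        sw.frame("Gi0/2", workstation),   # port is already shut down
    ]

if __name__ == "__main__":
    for event in demo():
        print(event)
```

For monitoring, the `mac-move` event is the one worth alerting on, since the MAC limit alone cannot tell an authorized adapter from another device presenting the same address.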