I wonder how many of you tried netCut after reading yesterday’s article? Don’t you find it hard to believe that netCut has been available for so long, yet so many computers are still affected by this attack simply because of how the ARP standard works? Attacking computers with netCut may seem fun to script kiddies, but it is no fun at all for the person who gets cut off.
If your Internet connection on a shared network gets cut off while everyone else’s is working fine, here is how you can determine whether someone is really poisoning your ARP cache. Also, if you’re connected to public Wi-Fi, you should protect your computer against these attacks. Even if you think a paid Wi-Fi network is safer, you’re wrong, because someone could cut off your Internet and then spoof their computer as yours to get free Internet on the paid Wi-Fi.
I did some research on how to protect against netCut and here are a few methods that work. Not every tool can protect against netCut, for example Anti Netcut by tools4free and StopCut. Neither of these anti-netcut tools works, and both are annoying as well because every once in a while an advertisement window pops up. In fact, I even got a warning from Comodo Firewall that Anti Netcut was trying to secretly connect to an FTP server. In Arcai’s netcut Software 2.0 there is a checkbox, “Protected My Computer”, which is supposed to protect your computer against Arcai’s netcut Software, but it didn’t work on my Windows XP SP3 computer.
A working third-party program that can intercept ARP spoofing/ARP attacks/ARP poisoning, intercept IP address conflicts, prevent DoS attacks, and that offers safety mode, ARP flow analysis, ARP cache protection, active defense, attacker location and an ARP virus cleaner is AntiARP.

There are 2 versions of AntiARP: the Personal Edition and the Server Edition. Unfortunately both versions are shareware. The Personal Edition only works on desktop operating systems such as Windows 2000, XP and Vista. If you want to use it on a Windows Server based OS, you have to go for the Server Edition, which costs more. It can automatically block netCut’s attack and also tell you who the attacker is.
So far I have found that the free Comodo Firewall is able to protect your computer against ARP poisoning, but you have to enable the protection because it is disabled by default. Click Firewall in the top bar and then click the Advanced button in the left pane. Go to Attack Detection Settings and check “Protect the ARP Cache”.

As for Kaspersky Internet Security 2010 users, sorry to let you know that it doesn’t block netCut attacks.
Dude, XArp uses large set of detection modules to analyze the network . ..
The irony is that i’m using NetCut right now to read this article >.<
thank u but i don’t understand :(
Have a look at XArp: its free, GUI-based, available for Windows and Linux:
chrismc.de/development/xarp/
XArp uses a large set of detection modules to analyze the network, and further uses active validation of the network to pro-actively detect attackers.
For ARP poisoning protection I use ARP AntiSpoofer, it’s free.
sourceforge.net/projects/arpantispoofer/
I try it with netcut and Cain and Abel. You can even protect your Gateway and other host.
got netcut by guy across the street jack my pc w/vista had to reboot vista & online armor did not work how do i stop him help wa631@aol.com
I wonder why there is not a link to that Netcut program… I think there should be, because it can be fun to see it in action on one’s own network.
Is it not possible to find?
comodo firewall version 2.4.18.184 does not have the option PROTECT THE ARP cache ..CAN ANY ONE PLEASE HELP
OR give the version of comodo firewall which helps in
ARP poisoning . does this resolve ip conflict on lan network
does any software help avoid ipconflict
Anti-arp 6.01 is not successful on all lan networks..
cannot understand why… ip conflict does exist with anti-arp 6.01 installed and running
can any one help please
arp -s to set a static route. fixed mac address and ip address so my computer will only get data/whatever from the ip/mac. making the netcut useless and then i will start to annoy the person back by mass downloading.
well i use an old method which is to display the arp table in cmd.
arp -a and then match whose mac address is the same as the router mac address. if i find, for example, that 192.168.1.1 and 192.168.1.123 have the same mac address, i will find out who 192.168.1.123 is. then i will directly block him from using internet on the router or i will set a static arp route from my pc to the router via cmd.
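The `arp -a` check described in the comment above, written out as an added example (not part of the original post or its comments): it parses Windows-style `arp -a` output, lists any IP whose cached MAC equals the one cached for the gateway, and reports whether the gateway entry is static. The sample output, the addresses and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of Windows `arp -a` output (not captured from a real network).
SAMPLE_ARP_A = """\
Interface: 192.168.1.50 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-11-22-33-44-55     dynamic
  192.168.1.77          00-aa-bb-cc-dd-01     dynamic
  192.168.1.123         00-11-22-33-44-55     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

ENTRY = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+((?:[0-9a-f]{2}-){5}[0-9a-f]{2})\s+(\w+)", re.I)

def parse_arp_table(text):
    """Return {ip: (mac, type)} for the unicast entries of `arp -a` output."""
    table = {}
    for line in text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue                      # interface banner, column header, blank line
        ip, mac, kind = m.group(1), m.group(2).lower(), m.group(3).lower()
        if int(mac[:2], 16) & 1:          # group bit set: broadcast/multicast, not a host
            continue
        table[ip] = (mac, kind)
    return table

def gateway_impostors(table, gateway_ip):
    """Other IPs whose cached MAC equals the MAC cached for the gateway."""
    if gateway_ip not in table:
        return []
    gw_mac = table[gateway_ip][0]
    return sorted(ip for ip, (mac, _) in table.items()
                  if ip != gateway_ip and mac == gw_mac)

def shared_macs(table):
    """Every MAC cached for more than one IP, with the IPs that share it."""
    by_mac = defaultdict(list)
    for ip, (mac, _) in table.items():
        by_mac[mac].append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}

def gateway_is_static(table, gateway_ip):
    """True when the gateway entry was pinned (e.g. with `arp -s`)."""
    return gateway_ip in table and table[gateway_ip][1] == "static"
```

A shared MAC is a lead rather than proof: a router that holds several addresses looks the same in the cache, so compare the gateway's cached MAC with the one printed on the router or shown in its admin page.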
@Adn:
We’re not talking about Kaspersky vs ESET.
We’re talking about COMODO, which is FREEWARE.
Help Ray. Do you know any alternative server for comodo? The university’s proxy server blocked the default comodo server
did you test if other firewalls can block netcut?
hi Raymond sir can I know that whether Bitcomet anti arp serve the above purpose. Not only Raymond sir anyone bumping out here can answer to me, please answer !!!
Hi Raymond, I am already a bit frustrated about my situation. I am working on-board a ship, not an unusual fan of yours right? We have internet connection through satellite even on the ocean. Last week we have a new captain who is so mad about himself if I may say. He started to install websense to block sites and the connection now is too slow. This was not the case before, I’m sure he made something on our server. I really need your help how to bypass websense and anyway I can get NetCut and how to increase speed? I appreciate if you can e-mail me on my add siocon1976@yahoo.com, enriquez_jv@yahoo.com.
Since our connection now is too slow because of this captain. Thanks in advance Ray…
Regards from the middle of Atlantic…………..
OutpostFirewallPro and OnlineArmor also can protect your computer from ARP-attacks …
Hey Raymond, did you test if other firewalls can block netcut?
In system mechanic, in the “fix vulnerabilities” tab it has options to test the network for null sessions, host file redirections and dos attacks. Would this fix what netcut does?
BTW: I don’t use system mechanic for security.
I don’t link this:
McAfee-GW-Edition: Heuristic.BehavesLike.Win32.Backdoor.N
VBA32: Trojan.Win32.AddUser.m
But the “Heuristic” means it don’t use signatures and I don’t really trust/know VBA32.
So I hope this program is clean Raymond!
I don’t mean to fuel the flame of the old fight Kaspersky vs ESET, but ESET Smart Security v4 DOES detect and protect of any ARP poisoning attack… =)
One or two weeks ago, I had bad side effects when trying this software on my Windows 7 RC… And I had to use a restoration point to get rid of it.
Not really tested but xarp chrismc.de/development/xarp/ seems to be a better software
Hey Raymond, do you have any suggestions on a good proxy software? I can’t trust other sites or forums to suggest one besides yours. It’s been like a year and so on since your last post about one.
hey how nivek_hcerg? and where is the video?
@Sqyber: antiarp site is in yellow coz users rated it. This site is not verified by mywot.
why is antiARP site yellow in wot but no comments ?
mywot.com/en/scorecard/antiarp.com
On milw0rm I found out a video of how to get free internet (from paid wifi) using netcut. All I can say is that it’s simply amazing how he cheated the router :X
A phoney announcement may be made in a number of ways for a number of reasons. The following table briefly explains these factors.
The techniques for protecting the network are the same for all these phoney announcements: reject gratuitous ARPs, and control access to ports with DHCP snooping and ARP security.
+++++++++++++++++++++++++++++++++++++++
If the ARP or GARP packet contains… Then…
+++++++++++++++++++++++++++++++++++++++
▲ MAC that does not exist on network and IP address that does not exist on network
★ the attacker may be trying to fill up the IP ARP table so that the subnet’s router cannot learn more addresses. As a result, return (routed) traffic may not be forwarded.
▲ MAC that is owned by attacker and IP address that does not exist on network
★ the attacker is using an IP address that the administrator has not assigned and so may be trying to avoid traceability.
▲ MAC that is owned by attacker and IP address that is owned by another host
★ the attacker is trying to intercept traffic destined for this host.
▲ MAC that is owned by attacker and IP address that is owned by the subnet router
★ the attacker is trying to intercept all traffic leaving the subnet.
▲ MAC does not exist on network and IP address that exists on network
★ the attacker is trying to cause traffic to this IP address to flood to all hosts in the subnet. However, hosts disregard the flooded traffic because it is not addressed with any host’s MAC address. This means that the attacker receives the traffic and its intended recipient ignores it.
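The table above applied as a check, in an added example that is not part of the original comment or of any vendor's code: each ARP sender IP/MAC pair is validated against a binding table of the kind DHCP snooping builds, and a mismatch is dropped and labelled with the table row it falls under. The addresses, the `classify` and `inspect` names, and treating "MAC present in the binding table" as "MAC that exists on the network" are assumptions.

```python
# Constructed IP -> MAC bindings, standing in for a DHCP snooping table.
BINDINGS = {
    "192.168.1.1":  "00:1a:2b:00:00:01",  # subnet router
    "192.168.1.20": "00:1a:2b:00:00:20",
    "192.168.1.30": "00:1a:2b:00:00:30",
}
ROUTER_IP = "192.168.1.1"

def classify(sender_ip, sender_mac, bindings=BINDINGS, router_ip=ROUTER_IP):
    """Map an ARP/GARP sender pair to 'ok' or to the matching row of the table."""
    mac = sender_mac.lower()
    ip_known = sender_ip in bindings
    mac_known = mac in bindings.values()  # assumption: a bound MAC exists on the network
    if ip_known and bindings[sender_ip] == mac:
        return "ok"
    if not ip_known:
        return "unassigned-ip" if mac_known else "table-fill"
    if not mac_known:
        return "flood"                    # unknown MAC claiming an IP that exists
    return "intercept-subnet" if sender_ip == router_ip else "intercept-host"

def inspect(packets, bindings=BINDINGS, router_ip=ROUTER_IP):
    """Return (forwarded, dropped); only pairs that match a binding are forwarded.

    Each dropped item carries the verdict and, where the MAC is bound, the IP
    that MAC really belongs to, which is the host to go and look at.
    """
    owner = {mac: ip for ip, mac in bindings.items()}
    forwarded, dropped = [], []
    for ip, mac in packets:
        verdict = classify(ip, mac, bindings, router_ip)
        if verdict == "ok":
            forwarded.append((ip, mac))
        else:
            dropped.append((ip, mac, verdict, owner.get(mac.lower())))
    return forwarded, dropped

# Constructed announcements: one legitimate, then one per row of the table.
SAMPLE = [
    ("192.168.1.20", "00:1a:2b:00:00:20"),
    ("192.168.1.99", "de:ad:be:ef:00:01"),
    ("192.168.1.99", "00:1a:2b:00:00:30"),
    ("192.168.1.20", "00:1a:2b:00:00:30"),
    ("192.168.1.1",  "00:1A:2B:00:00:30"),
    ("192.168.1.20", "de:ad:be:ef:00:01"),
]
```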