ARP protocol and ARP Spoofing

ARP Overview

　　
ARP is the abbreviation of Address Resolution Protocol. In the LAN, the actual transmission is frame, and the frame contains the MAC address of the target host. In Ethernet, to directly communicate with another host, you must know the MAC address of the target host. But how can I obtain the target MAC address? It is obtained through the Address Resolution Protocol. The so-called "Address Resolution" refers to the process in which the host converts the target IP address to the target MAC address before sending the frame. The basic function of ARP is to query the MAC address of the target device through the IP address of the target device to ensure smooth communication.

When ARP is working, an Ethernet broadcast packet containing the desired IP address is sent. The destination host, or another system that represents the host, responds with a packet containing an IP address and an ethernet address pair. The sender caches the IP address to save unnecessary ARP communication.
　
If an untrusted node has the write access permission to the local network, there is also a risk. In this way, a machine can publish fake ARP packets and turn all the communication to itself. Then it can act as some machines, or simply modify the data stream by the way. ARP often works automatically. In a particularly secure network, ARP ing can use firmware and has automatic suppression protocols to prevent interference.

Figure 1 ARP packet format on Ethernet

Figure 1 shows an example of an ARP packet used for IP-to-ethernet address translation. In the figure, each row is represented by 32 bits, that is, four eight bits.
The hardware type field specifies the type of the hardware interface that the sender wants to know. The value of Ethernet is 1. The protocol type field specifies the high-level protocol type provided by the sender. The IP address is 0806 (hexadecimal ). The hardware address length and protocol length indicate the length of the hardware address and the high-level protocol address, so that ARP packets can be used in any hardware and any protocol network. The operation field is used to indicate the purpose of the packet. The ARP request is 1, the ARP response is 2, The RARP request is 3, and the RARP response is 4.

When an ARP request is sent, the sender fills in the sender's header and sender's IP address, and also fills in the target IP address. When the target machine receives the ARP broadcast packet, it will fill in its 48-bit host address in the Response Message.

Let's take a look at the arp command in windows 2000. (If the content in the arp table is blank, you need to connect a host first, for example, ping the target host to generate an arp entry ):

Run the "arp -- a" command to display the table corresponding to the host address and IP address, that is, the arp cache information stored in the machine. This cache stores the ing records between the nearest Internet address and the hardware address. The survival time of each item in the cache is generally 20 minutes, And the start time starts from the time when it is created.

 

When you run the ping command above, you can listen to it:
We will hear a lot of packets. We take two packets related to our arp Protocol:

 

ARP Spoofing

Let's first review the principles of the ARP protocol mentioned above. In a TCP/IP network environment, the route table defines how an IP packet goes. However, when an IP packet reaches the network, which machine responds to this IP packet is identified by the hardware mac address contained in this IP packet. That is to say, only machines with the same hardware mac address as the hardware mac address in the IP packet will respond to this IP packet, because in the network, each host will send an IP packet, therefore, there is an arp --> hardware mac conversion table in the memory of each host. It is usually a dynamic conversion table (this arp table can be manually added with static entries ). That is to say, the corresponding table will be refreshed by the host after a certain interval. This interval is the timeout time of ARP cache.

Generally, before the host sends an IP packet, it needs to find the hardware mac address corresponding to the IP packet in the conversion table. If the IP packet is not found, the host sends an ARP broadcast packet, the host refreshes its ARP cache. Then the IP package is sent out.

After learning this knowledge, we can now talk about how to implement ARP spoofing In the Ethernet. Let's look at this example.
ARP spoofing for the same network segment
　
ARP spoofing for the same network segment

Figure 2 arp spoofing for the same network segment

As shown in figure 2, three hosts
A: IP address 192.168.0.1 hardware address AA: AA
B: IP address 192.168.0.2 hardware address BB: BB
C: IP address 192.168.0.3 hardware address CC: CC

An intruder located in host B wants to illegal access to host A, but the host is installed with A firewall. By collecting information, he knew that the firewall of host A only had A trust relationship with host C (open port 23 (telnet )). But he must use telnet to access host A. What should he do at this time?

In this case, the attacker must make host A believe that host B is host C. If the trust relationship between host A and host C is built on the IP address. If the IP address of host B is changed to the same as that of host C, it cannot work, at least it cannot work reliably. If you tell the driver of the Ethernet card that your IP address is 192.168.0.3, This is a pure competition and cannot be achieved. We can first study the machine C. If we can temporarily drop this machine, the competition can be removed. This is still possible. When machine C fails, change the IP address of machine B to 192.168.0.3. In this way, you can successfully telnet to machine A through port 23, and bypass the firewall restrictions.

The above idea does not work in the following cases. If the trust relationship between host A and host C is based on the hardware address. In this case, host A needs to use ARP spoofing to change the hardware address mapped to 192.168.0.3 in its ARP cache to the hardware address of host B.

We can manually create an arp_reply response packet and send it to the host to be spoofed. This is possible because the Protocol does not stipulate that the response packet can be sent only after arp_echo is received. there are many such tools. We can also use snifferpro to capture an arp response packet and then modify it.

You can create this package manually. You can specify the source IP address, target IP address, source MAC address, and target MAC address in the ARP packet.
In this way, you can use A false ARP response packet to modify the dynamic ARP cache on host A for spoofing purposes.
The procedure is as follows:
1. He first studied the 192.0.0.3 host and discovered the vulnerability.
2. Host C is suspended for the moment based on the discovered vulnerabilities.
3. During this period, intruders changed their ip address to 192.0.0.3.
4. he used A tool to send A packet with the source IP address 192.168.0.3 and the source MAC address BB: BB to host A, and asked host A to update its arp conversion table.
5. The host updates the ip address of host C in the arp table --> mac correspondence.
6. If the firewall fails, the compromised ip address becomes a valid mac address, and you can telnet.

The above is an ARP spoofing process, which occurs in the same network segment. However, note that the above method does not work when B and C are in different network segments.

ARP spoofing for different network segments

ARP spoofing for different network segments

Figure 3 ARP spoofing between different network segments

As shown in 3, A and C are in the same network segment while host B is in another network segment. The IP addresses and hardware addresses of the three machines are as follows:
A: IP address 192.168.0.1 hardware address AA: AA
B: IP address 192.168.1.2 hardware address BB: BB
C: IP address 192.168.0.3 hardware address CC: CC

In the current situation, how does host B in the CIDR block of 192.168.1 impersonate host C and cheat host? Obviously, even if spoofing succeeds, the telnet session cannot be established between host B and host A, because the router will not forward the packet from host A to host B, the router will find the address at 192.168.0. within this CIDR block.

Now, another spoofing method-ICMP redirection is involved. The combination of ARP spoofing and ICMP redirection can basically achieve the goal of cross-network segment spoofing.

What is ICMP redirection?

ICMP redirection is one of ICMP control packets. Under certain circumstances, when a router detects that a machine uses a non-optimized route, it will send an ICMP redirection packet to the host and request the host to change the route. The router also forwards the initial datagram to its destination. We can use ICMP redirection packets for spoofing purposes.

The following describes how to perform an Attack Based on ARP spoofing and ICMP redirection:
1. In order to make the illegal IP packet sent by the user survive for a long time on the network, the ttl of the IP packet is modified to prepare for possible problems in the following process. Change ttl to 255. (ttl defines the time for an IP packet to survive on the network if the network cannot reach the host. In this example, it is helpful to make enough broadcast)
2. Download a tool (for example, hping2) that can make various packages freely)
3. In the same way as above, find the vulnerability of host C and take host C as appropriate.
4. After the network host cannot find the original 192.0.0.3, the corresponding ARP table will be updated. So he sent an ARP response packet whose original IP address is 192.168.0.3 and its hardware address is BB: BB.
5. now every host knows that a new MAC address corresponds to 192.0.0.3, and an ARP spoofing is completed. However, each host will only find this address in the LAN and will not throw the IP packet sent to 192.0.0.3 to the route. So he has to construct an ICMP redirection broadcast.
6. customize an ICMP redirection package to tell the host on the Network: "the shortest route to 192.0.0.3 is not a LAN, but a route. Please redirect the host to your route path, all IP packets destined for 192.0.0.3 are dropped to the route. "
7. host a accepts this reasonable ICMP redirection, so it modifies its route path and throws communication on 192.0.0.3 to the router.
8. The attacker can finally receive an IP packet from the host in the route. He can telnet to the host's 23 ports.

In fact, the above idea is just an ideal situation. The ICMP redirection packet that the host permits to receive actually has many restrictions. These conditions make ICMP redirection very difficult.

In TCP/IP implementation, the host has the following restrictions on receiving ICMP redirection packets:
1. The new route must be direct.
2. The redirection package must come from the current route to the target
3. The redirection package cannot notify the host to use its own route
4. The changed route must be an indirect route.

Because of these restrictions, ICMP spoofing is actually difficult to implement. However, we can also take the initiative to find some other methods based on the above thinking. More importantly, we know the dangers of these spoofing methods, and we can adopt appropriate defense methods.

Defense Against ARP Spoofing

Given the methods and harms of ARP spoofing, we provide some preliminary defense methods:
1. Do not establish your network security trust relationship on the basis of an IP address or a hardware mac address.