[C #] Remember ARP spoofing for a lab LAN

Cause

One day noon nap, the author was the fierce keyboard and mouse sound woke up, found that the lab's classmates in that selfless play lol, circumnavigated uncomfortable, so decided to complete him. After thinking about it, I think let him drop the line as punishment. Combined with the previous theoretical knowledge, everyone in the same LAN, with ARP spoofing is obviously a good way, so there is the next story of this article.

ARP spoofing theory

First of all, to sort out the theoretical knowledge of ARP spoofing. ARP spoofing [1] (English: ARP spoofing), also known as ARP virus (ARP poisoning) or ARP attack, is an attack technique for Ethernet Address Resolution Protocol (ARP). This type of attack can allow an attacker to acquire packets on the LAN or even tamper with the packets, and make it impossible for a particular computer or all computers on the network to connect properly.

In the Ethernet LAN, the packet transmission depends on the MAC address, the IP address and Mac relationship depends on the ARP table, each host with TCP/IP protocol (including the Gateway) has an ARP cache table. This table holds the control relationship between the IP address and MAC address of each computer in this network.
Under normal circumstances, the ARP cache table can effectively guarantee the one-to-one performance of data transmission. However, the ARP protocol corresponding to the ARP cache table maintenance mechanism is imperfect, when the host receives an ARP reply packet, it does not verify whether or not to send the ARP request, but rather directly the answer packet in the MAC address and IP corresponding to the relationship between the original ARP cache to replace the corresponding information. This is the root cause of ARP spoofing .

To summarize briefly, ARP spoofing can be broadly divided into the following three types:

1. Fake host

Spoofing source C disguised itself as a LAN in another host B, so that the LAN sent to the B messages are flowing to C. The process of forging a host is similar to forging a gateway.

Figure 1: Fake host

In Figure 1, we assume that there are three hosts in the LAN, namely, the gateway, the spoofing source and the host, their IP MAC address is marked in the diagram. The spoofing source sends an ARP message to the gateway at every interval of time, with the contents of my IP address 192.168.1.3 (spoofed host IP), and my MAC address is BB-BB-BB-BB-BB-BB (own MAC address). When the gateway updates the ARP cache table, the wrong IP and Mac mappings are registered in the ARP cache table, and the next time the gateway forwards the message, it sends the message to the spoofed host. This reaction to the reality is that the host was cheated off the net .

2. Forge the Gateway

The spoofing source disguises itself (or other non-gateway host) as a gateway and sends an ARP response message to the spoofed host in the LAN. The Mac that makes the host in the LAN mistaken for a spoofed source is the Gateway MAC address. So that data destined for the gateway is mistakenly sent to the spoofing source. Its simple 2 shows:

Figure 2: Forged Gateway

We still use the above three host example to explain that the host's IP and Mac have not changed, but this deception source to the host to send ARP messages, the contents of the message, My IP is 192.168.1.1 (I am the gateway), my MAC address is BB-BB-BB-BB-BB-BB (the MAC address of the spoofing source). This way, when the spoofed host receives the ARP message, the Mac with the IP address of 192.168.1.1 is updated as the spoofing source Mac. In this way, the host to the gateway to send data when in fact all sent to the source of deception, this reaction to reality is actually also cheated the host dropped the line. The second case, of course, is a discrepancy between the empirical theory and the actual situation, which is explained below.

3. Bidirectional deception

The third is actually the combination of the two ways, both deceive the gateway and deceive the host, to achieve the purpose of two-way deception, here will not repeat.

Specific implementation

It is also possible to construct an ARP message via the Windows API, but thanks to the great open source community, we can use WinPcap or its C # package Sharppcap to implement it, which greatly simplifies our implementation process. In fact, this article does not intend to introduce the details of programming, because I think it is not a problem to write an ARP spoofing tool with the above tools after I understand the principle. So let's just take a look at this tool, 3 shows.

Figure 3:arp Deception Tool

Before we start ARP spoofing, we have to scan all the hosts in the LAN to get their IP address and Mac mapping, which can be passed through the ARP request message, one by one scanning the past.

Then choose one of the IPs (MAC) to do ARP spoofing. ARP Storm is the author of another function, the principle is to constantly construct the ARP request message to keep asking all the hosts in the LAN, so that they constantly make a response to exhaust the LAN bandwidth resources, resulting in the illusion of network cards. But it seems to be because the current switch bandwidth is large enough, and there is no egg to use.

Effect

When using ARP Gateway spoofing (that is, corresponding to the fake host above), the effect is very ideal, the classmate dropped the line, and how can not be re-connected, very anxious ...

But when using ARP host spoofing (that is, corresponding to the forged gateway above), the effect is beyond my imagination, and all the lab hosts are off-line, including the author's computer. Later I analyzed the reason, theoretically this false ARP response message (that is, the author of the computer disguised as a gateway to be deceived host transmitter) is sent to the host, the other host should not be received. However, in fact, other hosts see the ARP Response message sent back from the gateway, whether it is sent to their own, will be accepted, and then update their own ARP cache table. Indeed, this is justified, because when the MAC address of the gateway changes, the host of the LAN should update the ARP cache table the first time, instead of waiting for the gateway to send you the update, it is too late.

Conclusion

The author does not intend to expose the ARP spoofing tool and its code, after all, is not a useful tool, and can be used to do bad things (of course, it is easy to write one of their own). If you are interested in communication, I am happy to send a copy of ^_^

Reference documents

ARP Spoofing http://zh.wikipedia.net.ru/wiki/ARP%E6%AC%BA%E9%A8%99

[C #] Remember ARP spoofing for a lab LAN