How to sniff a switched network and the principle of ARP spoofing: ARP explained

Source: Internet
Author: User

Sniffing on Ethernet (a sniffer is a tool that can eavesdrop on packets flowing through the network) is bad for network security. Network administrators can use it to track packets and diagnose network problems, but in the hands of an attacker it poses a serious security threat to the entire network. The pros and cons of sniffing will not be discussed further here.

ARP cache table

Assume a network like this:

        +-----------+
        |    HUB    |
        +-----------+
          |   |   |
          |   |   |
      HostA HostB HostC

where:

The address of A is: IP 192.168.10.1, MAC AA-AA-AA-AA-AA-AA

The address of B is: IP 192.168.10.2, MAC BB-BB-BB-BB-BB-BB

The address of C is: IP 192.168.10.3, MAC CC-CC-CC-CC-CC-CC

Suppose B is the sniffer. For example, here is the ARP cache on machine A:

C:\>arp -a

Interface: 192.168.10.1 on Interface 0x1000003

  Internet Address      Physical Address      Type

  192.168.10.3          CC-CC-CC-CC-CC-CC     Dynamic

This is the ARP cache table on machine 192.168.10.1. Suppose A pings 192.168.10.3. To ping host C, A queries its local ARP cache table and looks up the MAC address for C's IP address. The data is then transmitted with C's MAC address as the destination. If A has no ARP record for C, A first broadcasts an ARP request. When C receives the request, it sends a reply that includes C's MAC address. When A receives the reply from C, it updates its local ARP cache and then uses that MAC address to send the data (the MAC address is attached by the network card).

The local ARP cache is therefore the basis for traffic on the local network, and the cache is dynamic.

Hub Network (hub-based)

Many networks are connected using hubs.

When a packet is sent to another computer through a hub, the hub simply broadcasts the packet to all of its ports.

This is the network structure in the example above.

Now A needs to send a TCP packet to C. First, A checks its local ARP cache table for an ARP record for IP 192.168.10.3, which is C. If there is none, A broadcasts an ARP request. When C receives the request, it replies. A then updates its own ARP cache table and obtains the MAC address that corresponds to C's IP. The TCP packet is then transmitted, with C's MAC address in the Ethernet frame. When the packet reaches the hub, the hub broadcasts the entire packet to all ports, and C receives the packet sent by A.

Because the hub broadcasts the data to all ports, computer B also receives the packet that A sent to C. This achieves B's goal of sniffing.

As a result, a hub-based network is fundamentally insecure, and sniffing is easy on such a network.

Switched networks (switched LAN)

Switches replace hubs and were designed to solve several of the hub's security problems, sniffing among them. A switch does not broadcast packets to every port. It uses its own ARP cache to decide which port a packet should be transmitted to. So on a switched network, if the hub in the example above is replaced with a switch, B will not receive packets sent to C. Even with its NIC set to promiscuous mode, B cannot sniff them.

ARP Spoofing (ARP spoofing)

The ARP protocol does not accept ARP replies only after it has sent an ARP request. Whenever a computer receives an ARP reply packet, it updates its local ARP cache and stores the IP and MAC addresses from the reply there. So, in the network assumed above, B sends A a forged ARP reply. In this reply the sender IP address is 192.168.10.3 (C's IP address) and the MAC address is DD-DD-DD-DD-DD-DD (C's MAC address should be CC-CC-CC-CC-CC-CC; it is forged here). When A receives B's forged ARP reply, it updates its local ARP cache (A does not know that the reply was forged).

Now the ARP cache on machine A has been updated:

C:\>arp -a

Interface: 192.168.10.1 on Interface 0x1000003

  Internet Address      Physical Address      Type

  192.168.10.3          DD-DD-DD-DD-DD-DD     Dynamic

This is not a trivial matter.

Traffic on the LAN is not delivered by IP address; it is transmitted according to MAC address. On A, the MAC address for 192.168.10.3 has now been changed to one that does not exist.

When A now pings 192.168.10.3, the MAC address that the network card puts on the frame is DD-DD-DD-DD-DD-DD. What is the result? The network path is broken: A cannot ping C at all!

This is a simple ARP spoof.
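The two symptoms described above (a reply that nobody asked for, and an IP whose MAC suddenly changes) can be checked on the host itself. The following is an added example, not code from the original article: `parse_arp`, `ArpMonitor` and the sample frames are hypothetical names and constructed data, using the addresses of hosts A, B and C, and it assumes the forged frame leaves B's network card.

```python
import struct

ARP_REQUEST, ARP_REPLY = 1, 2

def parse_arp(frame):
    """Return (op, sender_mac, sender_ip, target_ip) for an IPv4/Ethernet ARP frame, else None."""
    if len(frame) < 42:
        return None
    ethertype, = struct.unpack("!H", frame[12:14])
    htype, ptype, hlen, plen, op, sha, spa, _tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if ethertype != 0x0806 or (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    mac = "-".join(f"{x:02X}" for x in sha)
    return op, mac, ".".join(map(str, spa)), ".".join(map(str, tpa))

class ArpMonitor:
    """Host-side monitor: feed it every ARP frame the host sends or receives."""
    def __init__(self, my_ip):
        self.my_ip = my_ip
        self.bindings = {}    # IP -> MAC learned from the first reply seen
        self.pending = set()  # IPs this host has asked about and not yet heard from

    def observe(self, frame):
        parsed = parse_arp(frame)
        if parsed is None:
            return []
        op, sender_mac, sender_ip, target_ip = parsed
        if op == ARP_REQUEST and sender_ip == self.my_ip:
            self.pending.add(target_ip)
        if op != ARP_REPLY:
            return []
        alerts = []
        if sender_ip not in self.pending:
            alerts.append(f"unsolicited reply for {sender_ip}")
        self.pending.discard(sender_ip)
        known = self.bindings.setdefault(sender_ip, sender_mac)
        if known != sender_mac:
            alerts.append(f"{sender_ip} changed from {known} to {sender_mac}")
        return alerts

# Constructed sample frames (hex) for hosts A, B, C and the forged MAC DD-...
A, B, C, D = ("aa" * 6, "bb" * 6, "cc" * 6, "dd" * 6)
IP_A, IP_C, HDR = "c0a80a01", "c0a80a03", "0806 0001 0800 06 04"
REQUEST = bytes.fromhex(f"{'ff' * 6}{A}{HDR}0001{A}{IP_A}{'00' * 6}{IP_C}")
REPLY_C = bytes.fromhex(f"{A}{C}{HDR}0002{C}{IP_C}{A}{IP_A}")
FORGED = bytes.fromhex(f"{A}{B}{HDR}0002{D}{IP_C}{A}{IP_A}")  # assumed to come from B's NIC

def run_demo():
    mon = ArpMonitor("192.168.10.1")
    return [mon.observe(f) for f in (REQUEST, REPLY_C, FORGED)]
```

The monitor keeps the first binding it learned, so a legitimate address change (a replaced network card, for instance) also raises the second alert and has to be confirmed by an administrator.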

This article originates from China's Network protocol analysis |www.cnpaf.net original link: http://www.cnpaf.net/Class/arp/201111/26040.html
