Sniffing Technology Without ARP Spoofing

Source: Internet
Author: User

Text/figures: Liu Zhisheng

ARP spoofing attack and defense techniques are both mature, and earlier articles in this magazine have already described them in detail, so they are not repeated here. This article focuses on how to sniff and hijack sessions without using ARP spoofing. The actual attack method is MAC spoofing.

Principles

Before starting, let's look at the forwarding process of a switch. When a switch port receives a data frame, the switch first looks up which port corresponds to the frame's destination MAC address in its MAC address table (the CAM table). If the destination port and the source port are different, the frame is forwarded out of the destination port, and the entry mapping the source MAC address to the source port in the MAC address table is updated; if the destination port is the same as the source port, the frame is discarded.

Assume a four-port switch in the following scenario, with ports a, b, c and d connected to hosts A, B, C and D respectively, where D is the gateway. When host A sends data to host B, host A encapsulates the data frame according to the OSI model: it looks up the MAC address of host B based on B's IP address and fills that in as the destination MAC address of the frame. Before sending, the MAC control circuit of the NIC makes a judgment: if the target MAC is the same as the NIC's own MAC, the frame is not sent; otherwise the NIC sends it. When port a receives the data frame, the switch finds in its MAC address table that B's MAC (the destination MAC of the frame) belongs to port b, and the source port of the frame is port a, so the switch forwards the frame out of port b, and host B receives it. The entire process is shown in Figure 1.

Figure 1

This addressing process can also be summarized as IP -> MAC -> PORT.
ARP spoofing deceives the relationship between IP and MAC, while MAC spoofing deceives the relationship between MAC and PORT. An earlier attack method was flooding the switch's MAC address table. This does make the switch work in broadcast mode, which enables sniffing, but it causes heavy switch load, a slow network and packet loss, and can even paralyze the network. That method is not used in this article.

Practical drills

Assume that the working environment is the four-port switch described above. The software used as an example is httphijack from cncert, with host A hijacking the data of host C. The hijacking process is as follows (da is the destination MAC and sa is the source MAC).

1) A sends any data packet with da = gateway.mac and sa = B.mac to the gateway. This tells the switch that port a corresponds to B.mac. For a period of time, the switch sends all data frames addressed to B.mac to host A. This lasts until host B sends a data packet, or until another packet with da = gateway.mac and sa = B.mac is generated. The entire process is shown in Figure 2.

Figure 2

2) Host A receives the data sent by the gateway to B. After recording or modifying it, it forwards the data to host B. Before forwarding, it sends a broadcast request for host B's MAC; this packet is normal, with MAC information da = FF:FF:FF:FF:FF:FF and sa = A.mac. This data frame tells the switch that A.mac belongs to port a. At the same time, host B is triggered to respond with a reply packet whose MAC information is da = A.mac, sa = B.mac. That frame tells the switch that B.mac belongs to port b. At this point the correct mapping has been restored, and host A successfully forwards the hijacked data to host B. The entire process is shown in Figure 3.

Figure 3

3) Route the hijacked data to B, and the hijacking is complete.

This attack method has obvious characteristics, and it is time-segmented. Therefore, the larger the victim's traffic, the lower the hijacking frequency and the more stable the network.
Moreover, because of its particular working nature, the attack is concealed: it works even in environments with an ARP firewall and two-way (static) IP-MAC binding. The tools mentioned above are mainly httphijack, used for HTTP session hijacking, and ssclone, used for session replication in a switched environment (Gmail, QQmail, Sohumail ......), while Skiller is used for traffic control. In a real environment, how should we defend against such attacks? Advanced switches can bind IP + MAC + port to control automatic learning of the CAM table. As for software, there is no effective tool to defend against such attacks.
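To make the CAM-table behaviour in the Principles section and the switch-side defence above concrete, here is a small model of a learning switch, written as an added illustration for this article (it is not the article's own code, and the hosts, ports and "D.mac"-style MAC names are constructed). It replays a constructed frame sequence on the four-port switch (a, b, c, d) and shows two things a defender cares about: a MAC moving between ports is a detectable event, and a static MAC-to-port binding (standing in for the IP + MAC + port binding the article mentions) stops the table from being re-learned.

```python
class CamTable:
    """Model of a switch MAC address table. Added illustration, not the article's code."""

    def __init__(self, static=None):
        # static: {mac: port} bindings, standing in for the IP+MAC+port binding the
        # article mentions as the switch-side defence; bound MACs are never re-learned.
        self.table = {}
        self.static = static or {}
        self.flaps = []  # (mac, old_port, new_port): a MAC moving between ports

    def receive(self, in_port, src_mac, dst_mac):
        """Process one frame; return the egress port, "flood", or None if dropped."""
        if src_mac in self.static:
            # port security: a bound MAC arriving on the wrong port is discarded
            if self.static[src_mac] != in_port:
                return None
        else:
            old = self.table.get(src_mac)
            if old is not None and old != in_port:
                self.flaps.append((src_mac, old, in_port))  # detection signal
            self.table[src_mac] = in_port  # normal source-MAC learning
        out = self.static.get(dst_mac, self.table.get(dst_mac))
        if out is None:
            return "flood"  # unknown destination: sent out of all other ports
        return None if out == in_port else out  # same port as source: dropped


def scenario(static=None):
    """Replay constructed traffic on the article's four-port switch (a, b, c, d)."""
    cam = CamTable(static)
    frames = [
        ("d", "D.mac", "B.mac"),  # gateway -> B before B.mac has been learned
        ("b", "B.mac", "D.mac"),  # B -> gateway: B.mac learned on port b
        ("d", "D.mac", "B.mac"),  # gateway -> B: delivered on port b
        ("a", "B.mac", "D.mac"),  # B.mac shows up on port a (the MAC/port move)
        ("d", "D.mac", "B.mac"),  # gateway -> B: where does it go now?
    ]
    return [cam.receive(*f) for f in frames], cam.flaps


if __name__ == "__main__":
    print("learning switch:", scenario())
    print("with binding:   ", scenario({"B.mac": "b"}))
```

With plain learning the fifth frame leaves on port a and one flap (B.mac, b, a) is recorded, which is the event a monitoring tool should alert on; with the binding in place the fourth frame is dropped and the gateway's traffic keeps going to port b.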
