Lying to people, that is, the so-called "social engineering" (a technique the infamous hacker Kevin Mitnick specialized in), for example by pretending to be an employee of a company so that real employees will share company secrets with you. To deceive computers, there are many different techniques. A common one is ARP cache poisoning, which is the core of this article. ARP poisoning lets a hacker on the LAN cause great damage to the network. Since it is often "unrecoverable", every network administrator should understand how such an attack works.
ARP Review
The article "Computer Network basics: What are NIC, MAC, and ARP?" (see the translator's article) explains how the Address Resolution Protocol (ARP) associates the MAC address of a network device with its IP address; in this way, devices in the same LAN can learn of each other's existence. ARP is basically a kind of network name lookup.
ARP is a simple protocol that contains only four types of messages:
1. ARP request. Computer A asks the whole LAN, "Who has this IP address?" (Translator's note: the English phrases are the text of the original messages.)
2. ARP reply. Computer B tells computer A, "I have that IP. My MAC address is [whatever it is]."
3. Reverse ARP request. Similar to an ARP request, but computer A asks, "Who has this MAC address?"
4. Reverse ARP reply. Computer B tells computer A, "I have that MAC. My IP address is [whatever it is]."
All network devices have an ARP mapping table (the ARP cache), a small area of memory that stores the IP address and MAC address pairs the device has already matched. The ARP mapping table ensures that the device does not repeatedly send ARP requests for devices it has already communicated with.
Here is an example of normal ARP communication. Jessica, a receptionist, tells Word (Translator's note: the Microsoft document editor) to print the latest corporate address book. This is her first print job today. Her computer (IP address 192.168.0.16) wants to send this print job to the office's HP LaserJet printer (IP address 192.168.0.45). So Jessica's computer broadcasts an ARP request asking, "Who has the IP address 192.168.0.45?" (Figure 1).
All devices in the LAN ignore this ARP request, except for the HP LaserJet printer. The printer sees that its own IP address is the one in the request, so it sends an ARP reply: "Hey, my IP address is 192.168.0.45. This is my MAC address: 00:90:7F:12:DE:7F" (Figure 2).
Now Jessica's computer knows the MAC address of the printer. It can send the print job to the correct device, and in its ARP mapping table the printer's MAC address 00:90:7F:12:DE:7F is now associated with its IP address 192.168.0.45.
Hey ARP, does the word "lie" exist in your dictionary?
The designers of ARP probably made the exchange this simple for the sake of efficiency. Unfortunately, this simplicity also brings huge security risks. Did you notice that I did not mention any form of authentication in my brief description of ARP? That is because ARP has none at all.
ARP assumes that both sides of the communication are safe and trustworthy, which makes it an easy target for deception. When a device in a network broadcasts an ARP request, it simply believes that the ARP reply it receives really comes from the correct device (because, according to the protocol, only the device that owns that IP address should send the corresponding reply). ARP provides no way to verify that the replying device is who its packet claims it is. In fact, many operating systems even accept ARP replies from other devices when no ARP request was ever sent.
Now, imagine you are a malicious hacker. You have just learned that the ARP protocol has no way of authenticating ARP replies. You also know that many devices accept replies without ever having sent a request. So why not craft a perfectly valid but malicious ARP reply packet containing any IP address and MAC address you choose? Because the victim's computer blindly accepts the ARP reply and adds it to its ARP mapping table, it can easily be tricked into associating any IP address you select with any MAC address you select. Furthermore, you can broadcast your fake ARP replies to the victim's entire network and spoof every computer in it. Mwahaha!
Back to reality. Now you probably see why this common technique is called ARP cache poisoning (or ARP poisoning): the attacker deceives the devices on your LAN, misleading or "poisoning" their knowledge of where the other devices are. This frightening yet simple attack lets an attacker do great harm to the network, as described below.
All your ARP packets are ours!
This ability to associate any IP address with any MAC address lets an attacker carry out many attacks, including Denial of Service (DoS), Man-in-the-Middle (MitM) and MAC Flooding.
Denial of Service
A hacker can easily bind an important IP address to an incorrect MAC address. For example, a hacker can send an ARP reply to your computer that binds the IP address of your network's router (that is, the default gateway) to a non-existent MAC address. Your computer thinks it knows where the default gateway is, but in fact every packet it sends to a destination outside its own network segment goes to a MAC address that does not exist on the LAN, so the packets finally vanish into the endless bit stream (Translator's note: the signal disappears because the packet's lifetime expires). In this way the hacker can prevent you from connecting to the Internet.
Man-in-the-middle attack
Hackers can use ARP cache poisoning to intercept network traffic between two devices in your LAN. For example, suppose a hacker wants to intercept the communication between your computer, 192.168.0.12, and your network router (Translator's note: the gateway), 192.168.0.1. The hacker first sends a malicious ARP "reply" (there was no request before it) to your router, binding the MAC address of his own computer to 192.168.0.12 (Figure 3).
Now your router thinks that the hacker's computer is yours.
Then the hacker sends a malicious ARP reply to your computer, binding his MAC address to 192.168.0.1 (Figure 4).
Now your machine thinks that the hacker's computer is your router.
Finally, the hacker enables an operating system feature called IP forwarding. This feature allows the hacker's computer to forward all network traffic from your computer on to the router (Figure 5).
Now, whenever you try to access the Internet, your computer sends the traffic to the hacker's machine, and the hacker forwards it to the router. Because the hacker still forwards your traffic to the network router, you will not notice that he has intercepted all of it; meanwhile he may be eavesdropping on your plaintext passwords or hijacking your once-secure network sessions.
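As an added example (not code from the original article), the following Python decodes ARP messages in the four-opcode format described above and keeps a shadow ARP table that flags the two symptoms of the poisoning scenario just described: a reply nobody requested, and an IP whose MAC binding suddenly changes. The same check also catches the DoS variant, where an unsolicited reply binds the gateway IP to a bogus MAC. The addresses, MACs and frames are constructed sample data, and the detector logic is the editor's own.

```python
import struct
from typing import Dict, List, Set, Tuple

# ARP opcodes: 1/2 are the request/reply pair, 3/4 the reverse-ARP pair described above.
OPCODES = {1: "request", 2: "reply", 3: "rarp-request", 4: "rarp-reply"}

def parse_arp(payload: bytes) -> dict:
    """Decode the 28-byte payload of an Ethernet/IPv4 ARP frame (Ethernet header removed)."""
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", payload[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", payload[8:28])
    mac = lambda b: ":".join(f"{x:02x}" for x in b)
    ip = lambda b: ".".join(str(x) for x in b)
    return {"op": OPCODES.get(oper, f"unknown({oper})"), "sender_mac": mac(sha),
            "sender_ip": ip(spa), "target_mac": mac(tha), "target_ip": ip(tpa)}

class ArpMonitor:
    """Shadow ARP table flagging replies nobody asked for and IPs whose MAC changes."""
    def __init__(self) -> None:
        self.cache: Dict[str, str] = {}             # IP -> MAC learned from replies
        self.pending: Set[Tuple[str, str]] = set()  # (asker IP, asked-for IP) of open requests
        self.alerts: List[str] = []

    def observe(self, payload: bytes) -> None:
        p = parse_arp(payload)
        if p["op"] == "request":
            self.pending.add((p["sender_ip"], p["target_ip"]))
        elif p["op"] == "reply":
            key = (p["target_ip"], p["sender_ip"])  # the reply is addressed back to the asker
            if key in self.pending:
                self.pending.discard(key)
            else:
                self.alerts.append(f"unsolicited reply: {p['sender_ip']} is-at {p['sender_mac']}")
            old = self.cache.get(p["sender_ip"])
            if old is not None and old != p["sender_mac"]:
                self.alerts.append(f"binding change: {p['sender_ip']} {old} -> {p['sender_mac']}")
            self.cache[p["sender_ip"]] = p["sender_mac"]   # a real host would now be poisoned

# Constructed sample frames (not a real capture): 192.168.0.12 asks who has 192.168.0.1,
# the router answers, then an unsolicited reply claims the router's IP with another MAC.
SAMPLE_FRAMES = [
    bytes.fromhex("0001080006040001" "aaaaaaaaaaaa" "c0a8000c" "000000000000" "c0a80001"),
    bytes.fromhex("0001080006040002" "001122334455" "c0a80001" "aaaaaaaaaaaa" "c0a8000c"),
    bytes.fromhex("0001080006040002" "deadbeef0001" "c0a80001" "aaaaaaaaaaaa" "c0a8000c"),
]

def run_sample() -> ArpMonitor:
    monitor = ArpMonitor()
    for frame in SAMPLE_FRAMES:
        monitor.observe(frame)
    return monitor
```

After the three frames, `run_sample().alerts` holds one "unsolicited reply" and one "binding change" entry for 192.168.0.1, which is exactly what a host-based ARP watcher would raise during the man-in-the-middle steps above.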
MAC flood
MAC flooding is an ARP cache poisoning technique aimed at network switches. When overloaded with traffic, these switches often fall into "hub" mode. In "hub" mode, a switch is too busy to enforce its port security and instead simply broadcasts all network traffic to every computer on the network. By flooding a switch's ARP mapping table with a large number of forged ARP replies, a hacker can overload switches from most manufacturers. Then, once the switch enters "hub" mode, the hacker can sniff your LAN.
Scared? Okay, calm down now!
This is frightening. ARP cache poisoning can cause great harm to a network with very little effort. However, before you go into high-security mode, notice an important mitigating factor: only an attacker on the LAN can exploit ARP's weaknesses (because ARP operates only within the LAN, that is, the subnet). A hacker must find a network port on your premises and plug into your LAN, or take control of a machine already on the LAN, in order to carry out an ARP cache poisoning attack. ARP's weaknesses cannot be exploited remotely.
That is to say, hackers will be