APP protocol and ARP attack

 

What is ARP? ARP stands for AddressResolutionProtocol. In the LAN, the actual transmission is frame, and the frame contains the MAC address of the target host. In an Ethernet network, to directly communicate with another host, you must know the MAC address of the target host. The target MAC address is obtained through the Address Resolution Protocol. The so-called "Address Resolution" refers to the process in which the host converts the target IP address to the target MAC address before sending the frame. The basic function of ARP is to query the MAC address of the target device through the IP address of the target device to ensure smooth communication.

 

Each computer has an ARP cache table when the TCP/IP protocol is installed. The IP addresses in the table correspond to the MAC addresses one by one. If the IP address does not match the MAC address, you have to do something. ARP is of great significance to network security. ARP spoofing is achieved by forging IP addresses and MAC addresses, which can generate a large amount of ARP traffic in the network to block the network. This is a common LAN security issue that is currently difficult to solve. The following is an example of how ARP works. We use host A (192.168.1.11) to send data to host B (192.168.1.12) as an example. When sending data, host A searches for the target IP address in its ARP cache table. If you find the target MAC address, you can directly write the target MAC address into the frame and send it. If the corresponding IP address is not found in the ARP cache table, host A sends A broadcast on the network. The target MAC address is "FF. FF. FF. FF. FF. FF ", which means to send such a question to all hosts in the same network segment:" What is the MAC address of 192.168.1.12?" Other hosts on the network do not respond to ARP requests. Host B responds to host A only when it receives the frame: "the MAC address of 192.168.1.12 is bb-bb ". In this way, host A knows the MAC address of host B and can send information to host B. At the same time, it also updates its ARP cache table. The next time it sends a message to host B, it can directly find it from the ARP cache table. The ARP cache table adopts an aging mechanism. If a row in the table is not used for a period of time, it will be deleted. This can greatly reduce the length of the ARP cache table and speed up query. As can be seen from the above, the foundation of ARP is to trust all people in the LAN, so it is easy to implement ARP spoofing on Ethernet. The target A is spoofed, and A's Ping host C is sent to the DD-DD-DD-DD-DD-DD address. If the MAC address of C is spoofed into A DD-DD-DD-DD-DD-DD, the packets sent by A to C become sent to D. Isn't it because D can receive the packet sent by A? The sniffing succeeds.

 

A is not aware of this change at all, but the following things make A suspect. Because A and C cannot be connected. D. The data packet sent from A to C is not transferred to C.

 

"Maninthemiddle" and ARP redirection. Enable the IP forwarding function of D. Forward the data packets sent by A to C, just like A router. However, if D sends ICMP redirection, the entire plan is interrupted.

 

D. directly modify and forward the entire package, capture all the packets sent by A to C, and then forward them to C, the packets received by C are completely considered sent from. However, the packets sent by C are directly transmitted to A, if the ARP spoofing to C is performed again. Now D has completely become the intermediate bridge between A and C, and you can understand the communication between A and C. ARP fault

 

When a host in the LAN runs the ARP spoofing Trojan program, it deceives all hosts and routers in the LAN so that all Internet traffic must pass through the virus host. Other users directly access the Internet through the vro and now access the Internet through the virus host. When switching, the user will be disconnected once.

 

After you switch to the virus host to access the Internet, if you have logged on to the legendary server, the virus host will often forge broken line images, so you have to log on to the legendary server again, in this way, the virus host can steal the number.

 

When a trojan program with ARP spoofing occurs, a large number of packets are sent, resulting in LAN communication congestion and restrictions on its processing capabilities. Users will feel that the Internet access speed is getting slower and slower. When the ARP spoofing Trojan program stops running, the user will resume accessing the Internet from the vro. During the switching process, the user will disconnect the line again, so that the user's access speed will become slower and slower.

 

Advanced users quickly discover ARP spoofing Trojans

 

The following information is displayed in the "system history" of the vro (this prompt is only available in vro Software Versions later than 440 ):

 

MACChged10.128.103.124

 

MACOld00: 01: 6c: 36: d1: 7f

 

MACNew00: 05: 5d: 60: c7: 18

 

This message indicates that the user's MAC address has changed. When the ARP spoofing Trojan starts running, update the MAC addresses of all hosts in the LAN to the MAC addresses of the virus hosts (that is, the MACNew addresses of all information are consistent with the MAC addresses of the virus hosts ), in the "user statistics" of the vro, the MAC address information of all users is the same. If a large number of MACOld addresses are consistent in the "system history" of the router, it indicates that ARP spoofing has occurred in the LAN (when the ARP spoofing Trojan program stops running, the host restores its real MAC address on the vro ).

 

Search for virus hosts in the LAN

 

We have known the MAC address of the host that uses ARP to spoof Trojans, so we can use the NBTSCAN (: [url] http://www.utt.com.cn/upload/nbtscan.rar#/url]) tool to quickly find it.

 

NBTSCAN can obtain the real IP address and MAC address of the PC. If there is a "legend Trojan", you can find the IP address and MAC address of the PC where the trojan is installed.

 

Command: nbtscan-r192.168.1.0/24 (search for the entire 192.168.1.0/24 CIDR block, that is

 

192.168.16.1-192.168.1.254); or "nbtscan192.168.1.25-137", search for the 192.168.1.25-137 CIDR block, that is, 192.168.1.25-192.168.1.20. The first column of the output result is the IP address, and the last column is the MAC address.

 

Example of NBTSCAN:

 

Suppose you want to find a virus host with the MAC address "000d870d585f.

 

1. Decompress nbtscan.exe and cygwin1.dll In the compressed package to c.

 

2) Start-run-open in windows, Enter cmd (enter "command" in windows98), and enter C:

 

Btscan-r192.168.1.1/24 (here you need to enter according to the user's actual network segment), press Enter.

 

C: DocumentsandSettingsALAN> C:

 

Btscan-r192.168.1.1/24

 

Warning:-roptionnotsupportedunderWindows. Runningwithoutit.

 

DoingNBTnamescanforaddressesfrom192.168.1.1/24

 

IPaddressNetBIOSNameServerUserMACaddress

 

192.168.1.0Sendtofailed: Cannotassignrequestedaddress

 

192.168.1.50SERVER00-e0-4c-4d-96-c6

 

192.168.1.111LLFADMINISTRATOR00-22-55-66-77-88

 

192.168.1.121UTT-HIPER00-0d-87-26-7d-78

 

192.168.1.175JC00-07-95-e0-7c-d7

 

192.168.1.223test123test12300-0d-87-0d-58-5f

 

3) by querying the corresponding table of the IP--MAC, find the IP address of the virus host "000d870d585f" is "192.168.1.223 ".

 

Solution

 

1. Do not establish your network security trust relationship on the basis of IP or MAC (rarp also has the problem of spoofing). The ideal relationship should be on the basis of IP + MAC.

 

2. Set a static MAC --> IP address table. Do not refresh the conversion table you set on the host.

 

3. Stop using ARP unless necessary, and save ARP as a permanent entry in the corresponding table.

 

4. Use the ARP Server. The server looks for its own ARP conversion table to respond to ARP broadcasts from other machines. Make sure that the ARP Server is not hacked.

 

5. Use "proxy" to transmit the proxy IP address.

 

6. Use hardware to shield hosts. Set your route so that the IP address can reach a valid path. (Configure route ARP entries statically). Note that using the exchange hub and bridge cannot prevent ARP spoofing.

 

7. The Administrator periodically obtains an rarp request from the response IP packet and checks the authenticity of the ARP response.

 

8. The Administrator regularly polls and checks the ARP cache on the host.

 

9. Use a firewall to connect to the monitoring network. Note that when SNMP is used, ARP spoofing may cause the loss of trap packets.

 

Solutions for advanced users

 

We recommend that you use bidirectional binding to prevent ARP spoofing.

 

1. the IP address and MAC address of the vro bound to the PC:

 

1) First, obtain the MAC address of the vro Intranet (for example, the MAC address of the gateway address 192.168.16.254 is 0022aa0022aa LAN port MAC address> ).

 

2) Compile a batch file rarp. bat with the following content:

 

@ Echooff

 

Arp-d

 

Arp-s192.168.1.25400-22-aa-00-22-aa

 

Change the gateway IP address and MAC address in the file to your own gateway IP address and MAC address.