Arp spoofing principle and detection method in Android Environment


Test Environment Description

Gateway: IP: 172.20.150.1, MAC: 24:05:0f:0f:ce:53
Target (mobile phone): IP: 172.20.150.20, MAC: 00:08:22:D8:06:D2
Attack host (VM): IP: 172.20.150.2, MAC: accept
Access point (360 free wifi): BSSID: 24:05:0f:0f:ce:53 (MAC of the gateway), SSID: private (wifi name)
Attack scenario: the attack host uses Cain to perform two-way ARP spoofing on the gateway and the target.

Arp working principle and spoofing Principle

Traffic inside a LAN is delivered based on the MAC address, not the IP address.

Suppose host A needs to communicate with host B, and that A and B have just started up, or their ARP cache tables are empty. To communicate, each side has to encapsulate its data. We will leave the other layers aside and look only at the data link layer and the network layer. A, as the data source, first encapsulates the data at the network layer. This means adding an IP header that contains the source and target IP address fields. A knows both the source IP address and the target IP address, so this step goes smoothly. The problem appears when the packet is handed to the data link layer to be encapsulated into a frame, because the frame header needs a source MAC field and a target MAC field. The source MAC is A's own, but what about the target MAC? A does not have it. Can encapsulation continue, or is the communication terminated?

In fact, before encapsulation, host A looks in its ARP cache table (you can view it manually: Start > Run > cmd > arp -a). If the cache table contains the MAC and IP information of the target host (host B), the frame can be formed without any problem. If not, A goes through an ARP resolution process: it sends a broadcast request asking for the MAC address of the other party. You can see this request with a sniffer.

The ARP request carries a question: "Hello, I am 192.168.12.1, and my MAC address is. 192.168.12.2, what is your MAC address?" All hosts in the network segment receive this broadcast, but only the host with the IP address 192.168.12.2 responds. At the same time, the receiving host records the mapping between A's IP address and MAC address and puts it in its ARP cache. After this exchange, both A and B hold the mapping between the other party's IP address and MAC address, and the Layer 2 and Layer 3 encapsulation can be completed.

Now imagine that, after A broadcasts and B responds, a third party C listens to the A-B conversation in some way and intercepts the ARP response that B sent. C can change the MAC address field in the response to another MAC address and then deliver the modified frame to A. At this point, does A get two responses? Which one will it accept? That comes later. Through this interception and modification, A caches the modified MAC address. A then encapsulates data frames with an incorrect MAC, and the data is sent to a host that C controls.
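The "two responses" situation described above can be spotted on the wire. The following is an added example, not part of the original article: it decodes ARP bodies and reports when one IP address is claimed by a second MAC address. The three packets and the MAC addresses 02:00:00:00:00:01 to 02:00:00:00:00:03 are constructed samples standing in for A, B and C.

```python
import socket
import struct

ARP_FMT = "!HHBBH6s4s6s4s"  # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_arp(payload):
    """Decode the 28-byte ARP body for Ethernet/IPv4; return None otherwise."""
    if len(payload) < 28:
        return None
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(ARP_FMT, payload[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"op": oper, "sender_mac": mac(sha), "sender_ip": socket.inet_ntoa(spa),
            "target_mac": mac(tha), "target_ip": socket.inet_ntoa(tpa)}

def find_conflicts(payloads):
    """Return (ip, first_mac, new_mac) each time an IP is claimed by a new MAC."""
    seen, conflicts = {}, []
    for p in payloads:
        arp = parse_arp(p)
        if arp is None:
            continue
        ip, m = arp["sender_ip"], arp["sender_mac"]
        if ip in seen and seen[ip] != m:
            conflicts.append((ip, seen[ip], m))
        seen.setdefault(ip, m)
    return conflicts

def sample(op, sha, spa, tha, tpa):
    """Build a constructed ARP body for this demo (all MACs are made up)."""
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op, bytes.fromhex(sha),
                       socket.inet_aton(spa), bytes.fromhex(tha), socket.inet_aton(tpa))

A, B, C = "020000000001", "020000000002", "020000000003"
CAPTURE = [
    sample(1, A, "192.168.12.1", "000000000000", "192.168.12.2"),  # A asks for B
    sample(2, B, "192.168.12.2", A, "192.168.12.1"),               # B's real reply
    sample(2, C, "192.168.12.2", A, "192.168.12.1"),               # altered reply
]
```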

ARP table of the target after ARP spoofing occurs:

Normal arp table


Route table

In a computer network, a route table, also called a RIB (Routing Information Base), stores the paths to specific network addresses (in some cases it also records the route metric of each path). The routing table contains topology information about the network. Simply put, the route table works entirely at the network layer. Based on the information in the route table, the host sends outgoing IP data through the specified NIC.

Route table of the target:


 

Note:

Destination, Gateway, and Mask are all written in hexadecimal with the bytes in reverse order. For example, 019614AC actually represents AC:14:96:01, which converted to decimal is 172.20.150.1.

Destination: the destination network of the route. It is combined with the Mask by an AND operation to obtain the network segment. A result of 00000000 means all network segments. The first record indicates that the gateway for all network segments is 172.20.150.1 and that traffic is sent out through the wlan0 NIC.

BSSID and SSID of Wifi:

SSID: Service Set Identifier. SSID technology divides a wireless LAN into several sub-networks, each of which requires its own authentication. Only authenticated users can access the corresponding sub-network, which prevents unauthorized users from accessing the network. The SSID is the name of the wifi network.

BSSID: Basic Service Set Identifier. The BSSID is the MAC address of the Wi-Fi access point.

BSSID and SSID of the target:

The figure shows that the BSSID is 24:05:0f:0f:ce:53 and the SSID is private.

Principles of Arp Spoofing Detection in Android

When a user connects a mobile phone to wifi, the user usually searches for the wifi name, enters the password, and then goes online. Only in rare cases does the user configure the gateway manually, and traffic is exchanged only with the gateway. The user's default gateway is therefore the Wi-Fi access point, so the BSSID of the wifi and the MAC of the user's gateway will be the same. The ARP detection principle follows from this:

1. Obtain the BSSID, that is, the MAC of the gateway (mac1).
2. From the route table, obtain the gateway IP address of the route that covers all network segments, then look up the MAC address of that gateway IP address in the ARP table (mac2).

If mac1 and mac2 are the same, there is no ARP attack. If they are different (mac2 was introduced by ARP spoofing), an ARP attack is in progress.
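The mac1/mac2 comparison above, as an added example that is not code from the original article or from the app it describes. It assumes the route and ARP tables are read in the Linux /proc/net/route and /proc/net/arp text layout; the table contents are constructed samples, and 02:00:00:00:00:02 is a made-up MAC standing in for the attack host.

```python
import socket
import struct

# Constructed samples in the layout of /proc/net/route and /proc/net/arp.
ROUTE = (
    "Iface\tDestination\tGateway\tFlags\tRefCnt\tUse\tMetric\tMask\tMTU\tWindow\tIRTT\n"
    "wlan0\t009614AC\t00000000\t0001\t0\t0\t0\t00FFFFFF\t0\t0\t0\n"
    "wlan0\t00000000\t019614AC\t0003\t0\t0\t0\t00000000\t0\t0\t0\n"
)
ARP_HEADER = "IP address       HW type     Flags       HW address            Mask     Device\n"
ARP_CLEAN = ARP_HEADER + "172.20.150.1     0x1         0x2         24:05:0f:0f:ce:53     *        wlan0\n"
# 02:00:00:00:00:02 is a made-up MAC standing in for the attack host.
ARP_SPOOFED = ARP_HEADER + (
    "172.20.150.1     0x1         0x2         02:00:00:00:00:02     *        wlan0\n"
    "172.20.150.2     0x1         0x2         02:00:00:00:00:02     *        wlan0\n"
)

def hex_le_to_ip(field):
    """'019614AC' -> '172.20.150.1': the four bytes are stored in reverse order."""
    return socket.inet_ntoa(struct.pack("<I", int(field, 16)))

def default_gateway(route_text):
    """Return (iface, gateway_ip) for the route with Mask 00000000, else None."""
    for line in route_text.splitlines()[1:]:
        f = line.split()
        # Flags bit 0x2 (RTF_GATEWAY) marks a route that goes via a gateway.
        if len(f) >= 8 and int(f[7], 16) == 0 and int(f[3], 16) & 0x2:
            return f[0], hex_le_to_ip(f[2])
    return None

def arp_entries(arp_text, iface):
    """Map IP -> MAC for completed (flag 0x2) ARP entries on one interface."""
    out = {}
    for line in arp_text.splitlines()[1:]:
        f = line.split()
        if len(f) >= 6 and f[5] == iface and int(f[2], 16) & 0x2:
            out[f[0]] = f[3].lower()
    return out

def check_gateway(bssid, route_text, arp_text):
    """Compare mac1 (the BSSID) with mac2 (ARP entry of the default gateway)."""
    gw = default_gateway(route_text)
    table = arp_entries(arp_text, gw[0]) if gw else {}
    mac2 = table.get(gw[1]) if gw else None
    if mac2 is None:
        return ("unknown", None, [])
    # Other IPs sharing mac2 point at the host that is answering for the gateway.
    same = sorted(ip for ip, m in table.items() if m == mac2 and ip != gw[1])
    return ("ok" if mac2 == bssid.lower() else "spoofed", mac2, same)
```

The third element of the result lists other IP addresses in the ARP table that share mac2, which in the spoofed sample is 172.20.150.2.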
 

Derivative: if the user configures the gateway manually, the gateway IP address in the route record has no relationship with the BSSID. ARP spoofing does not change the gateway IP address, so you can continuously monitor whether the MAC address that corresponds to the gateway IP address in the ARP cache table is changing. A change indicates that an ARP attack is happening or that an ARP attack has ended. For example, once the gateway IP address and its MAC address have been determined through a long period of statistics, an ARP attack is detected when the entry for that IP address in the ARP table changes.

Others

This article is based on reverse engineering how Wi-Fi Protection works, and shows that Wi-Fi Protection can detect ARP spoofing accurately. Some technical details of Wi-Fi Protection are as follows:

1. It polls the route table and the ARP table for changes in a 5s cycle and detects ARP spoofing using the principles above.
2. After ARP spoofing occurs, it alerts the user as follows:
a) Vibrate
b) Ring
c) Disconnect the current wifi connection
d) Status bar prompt
e) Launch an Activity to display the attack

Apk:


 

Apk download: http://www.bkjia.com/soft/201311/43625.html
