ARP spoofing analysis

Source: Internet
Author: User

I. The ARP communication process

Traffic on a LAN is not delivered by IP address but by MAC address; a computer identifies another machine by its MAC. To send a packet to host B, host A first queries its local ARP cache table. If the MAC address corresponding to B's IP address is found, the data is transmitted. If not, A broadcasts an ARP request packet carrying the IP address of host B. All hosts on the network, including B, receive the ARP request, but only host B recognizes its own IP address, so only B sends an ARP response packet back to A containing B's MAC address. After receiving the response from B, A updates its local ARP cache and then uses that MAC address to send the data (the MAC address is appended by the NIC).

II. A complete ARP spoofing

There are two types of ARP spoofing: two-way spoofing and one-way spoofing.

1. One-way spoofing

A: IP 192.168.10.1, MAC AA-AA-AA-AA-AA-AA
B: IP 192.168.10.2, MAC BB-BB-BB-BB-BB-BB
C: IP 192.168.10.3, MAC CC-CC-CC-CC-CC-CC

A and C are communicating. B sends A a self-built ARP response in which the sender's IP address is 192.168.10.3 (C's IP address) and the MAC address is BB-BB-BB-BB-BB-BB (C's MAC address should have been CC-CC-CC-CC-CC-CC; it is forged here). When A receives B's forged ARP response, it updates its local ARP cache (A is cheated), and B is now disguised as C. At the same time, B also sends an ARP response to C; in that response the sender IP address is 192.168.10.1 (A's IP address) and the MAC address is BB-BB-BB-BB-BB-BB (A's MAC address should have been AA-AA-AA-AA-AA-AA). When C receives the forged ARP response from B, it also updates its local ARP cache (C is also spoofed), and B is disguised as A. In this way, both host A and host C are spoofed by host B, and the data exchanged between A and C passes through B. Host B knows exactly what they are talking about :). This is a typical ARP spoofing process.

Interrupting the communication from A to C. Implementation principle: B sends an ARP packet to A stating that C's address is 00:00:00:00:00:00 (an incorrect address). The packets A sends to C then go to that address, which is wrong, so the communication is interrupted. Note that only A --> C is interrupted; C --> A is not, which is why this is called one-way spoofing.

Interrupting the communication from C to A. The implementation principle is the same as in the first case. Combined with the first case, the communication between A and C is completely interrupted, that is, A <-- × --> C.

Intercepting the communication between A and C. Implementation principle: B sends an ARP packet to A stating that C's address is AA:BB:CC:DD:EE:FF (B's own address); in effect B tells A "I am C", so the data A sends to C goes to B. Once B has the data it can do whatever it wants with it: discard it, in which case the communication is interrupted, or forward it on to C, in which case a loop is formed and B is a man-in-the-middle monitoring the communication between A and C. A packet capture tool such as Cain can then be used for local sniffing.

2. Two-way spoofing principle

A needs to communicate normally with C. B tells A "I am C" and tells C "I am A". The ARP cache tables of both A and C are modified, and in all subsequent communication A sends data to B, B sends it to C, C sends data to B, and B sends it to A. The attacking host sends ARP response packets to the attacked host and to the gateway; both update their ARP cache tables with the MAC address of the attacking host, and in this way the data between them is intercepted by the attacking host.

III. Differences between two-way and one-way spoofing

One-way spoofing refers to spoofing the gateway only. There are three machines: A (gateway), B (server), C (server). A needs to communicate normally with C. B tells A "I am C", so the data A intended for C is delivered to B instead, because A's local cache table has been modified. The communication from C to A, however, is still normal; only the communication from A to C is abnormal.

Two-way spoofing refers to spoofing both the gateway and the attacked machine. Again A (gateway), B (server), C (server), and A must communicate normally with C. B tells A "I am C" and tells C "I am A". The ARP cache tables of both A and C are modified, and all data sent between them goes to B.

IV. Finding the ARP spoofing host

1. Use the "Sniffer killer" in ArpKiller to scan the whole LAN IP segment and look for the computer whose NIC is in promiscuous mode. After the scan, an IP address shown with a green hat icon is in normal mode; one shown with a red hat has its NIC in promiscuous mode. That is our target: this machine is running a tool such as "cyber law enforcement officer" to make trouble.

2. On any affected host, run tracert in a DOS command window, for example: tracert 61.135.179.148. If the default gateway is 10.8.6.1 but the first hop when tracing an Internet address is 10.8.6.186, then 10.8.6.186 is the virus source. Principle: the infected host plays the "intermediary" between the affected host and the gateway. All packets that should have reached the gateway are sent to the infected host because of the incorrect MAC address, so the infected host acts as a proxy and appears as the default gateway.

V. Protection measures

1. The most common method is to bind the local IP address to the route address (note: bind the MAC address).
2. Shadow ARP firewall.

VI. How hackers often break through the ARP firewall

The process is as follows. The principle of breaking the ARP firewall is to constantly send packets to the gateway (dozens of times per second) telling the gateway "I am the real machine", so that other machines cannot impersonate the local machine. (For example, if the target machine is A and you are B, you tell the gateway that you are A.) Because of the high sending frequency, in a short period of time the gateway takes you for the victim machine. So the target machine's normal data packets are sent.
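As an added example (not part of the original article), the following Python script encodes a constructed set of ARP replies for the A/B/C scenario described above, replays them through a shadow ARP cache, and reports the two conflicts a defender looks for when hunting the spoofing host: an IP address claimed by more than one MAC, and one MAC claiming several IP addresses (the two-way pattern). Frame layout follows RFC 826; the addresses, sample frames and function names are constructed for this example.

```python
import struct
from collections import defaultdict

# Ethernet header (dst MAC, src MAC, EtherType) followed by the ARP body (RFC 826 layout).
ETH_FMT, ARP_FMT, ETH_ARP, ARP_REPLY = "!6s6sH", "!HHBBH6s4s6s4s", 0x0806, 2

def mac_bytes(mac): return bytes.fromhex(mac.replace("-", "").replace(":", ""))
def ip_bytes(ip): return bytes(int(o) for o in ip.split("."))
def fmt_mac(b): return "-".join(f"{x:02X}" for x in b)
def fmt_ip(b): return ".".join(str(x) for x in b)
def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Encode one ARP reply frame (used here only to construct sample traffic)."""
    eth = struct.pack(ETH_FMT, mac_bytes(target_mac), mac_bytes(sender_mac), ETH_ARP)
    arp = struct.pack(ARP_FMT, 1, 0x0800, 6, 4, ARP_REPLY, mac_bytes(sender_mac),
                      ip_bytes(sender_ip), mac_bytes(target_mac), ip_bytes(target_ip))
    return eth + arp

def parse_arp(frame):
    """Return (opcode, sender MAC, sender IP), or None for non-ARP frames."""
    if len(frame) < 42 or struct.unpack(ETH_FMT, frame[:14])[2] != ETH_ARP:
        return None
    _, _, _, _, op, sha, spa, _, _ = struct.unpack(ARP_FMT, frame[14:42])
    return op, fmt_mac(sha), fmt_ip(spa)

def detect_spoofing(frames):
    """Replay replies through a shadow ARP cache; flag IPs with several MACs, then MACs with several IPs."""
    ip_to_macs, alerts = defaultdict(set), []
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None or parsed[0] != ARP_REPLY:
            continue
        _, mac, ip = parsed
        ip_to_macs[ip].add(mac)
        if len(ip_to_macs[ip]) > 1:
            alerts.append(f"{ip} claimed by {sorted(ip_to_macs[ip])}")
    mac_to_ips = defaultdict(set)
    for ip, macs in ip_to_macs.items():
        for mac in macs:
            mac_to_ips[mac].add(ip)
    alerts += [f"{mac} claims {sorted(ips)}" for mac, ips in sorted(mac_to_ips.items()) if len(ips) > 1]
    return alerts

# Constructed sample traffic: two genuine replies, then B's two forged replies (B claims C's IP to A, A's IP to C).
A, B, C = "AA-AA-AA-AA-AA-AA", "BB-BB-BB-BB-BB-BB", "CC-CC-CC-CC-CC-CC"
SAMPLE_FRAMES = [
    build_arp_reply(A, "192.168.10.1", C, "192.168.10.3"),
    build_arp_reply(C, "192.168.10.3", A, "192.168.10.1"),
    build_arp_reply(B, "192.168.10.3", A, "192.168.10.1"),
    build_arp_reply(B, "192.168.10.1", C, "192.168.10.3"),
]
```

Running detect_spoofing(SAMPLE_FRAMES) yields three alerts: both 192.168.10.3 and 192.168.10.1 are claimed by two MACs, and BB-BB-BB-BB-BB-BB claims both IPs, which is the signature of the two-way case in section II.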
