ARP spoofing and man-in-the-middle attacks

Tags: mitm, attack

Objective:

The previous notes on WPA/WPA2 Wi-Fi password cracking covered how to detect nearby access points and break into them. Once someone has joined the local area network, what can they do? In other words, if someone gets into our internal network, what is the impact? This article briefly introduces the principles of ARP and MITM attacks, hijacks the traffic of a target host in a real environment, and exposes common problems on public networks to show what privacy leaks and security risks clients on a LAN face.

The principle of ARP and MITM

What is ARP

ARP stands for Address Resolution Protocol. It is a TCP/IP protocol that obtains a physical (MAC) address from an IP address. When a host sends a packet, it broadcasts an ARP request containing the destination IP address to all hosts on the network and waits for the reply that identifies the target's physical address. Once the reply arrives, the IP address and physical address are stored in the local ARP cache for a period of time, so that the next request can be answered from the cache and resources are conserved. The Address Resolution Protocol relies on every host on the network trusting every other host: any host can send an ARP reply on its own initiative, and the receiving host does not check the authenticity of the reply before recording it in its local ARP cache. An attacker can therefore send forged ARP replies to a host so that the host's traffic never reaches the intended destination, or reaches the wrong one; this is ARP spoofing. The arp command can be used to query the IP-to-MAC mappings in the local ARP cache, add or remove static mappings, and so on.

For example, on the Linux command line:

$ sudo arp -a

Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.1.1              ether   0a-11-22-33-44-01   C                     wlan0
192.168.1.2              ether   0a-11-22-33-44-02   C                     wlan0

You can see the intranet IP addresses and MAC addresses of the other clients on the LAN.

Work process

Now assume that host A's IP address is 192.168.1.1 and its MAC address is 0a-11-22-33-44-01, and that host B's IP address is 192.168.1.2 and its MAC address is 0a-11-22-33-44-02. When host A wants to communicate with host B, the Address Resolution Protocol resolves host B's IP address (192.168.1.2) to host B's MAC address. The workflow is as follows:

1. Based on the contents of host A's routing table, IP determines that the forwarding address used to reach host B is 192.168.1.2. Host A then checks its local ARP cache for host B's MAC address.

2. If host A finds no mapping in its ARP cache, it broadcasts an ARP request frame asking for the hardware address of 192.168.1.2 to all hosts on the local network. The request contains host A's own IP address and MAC address. Every host on the local network receives the ARP request and checks whether the requested IP address matches its own; if it does not, the host discards the request.

3. Host B determines that the IP address in the ARP request matches its own, and adds host A's IP-to-MAC mapping to its local ARP cache.

4. Host B sends an ARP reply containing its MAC address directly back to host A.

5. When host A receives the ARP reply from host B, it updates its ARP cache with host B's IP-to-MAC mapping. The cache entry has a lifetime; once it expires, the procedure above is repeated. Once host B's MAC address is known, host A can send IP traffic to host B.

Working element: the ARP cache

The ARP cache is a buffer that stores IP addresses and MAC addresses; it is essentially a table mapping IP addresses to MAC addresses, with each entry recording the IP address and corresponding MAC address of another host on the network. Each Ethernet or Token Ring network adapter has its own separate table. When the Address Resolution Protocol is asked for the MAC address of a known IP address, it first looks in the ARP cache: if the entry is present, the corresponding MAC address is returned directly; if not, an ARP request is sent on the LAN. To minimise broadcast traffic, ARP keeps this cache of IP-to-MAC mappings for future use. The ARP cache can contain both dynamic and static entries. Dynamic entries are added and deleted automatically over time. The potential lifetime of each dynamic ARP cache entry is 10 minutes: an entry added to the cache is timestamped, and if it is not reused within 2 minutes of being added it expires and is removed from the cache; if it is used, it receives another 2-minute lifetime, and an entry that stays in use keeps receiving 2-minute extensions, up to a maximum lifetime of 10 minutes. Static entries remain in the cache until the computer is restarted.
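As an added illustration (not code from the original article) of the cache behaviour just described, the following Python models one host's ARP cache: dynamic entries get the 2-minute renewals capped at 10 minutes from above and accept any reply unchecked, while a static entry ignores replies. The rogue MAC 0a-11-22-33-44-fe is a constructed value.

```python
class ArpCache:
    """Model of one host's ARP cache: dynamic entries trust any reply, static ones do not."""
    RENEW = 120       # seconds of life a dynamic entry gets when added or reused
    MAX_LIFE = 600    # hard cap on a dynamic entry's total lifetime

    def __init__(self):
        self.entries = {}   # ip -> {"mac", "static", "created", "expires"}

    def add_static(self, ip, mac):
        """Pin a mapping by hand; it survives until reboot and ignores ARP replies."""
        self.entries[ip] = {"mac": mac, "static": True}

    def on_reply(self, ip, mac, now):
        """Handle an ARP reply, solicited or not. Nothing verifies the sender, which is the
        weakness the article describes; only a static entry refuses the overwrite."""
        e = self.entries.get(ip)
        if e and e["static"]:
            return False
        self.entries[ip] = {"mac": mac, "static": False, "created": now, "expires": now + self.RENEW}
        return True

    def lookup(self, ip, now):
        """Resolve ip, expiring stale dynamic entries and renewing ones that are still in use."""
        e = self.entries.get(ip)
        if e is None:
            return None
        if e["static"]:
            return e["mac"]
        if now >= e["expires"]:
            del self.entries[ip]
            return None
        e["expires"] = min(now + self.RENEW, e["created"] + self.MAX_LIFE)   # +2 min, capped at 10
        return e["mac"]

def poisoning_demo():
    """Host A learns the gateway dynamically vs. pins it statically, then a forged reply arrives."""
    gw_ip, gw_mac = "192.168.1.1", "0a-11-22-33-44-01"
    rogue_mac = "0a-11-22-33-44-fe"            # constructed attacker MAC, not from the article
    dynamic, pinned = ArpCache(), ArpCache()
    dynamic.on_reply(gw_ip, gw_mac, now=0)     # genuine reply from the gateway
    pinned.add_static(gw_ip, gw_mac)
    for cache in (dynamic, pinned):
        cache.on_reply(gw_ip, rogue_mac, now=10)   # unsolicited forged reply
    return dynamic.lookup(gw_ip, 11), pinned.lookup(gw_ip, 11)
```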

ARP spoofing vs. MITM

MITM stands for man in the middle. The Address Resolution Protocol relies on trust between the hosts on a network; this makes the network run more efficiently, but it also leaves a weakness. The ARP address translation table is updated dynamically from the cache in the computer, cache updates are bounded by an update period, and only the mappings of the most recently used addresses are kept, which gives an attacker the opportunity to modify the translation table before the cache refreshes its entries and so carry out an attack. ARP requests are sent as broadcasts, any host on the network can send an ARP reply on its own initiative, and a host that receives a reply records it in its local MAC address table without checking its authenticity, so an attacker can send forged ARP replies to the target host and tamper with its local MAC table. ARP spoofing can make the target computer unable to communicate with the gateway, which leads to traffic redirection: all of the target's data passes through the attacker's machine. If the attacker forwards the data between the target and the gateway, it can act as an "intermediary" and monitor the target without disturbing the target's normal Internet access.

Specific attack implementations

A man-in-the-middle attack can be broadly divided into the following steps:

1. ARP-spoof the target host, claiming to be the gateway.

2. Forward the target's outbound data to the gateway using NAT, so the target's outgoing traffic still gets through.

3. ARP-spoof the gateway, claiming to be the target host.

4. Forward the gateway's data to the target host using NAT, so the target still receives its inbound traffic.

5. Monitor, hijack or modify the target's inbound and outbound data to carry out the attack.

Steps 1 and 3 are ARP spoofing, and steps 2 and 4 are forwarding; they are described separately below.

ARP spoofing

ARP spoofing, also known as ARP poisoning, can be implemented in many ways, but the basic idea is to redirect packets from one host (or all hosts) to another by continually sending forged ARP replies to the target of the attack.

Here is the usage of the arpspoof command from the dsniff toolset:

# arpspoof [-i interface] [-c own|host|both] [-t target] [-r] host

which

-i specifies the interface to use.

-c specifies which MAC address is used when the ARP configuration is restored; the original MAC is used by default (that is, the poisoning is undone by default when the arpspoof command is stopped).

-t specifies the host to be poisoned; if it is not specified, all hosts on the LAN are poisoned.

-r poisons both directions (host and target) so that data can be captured both ways (only valid when -t is specified at the same time).

host is the address you want to impersonate, usually the local gateway. All packets from target to host are redirected to this machine.

Data flow

After the target host's ARP cache is poisoned, its outbound traffic that should go through the gateway is sent to the attacker's host instead. But because the destination address is wrong, the target's requests to the outside never arrive, and the Internet becomes inaccessible from the target. To keep its Internet connection working, we need to forward the target's data on to the real gateway.

First turn on IP forwarding so that the local host can forward data like a router:

echo 1 > /proc/sys/net/ipv4/ip_forward

At this point, the data received by the local host still carries the original source and destination addresses (the destination being an external address), and we need to forward it to the gateway. This is the job of NAT (network address translation); refer to my previous chapter on the principle and implementation of NAT communication (C++):

192.168.1.0/24 -j SNAT --to-source 192.168.1.110

This command modifies the local forwarding rules so that all packets whose source address is 192.168.1.xxx have their source address rewritten to the local address 192.168.1.110,
where

-t specifies the table to operate on, here nat.
-A is --append, meaning add a rule. The nat table has three built-in chains, namely:
PREROUTING, which changes the address of a packet as it comes in;
POSTROUTING, which changes the address of a packet as it goes out;
OUTPUT, which changes the address of a locally generated packet before routing.
-p specifies the protocol of the packets to be checked.
-s specifies the source address. The address can be a network name, a host name, an IP address, or a network address in address/mask form. Several may be given, and a ! before -s takes the complement.
-j specifies the target of the rule, that is, what to do when a packet matches. SNAT means the packet's source address is modified, and the remaining rules in this chain are not checked for that packet.
--to-source specifies the new source address of the forwarded packet under the SNAT target; here it is set to 192.168.1.110, the attacker's address.

Detailed usage of iptables can be viewed with man iptables. The command above describes the forwarding rule for outbound data; inbound data is forwarded to the attacked host in the same way:

192.168.1192.168.1. 114

Before the local host forwards them, packets whose destination address is 192.168.1.110 have their destination rewritten to 192.168.1.114 (the attacked host), and are then forwarded on.

Other tools

To illustrate the principle, ARP poisoning and data forwarding were done separately above. In practice, existing tools can do all of this very simply, for example Ettercap:

# ettercap -i wlan0 -Tq -M arp:remote /target/ /host/

A single command completes both the ARP poisoning and the forwarding. -M specifies the MITM attack to perform.

Postscript

Once the man in the middle has established the attack and hijacked the target's Internet traffic, the next step is whatever it wants: monitoring the target's Internet behaviour, as if someone were standing behind you watching you surf 24 hours a day; hijacking the target's cookies to log in to the target's accounts on sites such as Weibo, Baidu and Douban, browsing their private data, deleting posts and so on; or causing the target to download malicious programs or execute malicious scripts, thereby threatening the security of their computer. Of course, there are many ways to defend against this attack. The simplest is to bind the gateway's MAC address statically and raise a warning whenever the gateway's MAC address changes, which blocks ARP poisoning. Beyond that, it is best not to visit sites that hold important private data over public Wi-Fi; if a malicious party is on the same LAN, you are truly "walking naked in the sun".
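The "warn when the gateway MAC changes" defence from the paragraph above, as an added example in Python (not from the article or any of the tools it mentions): it parses raw Ethernet/ARP frames, pins the gateway IP to its known MAC, and reports replies that contradict it or that move an IP to a different MAC, which is what the bidirectional (-r) poisoning of steps 1 and 3 looks like on the wire. The frames, including the attacker MAC 0a:11:22:33:44:fe, are constructed in the demo rather than captured.

```python
import struct
ARP = struct.Struct("!HHBBH6s4s6s4s")  # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa

def _mac(s): return bytes.fromhex(s.replace(":", "").replace("-", ""))
def _ip(s): return bytes(int(x) for x in s.split("."))
def _mac_str(b): return ":".join(f"{x:02x}" for x in b)
def _ip_str(b): return ".".join(str(x) for x in b)

def build_arp(oper, sha, spa, tha, tpa):
    """Ethernet + ARP frame (constructed test input): requests are broadcast, replies unicast."""
    eth_dst = _mac("ff:ff:ff:ff:ff:ff" if oper == 1 else tha)
    arp = ARP.pack(1, 0x0800, 6, 4, oper, _mac(sha), _ip(spa), _mac(tha), _ip(tpa))
    return eth_dst + _mac(sha) + b"\x08\x06" + arp

def parse_arp(frame):
    """ARP fields of an Ethernet frame, or None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = ARP.unpack(frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"op": oper, "sha": _mac_str(sha), "spa": _ip_str(spa), "tha": _mac_str(tha), "tpa": _ip_str(tpa)}

class GatewayWatch:
    """Passive monitor: gateway IP pinned to its known MAC; replies contradicting it, or moving an IP to a new MAC, are reported (the second check is a heuristic)."""
    def __init__(self, gateway_ip, gateway_mac):
        self.gateway = (gateway_ip, gateway_mac.lower())
        self.bindings = {}   # ip -> last MAC seen claiming it
        self.alerts = []
    def feed(self, frame):
        p = parse_arp(frame)
        if p is None or p["op"] != 2:       # only replies update caches, so only replies matter
            return
        ip, mac = p["spa"], p["sha"]
        if ip == self.gateway[0] and mac != self.gateway[1]:
            self.alerts.append(f"gateway {ip} claimed by {mac}, expected {self.gateway[1]}")
        elif self.bindings.get(ip, mac) != mac:
            self.alerts.append(f"{ip} moved from {self.bindings[ip]} to {mac}")
        self.bindings[ip] = mac

def demo():
    """Hosts from the article plus a constructed attacker MAC; returns the alerts raised."""
    gw, b, rogue = "0a:11:22:33:44:01", "0a:11:22:33:44:02", "0a:11:22:33:44:fe"
    w = GatewayWatch("192.168.1.1", gw)
    w.feed(build_arp(2, gw, "192.168.1.1", b, "192.168.1.2"))      # genuine gateway reply
    w.feed(build_arp(2, b, "192.168.1.2", gw, "192.168.1.1"))      # genuine reply from B
    w.feed(build_arp(2, rogue, "192.168.1.1", b, "192.168.1.2"))   # step 1: rogue claims gateway
    w.feed(build_arp(2, rogue, "192.168.1.2", gw, "192.168.1.1"))  # step 3: rogue claims B
    return w.alerts
```

On a live network, feed() would be driven by frames from a raw socket or pcap reader instead of the constructed ones in demo().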

