ARP spoofing and man-in-the-middle attacks
Preface:
In the previous note on WPA/WPA2 Wi-Fi password cracking, we looked at how to detect nearby open APs and crack their access. So what can be done once we are inside someone else's LAN, or, put the other way round, what happens when someone else gets into our internal network? This article briefly introduces the principles of ARP and MITM, then hijacks the traffic of a target host in a real environment to expose the common problems of public networks, so that we can see what kind of privacy leakage and security risks clients in a LAN face.
What is ARP and MITM?
ARP stands for Address Resolution Protocol. It is a TCP/IP protocol for obtaining a physical (MAC) address from an IP address. When a host wants to send data, it broadcasts an ARP request containing the target IP address to all hosts on the network and uses the returned message to determine the physical address of the target; after receiving the reply, it stores the IP address and physical address in its local ARP cache and keeps them for a certain period of time. On the next request, the ARP cache is queried directly, which saves resources. The Address Resolution Protocol relies on mutual trust between the hosts on the network: any host can independently send ARP reply messages, and when other hosts receive such a reply they do not check its authenticity before recording it in their local ARP cache. An attacker can therefore send a forged ARP reply to a host, so that the messages it sends no longer reach the intended host or reach the wrong host; this is ARP spoofing. The arp command can be used to query the IP-to-MAC address mappings in the local ARP cache and to add or delete static mappings.
For example:
$ sudo arp -n
Address HWtype HWaddress Flags Mask Iface
192.168.1.1 ether 0A-11-22-33-44-01 C wlan0
192.168.1.2 ether 0A-11-22-33-44-02 C wlan0
Here you can see the intranet IP addresses and MAC addresses of the other clients in the LAN.
Assume that the IP address of host A is 192.168.1.1 and its MAC address is 0A-11-22-33-44-01, and that the IP address of host B is 192.168.1.2 and its MAC address is 0A-11-22-33-44-02. When host A needs to communicate with host B, the Address Resolution Protocol resolves host B's IP address (192.168.1.2) to host B's MAC address. The workflow is as follows:
Step 1: Based on the routing table on host A, IP determines that the forwarding IP address used to reach host B is 192.168.1.2. Host A then checks its local ARP cache for a MAC address matching host B.
Step 2: If host A does not find the mapping in its ARP cache, it broadcasts an ARP request frame to all hosts on the local network asking for the hardware address of 192.168.1.2. The ARP request includes the IP address and MAC address of source host A. Each host on the local network receives the ARP request and checks whether the requested IP address matches its own; a host whose IP address does not match discards the request.
Step 3: Host B determines that the IP address in the ARP request matches its own IP address, and adds the mapping of host A's IP address and MAC address to its local ARP cache.
Step 4: Host B sends an ARP reply message containing its MAC address directly back to host A.
Step 5: When host A receives the ARP reply from host B, it updates its ARP cache with the mapping of host B's IP address and MAC address. The cache entry has a lifetime; after it expires, the above process is repeated. Once the MAC address of host B is determined, host A can send IP traffic to host B.
Working element: ARP cache
The ARP cache is a buffer that stores IP addresses and MAC addresses. In essence it is a table of IP address -> MAC address mappings, where each entry records the IP address of another host on the network and its corresponding MAC address. Each Ethernet or Token Ring adapter has its own independent table. When the Address Resolution Protocol is asked for the MAC address of a node with a known IP address, it first looks in the ARP cache: if an entry exists, the corresponding MAC address is returned directly; if not, an ARP request is sent to the LAN to query it. To minimize broadcast traffic, ARP keeps the IP-to-MAC address mappings in the cache for future use. The ARP cache can contain dynamic and static entries. Dynamic entries are added and deleted automatically over time. The potential lifetime of each dynamic ARP cache entry is 10 minutes. A new entry added to the cache is given a timestamp. If an entry is not used again within 2 minutes after it is added, it expires and is deleted from the ARP cache. If an entry is in use, it receives a further two-minute lifetime; if it is always in use, it keeps receiving two-minute extensions up to the maximum lifetime of 10 minutes. Static entries remain in the cache until the computer is restarted.
ARP spoofing and MITM
MITM stands for Man In The Middle. The Address Resolution Protocol is based on mutual trust between the hosts on the network. It makes the network more efficient, but it also has shortcomings. The ARP address translation table relies on the computer's cache memory for dynamic updates, and cache updates are limited by the update cycle, so only the mapping entries for recently used addresses are kept. This allows an attacker to modify the address translation table before its entries are refreshed in the cache. ARP requests are sent as broadcasts, any host on the network can independently send ARP reply messages, and when other hosts receive such a reply they do not check its authenticity before recording it in their local MAC address translation table. In this way, an attacker can send a forged ARP reply to the target host to tamper with its local MAC address table. ARP spoofing can cause the target computer to lose communication with the gateway, and it can also redirect communication: all data is then transmitted through the attacker's machine. If the attacker forwards the data between the target and the gateway, the attacker can act as a "man-in-the-middle" and monitor the target without affecting its normal Internet access.
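As an added example (not code from the original article), the A/B exchange from the workflow above and the forged reply described in this section, worked in Python: it encodes the request and reply frames, decodes them, and applies the arpwatch-style check a defender would run on captured ARP traffic, flagging a known IP that suddenly appears with a different MAC. The frames and the attacker MAC 0A-11-22-33-44-FF are constructed for the example.

```python
import struct
# Wire layout: 14-byte Ethernet header, then the 28-byte ARP payload
# (htype, ptype, hlen, plen, opcode, sender MAC, sender IP, target MAC, target IP).
ETH_FMT, ARP_FMT = "!6s6sH", "!HHBBH6s4s6s4s"
ETHERTYPE_ARP, ARP_REQUEST, ARP_REPLY = 0x0806, 1, 2
BROADCAST = "FF-FF-FF-FF-FF-FF"

def mac_bytes(s): return bytes.fromhex(s.replace("-", "").replace(":", ""))
def ip_bytes(s): return bytes(int(x) for x in s.split("."))
def mac_str(b): return "-".join(f"{x:02X}" for x in b)
def ip_str(b): return ".".join(str(x) for x in b)

def build_arp(op, sha, spa, tha, tpa, eth_dst):
    """Encode one Ethernet/ARP frame (used here only to construct sample traffic)."""
    eth = struct.pack(ETH_FMT, mac_bytes(eth_dst), mac_bytes(sha), ETHERTYPE_ARP)
    arp = struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op, mac_bytes(sha), ip_bytes(spa),
                      mac_bytes(tha), ip_bytes(tpa))
    return eth + arp

def parse_arp(frame):
    """Decode a frame into its ARP fields; None for non-ARP or truncated frames."""
    if len(frame) < 42:
        return None
    _dst, eth_src, etype = struct.unpack(ETH_FMT, frame[:14])
    if etype != ETHERTYPE_ARP:
        return None
    _, _, _, _, op, sha, spa, tha, tpa = struct.unpack(ARP_FMT, frame[14:42])
    return {"op": op, "eth_src": mac_str(eth_src), "sha": mac_str(sha),
            "spa": ip_str(spa), "tha": mac_str(tha), "tpa": ip_str(tpa)}

def watch_arp(frames, bindings):
    """arpwatch-style check: learn sender IP->MAC pairs, flag a known IP whose MAC changes."""
    alerts = []
    for frame in frames:
        p = parse_arp(frame)
        if p is None:
            continue
        known = bindings.get(p["spa"])
        if known is None:
            bindings[p["spa"]] = p["sha"]
        elif known != p["sha"]:
            alerts.append(f"{p['spa']} was {known}, now claimed by {p['sha']} (op={p['op']})")
    return alerts

# Constructed traffic for the page's hosts A (.1) and B (.2); the attacker MAC
# 0A-11-22-33-44-FF is a made-up value.
A_MAC, B_MAC, EVIL_MAC = "0A-11-22-33-44-01", "0A-11-22-33-44-02", "0A-11-22-33-44-FF"
SAMPLE = [
    build_arp(ARP_REQUEST, A_MAC, "192.168.1.1", "00-00-00-00-00-00", "192.168.1.2", BROADCAST),
    build_arp(ARP_REPLY, B_MAC, "192.168.1.2", A_MAC, "192.168.1.1", A_MAC),
    build_arp(ARP_REPLY, EVIL_MAC, "192.168.1.1", B_MAC, "192.168.1.2", B_MAC),  # forged reply
]
```

Running `watch_arp(SAMPLE, {})` learns the two legitimate bindings from the first two frames and raises exactly one alert for the third, in which 192.168.1.1 is suddenly claimed by the unknown MAC.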
Specific Attack implementation
The specific man-in-the-middle attack can be divided into the following steps:
1. Perform ARP spoofing on the target host, claiming to be the gateway.
2. Forward the target's data to the gateway through NAT so that the target's outbound traffic keeps flowing.
3. Perform ARP spoofing on the gateway, claiming to be the target host.
4. Forward the gateway's data to the target host through NAT so that the target's inbound traffic keeps flowing.
5. Listen to, hijack, or modify the target's inbound and outbound data to carry out the attack.
Steps 1 and 3 are ARP spoofing; steps 2 and 4 are forwarding. Both are discussed below.
ARP Spoofing
ARP spoofing is also called ARP poisoning. There are many ways to implement it, but the principle is always to keep sending ARP replies to the target, so that the packets one host (or all hosts) sends to another host are redirected.
Here, the arpspoof command from the dsniff toolset is used as an example:
# arpspoof [-i interface] [-c own|host|both] [-t target] [-r] host
Where:
-i specifies the interface to use.
-c specifies which MAC address to use when restoring the ARP configuration. By default the original MAC address is used (that is, when arpspoof is stopped, the poisoning is undone by default).
-t specifies the host to poison. If not specified, all hosts on the LAN are targeted by default.
-r poisons both sides (host and target) to capture data in both directions. (Valid only when -t is also specified.)
host is the host you want to impersonate, usually the local gateway. All packets from target to host are redirected to the local machine.
Data Stream forwarding
Once the target host's ARP cache has been poisoned, the data streams that should pass through the gateway are sent to the attacker's host instead. However, because the destination hardware address is now wrong, the target host's outbound requests never reach the real gateway, that is, the target host cannot access the Internet. To keep the target's Internet access working, we need to forward the data to the real gateway when we receive it.
First, enable IP forwarding so that the local machine can forward packets like a router:
# echo 1 > /proc/sys/net/ipv4/ip_forward
At this point, the data received by the local machine carries the target's source address and an Internet destination address. We need to forward it to the gateway; here the Network Address Translation (NAT) function is implemented. For details about NAT, refer to my previous chapter on P2P communication principles and implementation (C++):
# iptables -t nat -A POSTROUTING -p tcp -s 192.168.1.0/24 -j SNAT --to-source 192.168.1.110
This rewrites the source address of all packets from 192.168.1.XXX that leave the local machine to 192.168.1.110. Here:
-t specifies the table to operate on, in this case nat.
-A stands for --append and adds a rule. The nat table has three built-in chains: PREROUTING changes the address when a packet comes in, before routing; POSTROUTING changes the address when a packet is about to go out; OUTPUT changes the address of locally generated packets.
-p specifies the protocol to match.
-s specifies the source address. The address can be a network name, a host name, an IP address, or a network address in address/mask form; prefixing the address with ! matches its complement.
-j specifies the target of the rule, that is, what to do with a packet that matches; SNAT modifies the packet's source address, and the remaining packets of that connection are not checked again.
--to-source, under the SNAT option, specifies the new source address of the forwarded packets, here 192.168.1.110, the attacker's address.
For more information about iptables, see man iptables. The preceding command describes the forwarding rule for outgoing data. The same applies if external data is to be forwarded to the attacked host:
# iptables -t nat -A PREROUTING -p tcp -d 192.168.1.110 -j DNAT --to 192.168.1.114
Before local routing, this rewrites the destination address of packets addressed to 192.168.1.110 to 192.168.1.114 (the attacked host), and then forwards them.
Other tools
To illustrate the principles above, ARP poisoning and data forwarding have been kept separate. In practice, existing tools do all of the above work in a single command, for example ettercap:
# ettercap -i wlan0 -Tq -M arp:remote /target// /host//
One command completes both ARP poisoning and forwarding; -M specifies the MITM attack to perform.
Postscript
Once the man-in-the-middle attack succeeds and the target's Internet traffic is hijacked, the man-in-the-middle can do whatever he wants. It is easy to monitor the target's Internet behavior, as if standing behind you 24 hours a day watching you go online; or to hijack the target's cookies and log in to websites such as Weibo, Baidu, and Douban with the target's account, browsing its private data, posting, deleting, and so on; or, more seriously, to mount phishing attacks so that the target downloads malicious programs or executes malicious scripts, threatening its computer security. Of course, there are also many ways to defend against such attacks. The simplest is to bind the gateway's MAC address and raise a reminder whenever the gateway's MAC address changes, which prevents ARP attacks. In addition, it is best not to browse important private websites on public WiFi; if there is a malicious person on the LAN, it really is like "walking in the sun".
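The "bind the gateway MAC and raise a reminder when it changes" defense, together with the ARP cache table format shown earlier, as an added Python example that is not part of the original article: it parses arp-style table text, compares it with pinned bindings, and also flags one MAC that is claimed by several IPs, which is what a poisoned victim's cache looks like when the attacker's MAC appears both for its own IP and for the gateway IP it impersonates. The POISONED snapshot and the attacker MAC 0A-11-22-33-44-FF are constructed for the example.

```python
# Parse the arp(8) table format shown earlier on the page and check it against
# pinned (expected) bindings such as the gateway's known MAC address.
def parse_arp_table(text):
    """Return {ip: MAC} from arp-style output; skips the header and incomplete rows."""
    entries = {}
    for line in text.strip().splitlines()[1:]:
        cols = line.split()
        if len(cols) < 3 or cols[1] == "(incomplete)":
            continue
        entries[cols[0]] = cols[2].upper().replace(":", "-")
    return entries

def check_bindings(table, pinned):
    """Alert when a pinned IP shows a MAC other than the expected one, and when
    one MAC is claimed by several IPs (the attacker's MAC appears for its own IP
    and for the gateway IP it impersonates in the victim's cache)."""
    alerts = []
    for ip_addr, mac in pinned.items():
        seen = table.get(ip_addr)
        if seen is not None and seen != mac:
            alerts.append(f"{ip_addr}: expected {mac}, cache has {seen}")
    by_mac = {}
    for ip_addr, mac in table.items():
        by_mac.setdefault(mac, []).append(ip_addr)
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            alerts.append(f"{mac} is claimed by {', '.join(sorted(ips))}")
    return alerts

# Constructed snapshots: CLEAN is the table from earlier on the page; POISONED is
# what the victim would see after an attacker at 192.168.1.110 (made-up MAC
# 0A-11-22-33-44-FF) claims the gateway address 192.168.1.1.
CLEAN = """\
Address      HWtype  HWaddress          Flags Mask  Iface
192.168.1.1  ether   0A-11-22-33-44-01  C           wlan0
192.168.1.2  ether   0A-11-22-33-44-02  C           wlan0
"""
POISONED = """\
Address        HWtype        HWaddress          Flags Mask  Iface
192.168.1.1    ether         0A-11-22-33-44-FF  C           wlan0
192.168.1.2    ether         0A-11-22-33-44-02  C           wlan0
192.168.1.5    (incomplete)                                 wlan0
192.168.1.110  ether         0A-11-22-33-44-FF  C           wlan0
"""
PINNED = {"192.168.1.1": "0A-11-22-33-44-01"}  # gateway binding recorded on a clean network

if __name__ == "__main__":
    for alert in check_bindings(parse_arp_table(POISONED), PINNED):
        print("ALERT:", alert)
```

On Linux the same binding can be enforced rather than only monitored with a static entry such as arp -s 192.168.1.1 0A:11:22:33:44:01, which is the MAC binding the postscript recommends.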