ARP spoofing technology

When you patch a system, it is only a basic step in security measures. A hacker usually needs to enter your system. What he wants to do is not to be avoided by patching. You must be familiar with all these frauds. Network The underlying knowledge and reasonable arrangement of physical wiring can be prevented, especially when multiple methods are used.

Note: Some people often think that they will use some tools to intrude into the system and think they are hacker. In fact, this is only an entry point (some cannot be found ). Through this article, I want to let people know that when a hacker really invades the system, he does not rely on software written by others. This goal is achieved by in-depth understanding of systems and networks.
　　
　　
　　
First, let's talk about arp. If you areUNIXInput ARP-A in Shell (9x). Your output should look like this:
　　
Interface: XXX. XXX
　　
Internet address physical address type
　　
XXX. XXX 00-00-93-64-48-d2 dynamic
　　
XXX. XXX 00-00-b4-52-43-10 dynamic
　　
...................
　　
The first column shows the IP address, the second column shows the hardware address (MAC) of the network interface card corresponding to the IP address, and the third column shows the corresponding relationship type between the IP address and Mac.
　　
It can be seen that ARP is a physical address that converts an IP address into a NIC corresponding to an IP address.ProtocolOr ARP is a protocol that converts an IP address into a MAC address. It relies on a table stored in the memory to enable the IP address to be responded by the target machine on the network.
　　
Why convert an IP address to a MAC address? Simply put, this is because in the TCP network environment, the route table defines how an IP packet goes. However, when the IP packet arrives at the network, the machine that responds to the IP packet is identified by the MAC address contained in the IP packet. That is to say, only machines with the same MAC address as the MAC address in the IP packet will respond to this IP packet. In the network, each host sends an IP packet. Therefore, there is an ARP --> Mac conversion table in the memory of each host. It is usually a dynamic conversion table (note that the ARP table can be set to static in the routing ). That is to say, the corresponding table will be refreshed by the host as needed. This is becauseEthernetTransmission on the subnet layer is determined by a 48-bit MAC address.
　　
Generally, before a host sends an IP packet, it needs to find the MAC address corresponding to the IP packet in the conversion table. If not found, the host sends an ARP broadcast packet, which looks like this:
　　
"I'm host XXX. Mac is xxxxxxxxxxx, IP is XXX. xx1. Please tell your Mac"
　　
The host whose IP address is XXX. xx1 responds to this broadcast, and the reply ARP broadcast is:
　　
"My name is XXX. xx1, and my Mac is xxxxxxxxxx2"
　　
As a result, the host refresh its ARP cache and then issue the IP package.
　　
After learning about these common sense, we can now talk about how to implement ARP spoofing in the network. Let's take a look at this example:
　　
An intruder wants to illegally access a host. He knows that the firewall of this host only opens 23 ports (Telnet) for the 192.0.0.3 IP address ), but he must use Telnet to access this host, so he needs to do this:
　　
1. He first studied the 192.0.0.3 host and found that the 95 host would use an OOB to let him die.
　　
2. Therefore, he sent a flood package to the 139 ports of 192.0.0.3, and the machine died.
　　
3. At this time, the IP packet sent from the host to 192.0.0.3 cannot be answered by the machine, and the system starts to update its ARP table. Release the 192.0.0.3 project.
　　
4. During this period, intruders changed their IP address to 192.0.0.3.
　　
5. He sends a ping (ICMP 0) to the host and requires the host to update the host's ARP conversion table.
　　
6. Find the IP address on the host, and add a new IP Address --> Mac in the ARP table.
　　
7,FirewallInvalid. The compromised IP address becomes a valid MAC address. You can telnet.
　　
Now, if the host not only provides telnet, but also provides R commands (such as RSH, rcopy, and rlogin), all security conventions will be invalid, intruders can safely use the resources of this host without worrying about being recorded.
　　
Some people may say that this is actually fraudulent use of IP addresses. IP spoofing is more complicated than IP spoofing, and the implementation mechanism is completely different.
　　
The above is an ARP spoofing process, which occurs in the same network segment. However, it is important to note that ARP spoofing cannot be prevented by using an exchange hub or bridge. Only route segments are effective measures to prevent ARP spoofing. (That is, IP packets must be forwarded through routes. In the case of route forwarding, ARP spoofing, in combination with ICMP spoofing, will cause great harm to the network. From a certain point of view, intruders can intercept any two points of communication in the routing listening network. If a firewall is set, please note whether the firewall prompts such information as "xx ip is a local IP but it is from XX route.
　　
In the case of route forwarding, the corresponding IP address is the MAC address of the route.
　　
For example, PingWww.cns911.comIn my host, the corresponding IP address of www. cns911.com is not the MAC address of cns911, but the MAC address of my route, and its IP address is also the IP address of my route. (Some network software can obtain the MAC address of the remote IP address through ARP switching ).
　　
　　
If you are interested in taking a further step, consider the following situation:
　　
Suppose the intruder suddenly thought: I have to go through a route to go to the host with a firewall !!!
　　
The intruder began to think:
　　
1. My machine can enter that CIDR block, but it does not use a 192.0.0.3 IP address.
　　
2. if I use that IP address, even if the machine with the genuine version 192.0.0.3 is dead, the machine in the network will not throw the IP packet to the route.
　　
3. Therefore, I want to cheat the host to throw the IP packet to the route.
　　
This goal can be achieved through a variety of spoofing techniques. So he started to do this:
　　
1. In order to make the illegal IP packet sent by the user more active on the network for a long time, start to modify the TTL to prepare for possible problems in the following process. He changed the TTL to 255. (TTL defines the time for an IP packet to survive on the network if it cannot reach the host on the network. In this example, it is helpful to make enough broadcasts)
　　
2. He took out a floppy disk, which he used before.SnifferVarious types of IP packages.
　　
3. He uses a valid IP address to enter the network, and then, like above, sends a flood package to let the genuine 192.0.0.3 die, and then uses 192.0.0.3 to enter the network.
　　
4. After the host on the network cannot find the MAC address of 192.0.0.3, the corresponding ARP table is updated. So he quickly modified the ARP broadcast packet data in the floppy disk, and then said to the network broadcast, "the Mac that can respond to IP address 192.0.0.3 is me ".
　　
5. Now every host knows that a new MAC address corresponds to IP address 192.0.0.3, and an ARP spoofing is completed. However, each host will onlyLanAnd will not throw the IP packet sent to 192.0.0.3 to the route. So he has to construct an ICMP redirection broadcast.
　　
6. He started to modify the ICMP broadcast packet data in the floppy disk and sent the packet to the host on the network: "the shortest route to 192.0.0.3 is not a LAN, but a route. Please redirect the host to your route path and throw all IP packets destined for 192.0.0.3 to the route. "
　　
7. The host accepts this reasonable ICMP redirection, so it modifies its route path and throws IP communication for 192.0.0.3Vro.
　　
8. The attacker can finally receive an IP packet from the host in the route. The attacker can telnet to port 23 of the host using IP address 192.0.0.3.
　　
Note: This is just a typical example. In practice, you need to consider more than that.