Cracking of MAC address and IP Address binding policy

Source: Internet
Author: User

The vast majority of solutions to "IP address theft" adopt MAC and IP address binding policies. This approach is very dangerous, as this article will discuss. Note that this article is concerned with the security of MAC and IP address binding policies, not with hacking.
1.1 Why bind a MAC address to an IP address?
There are many factors that affect network security. IP address theft and address spoofing are common and harmful ones. In practice, many network applications are IP-based: traffic statistics and account control, for example, both use the IP address as an important parameter for identifying users. If a legitimate address is stolen and the thief masquerades as the legitimate user, data transmitted over the network may be damaged, eavesdropped on, or even stolen, causing irreparable losses.
It is difficult to steal an IP address from an external network, because routers and other network interconnection devices generally set the permitted IP address range on each port, and packets that do not fall within that range cannot pass through them. However, if the IP address of a valid user inside the Ethernet is stolen, these interconnection devices are powerless. A countermeasure exists for IP address theft inside the Ethernet as well: binding MAC addresses to IP addresses is a common, simple, and effective measure to prevent internal IP address theft.
1.2 How MAC and IP addresses are bound
An IP address is easy to modify, whereas the MAC address is stored in the EEPROM of the NIC and is unique to that NIC. Therefore, to prevent internal personnel from using illegal IP addresses (for example, stealing the IP address of a person with higher permissions to obtain information beyond their own permissions), you can bind the IP addresses of the internal network to MAC addresses. Even if someone modifies the IP address, the theft fails because the MAC address does not match. In addition, because the MAC address of a NIC is unique and deterministic, the NIC that uses a given MAC address can be found from that address, and the offender is thereby detected.
Currently, many internal networks, especially campus networks, use MAC and IP address binding. Many firewalls (hardware and software) have built-in MAC and IP address binding functions to prevent IP addresses from being stolen.
On the surface, binding MAC addresses to IP addresses prevents internal IP addresses from being stolen. However, because of implementation details such as the protocols at different layers and NIC drivers, binding MAC addresses to IP addresses has many drawbacks and does not really prevent the theft of internal IP addresses.

2. Cracking MAC and IP address binding policies
2.1 Introduction to IP addresses and MAC addresses
Current TCP/IP networks have a four-layer protocol structure: from bottom to top, the link layer, network layer, transport layer and application layer.
The Ethernet protocol is a link-layer protocol and uses MAC addresses. The MAC address is the hardware identifier of an Ethernet NIC; it is stored in the NIC's EEPROM when the NIC is manufactured. Every NIC has a different MAC address, so a MAC address can uniquely identify a network card. Each packet transmitted over Ethernet contains the MAC address of the NIC that sends it. Ethernet identifies the sender and receiver of a packet based on the source MAC address and destination MAC address in the Ethernet packet header. The IP protocol operates at the network layer and uses IP addresses. When IP is used for communication, each IP packet header must contain a source IP address and a destination IP address to indicate the sender and receiver of the IP packet. When IP packets are transmitted over Ethernet, the IP packet is carried as the data of the Ethernet packet. IP addresses are transparent to Ethernet switches or processors. You can configure one or more IP addresses on a network card as needed. There is no one-to-one relationship between MAC addresses and IP addresses.
The MAC address is stored in the NIC's EEPROM and is unique. However, when the NIC driver sends an Ethernet packet, it does not read the MAC address from the EEPROM; instead it creates a buffer in memory, and the source MAC address of the Ethernet packet is read from that buffer. In addition, the source MAC address of the Ethernet packets actually sent can be modified through the operating system. Since the MAC address can be modified, the binding between the MAC address and the IP address loses its original meaning.
2.2 Cracking approach
Both the internal server and the external server provide Web services, and the firewall binds MAC addresses to IP addresses. If the source MAC address and IP address pair in a packet does not match a MAC address and IP address pair set in the firewall, the packet cannot pass through the firewall. Both Host 2 and the internal server are valid machines in the internal network; Host 1 is a new machine added for the experiment. Its operating system is W2000 Enterprise Edition and its NIC is a 3Com.
Modifications required on the test host
1. Set the MAC and IP addresses of the NIC to the MAC and IP addresses of the stolen device. First, select "network and dial-up connections" in the control panel, select the corresponding NIC, right-click it, and select Properties; then click "configuration" on the "General" page of the property page. Select "advanced" on the configuration properties page, select "Network Address" in the "properties" column, select the input box in the value column, and then enter the MAC address of the stolen device in the input box.
Then, configure the IP address as the IP address of the stolen device.
Intranet client IP address theft: Change the MAC address and IP address of Host 1 to the MAC address and IP address of Host 2 respectively. Host 1 can access the external server and passes through the firewall smoothly. The access permission is different from host 2. In addition, Host 2 can access the external server normally without being affected by Host 1. Neither Host 2 nor the firewall can detect Host 1. When Host 1 accesses an internal server, it does not need to go through the firewall.
Intranet server IP address theft: Change the MAC address and IP address of Host 1 to the MAC address and IP address of the internal server. Host 1 also provides Web services. To make the effect more obvious, the Web content provided on Host 1 is different from that provided by the internal server.
In the actual experiment, Host 1 and Host 2 were connected to the same hub. Host 2's access requests were always answered first by Host 1: Host 2 expected to reach the internal server, but what it got was always what Host 1 provided. In general, when Host 2 tries to access the internal server, whether it receives the content provided by Host 1 or the content provided by the internal server is random and depends on which one responds to the request first; the subsequent analysis elaborates on this.
Theft of the server's MAC and IP addresses may cause greater harm. If the Web content provided by Host 1 is the same as that of the internal server, Host 2 cannot tell which machine it is accessing; if the Web content asks for the user's account, password, and other information, that information is plainly visible to Host 1.
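Added example (not part of the original article): a model of the firewall's pair check from 2.2, next to a comparison that also records the switch port a frame arrived on. The addresses, the port names and the port-aware comparison are assumptions made for illustration; the latter needs a switched network that reports the ingress port, which the hub used in the experiment does not provide.

```python
from typing import NamedTuple


class Frame(NamedTuple):
    src_mac: str
    src_ip: str
    port: str  # ingress switch port (assumption: switched network, not a hub)


# Constructed binding table, as the firewall in 2.2 would hold it: IP -> MAC.
BINDINGS = {
    "192.0.2.20": "00:00:5e:00:53:02",  # Host 2 (constructed addresses)
    "192.0.2.10": "00:00:5e:00:53:01",  # Host 1 before any modification
}


def pair_check(frame: Frame) -> bool:
    """The firewall's test: pass only if the (IP, MAC) pair is in the table."""
    return BINDINGS.get(frame.src_ip) == frame.src_mac.lower()


def find_duplicated_pairs(frames):
    """Return bound (IP, MAC) pairs that were seen on more than one port."""
    seen = {}
    for f in frames:
        if pair_check(f):
            seen.setdefault((f.src_ip, f.src_mac.lower()), set()).add(f.port)
    return {pair: sorted(ports) for pair, ports in seen.items() if len(ports) > 1}


# Constructed observations of three frames.
HOST2 = Frame("00:00:5e:00:53:02", "192.0.2.20", "port2")    # legitimate Host 2
IP_ONLY = Frame("00:00:5e:00:53:01", "192.0.2.20", "port7")  # Host 1, IP changed only
CLONE = Frame("00:00:5E:00:53:02", "192.0.2.20", "port7")    # Host 1, MAC and IP copied


def demo():
    frames = [HOST2, IP_ONLY, CLONE]
    return [pair_check(f) for f in frames], find_duplicated_pairs(frames)


if __name__ == "__main__":
    verdicts, duplicates = demo()
    print("pair check verdicts:", verdicts)
    print("pairs seen on several ports:", duplicates)
```

The pair check rejects the frame whose IP address alone was changed but accepts the frame carrying the copied pair, which matches the experiment; only the extra port attribute separates Host 1 from Host 2.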

 
