In a network that runs TCP/IP, the routing table decides where an IP packet goes and by which path. Once the packet is on the local network, however, the machine that actually picks it up is identified by the hardware (MAC) address in the Ethernet frame that carries it: only the host whose MAC address matches the destination MAC address of that frame accepts the packet. Because every host on the network has to send IP packets, every host keeps an IP address --> MAC address conversion table (the ARP cache) in memory. It is normally a dynamic table (static entries can also be added to it by hand), which means the host refreshes its entries after a certain interval; this interval is the ARP cache timeout. Before a host sends an IP packet, it looks up the MAC address that belongs to the destination IP address in this table. If there is no entry, the host sends an ARP request as a broadcast, refreshes its ARP cache with the answer, and only then sends the IP packet.
With that background, we can look at how ARP spoofing happens on an Ethernet segment. Consider the following example.
ARP Spoofing Analysis on the Same Network Segment
As shown in the following figure, the three hosts have these IP and MAC addresses:
A: IP address 192.168.0.1, hardware address AA:AA;
B: IP address 192.168.0.2, hardware address BB:BB;
C: IP address 192.168.0.3, hardware address CC:CC.
An intruder on host B wants to access host A without authorization, but host A runs a firewall. From the information he has gathered, he knows that host A's firewall has a trust relationship only with host C (port 23, telnet, is open to C). He nevertheless needs to telnet to host A. What can he do?
The intruder has to make host A believe that host B is host C. Suppose first that the trust relationship between host A and host C is based on IP address. Simply changing host B's IP address to that of host C does not work, or at least does not work reliably: if B tells its Ethernet driver that its address is 192.168.0.3 while C is still running, the two hosts compete for the address and the outcome cannot be controlled. If the intruder studies host C first and finds a way to take it offline temporarily, the competition is removed, and that is still feasible. Once host C is down, host B takes the address 192.168.0.3 and can telnet to port 23 on host A, bypassing the firewall restriction.
That approach fails, however, if the trust relationship between host A and host C is based on the hardware address. In that case ARP spoofing is also needed: the hardware address mapped to 192.168.0.3 in host A's ARP cache has to be changed to the hardware address of host B.
This is done by building an arp_reply packet by hand and sending it to the host to be spoofed. It is possible because the protocol does not require that a reply be sent only after a request (arp_echo) has been received. Many tools can do this; one can also capture a real ARP reply with Wireshark and modify it.
Such a packet can be crafted freely: the source IP address, destination IP address, source MAC address and destination MAC address in the ARP packet can all be set to arbitrary values. A forged ARP reply can therefore modify the dynamic ARP cache on host A and achieve the spoofing.
The procedure is as follows:
1. The intruder first studies the host 192.168.0.3 and finds a vulnerability in it.
2. Using the vulnerability found, he takes host C down so that it stops working temporarily.
3. While host C is down, the intruder changes his own IP address to 192.168.0.3.
4. He uses a tool to send host A a packet whose source IP address is 192.168.0.3 and whose source MAC address is BB:BB, asking host A to update its ARP conversion table.
5. Host A updates the IP address --> MAC address mapping for host C in its ARP table.
6. The firewall now sees the trusted IP address paired with what host A's ARP table says is the trusted MAC address, so its check passes and the intruder can telnet.
This is a complete ARP spoofing sequence within a single network segment. Note, however, that the method above does not work when B and C are on different network segments.
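As an added example (not from the original article), the following Python replays the scenario above from host A's point of view and flags the two things a defender can look for: an ARP reply that answers no outstanding request, and a reply that changes an existing IP-to-MAC binding. The ARP frames are constructed to match the three hosts in the figure, and the `pins` argument stands in for the manually added static ARP entries mentioned at the start.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

@dataclass(frozen=True)
class ArpEvent:                 # one ARP frame as host A would see it (sample data only)
    op: str                     # "request" or "reply"
    sender_ip: str
    sender_mac: str
    target_ip: str

def detect_spoofing(events: List[ArpEvent],
                    pins: Optional[Dict[str, str]] = None) -> Tuple[List[str], Dict[str, str]]:
    """Replay ARP frames and return (alerts, resulting IP->MAC table). `pins` plays the
    role of static ARP entries: pinned bindings are kept, learned ones get overwritten."""
    pins = {ip: mac.lower() for ip, mac in (pins or {}).items()}
    table: Dict[str, str] = dict(pins)
    pending: Set[str] = set()   # IPs we have asked about and not yet heard from
    alerts: List[str] = []
    for ev in events:
        mac = ev.sender_mac.lower()
        if ev.op == "request":
            pending.add(ev.target_ip)
            continue
        if ev.op != "reply":
            continue
        # Check 1: a reply that answers no outstanding request (the forged arp_reply)
        if ev.sender_ip in pending:
            pending.discard(ev.sender_ip)
        else:
            alerts.append(f"unsolicited reply: {ev.sender_ip} is-at {mac}")
        # Check 2: an IP we already know about now claims a different MAC
        known = table.get(ev.sender_ip)
        if known is None:
            table[ev.sender_ip] = mac
        elif known != mac:
            kind = "pinned" if ev.sender_ip in pins else "learned"
            alerts.append(f"binding change for {ev.sender_ip}: {known} -> {mac} ({kind})")
            if ev.sender_ip not in pins:
                table[ev.sender_ip] = mac   # a dynamic cache accepts the forged value
    return alerts, table

# Constructed frames matching the figure: A asks for C, C answers, then B sends
# a forged reply claiming 192.168.0.3 with its own MAC BB:BB (no request preceded it).
SAMPLE = [
    ArpEvent("request", "192.168.0.1", "AA:AA", "192.168.0.3"),
    ArpEvent("reply",   "192.168.0.3", "CC:CC", "192.168.0.1"),
    ArpEvent("reply",   "192.168.0.3", "BB:BB", "192.168.0.1"),
]
```

Running `detect_spoofing(SAMPLE)` shows the dynamic cache ending up with BB:BB for 192.168.0.3 despite both alerts firing, while `detect_spoofing(SAMPLE, {"192.168.0.3": "CC:CC"})` raises the same alerts but keeps the pinned entry.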