Explanation of sniffing (passive sniffing) and ARP spoofing (active sniffing)

Source: Internet
Author: User

There are many good posts and articles about the principles of sniffing and ARP spoofing, but most of them ignore how data is actually forwarded on the network. In fact, using "sniffing and ARP spoofing" as the title is a bit confusing, because sniffing itself includes active sniffing and passive sniffing, while ARP spoofing is a separate technique whose purpose is to make the traffic pass through the attacker's machine; that is, active sniffing = ARP spoofing + packet capture. Before looking at the principles of sniffing and ARP spoofing, we must first understand how packets are transmitted in different network environments (switched networks and shared networks; I only discuss these two here). Unless otherwise stated, "Layer 3" in this article refers to the network layer and "Layer 2" to the data link layer.


I. Data forwarding process in the network

1. Data transmission in a switched network (PC1 sends packets to PC2)

Note: This figure assumes a public network. If the PC is on an intranet or behind a private network, NAT at the egress must also be considered.

A) PC1 finds that the destination IP address 110.1.1.2 (network 110.1.1.0) is not in the same network segment as the local machine (the mask is 24 bits, so the local network is 1.1.1.0). PC1 therefore hands the packet to the gateway. To make sure the packet reaches the gateway, PC1 encapsulates it with the gateway's MAC address as the destination MAC (the source and destination IP addresses remain unchanged throughout the transmission, while the source and destination MAC addresses are rewritten at every Layer 3 hop).

B) When the packet arrives at a Layer 2 switch (only a Layer 2 switch is considered here; a Layer 3 switch with an IP address configured on a port behaves differently), the switch only decapsulates the frame to Layer 2 (down to the source MAC) and does not understand IP addresses. It looks up its MAC-port table (the so-called virtual link creation); if the gateway's MAC corresponds to port E5, the packet is sent out of port E5.

C) After receiving the packet, router R1 can see the destination IP address (a router is a Layer 3 device and decapsulates the packet up to the IP layer). It finds that the destination IP address is 110.1.1.1, looks up its routing table, and learns that to reach the destination network the packet must be sent to the next hop 218.1.1.2. R1 therefore consults its ARP table and re-encapsulates the packet: the source and destination IP addresses remain unchanged, the source MAC is changed to the MAC of R1's outbound interface (the port connected to R2), and the destination MAC is changed to the MAC of R2's inbound interface (the interface of R2 that connects to R1). The packet is then sent to R2.

D) After receiving the packet, R2 performs the same operation as R1, and so on until the packet reaches its target. Following the previous steps, when the packet arrives at the target the source and destination IP addresses are still unchanged; the source MAC is the MAC of the R2 interface connected to PC2, and the destination MAC is the MAC of PC2. PC2 finds that the packet's destination IP and destination MAC both match its own (no attacker is involved), so it decapsulates the packet and obtains its content. The reply travels in the same way as the request.
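As an added illustration (not from the original article), the following Python simulation walks the frame PC1 → R1 → R2 → PC2 and shows the Layer 3 addresses staying fixed while the Layer 2 addresses are rewritten at each hop. Only PC1's network 1.1.1.0/24, the destination 110.1.1.2, the next hop 218.1.1.2 and the gateway MAC 0260.8c01.1111 come from the text; PC1's address 1.1.1.2 and every other MAC are assumptions, since the figure is not reproduced here.

```python
import ipaddress
from dataclasses import dataclass, replace

# Constructed topology following the article's figure. Only PC1's network
# (1.1.1.0/24), the destination 110.1.1.2, the next hop 218.1.1.2 and the gateway
# MAC 0260.8c01.1111 come from the text; every other address is an assumption.
PC1_IP, PC1_MAC, PC1_PREFIX = "1.1.1.2", "0260.8c01.2222", 24
GATEWAY_IP, GATEWAY_MAC = "1.1.1.1", "0260.8c01.1111"
PC2_IP, PC2_MAC = "110.1.1.2", "0260.8c02.2222"

@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    src_mac: str
    dst_mac: str

def l2_destination(local_ip, prefix, dst_ip, arp_table, gateway_ip):
    """Step A: same segment -> the host's own MAC, otherwise the gateway's MAC."""
    local_net = ipaddress.ip_network(f"{local_ip}/{prefix}", strict=False)
    next_hop = dst_ip if ipaddress.ip_address(dst_ip) in local_net else gateway_ip
    return arp_table[next_hop]

def router_forward(pkt, routes, arp_table, out_if_mac):
    """Step C: IPs stay as they are; MACs become this router's outbound
    interface and the next hop resolved from the routing and ARP tables."""
    dst = ipaddress.ip_address(pkt.dst_ip)
    next_hop = next(nh for net, nh in routes if dst in ipaddress.ip_network(net))
    return replace(pkt, src_mac=out_if_mac, dst_mac=arp_table[next_hop])

def trace_pc1_to_pc2():
    """Return the frame as seen on each hop: leaving PC1, leaving R1, leaving R2."""
    first = Packet(PC1_IP, PC2_IP, PC1_MAC,
                   l2_destination(PC1_IP, PC1_PREFIX, PC2_IP,
                                  {GATEWAY_IP: GATEWAY_MAC}, GATEWAY_IP))
    # R1: route to 110.1.1.0/24 via 218.1.1.2 (from the text); link MACs are assumed.
    at_r2 = router_forward(first, [("110.1.1.0/24", "218.1.1.2")],
                           {"218.1.1.2": "0260.8c03.0002"}, "0260.8c03.0001")
    # R2: 110.1.1.0/24 is directly connected, so the "next hop" is PC2 itself.
    at_pc2 = router_forward(at_r2, [("110.1.1.0/24", PC2_IP)],
                            {PC2_IP: PC2_MAC}, "0260.8c04.0001")
    return [first, at_r2, at_pc2]
```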


2. Data transmission in a shared network (PC1 sends packets to PC2)

The only difference between packet transmission in a shared network and in a switched network lies in the second step. In a switched network, the switch forwards according to its MAC-port table, so apart from the gateway (see the figure), the other PCs on the same switch cannot receive the packet (in the absence of an attack). In a shared network, the hub is a Layer 1 device, so it broadcasts every packet that arrives out of every port except the one it was received on, and all PCs connected to the same hub receive the packet.

Note: Normally the network adapter works in non-promiscuous mode. That is, even when a packet is received, the NIC checks whether the destination MAC is its own; if it is different, the packet was not sent to this host, so it is discarded, and only packets whose destination MAC matches are accepted. Promiscuous mode must be enabled for sniffing; in this mode the NIC does not perform this check at all.


II. ARP spoofing

1. Spoofing process and principle

From the packet transmission process above, we know that Layer 2 forwarding is based on MAC addresses, and that a PC must consult its ARP table when sending. Therefore, as long as attackers can tamper with the target's ARP table, they can drag the target's traffic to their own machine.

A) Under normal circumstances, PC1 (1.1.1.2) learns from its local ARP table that the MAC address of the gateway 1.1.1.1 is 0260.8c01.1111. Therefore, when PC1 encapsulates a packet, it sets the destination MAC to the router's MAC, and the switch forwards the packet from port E1 to the router according to its MAC-port table.

B) The hacker has full control of PC2 and keeps sending forged ARP packets to PC1 stating that the MAC corresponding to 1.1.1.1 is 0260.8c01.1113.

C) After receiving the hacker's ARP packets, PC1 refreshes its ARP table and mistakenly records the MAC of 1.1.1.1 as 0260.8c01.1113.

D) Packets that PC1 sends toward the Internet now carry the destination MAC 0260.8c01.1113 (the MAC address of PC2), which shows that PC1's ARP table has been deceived.

E) The switch, after decapsulating the frame, finds that the port corresponding to the destination MAC is E4 (PC2's interface; a chain reaction!), and sends the packet out of port E4.

F) PC2 successfully receives the request packet that PC1 sent toward the Internet. After inspecting the packet, PC2 retransmits it with the source and destination IP addresses unchanged, the source MAC changed to PC2's MAC, and the destination MAC changed to the gateway's MAC (the packet is restored to normal and looks exactly like the packet PC1 would have sent without the attack). PC2 then sends the modified packet to the switch, completing the spoofing. Because the router's ARP table is not poisoned, the response packet is returned directly to PC1.


2. How to select the direction of spoofing

Choosing the correct direction of spoofing is also very important. From the description above, the spoofing direction is PC1 → gateway. So how do we determine the correct direction of deception?

A) On an employee's office network, we know that normal request packets carry a lot of sensitive information, such as the account password of a website's management backend. The request packet travels employee PC → gateway. If the hacker's computer is on the same network segment as the employees, the hacker will normally impersonate the gateway toward the employees' PCs in order to intercept request packets.

B) Server network. In an IDC (server network), the administrator generally accesses the servers from outside, so the request packet is forwarded by the gateway to the server; that is, the direction of request packets is gateway → server. If hackers control a server in the data center, then in order to intercept sensitive information such as server login passwords in request packets, they generally spoof the gateway, telling it that they are a certain server or a group of servers.

C) In fact, whether on the employee network or inside the data center, hackers are more accustomed to two-way spoofing: on the one hand they tell the gateway that they are certain terminals, and on the other hand they tell the other terminals in the same network segment that they are the gateway. However, this generates a large amount of junk traffic, because response packets basically carry no sensitive information.

3. ARP spoofing bottleneck

To get more sensitive information, many people use two-way + batch spoofing. On the one hand, the attacker tells the gateway that the IP addresses corresponding to its MAC are all the IP addresses in the network segment (no matter which server a packet is addressed to, as long as it is in that segment, the gateway forwards it to the attacker); on the other hand, the attacker impersonates the gateway to all terminals in the same segment (in fact, deceiving all terminals in the segment is easier: simply set the destination MAC of the ARP packet to FF-FF-FF-FF-FF-FF), so that every packet sent by the terminals passes through the attacker's machine. However, in this case the machine controlled by the attacker directly carries the traffic of the entire network segment, and all of that data must be processed, re-encapsulated and forwarded, which places an unusually high demand on that machine's performance and configuration. Therefore, choosing the target and direction of spoofing is very important.


III. Differences between sniffing and ARP spoofing

A) Sniffing generally occurs in a shared network, where a hub is usually used as the access layer. No matter what the packets passing through the hub look like, the hub works at Layer 1 and does not know what the packet looks like above Layer 2, so it broadcasts them all. A computer in the same network segment only needs to set its NIC to promiscuous mode.

B) Sniffing alone does not work in a switched network. Because the switch forwards packets according to its MAC-port table, if you only set the NIC to promiscuous mode without ARP spoofing, you will receive nothing but the broadcast packets in the network.

C) ARP spoofing is applicable to shared networks as well, but it is an option that affects network traffic and the network itself; in addition, ARP spoofing generates a large number of ARP packets, which are easy to detect. Sniffing, by contrast, has almost no impact on the network, because it only listens and generates no extra packets.
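The spoofing sequence in Section II and the detectability noted in point C above suggest a simple detector. The following Python code is an added example, not part of the original article: it watches ARP replies and flags an IP whose MAC changes (the gateway 1.1.1.1 moving from 0260.8c01.1111 to 0260.8c01.1113), one MAC claiming several IPs (the batch spoofing of Section II.3), and a burst of replies from one sender. The sample replies, the victim address 1.1.1.2, the host 1.1.1.7 and the timings are constructed.

```python
from collections import defaultdict, deque

# Constructed ARP reply records: (time_s, sender_ip, sender_mac, target_ip).
# Gateway 1.1.1.1 / 0260.8c01.1111 and the attacker MAC 0260.8c01.1113 follow the
# article; timing, the victim 1.1.1.2 and the host 1.1.1.7 are assumptions.
SAMPLE_REPLIES = [
    (0.0, "1.1.1.1", "0260.8c01.1111", "1.1.1.2"),  # genuine gateway reply
    (0.4, "1.1.1.7", "0260.8c01.7777", "1.1.1.2"),  # another host, nothing unusual
    (3.0, "1.1.1.1", "0260.8c01.1113", "1.1.1.2"),  # gateway IP now claims PC2's MAC
    (3.2, "1.1.1.7", "0260.8c01.1113", "1.1.1.2"),  # the same MAC also claims 1.1.1.7
] + [(3.3 + 0.1 * i, "1.1.1.1", "0260.8c01.1113", "1.1.1.2") for i in range(5)]  # re-poisoning

class ArpWatch:
    """Flags the three symptoms of the spoofing described above: an IP whose MAC
    changes, one MAC claiming several IPs, and a burst of replies from one sender."""

    def __init__(self, window_s=1.0, burst_threshold=5):
        self.window_s = window_s
        self.burst_threshold = burst_threshold
        self.baseline = {}                   # ip -> first MAC seen for it
        self.flagged = set()                 # (ip, mac) pairs already reported
        self.ips_by_mac = defaultdict(set)   # mac -> IPs it has claimed
        self.recent = defaultdict(deque)     # mac -> reply timestamps in window

    def observe(self, ts, sender_ip, sender_mac, target_ip):
        alerts = []
        known = self.baseline.setdefault(sender_ip, sender_mac)
        if known != sender_mac and (sender_ip, sender_mac) not in self.flagged:
            self.flagged.add((sender_ip, sender_mac))
            alerts.append(("mapping_changed", sender_ip, known, sender_mac))
        claimed = self.ips_by_mac[sender_mac]
        if sender_ip not in claimed:
            claimed.add(sender_ip)
            if len(claimed) > 1:
                alerts.append(("mac_claims_multiple_ips", sender_mac, sorted(claimed)))
        q = self.recent[sender_mac]
        q.append(ts)
        while ts - q[0] > self.window_s:     # drop replies older than the window
            q.popleft()
        if len(q) == self.burst_threshold:   # fire once, as the threshold is crossed
            alerts.append(("reply_burst", sender_mac, len(q)))
        return alerts

def run(replies):
    """Feed every reply to one ArpWatch and collect the alerts in order."""
    watch = ArpWatch()
    return [alert for reply in replies for alert in watch.observe(*reply)]
```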


IV. Security of encryption

Many people say that using HTTPS or a VPN prevents sniffing or ARP spoofing; this is not the whole picture, because it depends on the specific network and technology. Next I discuss HTTPS and VPNs in shared and switched networks.

1. Shared network + sniffing

A) Using HTTPS in a shared network effectively solves the problem of data theft (except when the private certificate is leaked). The sniffing host cannot decrypt the traffic because it does not have the certificate of the server being listened to.

B) Using VPN technology in a shared network may not prevent it. Some VPN technologies only add an IP header to the original packet without encrypting the content, so an attacker can still obtain the packet content by listening.

2. Switched network + ARP spoofing

In principle, this kind of attack is a man-in-the-middle attack, and the attacker can forge any certificate. So for HTTPS, an attacker can obtain the plaintext by hijacking the connection and presenting a forged certificate (the forged certificate is not signed by a CA the client trusts, so this relies on the user ignoring the certificate warning). However, protocols whose key never travels over the public network (for example, SSH with public-key authentication, where the key is not sent over the network) cannot have their plaintext intercepted or forged in this way.

3. Shared network + ARP spoofing

This case is no different from the attack in Section 2, so it is not discussed in detail.


V. How to prevent ARP spoofing and sniffing

There are already many solutions on the Internet; here is a simple prevention method, which Part IV also touched on.

In a switched network, two-way binding (static IP-MAC entries on both the terminals and the gateway) is generally used to solve the ARP spoofing problem. Some experts say that the switch itself can be spoofed by forging MAC addresses, which is another bypass method; in fact, this method is not very feasible. Although packets can sometimes be intercepted this way, it confuses the switch's MAC-port table, and when a packet is delivered to you it is no longer delivered to the target server, so a denial of service results.

Two-way binding is theoretically ineffective in a shared network, because any data passing through the hub is broadcast; even with binding in place, all terminals still receive the packets. Unlike a Layer 2 switch, a hub has no MAC-port table.
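To check that the static binding described above is actually in place on a Linux host, the following added Python script (not from the original article) audits the output of `ip neigh show` against the expected gateway binding and produces the `ip neigh replace ... nud permanent` command for each entry that is missing, dynamic, or points at the wrong MAC. The gateway 1.1.1.1 / 0260.8c01.1111 and PC2's MAC 0260.8c01.1113 come from the article; the sample table, the interface name eth0 and the 1.1.1.7 entry are constructed.

```python
import re

# Expected IP-to-MAC bindings, in the article's dotted notation (gateway 1.1.1.1 ->
# 0260.8c01.1111 from the text; the 1.1.1.7 entry is an assumption).
EXPECTED = {"1.1.1.1": "0260.8c01.1111", "1.1.1.7": "0260.8c01.7777"}

# Constructed sample of `ip neigh show` output on a Linux host after PC2 has
# poisoned the gateway entry (0260.8c01.1113 is PC2's MAC in the article).
SAMPLE_NEIGH = """\
1.1.1.1 dev eth0 lladdr 02:60:8c:01:11:13 REACHABLE
1.1.1.7 dev eth0 lladdr 02:60:8c:01:77:77 PERMANENT
1.1.1.9 dev eth0 lladdr 02:60:8c:01:99:99 STALE
"""

def normalize_mac(mac):
    """Accept 0260.8c01.1111, 02-60-8c-..., or 02:60:8c:... and return aa:bb:cc:dd:ee:ff."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"bad MAC: {mac}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))

def parse_neigh(text):
    """Return {ip: (mac, state, dev)} from `ip neigh show` lines; entries without lladdr are skipped."""
    table = {}
    for line in text.splitlines():
        m = re.match(r"(\S+) dev (\S+) lladdr (\S+) (\S+)", line)
        if m:
            ip, dev, mac, state = m.groups()
            table[ip] = (normalize_mac(mac), state, dev)
    return table

def audit(expected, neigh_text, dev="eth0"):
    """Return (findings, fix_commands): one finding per binding that is missing,
    points at the wrong MAC, or is not a PERMANENT (static) entry."""
    table = parse_neigh(neigh_text)
    findings, fixes = [], []
    for ip, want in expected.items():
        want = normalize_mac(want)
        entry = table.get(ip)
        if entry is None:
            findings.append((ip, "missing"))
        elif entry[0] != want:
            findings.append((ip, f"wrong MAC {entry[0]} (expected {want})"))
        elif entry[1] != "PERMANENT":
            findings.append((ip, f"dynamic entry ({entry[1]})"))
        else:
            continue
        iface = entry[2] if entry else dev
        fixes.append(f"ip neigh replace {ip} lladdr {want} dev {iface} nud permanent")
    return findings, fixes
```

The fix commands must be run as root on the host being audited; the STALE entry for 1.1.1.9 is reported only if it is added to EXPECTED.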


Of course, regarding the principles, exploitation and defense of sniffing and ARP attacks, this article is just a bit of my experience and is for reference only. Having said so much about ARP attacks, in practice a Cain, a sniffer and an Ettercap can do it all.
