Man-in-the-middle attack-principles, practices, and defense of ARP Spoofing

0 × 01.1What is gateway

First, let's briefly explain what a gateway is. The Gateway works in the transport layer or application layer of the OSI Layer-7 model and is used for the connection between different networks of the high-level protocol. Simply put, A gateway is like a door connecting a room to another room.

 

0 × 01.2 ARPWhat is the protocol?

ARP (Address Resolution Protocol) Address translation Protocol works at the data link layer of the OSI model. In Ethernet, network devices communicate with each other using MAC addresses instead of IP addresses, ARP is used to convert an IP address to a MAC address. In contrast to ARP, RARP is a reverse address translation protocol that converts MAC addresses to IP addresses.

Assume that A (192.168.1.2) and B (192.168.1.3) are in the same LAN, and A needs to communicate with B. A first sends A packet to the broadcast address (192.168.1.255). The packet contains the source IP address (A), source MAC address, destination IP address (B), and destination MAC address, this packet will be sent to all hosts in the LAN, but only host B will reply A packet containing the Source IP (B), source MAC, destination IP (), the destination MAC packet to A, and host A will save the returned address in the ARP cache table.

 

0 × 01.3 ARPSpoofing Principle

As mentioned above, the ARP cache table has an ARP cache table on each host. The cache table records the correspondence between IP addresses and MAC addresses, LAN data transmission relies on MAC addresses.

Assume host A 192.168.1.2, B 192.168.1.3, C 192.168.1.4; Gateway G 192.168.1.1; In the same LAN, host A and host B communicate with each other through the gateway G, like two people writing letters to A and B, C will never know what A and B have said. However, it is not as secure as imagined. There is a defect in the ARP cache table mechanism, that is, when the Request Host receives the ARP response packet, if you do not verify that you have sent an ARP request packet to the host, you can directly store the IP address and MAC address in the returned packet in the ARP cache table, if the original IP address is the same, the original IP address is replaced.

In this way, C has the possibility of eavesdropping on the conversation between A and B. Continue to think about the above example:

C pretend to be A postman, first tell A: "I am A postman" (host C sends A constructed response packet to A, the source IP address is G 192.168.1.1, the source MAC address is the MAC address of C). Stupid A easily believes that the message "C is A postman" is recorded in his mind;

C then pretends to be A and tells the Postman: "I am A" (C sends A constructed return packet to the Gateway G. The source IP address is A 192.168.1.2 and the source MAC address is its own MAC address ), I believe it when I think about it, and then I send A letter from B to C. Of course, C can know what A and B talk about.

The story of ABCG above is the principle of ARP two-way spoofing.

ARP one-way spoofing is better understood. C Only sends A return packet to A, telling A: the MAC address of G 192.168.1.1 is 5c-63-bf-79-1d-fa (an incorrect mac address ), A records this information in the cache table, while G's cache table remains unchanged. That is to say, A gives the data packet to C, while G's package still gives, this is ARP one-way spoofing.

 

0 × 02.1PracticeARPSpoofing

ARP spoofing, also known as ARP poisoning, is a man-in-the-middle attack. I use a virtual machine to simulate the whole process of ARP spoofing.

First, let's take a look.

By default, records of gateway IP addresses and MAC addresses exist in the ARP cache table.

Check the ARP cache table of the target host.

 

Target IP address and local IP Address

 

IP forwarding must be enabled before arp spoofing. Otherwise, the target will be disconnected from the network and the target will be noticed by the other party.
Sysctl-w net. ipv4.ip _ forward = 1 or echo 1>/proc/sys/net/ipv4/ip_forward

IP forwarding enabled successfully

 

Send a response packet to the destination 192.168.124.small, containing the following content:

Source ip Address: 192.168.124.2

Source MAC: 00: 0c: 29: 86: a1: 04

Now let's look at the ARP cache of the target host.

 

It can be seen that the arp cache of the target host has changed. The MAC of the Gateway (192.168.124.2) recorded in the cache table has changed to the MAC of the attacker.

The above is a simple ARP spoofing.

 

0 × 02.2 ARPDangers of deception

Communication between hosts in the LAN will be affected. If gateway spoofing occurs, the Internet will also be affected.

Hackers can use ARP spoofing to steal sensitive user information and mount Trojans.

Here is a simple example of ARP spoofing sniffing Telnet Account Password

 

 

0 × 03How to PreventARPSpoofing

1. Bind the gateway MAC and IP address to the host as static (dynamic by default). Command: arp-s gateway IP Gateway MAC

2. Bind the host MAC address and IP address to the Gateway

3. Use the arpfirewall