Parsing a man-in-the-middle attack (---) ARP cache poisoning

This series will discuss the most commonly used form of man-in-the-middle attack, including ARP cache poisoning attacks (ARP caches poisoning), DNS spoofing (DNS Spoofing), HTTP session hijacking, and so on.

　　Introduction

The most common network attack for attacking individuals and businesses is a man-in-the-middle attack (MITM). As an active eavesdropping attack mode, the middle man attacks mainly by establishing a connection with the target machine and transmitting the information between the target machines to launch the attack. In this case, the user thinks he or she is communicating directly with another user, and in fact, traffic through the host is attacking the user. The end result is that the attacking host can not only intercept important information, but also inject the data stream to further control the victimized user.

In this series of articles, we will discuss the most commonly used form of man-in-the-middle attack, including ARP cache poisoning attacks (ARP caches poisoning), DNS spoofing (DNS Spoofing), HTTP session hijacking, and so on. In reality, you'll find that most of the victims are using Windows systems, so we'll analyze in detail the man-in-the-middle attacks when running different versions of Windows systems.

　　ARP cache poisoning

In this article we will focus on ARP cache poisoning, which is also the earliest form of attack in the modern man-in-the-middle attack, ARP cache poisoning (sometimes referred to as ARP poisoning route) can let the victim user on the same subnet of the attacker to steal all the users of the network nostalgia. We first discuss this form of attack because it is the most easily executed form of attack, but it is also the most effective form of attack.

　　Normal ARP Communication

The main purpose of the ARP protocol is to simplify the translation of addresses between the second and third layers of the OSI model. The second layer (also known as the data Link layer) uses the MAC address so that the hardware device can communicate directly within a small range. The third layer, the network layer, uses IP addresses (the most common form) to create large-scale networks that connect users around the world. The data link layer processes connected devices directly, and the network layer processes the devices that are directly and indirectly connected, each with its own address form, and they must work together to achieve network communication. It is for this reason that ARP is created together with the RFC826 (Ethernet Address Resolution Protocol).

　　

Figure 1:arp Communication Process

The ARP operation is actually carried out around two packets: ARP request and ARP reply. The purpose of the request and reply is to determine the hardware MAC address associated with a specific IP address so that traffic can find its destination on the network. Request packets are sent to each device on the network segment and send out a message "My IP address is XX.XX.XX.XX, my MAC address is XX:XX:XX:XX:XX:XX, I need to send the information to this IP address XX.XX.XX.XX, but I do not know its hardware address, please this IP address to reply to my MAC address? " Reply will be in the form of ARP reply packet, and reply said "Hello, delivery device, I am the IP address you are looking for XX.XX.XX.XX, my MAC address is XX:XX:XX:XX:XX:XX", after receiving the reply, the delivery device will update its ARP cache table, The device can then communicate with another device.

　　Cache poisoning

ARP cache poisoning exploits the nature of the insecure ARP protocol. The ARP protocol differs from other protocols, such as that the DNS protocol can be configured to accept only secure dynamic updates, while devices that use ARP can accept updates at any time. This means that any machine can send ARP reply packets to another host and force the host to update its ARP cache. When an ARP reply is sent without generating a request, it becomes an invalid ARP at this time. When a malicious attacker places some invalid arp in this way, the user thinks they are communicating with another user, and is actually communicating with the attacker who stole the information.

　　

Figure 2:arp Cache poisoning interception communication

　　Using Cain & Abel Tools

Let us analyze from a specific situation, an attacker would use several different tools to perform the necessary steps to poison the victim's ARP cache, and we will use the Common Security Tools Cain & Abel to simulate cache poisoning attacks. Cain & Abel is a very effective security tool, and the installation process is simple.

Before you begin to simulate cache poisoning, you need to collect some information, including the network interface you want to use for this simulated attack, and the IP address of two communications victims.

When you first open the Cain & Abel Tool, you will find a lot of tabs at the top of the window, we just need to use the sniffer option, and when you click this button you will see an empty table. In order to complete this form, you need to activate the program's built-in sniffer and scan your network.

　　

Figure 3:cain&abel Sniffer options for tools

Click the Second icon on the toolbar, similar to a network card. For the first time, you will be asked to select the interface you wish to sniff, which should be connected to the interface where you are going to execute the ARP cache poison attack. After selecting the interface, click OK to activate Cain & Abel's built-in sniffer. The toolbar icon is dimmed at this point. To create a list of valid hosts on your network, you need to click on the main toolbar like the + symbol and click Confirm.

　　

Figure 4: Scan Host

The previous empty table now fills the host name on all connected networks, as well as the MAC address, IP address, and vendor authentication information, which is advantageous for initiating ARP cache poisoning attacks.

At the point of the program window, you will see a set of tabs that will lead you to the other windows of the sniffer. Now that you have established the host list, you need to start with the ARP tag and click on the tag to switch to the ARP window.

After you open the ARP window, you will see two empty tables: The table above and the following table. After setting up these two tables, the table above shows the devices involved in ARP cache poisoning, and the following table shows all communication between the poisoned machines.

Click on the icon of the + symbol on the Standard toolbar of the program to continue setting ARP poisoning, the displayed window has a two-side selection column, and on the left, you will see a list of all valid hosts. Click on one of the IP addresses, and you will see that the right window shows all the hosts on the network without displaying the IP address you have chosen. In the right window, click another victim's IP address, and then click Confirm.

　　

Figure 5: Selecting an attack host for cache poisoning

The IP addresses of these devices are now listed in the table in the main program window, and in order to do this, click the yellow-Black radial symbol on the Standard toolbar. This activates the ARP cache poisoning feature of Cain & Abel and allows the system to become the middleman for all communication between the victim machines. If you're curious about what's going on behind the scenes, you can install Wireshark and eavesdrop on the interface, and you'll soon see the traffic between the compromised computers.

　　

Figure 6:arp Communication Injection

Once you have done this, you can stop the ARP cache poisoning by clicking the Yellow-Black launch symbol again.

　　Defending against ARP cache poisoning

From the defender's point of view ARP cache poisoning attacks appear to be in a disadvantageous position, the ARP process in the background, we are difficult to control. There is no universal solution, you can use active and passive stance to consider ARP cache poisoning.

Secure your LAN

ARP cache poisoning is indeed a feasible attack technique for intercepting communication between two hosts located on the same LAN, but the ARP cache poisoning attack can pose a real threat only if the local device on the network is compromised, if the trusted user has malicious intent, or if a user attempts to access the untrusted device to the network. While we tend to focus primarily on securing the perimeter of the network, it is absolutely better to protect against internal threats and ensure internal security.

　　Hard-coded ARP cache

The way to defend against the threat of the dynamic nature of ARP requests and replies is to make this process less dynamic, because the Windows System host allows other static table entries to enter the ARP cache, and you can view the ARP cache for Windows systems by opening a command prompt and entering the ARP-A command.

　　

Figure 7: Viewing the ARP cache

You can add table entries to this list by using this command arp–s.

If your network configuration is not constantly changing, it is entirely possible to make a list of static ARP table entries and deploy the table entries to the client through an automated script. This ensures that the device always relies on the local ARP cache instead of relying on ARP requests and replies.

　　Use third-party programs to monitor ARP traffic

Another way to protect against ARP cache poisoning attacks is to monitor the host's network traffic through a passive approach, which can be monitored through intrusion detection systems such as snort, or other monitoring tools such as Xarp. This can be a simple thing for a host, but it's not that simple for the entire network.

　　Summarize

ARP cache poisoning is the most effective way to attack in a man-in-the-middle attack because it is very easy to execute and is a huge threat to modern networks and is difficult to detect and defend against.

Note: Transferred from the IT specialist network

Resolving man-in-the-middle attacks (---) ARP cache poisoning