Practice: Use the packet capture method to solve ARP virus spoofing attacks

Source: Internet
Author: User

Recently, hosts on the network have been dropping off frequently. Everything is normal at first, but after a while the connection drops; sometimes it recovers very quickly, sometimes it takes several minutes, and this has a huge impact on work. At first I suspected a physical fault, so I started with the items that are easiest to check. Nothing abnormal was found! Then I remembered the ARP attacks that are so common on the Internet these days: the symptoms of an ARP attack are very similar! ARP attacks are hard to identify and confirm by ordinary means, so packet capture analysis is required.

1. Principles

Before solving the problem, we should first understand how ARP works.

ARP principle:

First, each host keeps an ARP table in its own ARP cache that maps IP addresses to MAC addresses. When the source host needs to send a packet to a target host, it first checks whether its ARP table already contains the MAC address for that IP address; if so, the packet is sent directly to that MAC address. If not, it broadcasts an ARP request onto the subnet to ask for the MAC address of the target host. This ARP request carries the IP address and hardware address of the source host and the IP address of the target host.

When the hosts on the network receive this ARP request, each checks whether the destination IP address in the packet matches its own IP address. If it does not match, the packet is ignored. If it matches, the host first adds the sender's MAC and IP addresses to its ARP table (if the table already holds an entry for that IP address, the entry is overwritten), and then sends an ARP reply to the source host telling it that it owns the MAC address being looked for. When the source host receives the ARP reply, it adds the IP and MAC addresses of the target host to its own ARP table and uses this information to start transmitting data. If the source host never receives an ARP reply, the ARP query fails.

ARP spoofing principle:

First, we simulate an environment:
Gateway: 192.168.1.1, MAC address: 00:11:22:33:44:55
Spoofing host A: 192.168.1.100, MAC address: 00:11:22:33:44:66
Spoofed host B: 192.168.1.50, MAC address: 00:11:22:33:44:77

Spoofing host A keeps sending ARP replies to the gateway, telling the gateway that 192.168.1.50 (host B) is at host A's own MAC address. The gateway trusts these replies, so in the gateway's ARP cache the MAC address for 192.168.1.50 becomes 00:11:22:33:44:66, the MAC address of host A, and the traffic the gateway sends to host B is delivered to host A instead. At the same time, host A continuously sends ARP requests to host B in which it claims to be the gateway, so host B believes host A is the gateway: host B's cache now holds an entry mapping 192.168.1.1 to 00:11:22:33:44:66, and the data host B sends to the gateway is actually delivered to host A. The communication between host B and the gateway therefore passes through host A, which acts as a man-in-the-middle forwarding data between the two. This is ARP spoofing.
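To make the cache behaviour concrete, here is an added simulation (not code from the original article) of the scenario above, using its three addresses. It models the ARP rules from the previous section: a request addressed to a host teaches that host the sender's mapping, and a reply overwrites the entry for its sender IP whether or not the receiver ever asked. The `Host` and `ArpPacket` classes are my own; nothing is sent on a real network.

```python
from dataclasses import dataclass
from typing import Dict, Optional

# Addresses taken from the scenario in the article.
GATEWAY_IP, GATEWAY_MAC = "192.168.1.1", "00:11:22:33:44:55"
HOST_A_IP, HOST_A_MAC = "192.168.1.100", "00:11:22:33:44:66"   # spoofing host
HOST_B_IP, HOST_B_MAC = "192.168.1.50", "00:11:22:33:44:77"    # spoofed host
BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class ArpPacket:
    op: str          # "request" or "reply"
    sender_mac: str
    sender_ip: str
    target_mac: str  # BROADCAST for a request
    target_ip: str


class Host:
    """A host whose ARP cache behaves as the article describes: no authentication,
    and an existing entry is simply overwritten by whatever arrives."""

    def __init__(self, ip: str, mac: str) -> None:
        self.ip, self.mac = ip, mac
        self.cache: Dict[str, str] = {}

    def resolve(self, ip: str) -> Optional[ArpPacket]:
        """Return None if the cache already answers, else the broadcast request we would send."""
        if ip in self.cache:
            return None
        return ArpPacket("request", self.mac, self.ip, BROADCAST, ip)

    def receive(self, pkt: ArpPacket) -> Optional[ArpPacket]:
        """Process one ARP packet and return the reply we would send, if any."""
        if pkt.op == "request":
            if pkt.target_ip != self.ip:
                return None                                   # not for us: ignored
            self.cache[pkt.sender_ip] = pkt.sender_mac        # learn (or overwrite) the requester
            return ArpPacket("reply", self.mac, self.ip, pkt.sender_mac, pkt.sender_ip)
        # A reply is accepted even if we never asked; this is the weakness ARP spoofing abuses.
        self.cache[pkt.sender_ip] = pkt.sender_mac
        return None


def simulate_spoofing() -> Dict[str, Dict[str, str]]:
    """Run the article's scenario and return the relevant caches before and after."""
    gateway = Host(GATEWAY_IP, GATEWAY_MAC)
    host_b = Host(HOST_B_IP, HOST_B_MAC)

    # 1. Legitimate exchange: the gateway resolves host B and learns its real MAC.
    request = gateway.resolve(HOST_B_IP)
    reply = host_b.receive(request)
    gateway.receive(reply)
    gateway_before = dict(gateway.cache)

    # 2. Host A sends the gateway a forged reply: "192.168.1.50 is at 00:11:22:33:44:66".
    gateway.receive(ArpPacket("reply", HOST_A_MAC, HOST_B_IP, GATEWAY_MAC, GATEWAY_IP))

    # 3. Host A sends host B a request whose sender fields claim to be the gateway.
    host_b.receive(ArpPacket("request", HOST_A_MAC, GATEWAY_IP, BROADCAST, HOST_B_IP))

    return {
        "gateway_before": gateway_before,
        "gateway_after": dict(gateway.cache),
        "host_b": dict(host_b.cache),
    }


if __name__ == "__main__":
    for name, cache in simulate_spoofing().items():
        print(name, cache)
```

After step 1 the gateway's cache correctly maps 192.168.1.50 to host B's MAC; after steps 2 and 3 both the gateway's entry for host B and host B's entry for the gateway point at host A, exactly the man-in-the-middle position described above.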

2. Solution

It seemed that only packet capture would do. First I configured port mirroring on the switch, then I connected the analysis system's computer to the mirror port so that it collected all the traffic on the network. Going through the various views, I got the analysis result: the diagnostics view reported too many "ARP replies without requests".

During the diagnosis I found that almost all of the ARP replies were sent by 00:20:ED:AA:0D:04, and there were a great many of them. In addition, the system's reference information warned that ARP spoofing might be present. It looked like I was on the right track, but to confirm it I had to combine this with other information, so I opened the Protocol view to learn more about the ARP traffic.

The gap between the number of ARP replies and the number of ARP requests is far too large, which is not normal. Next, let's look at the packet details.

The packet contents made the problem plain. 00:20:ED:AA:0D:04 is telling every host on the 192.168.20.x segment that it is the gateway; in other words, "I want to be the man-in-the-middle". The traffic of every spoofed host is "reviewed" by it.

Now it was basically confirmed to be an ARP spoofing attack. Next I needed to find out which host owns the MAC address 00:20:ED:AA:0D:04. Fortunately, I had recorded a table of all internal hosts and their MAC addresses in normal times, and with it I finally located the real culprit. It had probably been infected with an ARP virus, so I immediately disconnected it from the network and ran anti-virus on it. The network was back to normal! The whole world was quiet again!
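As an added example, not the author's capture or analysis tool, the script below applies the three observations from the diagnosis above to a constructed ARP capture: one MAC sends far more replies than requests, most of its replies answer no request, and it claims the gateway's IP address. It then names the suspect from a recorded MAC inventory, the table the author kept "in normal times". The MAC 00:20:ED:AA:0D:04 is the one named in the article; the gateway address 192.168.20.1 and its MAC, the workstation addresses and the host inventory are assumptions made up for the example.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class ArpRecord:
    op: str          # "request" or "reply"
    sender_mac: str
    sender_ip: str
    target_ip: str


# Constructed capture, not the author's trace. Only ROGUE_MAC comes from the article;
# the gateway, workstation addresses and inventory below are assumptions.
GATEWAY_IP = "192.168.20.1"
GATEWAY_MAC = "00:aa:bb:cc:dd:01"   # assumed MAC of the real gateway
ROGUE_MAC = "00:20:ed:aa:0d:04"

CAPTURE: List[ArpRecord] = [
    # Normal behaviour: a workstation asks for the gateway, the gateway answers.
    ArpRecord("request", "00:aa:bb:cc:dd:11", "192.168.20.11", GATEWAY_IP),
    ArpRecord("reply",   GATEWAY_MAC,         GATEWAY_IP,      "192.168.20.11"),
    ArpRecord("request", "00:aa:bb:cc:dd:12", "192.168.20.12", GATEWAY_IP),
    ArpRecord("reply",   GATEWAY_MAC,         GATEWAY_IP,      "192.168.20.12"),
] + [
    # Rogue host answers questions nobody asked, claiming the gateway's IP for its own MAC.
    ArpRecord("reply", ROGUE_MAC, GATEWAY_IP, f"192.168.20.{n}") for n in range(11, 31)
]

# MAC -> hostname, the table recorded before the incident (constructed).
INVENTORY: Dict[str, str] = {
    GATEWAY_MAC: "core-router",
    "00:aa:bb:cc:dd:11": "ws-11",
    "00:aa:bb:cc:dd:12": "ws-12",
    ROGUE_MAC: "ws-23",
}


def count_ops_per_mac(capture: List[ArpRecord]) -> Dict[str, Counter]:
    """Requests and replies sent by each MAC; a healthy host sends roughly as many of each."""
    counts: Dict[str, Counter] = defaultdict(Counter)
    for rec in capture:
        counts[rec.sender_mac][rec.op] += 1
    return dict(counts)


def unsolicited_replies(capture: List[ArpRecord]) -> Dict[str, int]:
    """Count, per sender MAC, the replies that answer no earlier request for that sender's IP."""
    pending: Set[Tuple[str, str]] = set()   # (IP being asked for, IP of the requester)
    unsolicited: Counter = Counter()
    for rec in capture:
        if rec.op == "request":
            pending.add((rec.target_ip, rec.sender_ip))
            continue
        key = (rec.sender_ip, rec.target_ip)
        if key in pending:
            pending.discard(key)            # a legitimate answer to an open question
        else:
            unsolicited[rec.sender_mac] += 1
    return dict(unsolicited)


def gateway_impersonators(capture: List[ArpRecord], gateway_ip: str, gateway_mac: str) -> Set[str]:
    """MACs other than the real gateway that put the gateway's IP in the sender field."""
    return {rec.sender_mac for rec in capture
            if rec.sender_ip == gateway_ip and rec.sender_mac != gateway_mac}


def suspects(capture: List[ArpRecord], gateway_ip: str, gateway_mac: str,
             inventory: Dict[str, str]) -> Dict[str, str]:
    """Combine the three signals and name each suspect MAC from the inventory (Method 1)."""
    counts = count_ops_per_mac(capture)
    unsolicited = unsolicited_replies(capture)
    found: Dict[str, str] = {}
    for mac in gateway_impersonators(capture, gateway_ip, gateway_mac):
        if counts[mac]["reply"] > counts[mac]["request"] and unsolicited.get(mac, 0) > 0:
            found[mac] = inventory.get(mac, "unknown host: not in inventory")
    return found


if __name__ == "__main__":
    print(suspects(CAPTURE, GATEWAY_IP, GATEWAY_MAC, INVENTORY))
```

On the constructed capture the real gateway produces no unsolicited replies, while the rogue MAC produces twenty and is the only one claiming the gateway's IP, so it is reported together with its inventory name. In practice the `CAPTURE` list would be filled from records exported from the mirror-port capture, and a MAC missing from the inventory is itself worth investigating.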

3. Summary (fault principle)

Let's review the ARP attack above. The host with MAC address 00:20:ED:AA:0D:04 scanned and attacked all the hosts on the 192.168.20.x segment, telling them that it was the gateway, so the data of the spoofed hosts was sent to the host with MAC address 00:20:ED:AA:0D:04. However, judging from the packets I captured, the host at 00:20:ED:AA:0D:04 did not also spoof the real gateway, which is why our network was disconnected.

4. Additional content

ARP attack faults can also be prevented. The following three methods are common:

Method 1: Record the MAC address of each host in normal times. When a problem occurs, use a MAC address scanning tool to scan the MAC addresses of the hosts currently on the network and compare them with the earlier record to find the problem host.

Method 2: Use arp -s. In an MS-DOS (command prompt) window, run arp -s with the gateway IP address and the gateway MAC address to bind them manually. Static binding reduces attacks as far as possible. Note that a manual binding is lost when the computer restarts and has to be created again; however, we can put the command in a batch file to spare ourselves some of the tedious manual binding!

Method 3: Use anti-ARP software such as Antiarp (AntiArpSniffer), which can prevent packets from being intercepted by ARP techniques and can block address-conflict packets sent using ARP techniques.
