Sniffing and session hijacking without ARP Spoofing
Source: Internet
Author: User
This article describes the technical principle of sniffing and session hijacking without ARP spoofing. The actual attack method is MAC spoofing.
I. Principle:
Before getting started, let's look at how a switch forwards frames. When a switch port receives a data frame, the switch first looks up the frame's destination MAC address in its MAC address table (the CAM table) to find the corresponding port. If the destination port and the source port are different, the frame is forwarded out of the destination port, and the mapping between the source port and the source MAC address in the MAC address table is updated; if the destination port is the same as the source port, the frame is discarded.
Consider the following scenario:
A four-port switch with ports port.A, port.B, port.C and port.D, connected to hosts A, B, C and D respectively, where D is the gateway.
When host A sends data to host B, host A encapsulates the data frame according to the OSI model. During this process, host A resolves the MAC address of host B from its IP address and fills it in as the destination MAC address of the frame. Before sending, the MAC control circuit of the NIC first makes a check: if the destination MAC is the same as the NIC's own MAC, the frame is not sent; otherwise, the NIC sends it. When port.A receives the data frame, the switch finds in its MAC address table that the MAC address of B (the destination MAC of the frame) corresponds to port.B, while the source port is port.A, so the switch forwards the frame out of port.B. Host B receives the data frame.
This addressing process can be summarized as IP -> MAC -> port. ARP spoofing forges the relationship between IP addresses and MAC addresses; MAC spoofing forges the correspondence between MAC addresses and ports. An earlier attack method was flooding the switch's MAC address table. This does make the switch work in broadcast mode and allows sniffing, but it places a heavy load on the switch and causes network slowness, packet loss, and even a complete outage. We do not use this method.
II. Practice
The working environment is the four-port switch described above. The software used as an example is httphijack from cncert, and in the application, host A is used to hijack host C.
The hijacking process is as follows (DA is the destination MAC and SA is the source MAC):
1. A sends to the gateway any data packet with DA = gateway.Mac, SA = B.Mac.
This tells the switch that port.A corresponds to B.Mac. For a period of time, the switch will send all data frames addressed to B.Mac to host A. This lasts until host B sends a data packet, or until another DA = gateway.Mac, SA = B.Mac data packet is generated.
2. Host A receives the data sent from the gateway to host B. After recording or modifying it, A must forward it to host B. Before forwarding, A sends a broadcast request for B.Mac. This packet is a normal one.
MAC information: DA = ffffffffffff, SA = A.Mac.
This data frame tells the switch that port.A corresponds to A.Mac, and it prompts host B to respond with a reply packet.
MAC information: DA = A.Mac, SA = B.Mac.
This data frame tells the switch that port.B corresponds to B.Mac.
At this point the original mapping has been restored, and host A can forward the hijacked data to host B.
3. Forward the hijacked data to B to complete one round of hijacking.
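The CAM learning and forwarding rules of section I, replayed over the three steps of section II, as an added example that is not part of the original article or of the tools it names. The switch model raises an alert whenever a source MAC is learned on a different port than before, which is the observable signature of step 1 (B.Mac jumping to port.A) and of the restore in step 2 (B.Mac returning to port.B); the MAC addresses and port names are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

BROADCAST = "ff:ff:ff:ff:ff:ff"
# Constructed addresses for the four-port scenario (not real hosts).
A_MAC, B_MAC, GW_MAC = "02:00:00:00:00:0a", "02:00:00:00:00:0b", "02:00:00:00:00:0d"

@dataclass
class Frame:
    sa: str        # source MAC
    da: str        # destination MAC
    in_port: str   # port the switch received the frame on

@dataclass
class SwitchMonitor:
    """CAM learning and forwarding as described in section I, plus a MAC-move alert."""
    cam: Dict[str, str] = field(default_factory=dict)  # MAC -> port
    alerts: List[str] = field(default_factory=list)
    def forward(self, f: Frame) -> Optional[str]:
        # Learning step: the source MAC is (re)bound to the ingress port. A MAC that
        # jumps between ports is exactly the signature of steps 1 and 2 of the hijack.
        prev = self.cam.get(f.sa)
        if prev is not None and prev != f.in_port:
            self.alerts.append(f"{f.sa} moved {prev}->{f.in_port}")
        self.cam[f.sa] = f.in_port
        # Forwarding step: unknown unicast and broadcast are flooded; a known unicast
        # goes out its CAM port unless that is the ingress port, in which case it is dropped.
        out = self.cam.get(f.da)
        if f.da == BROADCAST or out is None:
            return "flood"
        return None if out == f.in_port else out

def run_hijack_sequence() -> Tuple[List[Optional[str]], List[str]]:
    """Replays the three steps of section II and returns (egress ports, alerts)."""
    sw = SwitchMonitor(cam={A_MAC: "port.A", B_MAC: "port.B", GW_MAC: "port.D"})
    frames = [
        Frame(B_MAC, GW_MAC, "port.A"),     # step 1: A sends SA=B.Mac to the gateway
        Frame(GW_MAC, B_MAC, "port.D"),     # gateway's reply to B now lands on port.A
        Frame(A_MAC, BROADCAST, "port.A"),  # step 2: A broadcasts a request for B.Mac
        Frame(B_MAC, A_MAC, "port.B"),      # B's reply re-binds B.Mac to port.B
        Frame(A_MAC, B_MAC, "port.A"),      # step 3: A forwards the hijacked data to B
    ]
    return [sw.forward(f) for f in frames], sw.alerts

if __name__ == "__main__":
    for line in run_hijack_sequence()[1]:
        print("ALERT:", line)
```

The two alerts are the events a port-security or MAC-move notification feature on the switch would log, which is why section IV points to binding MAC and port on the switch rather than to host software.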
III. Attack features
1. Because this attack method works in time slices, the larger the target's traffic, the lower the hijacking frequency and the more stable the network.
2. Strong concealment. Because of the characteristic in point 1 and the way it works, it can operate in environments with an ARP firewall and two-way binding.
IV. Protection
Higher-end switches can bind IP + MAC + port to control automatic learning of the CAM table. No host software can defend against this kind of attack.
V. Tools used
1. httphijack beta 2: HTTP session hijacking
2. ssclone: session replication software for switched environments (Gmail, qqmail, sohumail .....)
3. skiller: traffic control