1 ARP Protocol Overview
IP packets are usually sent over Ethernet, but Ethernet devices do not recognize 32-bit IP addresses. They transmit Ethernet packets at 48-bit Ethernet addresses. Therefore, the IP drive must convert the destination IP address to the destination IP address of the Ethernet network. There is a static or algorithm ing between the two addresses. You often need to view a table. Address Resolution Protocol (ARP) is the Protocol used to determine these mappings, which is located at the lower layer of the TCP/IP Protocol stack, designed by TCP/IP designers using the broadcast nature of Ethernet, the main feature and advantage is that its address ing is dynamic, obtain the corresponding IP address and MAC address in the query mode.
2. ARP Working Principle
2.1 ARP operation process
1) First, each host creates an ARP table in the ARP Cache to record the relationship between the IP address and the MAC address. Each piece of information in this Table will eventually disappear according to its survival time to ensure the authenticity of the information. 2) When the sending host has a packet to be sent to the target host and the IP address of the target host is obtained, the sending host first checks whether there is a MAC address corresponding to the IP address in its ARP table. If yes, use this address directly to send packets. If no, an ARP Request broadcast packet is sent to the network to query the MAC address of the target host. This packet contains the IP address and MAC address of the sender.
3) at this time, all hosts on the network will receive the broadcast packet, and check whether the IP field of the packet is consistent with its own IP address. If not, ignore it. If yes, update the MAC address and IP address of the sender to their ARP table. If the corresponding IP address already exists, then, the original IP address is overwritten with new information. Then, an ARP Reply packet is sent to the recipient to inform the sender of the host's MAC address. 4) after the sender receives the ARP Reply, it also updates its ARP table, and then it can be transferred with this record. 5) if the sender does not obtain ARP Reply, the query fails. 1 describes the ARP broadcast process.
2.2 The ARP table mentioned earlier in the ARP query process is established only after the TCP/IP protocol is loaded into the kernel. If the TCP/IP protocol is uninstalled or the machine is disabled, the table will be cleared. The table will be re-established when the next protocol is loaded or started, and an ARP broadcast will be sent to the network to tell other machines its current address, so that all machines can maintain the most accurate information.
However, the size of the ARP cache is limited. If the limit is exceeded, the more time the transition data is not used, the more data must be cleared to free up space for storing updated data. Therefore, when the machine receives the ARP equest packet, if the query object is not its own, it will not update its ARP table based on the sender's address information, but will ignore the packet completely. At the same time, each piece of data in the cache is not permanently saved: when each piece of data is updated, it is assigned a Survival Countdown value. If the last time is reached, this information will be cleared. However, if the data has been used before the countdown, the timing value will be assigned again.
Of course, ARP still has a mechanism to handle the situation where the ARP table data does not conform to the actual address data (for example, the address data update message of the target end is received before the current connection ends ); or the target host is too busy to answer ARP requests. 2.3 ARP packet format
ARP packets are encapsulated in the Ethernet frame header for transmission, as shown in Figure 2. It is the ARP packet header format.
2.4 ARP high-speed cache the key to efficient ARP operation is that each host has an ARP high-speed cache, which records the ing between the nearest Internet address and the hardware address, the survival time of each item in the cache is generally 20 minutes, And the start time starts from the time when it is created. We can use arp-a or show arp to display all content in the cache. Note: ARP cannot send broadcasts through IP Routers, so it cannot be used to determine the MAC address of the remote network device. When the target host is in a remote network, IP addresses use ARP to determine the MAC address of the default gateway (router) and send data packets to the default gateway. The router forwards data packets in its own way.
3 reverse ARP
Reverse ARP (RARP) is used to convert a physical address (MAC address) to a corresponding IP address. For example, when a diskless workstation is started, it cannot obtain its own IP Address Configuration information from its operating system. In this case, the diskless workstation can send a broadcast request to obtain its own IP address information, while the RARP server responds to the IP request message-allocating an unused IP address to the diskless workstation (by sending an RARP response packet ).
To a large extent, RARP has been replaced by BOOTP and DHCP. The improvement of the later two protocols on RARP can provide more information besides IP addresses, such as the IP address of the default gateway and DNS server.
The RARP Query Process First queries the host to send an RARP Request broadcast packet to the network and query its own IP address from other hosts. At this time, The RARP server on the network will send the IP address of the sender to the queryer using the RARP Reply packet. In this way, the host will get its own IP address. However, unlike ARP, after the query host sends the RARP Request packet, there may be more than one RARP Reply. Because there may be more than one RARP server on the Network (based on backup and sharing considerations, it is very likely to be designed in this way), all servers that receive RARP requests will try to respond to the query host by making RARP Reply. In this case, the network will be flooded with this RARP response, making it an additional load. At this time, we have two ways to solve the RARP response problem.
The first method is to allocate a master server to each host that initiates an RARP request. Normally, only the master server responds to RARP, other hosts only record the time when the RARP request was received. If the master server cannot respond smoothly, the query host sends the RARP request again in broadcast mode while waiting for the Failover, if other non-master servers receive the same request within a short time after receiving the first request, they will respond. The second method is similar: Normally, when the master server receives the RARP request, it will directly respond. To prevent all non-master servers from returning the RARP response at the same time, each non-master server will wait for a period of time to respond. If the master server fails to respond, the query host will be delayed for a period of time before the second request is made to ensure that the response from the non-master server is received during this period of time. Of course, designers can carefully design the delay time to a reasonable interval.
4 proxy ARP
Proxy arp is also called Promiscuous ARP (RFC 925, 1027) it is generally used by devices like routers to answer ARP requests from hosts in this network segment instead of hosts in another network segment.
The following is an application of proxy ARP. As shown in figure 5, host PC1 (192.168.20.66/24) needs to send packets to host PC2 (192.168.20.20/24, because the host PC1 does not know the existence of the subnet and is in the same network segment as the target host pc2. therefore, host PC1 sends an ARP request broadcast packet to the MAC address of 192.168.20.20. In this case, the router identifies the destination address of the report as another subnet (note that the IP address of the router interface is configured with a 28-bit mask). Therefore, the router returns its hardware address to the Request Host.
(0004. dd9e. cca0 ). Then, PC1 sends the packets sent to PC2 to the MAC address 0004. dd9e. cca0 (router interface E0/0), and the router forwards the packets to the target host pc2. (Next, the router will send data packets to pc2 ). This ARP makes the subnet network topology transparent to the host (or it can be said that the router spoofs the source host PC1 with an invalid PC2 MAC address ).
5 NO-reason ARP (free ARP)
Gratuitous ARP (GARP) ARP is also called Wuwei ARP. The host sometimes uses its own IP address as the target address to send ARP requests. This kind of ARP request is called ARP for no reason. GARP has two main purposes:
(1) Check the duplicate address (if an ARP response is received, the duplicate address exists ).
(2) advertise a new data link identifier. When a device receives an arp request and finds that there is an IP address of the sender in the arp buffer, It updates the MAC address entry of this IP address.
6. for example, the operation is performed in linux, and the Windows environment is basically the same. You can enter arp in the command window to directly query. basic command arp-a [ip-address]: displays the ARP ing table. If no IP address is specified in the arp-a command, all ARP ing tables are displayed by default. Arp-d ip-address: deletes the ARP ing.
Arp-s ip-address ether-address [temp]: adds an ARP ing. Ip-address is the ip address of the ARP ing, which is in dotted decimal format. Ether-address is the Ethernet MAC address of the ARP ing, in the format of XX-XX-XX-XX-XX-XX, where XX is the hexadecimal number. Temp indicates that the added ing item is temporary and valid for 20 ms. Otherwise, it will always be valid (optional) during the working hours of the router ). If the temp option is not specified When configuring static ing items, the default value is always valid. Note the differences between static arp entries and dynamic entries. In different systems, manual arp static entries are different. In linux and win2000, static entries are not changed because of forged arp response packets, but dynamic entries are changed. In win98, the manually set static entries will change because they receive forged arp response packets.
Generally, the ARP ing table is maintained by the dynamic ARP Protocol. In special cases, manual configuration is required. In addition, the ARP ing table is only used in the LAN. For Wan address resolution, there are other configuration or retrieval methods (such as Reverse Address Resolution for Frame Relay ). Clear arp-cache: clears the ARP ing table. In some cases, you need to clear and update the ARP ing table. You can use arp-d to delete the table one by one, or use the clear arp-cache command to clear the table one by one. Show arp: displays the ARP ing table.
7. in a network environment that implements TCP/IP protocol, ARP spoofing depends on the route table to define where an IP packet goes. However, when an IP packet arrives at the network, which machine responds to this IP packet is identified by the hardware mac address contained in this IP packet. That is to say, only machines with the same hardware mac address as the hardware mac address in the IP packet will respond to this IP packet, because in the network, each host will send an IP packet, therefore, there is an arp --> hardware mac conversion table in the memory of each host. Generally, before the host sends an IP packet, it needs to find the hardware mac address corresponding to the IP packet in the conversion table. If the IP packet is not found, the host sends an ARP broadcast packet, the host refreshes its ARP cache. Then the IP package is sent out.
Now we can talk about how to implement ARP spoofing In the Ethernet. 7.1 ARP spoofing in the same network segment.
, Three hosts A: IP address 192.168.0.1 hardware address AA: AA
B: IP address 192.168.0.2 hardware address BB: BB
C: IP address 192.168.0.3: CC: an intruder in host B wants to access host A illegally, but A firewall is installed on this host. By collecting information, he knew that the firewall of host A only had A trust relationship with host C (open port 23 (telnet )). But he must use telnet to access host A. What should he do at this time?
In this case, the attacker must make host A believe that host B is host C. If the trust relationship between host A and host C is built on the IP address. If the IP address of host B is changed to the same as that of host C, it cannot work, at least it cannot work reliably. If you tell the driver of the Ethernet card that your IP address is 192.168.0.3, This is a pure competition and cannot be achieved. We can first study the machine C. If we can temporarily drop the machine, the competition can be removed. This is still possible. When machine C fails, change the IP address of machine B to 192.168.0.3, and telnet to machine A through port 23, successfully bypassing the firewall restrictions.
The above idea is invalid in this case. If the trust relationship between host A and host C is based on the hardware address. In this case, host A needs to use ARP spoofing to change the hardware address mapped to 192.168.0.3 in its ARP cache to the hardware address of host B. we can manually create an arp_reply response packet and send it to the host to be spoofed. This is possible because the Protocol does not stipulate that the response packet can be sent only after arp_echo is received. there are many such tools. We can also use snifferpro to capture an arp response packet and then modify it. this package is also made artificially. You can specify the source IP address, target IP address, source MAC address, and target MAC address in the ARP packet. in this way, you can use A false ARP response packet to modify the dynamic ARP cache on host A for spoofing purposes.
The following is a specific step: He first studied the 192.0.0.3 host and discovered the vulnerability. 1) The host C is suspended for the moment based on the discovered vulnerabilities. 2) during this period, intruders changed their ip address to 220.127.116.11. He used a tool to send a source ip address 192.168.0.3, where the source MAC address is BB: the BB package is sent to host A and requires host A to update its arp conversion table.
4) The host updates the ip address of host C in the arp table --> mac ing. 5) if the firewall fails, the compromised ip address becomes a valid mac address, you can telnet the above ARP spoofing process, which occurs in the same network segment. However, note that when B and C are in different network segments, the above method does not work. 7.2 ARP spoofing for different network segments
As shown in the figure, A and C are in the same network segment while host B is in another network segment. The IP addresses and hardware addresses of the three machines are as follows: A: IP address 192.168.0.1 hardware address AA: AA: AA
B: IP address 192.168.1.2 hardware address BB: BB
C: IP address 192.168.0.3 hardware address CC: CC in this case, how does host B in the 192.168.1 segment impersonate host C and cheat host? Obviously, even if spoofing succeeds, the telnet session cannot be established between host B and host A, because the router will not forward the packet from host A to host B, the router will find the address at 192.168.0. within this CIDR block.
Now, another spoofing method-ICMP redirection is involved. The combination of ARP spoofing and ICMP redirection can basically achieve the goal of cross-network segment spoofing. ICMP redirection is one of the ICMP control packets. Under certain circumstances, when a router detects that a machine uses a non-optimized route, it will send an ICMP redirection packet to the host and request the host to change the route. The vro will also forward the initial data to its destination. We can use ICMP redirection packets for spoofing purposes.
The following are the steps for combining ARP spoofing and ICMP redirection attacks: 1) in order to make your illegal IP packets survive on the network for a long time, starting to modify the ttl of an IP package prepares for possible problems in the following process. Change ttl to 255. (ttl defines the time for an IP packet to survive on the network if it cannot reach the host on the network. In this example, it is helpful to make enough broadcasts.) 2) download a tool (for example, hping2) that allows you to create various packages. 3) Search for the vulnerability of host C as shown in the preceding figure.
4) after the host on the network cannot find the original 192.0.0.3, the corresponding ARP table will be updated. So he sent an ARP response packet whose original IP address is 192.168.0.3 and its hardware address is BB: BB. 5) Now every host knows that a new MAC address corresponds to 192.0.0.3, and an ARP spoofing is completed. However, each host will only find this address in the LAN and will not throw the IP packet sent to 192.0.0.3 to the route. So he has to construct an ICMP redirection broadcast. 6) customize an ICMP redirection package to tell the host in the network that the shortest route to 192.0.0.3 is not a LAN, but a route. Please redirect the host to your route path, all IP packets destined for 192.0.0.3 are dropped to the route.
7) host A accepts this reasonable ICMP redirection. Therefore, it modifies its route path and throws communication on 192.0.0.3 to the vro. 8) intruders can finally. after receiving an IP packet from the host inside the route, he can start to telnet to the host's 23 ports. In fact, the above idea is just an idealized situation, there are actually many restrictions on the ICMP redirection packets that the host permits to receive. These conditions make ICMP redirection very difficult.
In TCP/IP protocol implementation, there are several restrictions on the receipt of ICMP redirection packets by the Host: 1) the new route must go directly to 2) The redirection packet must come from the current route of the consortium Destination 3) the redirection package cannot notify the host to use its own route 4) the changed route must be an indirect route because of these restrictions, so it is difficult to implement ICMP spoofing.
7.3 ARP spoofing defense knows the methods and harms of ARP spoofing. We provide some preliminary defense methods: 1) do not establish security trust on the ip address or mac address (RARP also has a spoofing problem). The ideal relationship should be ip + mac; 2) set static mac-> ip ing. Do not refresh the configured arp conversion table on the host. 3) Stop using arp and save arp as a permanent entry in the corresponding table. in linux, ifconfig-arp can be used to disable the NIC Driver arp.4) use the Proxy gateway to send upstream data. 5) modify the system configuration to reject ICMP redirection packets. in linux, You can reject ICMP redirection packets on the firewall or modify the kernel option to re-compile the kernel to reject ICMP redirection packets. in win2000, ICMP packets can be rejected through firewall and IP policy.