The principle, combat and defense of--arp deception in man-in-the-middle attack

? 1.1 What is a gateway

First of all, to explain what a gateway is, the gateway works in the OSI seven layer model of the transport layer or application layer, for the connection between the different networks of the high-level protocol, simply speaking, the gateway is like a room to another room door.

　　What is the 1.2 arp protocol?

ARP (address Resolution Protocol) addresses translation protocol, which works on the data link layer of the OSI model, in Ethernet, where network devices communicate with each other using a MAC address instead of an IP address, the ARP protocol is used to convert the IP address to the MAC address. Instead of Rarp and ARP, it is the reverse address Translation protocol, which translates the MAC address into an IP address.

Suppose a (192.168.1.2) and B (192.168.1.3) are on the same LAN, A is communicating with B. A packet is sent to the broadcast address (192.168.1.255), which contains the source IP (A), the source Mac, the destination IP (b), the destination Mac, this packet will be issued to all the hosts on the LAN, but only B main opportunity to reply to a containing the source IP (B), Source Mac, Destination IP (A), destination Mac packet to a, and a master opportunity to store the returned address in the ARP cache table.

　　1.3 ARP Spoofing principle

The above mentioned the ARP cache table, each host has an ARP cache table, the cache table records the IP address and the MAC address of the corresponding relationship, and LAN data transmission depends on the MAC address.

Assume host A 192.168.1.2,b 192.168.1.3,c 192.168.1.4; Gateway G 192.168.1.1; On the same LAN, hosts A and B communicate with each other through Gateway G, just like A and b two people write letters, sent by the Postman G, C will never know what words between A and B say. But it is not as safe as imagined, there is a flaw in the ARP cache table mechanism, that is, when the request host receives the ARP reply packet, it does not verify that it has sent the ARP request packet to the other host, and then saves the corresponding relationship between the IP address and the MAC address in the return packet to the ARP cache table. If the same IP corresponds to the original, the original will be replaced.

So C has the possibility of eavesdropping on a and B conversations, and continue to consider the example above:

C posing as a postman, first to tell a said: "I Am The Postman" (c host to a send a structured return package, the source IP is G 192.168.1.1, the source Mac for the C own MAC address), stupid a very easy to believe, directly the "C is the postman" This information in the brain;

C again disguised as a, told the postman: "I Am a" (C to the gateway G send a structured return package, the source IP is a 192.168.1.2, the source MAC address for their MAC address), IQ catch the postman want to believe not to think, after the letter sent to C B, C Of course you can tell what's been talking about between A and B.

The ABCG story above is the principle of ARP bidirectional deception.

ARP one-way spoofing better understand, C only send a return packet to a, tell A:g 192.168.1.1 MAC address is 5c-63-bf-79-1d-fa (an incorrect MAC address), A to record this information in the cache table, and G's cache table is unchanged, that is, A packet to C, and g of the package is still given a, this is the ARP one-way spoofing.

　　2.1 Real-Combat ARP spoofing

ARP spoofing is also known as ARP poisoning, is a middle-man attack, I use a virtual machine to simulate the whole process of ARP spoofing

First, take a look at

A record of the gateway IP and MAC address already exists by default in the ARP cache table

Take a look at the ARP cache table for the target host

Destination IP vs. native IP

Before the ARP spoofing must be turned on IP forwarding, or when the cheat succeeds, the target opportunity to break the net, this will be detected by the other side

Sysctl-w net.ipv4.ip_forward=1 or echo 1 >/proc/sys/net/ipv4/ip_forward

IP forwarding has been successfully turned on

Send a return package to the target 192.168.124.133 containing the contents:

SOURCE ip:192.168.124.2

SOURCE mac:00:0c:29:86:a1:04

Now look at the target host ARP cache

It can be seen that the target host ARP cache has changed, the Mac of the Gateway (192.168.124.2) recorded in the cache table has become the attacker's Mac

The above is a simple ARP spoofing

　　2.2 The harm of ARP spoofing

Host communication between LAN will be affected, if it is a gateway spoofing, the Internet will also be affected

Hackers use ARP spoofing to steal user-sensitive information, hang horses, etc.

Here I'm simply demonstrating the ARP spoofing sniffer telnet account password

　　3 How to prevent ARP spoofing

1. On the host binding gateway Mac with IP address static (default is dynamic), command: arp-s gateway IP Gateway Mac

2. On the gateway-bound host Mac and IP address

3. Using the ARP Firewall

This article is provided by I spring and Autumn College, the original address: http://bbs.ichunqiu.com/forum.php?mod=viewthread&tid= 1739&highlight= anti- From=bky

The principle, combat and defense of--arp deception in man-in-the-middle attack