Traffic Tricks

COVER STORY ARP Spoofing

ARP spoofing and poisoning TRAFFIC TRICKS www.sxc.hu

Any user on a LAN can sniff and manipulate local traffic. ARP spoofing and poisoning techniques give an attacker an easy way in. BY THOMAS DEMUTH, ACHIM LEITNER

uriousity, revenge, industrial position to sniff and manipulate local maps IP addresses to MAC addresses. If espionage are all reasons why traffic. So-called man-in-the-middle client C needs to send a packet to server Cinsiders attack systems on their attacks are easy to perform, and thanks S, it needs to know the MAC address of S own network. Statistics show that 70 to to sophisticated software, even attackers if both machines are on the same sub- 80 percent of all attacks originate on the with little knowledge of networking net. Even if S resides in a different net- internal network [1]. Admins have a stand a good chance of succeeding. work, C still needs a MAC address – in hard time preventing these internal this case, the address of the next router attacks because protecting the internal How ARP Works that will forward the packet. The router network is a lot more difficult than pro- The ARP protocol was published in takes care of everything else. tecting against external attack. November 1982 by David C. Plummer as To ascertain the MAC address, C One of the most formidable forms of RFC 826 [2]. As IT security was not an broadcasts an ARP request to all the internal attack is known as ARP spoof- important factor back in 1982, the aim machines on the local network, asking ing. ARP spoofing puts an attacker in a was simply to provide functionality. ARP “Who has the IP address a.b.c.d?” The computer with the matching number ARP-Request: ARP-Reply: replies and tells the client its MAC Server S Server S Who has a.b.c.d? a.b.c.d u:v:w:x:y:z has a.b.c.d a.b.c.d address (Figure 1). As shown in Figure 2, an ARP packet is carried as the payload in an Ethernet frame. To allow this to happen, a value of 0x8006 is set in the frame header type Client C Client C field – this tells the target to expect an ARP packet. As it would be far too expensive to broadcast an ARP request and wait for Figure 1: The client uses ARP to ascertain the MAC address of the server on the LAN before the response before sending data, each sending a packet to that server. The “Who has…” request is broadcast to all machines on the IP stack has an ARP table, also known as LAN. The node with the requested address responds directly to the querying machine. an ARP cache (Figure 3). The cache con-

26 ISSUE 56 JULY 2005 WWW.LINUX - MAGAZINE.COM ARP Spoofing COVER STORY

tains a table with IP addresses and corre- this point onward, the switch will Ethernet Frame: sponding MAC addresses. The table can not accept any other source MAC DA (Ethernet Destination Address) hold static entries (i.e., those generated address on the mapped port. This SA (Ethernet Source Address) by the user) and dynamic entries (those mechanism is effective against T (Type Field) ARP Packet: learned from the ARP protocol). MAC spoofing attacks. On the PAY (Payload) HT (Hardware Type) Dynamic entries are often valid for a downside, admins need to recon- PT (Protocol Type) short period only, typically just a few figure the switch whenever they HAL (Hardware Address Length) minutes. change the network. PAL (Protocol Address Length) Port security can also protect OP (Operation) Addressing Attacks on the your network against another SHA (Sender Hardware Address) LAN kind of attack. MAC flooding SPA (Sender Protocol Address) As ARP makes no attempt to protect attacks are designed to take down THA (Target Hardware Address) itself against spoofed packets, it is vul- a switch’s port security mappings. TPA (Target Protocol Address) nerable to a series of attacks. The most In contrast to hubs, switches use PAD (Pad Bytes) common types are MAC spoofing, MAC CAM (Content Addressable Mem- FCS (Frame Check Sequence) flooding, and ARP spoofing. ory) tables, which specify the port MAC spoofing involves the attacker behind each active MAC address Figure 2: An ARP packet is transmitted as the pay- using a spoofed MAC source address. on the switch. The switch will load of the Ethernet frame. The fields with the type This technique makes sense if privileges only send packets via the port that and length of the addresses in each packet are fol- are linked to a MAC address. Many leads to the target machine. lowed by the source and target data. WLAN (Wireless LAN) operators put the Attackers can disable this func- MAC addresses of authorized users in an tion by flooding the switch with that aims to manipulate (poison) the access control list. This is a weak secu- addresses – the CAM table can only hold ARP tables on other machines. rity measure that is easy to avoid. The a limited number of entries. If the attack As operating systems tend not to attacker only needs to know and spoof a succeeds, the switch is reduced to work- check if an ARP reply really is the privileged address while the machine ing like a hub, and that makes communi- answer to an ARP request sent previ- used by the legitimate user with this cation visible across all ports. ously, the address information from the address is down. MAC spoofing is useful reply is cached. On Windows systems for attackers who want to protect their ARP Table Poisoning attackers can even modify entries explic- identity. The third attack is not as easy to detect, itly declared as static by users. There is a good way of preventing this and there are no simple countermea- Doing so allows an attacker to monitor on wired networks: many switches sures. The attack is based on ARP spoof- the dialog between a client and a server, enable port security. The switch only ing, where the attacker deliberately and, as the man in the middle, to manip- learns each MAC address once, and then transmits fake ARP packets. ARP poison- ulate that dialog. The man in the middle stores this address permanently. From ing is a specific type of ARP spoofing manipulates the server entry in the

Adresses on the LAN: Basics If two computers on a network want to Content Addressable Memory). This addresses, the LAN continues to use talk, they need a way of identifying each allows these devices to transmit packets only MAC addresses. But it would be other uniquely. Ethernet uses a 48-bit (6 only to the segment where the recipient inconvenient for each program to need byte) number, which is assigned by the lives. Within each segment, network to know both the IP address and the manufacturer. The so-called MAC nodes can send each other packets with- MAC address. This is where ARP address (Media Access Control) is out interfering with communications in (Address Resolution Protocol) can help unique world wide. This allows users to other segments. by providing the matching MAC address add (more or less) as many Ethernet This principle is unsuitable for a world for an IP address. The admin does not adapters as they like to a LAN. Without wide network. Each switch needs to need to configure this – that is, there is switches or bridges Ethernet uses broad- know the whereabouts of each target no need to set up matching pairs of IP/ casting; that is, every packet on the wire machine. To handle this, the founders of MAC addresses. On the downside, auto- is sent to every node on the network seg- the Internet introduced an addressing mation leads to a big security issue, ment. But only the intended recipient will scheme based on IP addresses. The IP which we will be discussing in more actually accept the packet, whereas all address has a length of 32 bits (4 bytes) detail in this article. other nodes will ignore it. and comprises a network and a host sec- Besides ARP, there is also RARP (Reverse This approach is amazingly easy, but it tion. The network mask tells you which ARP, [3]). In a similar way to DHCP, a does not scale well. Everyone attached part of the address refers to the network RARP server assigns an IP address to a to the shared medium shares the trans- and which part identifies the host. machine based on knowledge of that mission bandwidth. Bridges and The individual networks that make up machine’s MAC address. As RARP does switches mitigate the situation by divid- the Internet are connected by routers. not pass any other parameters (name ing the network into multiple segments Routers only need to know network server, gateway address, network mask), and learning which MAC addresses are addresses to send packets in the right it is very rarely used nowadays. available via which ports (CAM table, direction. While routing relies on IP

WWW.LINUX - MAGAZINE.COM ISSUE 56 JULY 2005 27 COVER STORY ARP Spoofing

tations for SSL (Secure nection. HTTP, HTTPS, FTP, and Socket Layer), TLS email make it easy for an attacker to (Transport Layer Secu- smuggle malware onto the internal rity), SSH (Secure network. Admins would also need to Figure 3: The ARP table on a Linux system with one incomplete Shell), or PPTP (Point outlaw the use of removable media such entry, one static entry, and two dynamic entries (Flag C: com- to Point Tunneling Pro- as floppies or CDs, as well as mobile plete, M: static). tocol). devices such as notebooks or PDAs. On accessing the SSL Due to the serious usability restrictions, client’s ARP cache, making the client web server, the browser warns the user this solution is typically impracticable. believe that the attacker’s own MAC that something is wrong with the certifi- If you use Linux on your internal address is actually the server address. cate for this connection. But many users network and do not allow your users The same trick is also played on the do not understand the significance of the root privileges, you can avoid most server. warning and just ignore it. The fact that attacks from the outset: users need If the client wants to talk to the server, many web servers use a self generated or root privileges to send spoofed ARP it will check its poisoned ARP table and elapsed certificate means that the warn- packets. However, as an admin, you send the packet to the attacker’s MAC ing is quite familiar to users; in fact, it have no real way of preventing users address. This allows the attacker to read just tends to provoke a click and ignore from booting their machines from and modify the packet before forwarding effect. A bug in some Internet Explorer CD or attaching their laptops to the it to the server. The server then assumes versions makes it possible to attack SSL network. that the packet was sent directly by the connections without the browser even Static ARP entries can help to prevent client. The server reply again goes to the displaying a warning. ARP attacks, but most admins will want attacker, who forwards it to the client. If The attack on SSH follows a similar to avoid the enormous effort involved in the server resides on a different subnet, pattern (Figure 4). If the client already manually assigning addresses for all but the attacker can simply launch the attack knows the server-side host key, it will the most critical machines (routers and against the router. issue a clear warning (Figure 5). But servers). And Microsoft operating sys- Of course, it goes without saying that many users and admins will still ignore tems allow attackers to poison even an attacker could cause a denial of ser- the warning, assuming that someone has manually assigned ARP entries, remov- vice by simply discarding any re-routed changed the SSH key on the server. Few ing any protection this might give you. packets. To manipulate data, the attacker protocols or implementations are This approach only makes sense in simply needs to forward different data immune. (IPsec is one exception. IPsec small networks, as the number of ARP than he or she receives. Attackers can refuses to work if something goes wrong entries grows proportionally to the trivially collect passwords, as the port with the authentication process.) square on the number of network adapt- number will allow them to guess the Because of this problem, almost any ers. In other words, you would need protocol used and identify the user kind of internal communication is vul- 9900 entries for a hundred systems (99 credentials based on this knowledge. nerable. There are even script kiddie for each system). This involves enor- tools that can grab passwords for over 50 mous administrative effort, especially if Caution even with SSL and protocols. As these attacks run at ARP you need to troubleshoot problems on SSH level and typically only IP access is the network. Encrypted connections are not automati- logged, today’s attackers can feel quite cally immune, as various ARP tools safe that nobody will notice what they Keeping a Watchful Eye demonstrate. These programs are now are up to. Arpwatch [4] is an open source tool for available for various operating systems Unix platforms that monitors unusual (see the box titled “ARP Exploit Tools”). Preventing ARP Attacks ARP activities. The computer running Besides ARP poisoning functionality, One approach for preventing ARP Arpwatch reads the address information they include client and server implemen- attacks would be to prevent download- stored in each ARP packet that it sees ing and exe- and stores this information in a data- cution of base. If the data fails to match previously external soft- stored entries, Arpwatch mails an alert ware, to the administrator. The authors claim although this that the tool supports SNMP, although rule is we were unable to confirm this in our extremely dif- lab. ficult to Today, many networks use dynamic IP enforce. addresses assigned by DHCP (Dynamic Admins Host Configuration Protocol). In this Figure 4: Ettercap waiting for a connection between 192.168.1.120 add would need kind of environment, Arpwatch will 192.168.1.124 (source and destination, top left). The tool can trivially sniff to restrict the return large numbers of false positives as telnet and FTP. It uses a man in the middle attack on SSHv1 to decrypt the use of the it notifies users of any changed IP/MAC connection. Internet con- mappings.

28 ISSUE 56 JULY 2005 WWW.LINUX - MAGAZINE.COM ARP Spoofing COVER STORY

ARP-Guard has staff. The usefulness of this approach is LAN and SNMP also questionable, as many IDS systems sensors. The LAN simply ignore the ARP protocol. And sensor works just finally, the whole system would collapse like Arpwatch or faced with ARP poisoning attacks in any IDS system, combination with dynamically assigned analyzing any ARP IP addresses. packets that the sensor sees. In con- Cryptography Can Help Figure 5: During the Ettercap attack (Figure 4), the client (odo in trast to this, the Wherever cryptographic protocols (IPsec this case) receives a fake host key from the server. The key is from SNMP sensor uses above all) ensure the confidentiality, the attacker and not from the requested server (bashir). If the user SNMP to connect to authenticity and integrity of data, ARP chooses to ignore the warning, the connection can be sniffed. existing devices and attacks are reduced to mere denial of query their ARP service attacks. Any attempt to sniff or ARP-Guard [5], a fairly new product tables. manipulate data will fail. However, it by ISL, works within the framework of a Intrusion Detection Systems (see the may be a long while before IPsec and sensor management architecture. Multi- box titled “Snort and ARP”) are also other crypto-protocols are set up and ple sensors monitor ARP information capable of detecting ARP attacks, but correctly configured on internal net- and forward this information to the man- these systems are more typically works. agement system, which analyzes mes- deployed at network borders. For many One group or researchers suggests sages and alerts administrators in case of businesses, it is simply not worth replacing ARP with a more secure ver- an attack. The architecture means that deploying an IDS on the internal net- sion [7]. S-ARP relies on cryptography, a ARP-Guard will scale well from small to work. Additionally, employees might CA (Certifcation Authority), and digitally large networks, and the web-based man- resent the IDS system administrator signed ARP messages. However, it is agement interface is something that playing Big Brother on the network. The questionable whether the effort is really command-line challenged admins will administrator can see all the traffic on worthwhile: IPsec provides far more pro- appreciate. the network and thus monitor access by tection with a similar overhead, whereas

WWW.LINUX - MAGAZINE.COM ISSUE 56 JULY 2005 29 COVER STORY ARP Spoofing

S-ARP only protects ARP. The only thing number of users to each subnet can help change the entry if the request to the S-ARP has going in its favor is that it to limit exposure to ARP attacks. Man- previous address is not answered. Again, means less CPU load on the systems. ageable switches, which allow adminis- this approach does not give you any real trators to manage network traffic, give protection against sabotage. The attacker Other Prevention protection against ARP attacks and serve simply needs to ensure that the attack Techniques as a boon to traffic management as well. occurs when the machine with the previ- Some firewalls and router manufacturers On the downside, a manageable switch ous MAC address is down or unreach- maintain that their products are capable is expensive, adds administrative over- able. In the case of many high availabil- of detecting ARP spoofing attacks, but head, and may have the effect of break- ity or load balancing solutions, the patch this is not strictly true as these systems ing some applications. can actually cause communication to can only detect and log modifications to Some developers attempt to add pro- these systems to fail. their own ARP tables and have no way tection to the IP stack on the terminal Another approach to protecting your- of knowing whether the change has a devices. The Antidote patch [8] tells a self against ARP poisoning is to prevent legitimate cause. Linux machine to send a request to the reassignment of existing MAC-IP map- Dividing the network into a large previous MAC address before changing pings. The Anticap patch [9] implements number of subnets and assigning a small an ARP entry. The machine will only this behavior for Linux, FreeBSD, and NetBSD. Solaris has a similar option, ARP Exploit Tools which requires a timer to expire before Following are some programs that allow oxid. it/ cain. html applying a change. This behavior is freely configurable, however, a solution attackers to exploit ARP vulnerabilities. Dsniff: The individual programs in this Admins can use these tools to test their suite of tools fulfill various tasks. Dsniff, such as the Anticap patch only protects own networks. The tools are quite useful Filesnarf, Mailsnarf, Msgsnarf, Urlsnarf systems that are permanently up – for demonstrating the severity of ARP and Webspy sniff the network and grab attackers would have no trouble spoof- attacks. The real security problem, of interesting data (such as passwords, email ing new entries once the cached entries course, is not the fact these tools exist, and files). Arpspoof, Dnsspoof, and Macof expire. but that ARP is inherently insecure. allow admins and attackers to access data Linux with kernel 2.4 or newer no lon- ARP-SK: The programmers describe that a switch would normally protect. Ssh- ger reacts to unsolicited ARP replies. their tool as the Swiss Army Knife for mitm and Webmitm support man in the Unfortunately, this mechanism is easy to ARP; it is available in Unix and Windows middle attacks on SSH and HTTPS circumvent, as the Ettercap readme file versions. The program can manipulate (although the author refers to them as explains. The kernel always has to pro- ARP tables on various devices. http:// Monkey in the Middle attacks). http:// cess ARP requests. As the kernel is www. arp-sk. org naughty. monkey. org/ ~dugsong/ dsniff/ passed a combination of IP address and Arpoc and WCI: This program for Unix Ettercap: An extremely powerful pro- MAC address (for the source), it proac- and Windows performs a man in the gram with a sharp text-based interface tively adds this data to its ARP cache. So middle attack on a LAN. It replies to each (see Figure 4); the latest version also has ARP request that reaches the machine a Gtk interface. Actions are performed the attacker only needs to send a with a spoofed ARP replay and forwards automatically, with the tool listing poten- spoofed ARP request. Ettercap sends a any packets for non-local delivery to the tial targets in a window. Besides Sniffing, combined ARP request and reply, and appropriate router. http:// www. phenoelit. ARP attacks, and automatic password de/ arpoc/ grabbing, Ettercap can also manipulate INFO data within a connection. The program Arpoison: A command line tool that cre- [1] KPMG survey: http:// www. kpmg. com/ also attacks SSHv1 and SSL connections ates spoof ARP packets. The user can spec- about/ press. asp?cid=469 ify the source and target IP/ MAC (again using man in the middle tech- [2] Address Resolution Protocol, RFC addresses. http:// arpoison. sourceforge. net niques). http:// ettercap. sourceforge. net 826: http:// www. ietf. org/ rfc/ rfc826. txt Brian: This extremely simple tool (com- Hunt: Gatecrashes connections, sniffs [3] Reverse APR, RFC 903: prising a single C file) uses ARP poison- data, and hijacks sessions. The tool uses http:// www. ietf. org/ rfc/ rfc903. txt ing to disable switching on a LAN. This ARP spoofing and other techniques. http:// [4] Arpwatch: http:// www-nrg. ee. lbl. gov allows an attacker to sniff all the traffic packetstormsecurity. nl/ sniffers/ hunt/ und http:// www. securityfocus. com/ on the network. http:// www. Juggernaut: In 1997, Phrack Magazine tools/ 142 bournemouthbynight. co. uk/ tools/ published Juggernaut, a predecessor to [5] ARP-Guard: Cain & Abel: This sophisticated Win- many of today’s sniffers with ARP cache https:// www. arp-guard. com dows software started life as a password poisoning capabilities. http:// www. recovery tool. It sniffs the network and phrack. org/ show. php?p=50&a=6 [6] Snort: http:// www. snort. org uses a variety of techniques to decipher Parasite: The Parasite daemon sniffs the [7] Secure ARP: http:// security. dico. unimi. encrypted and obfuscated passwords. LAN and responds to ARP requests with it/ research. en. html#sarpd and http:// Version 2.5 of the tool was the first to spoofed ARP replies. The tool gradually www. acsac. org/ 2003/ papers/ 111. pdf introduce ARP poisoning, which allows allows the host machine to establish [8] Antidote patch: http:// www. the attacker to sniff IP traffic off a itself as a man in the middle for any securityfocus. com/ archive/ 1/ 299929 switched LAN. The program attacks SSH communications on the LAN. http:// and HTTPS connections. http:// www. www. thc. org/ releases. php [9] Anticap patch: http:// cvs. antifork. org/ cvsweb. cgi/ anticap/

30 ISSUE 56 JULY 2005 WWW.LINUX - MAGAZINE.COM ARP Spoofing COVER STORY

any system will respond to one of these wins the race and the attacker’s address cialized ARP manipulation sensors to techniques. is added to the ARP table. detect most manipulation attempts. To Protection built into the IP stack is be completely secure, you need to powerless to prevent ARP spoofing. If an No Protection deploy IPsec consistently on your net- attacker responds to an ARP request Today’s techniques can’t give you com- work. Ignoring the issue is not a good more quickly than the machine to which plete protection against ARP attacks, but option unless you can genuinely trust the request is addressed, the attacker you can arm yourself with IDS and spe- every user with access to your LAN. ■

Snort and ARP Snort [6] is a prominent example of a formed. If one of these address pairs • Snort checks all ARP packets based on network IDS. The Intrusion Detection does not match, Snort issues a warn- a list of IP addresses and MAC System helps administrators detect ing. Again, this will not detect ARP poi- addresses supplied by the administra- attacks on the network at an early stage soning, although it does catch Proxy tor. If the source IP address is on the so they can launch countermeasures. ARP – on the other hand, this tech- list, the IDS will read the correspond- Snort has an Arpspoof preprocessor nique is typically legitimate and ing MAC address from the list and with four detection mechanisms: involves one machine answering ARP compare it with the source MAC • For each ARP request it detects, the requests on behalf of another address from the ARP packet and Eth- Arpspoof preprocessor validates the machine. ernet frame. In case of discrepancy, source address in the Ethernet frame • The system alerts on ARP requests Snort issues a warning. This mecha- against the source address in the ARP that are sent to unicast addresses nism is only useful for small networks, packet. If these two addresses do not rather than broadcast. Although this as the configuration effort is too high match, it issues a warning. ARP poi- behavior does not comply with the in any other case. There is no way to soning does not imply using different (now 20 year old) standard, there are use this functionality sensibly when addresses in these fields, which good reasons for it. However, a genu- faced with dynamic IP address assign- means that the attack would go unno- ine ARP attack does not need to uni- ments (DHCP). ticed. cast ARP requests, so again, this In other words, Snort’s ability to detect • For ARP replies, a comparison of the mechanism would fail to detect an ARP poisoning is limited, as is the case source and target addresses is per- ARP poisoning attack. for all Intrusion Detection Systems.