Traffic Tricks

COVER STORY: ARP Spoofing

ARP spoofing and poisoning

TRAFFIC TRICKS

Any user on a LAN can sniff and manipulate local traffic. ARP spoofing and poisoning techniques give an attacker an easy way in.

BY THOMAS DEMUTH, ACHIM LEITNER

Linux Magazine (www.linux-magazine.com), Issue 56, July 2005, pages 26 and 27

Curiosity, revenge, and industrial espionage are all reasons why insiders attack systems on their own network. Statistics show that 70 to 80 percent of all attacks originate on the internal network [1]. Admins have a hard time preventing these internal attacks because protecting the internal network is a lot more difficult than protecting against external attack.

One of the most formidable forms of internal attack is known as ARP spoofing. ARP spoofing puts an attacker in a position to sniff and manipulate local traffic. So-called man-in-the-middle attacks are easy to perform, and thanks to sophisticated software, even attackers with little knowledge of networking stand a good chance of succeeding.

How ARP Works

The ARP protocol was published in November 1982 by David C. Plummer as RFC 826 [2]. As IT security was not an important factor back in 1982, the aim was simply to provide functionality. ARP maps IP addresses to MAC addresses. If client C needs to send a packet to server S, it needs to know the MAC address of S if both machines are on the same subnet. Even if S resides in a different network, C still needs a MAC address – in this case, the address of the next router that will forward the packet. The router takes care of everything else.

To ascertain the MAC address, C broadcasts an ARP request to all the machines on the local network, asking “Who has the IP address a.b.c.d?” The computer with the matching address replies and tells the client its MAC address (Figure 1). As shown in Figure 2, an ARP packet is carried as the payload in an Ethernet frame. To allow this to happen, the value 0x0806 is set in the frame header type field – this tells the receiver to expect an ARP packet.

Figure 1: The client uses ARP to ascertain the MAC address of the server on the LAN before sending a packet to that server. The “Who has…” request is broadcast to all machines on the LAN. The node with the requested address responds directly to the querying machine. (ARP request, client C to all: “Who has a.b.c.d?”; ARP reply, server S to C: “u:v:w:x:y:z has a.b.c.d”.)

As it would be far too expensive to broadcast an ARP request and wait for the response before sending data, each IP stack has an ARP table, also known as an ARP cache (Figure 3). The cache contains a table with IP addresses and corresponding MAC addresses. The table can hold static entries (i.e., those generated by the user) and dynamic entries (those learned from the ARP protocol). Dynamic entries are often valid for a short period only, typically just a few minutes.

Figure 3: The ARP table on a Linux system with one incomplete entry, one static entry, and two dynamic entries (Flag C: complete, M: static).

Figure 2: An ARP packet is transmitted as the payload of the Ethernet frame. The fields with the type and length of the addresses in each packet are followed by the source and target data. Ethernet frame: DA (Ethernet Destination Address), SA (Ethernet Source Address), T (Type Field), PAY (Payload), PAD (Pad Bytes), FCS (Frame Check Sequence). ARP packet: HT (Hardware Type), PT (Protocol Type), HAL (Hardware Address Length), PAL (Protocol Address Length), OP (Operation), SHA (Sender Hardware Address), SPA (Sender Protocol Address), THA (Target Hardware Address), TPA (Target Protocol Address).

Addressing Attacks on the LAN

As ARP makes no attempt to protect itself against spoofed packets, it is vulnerable to a series of attacks. The most common types are MAC spoofing, MAC flooding, and ARP spoofing.

MAC spoofing involves the attacker using a spoofed MAC source address. This technique makes sense if privileges are linked to a MAC address. Many WLAN (Wireless LAN) operators put the MAC addresses of authorized users in an access control list. This is a weak security measure that is easy to avoid. The attacker only needs to know and spoof a privileged address while the machine used by the legitimate user with this address is down. MAC spoofing is also useful for attackers who want to hide their identity.

There is a good way of preventing this on wired networks: many switches support port security. The switch only learns each MAC address once, and then stores this address permanently. From this point onward, the switch will not accept any other source MAC address on the mapped port. This mechanism is effective against MAC spoofing attacks. On the downside, admins need to reconfigure the switch whenever they change the network.

Port security can also protect your network against another kind of attack. MAC flooding attacks are designed to take down a switch’s address mappings. In contrast to hubs, switches use CAM (Content Addressable Memory) tables, which specify the port behind each active MAC address on the switch. The switch will only send packets via the port that leads to the target machine. Attackers can disable this function by flooding the switch with addresses – the CAM table can only hold a limited number of entries. If the attack succeeds, the switch is reduced to working like a hub, and that makes communication visible across all ports.

ARP Table Poisoning

The third attack is not as easy to detect, and there are no simple countermeasures. The attack is based on ARP spoofing, where the attacker deliberately transmits fake ARP packets. ARP poisoning is a specific type of ARP spoofing that aims to manipulate (poison) the ARP tables on other machines.

As operating systems tend not to check whether an ARP reply really is the answer to an ARP request sent previously, the address information from the reply is cached. On Windows systems attackers can even modify entries explicitly declared as static by users.

Doing so allows an attacker to monitor the dialog between a client and a server, and, as the man in the middle, to manipulate that dialog. The man in the middle manipulates the server entry in the…

Addresses on the LAN: Basics

If two computers on a network want to talk, they need a way of identifying each other uniquely. Ethernet uses a 48-bit (6 byte) number, which is assigned by the manufacturer. The so-called MAC address (Media Access Control) is unique worldwide. This allows users to add (more or less) as many Ethernet adapters as they like to a LAN. Without switches or bridges Ethernet uses broadcasting; that is, every packet on the wire is sent to every node on the network segment. But only the intended recipient will actually accept the packet, whereas all other nodes will ignore it.

This approach is amazingly easy, but it does not scale well. Everyone attached to the shared medium shares the transmission bandwidth. Bridges and switches mitigate the situation by dividing the network into multiple segments and learning which MAC addresses are available via which ports (CAM table, Content Addressable Memory). This allows these devices to transmit packets only to the segment where the recipient lives. Within each segment, network nodes can send each other packets without interfering with communications in other segments.

This principle is unsuitable for a worldwide network. Each switch would need to know the whereabouts of each target machine. To handle this, the founders of the Internet introduced an addressing scheme based on IP addresses. The IP address has a length of 32 bits (4 bytes) and comprises a network and a host section. The network mask tells you which part of the address refers to the network and which part identifies the host.

The individual networks that make up the Internet are connected by routers. Routers only need to know network addresses to send packets in the right direction. While routing relies on IP addresses, the LAN continues to use only MAC addresses. But it would be inconvenient for each program to need to know both the IP address and the MAC address. This is where ARP (Address Resolution Protocol) can help by providing the matching MAC address for an IP address. The admin does not need to configure this – that is, there is no need to set up matching pairs of IP/MAC addresses. On the downside, automation leads to a big security issue, which we will be discussing in more detail in this article.

Besides ARP, there is also RARP (Reverse ARP, [3]). In a similar way to DHCP, a RARP server assigns an IP address to a machine based on knowledge of that machine’s MAC address. As RARP does not pass any other parameters (name server, gateway address, network mask), it is very rarely used nowadays.

The following two fragments belong to a later page of the article that is not included here:

…tations for SSL (Secure Sockets Layer), TLS (Transport Layer Security), SSH (Secure Shell), or PPTP (Point to Point Tunneling Pro…

…nection. HTTP, HTTPS, FTP, and email make it easy for an attacker to smuggle malware onto the internal network. Admins would also need to outlaw the use of removable media such as floppies or CDs, as well as mobile…
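As an added example that is not part of the original article, the following Python builds and parses the Ethernet/ARP frames of Figures 1 and 2 using only the standard library, and then models the two cache behaviours the text contrasts: a cache that believes any ARP reply it sees (and, like the Windows behaviour described above, lets a forged reply overwrite a static entry), beside a stricter cache that only accepts a reply answering a request it actually sent. All MAC and IP addresses are constructed, and the strict cache is an illustrative model, not the logic of any particular operating system.

```python
import struct

ETH_P_ARP = 0x0806        # EtherType in the Ethernet header that announces an ARP payload
HTYPE_ETHERNET = 1        # HT: hardware type Ethernet
PTYPE_IPV4 = 0x0800       # PT: protocol type IPv4
OP_REQUEST, OP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_bytes(ip):
    return bytes(int(x) for x in ip.split("."))


def ip_str(b):
    return ".".join(str(x) for x in b)


def build_arp_frame(op, sha, spa, tha, tpa, dst=None):
    """Ethernet II frame carrying an ARP packet in the Figure 2 layout:
    DA, SA, T, then HT, PT, HAL, PAL, OP, SHA, SPA, THA, TPA, plus padding."""
    if dst is None:                      # requests are broadcast, replies go to the asker
        dst = BROADCAST if op == OP_REQUEST else tha
    eth = mac_bytes(dst) + mac_bytes(sha) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", HTYPE_ETHERNET, PTYPE_IPV4, 6, 4, op)
    arp += mac_bytes(sha) + ip_bytes(spa) + mac_bytes(tha) + ip_bytes(tpa)
    # ARP is 28 bytes but the Ethernet payload minimum is 46, so PAD with zeros
    return eth + arp.ljust(46, b"\x00")


def parse_arp_frame(frame):
    """Return the ARP fields as a dict, or None if the frame is not IPv4-over-Ethernet ARP."""
    dst, src = frame[0:6], frame[6:12]
    if struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    ht, pt, hal, pal, op = struct.unpack("!HHBBH", frame[14:22])
    if (ht, pt, hal, pal) != (HTYPE_ETHERNET, PTYPE_IPV4, 6, 4):
        return None
    body = frame[22:22 + 2 * (hal + pal)]
    return {"dst": mac_str(dst), "src": mac_str(src), "op": op,
            "sha": mac_str(body[0:6]), "spa": ip_str(body[6:10]),
            "tha": mac_str(body[10:16]), "tpa": ip_str(body[16:20])}


class ArpCache:
    """Minimal ARP cache. strict=False caches whatever a reply claims, as the
    article describes; strict=True (illustrative model, not any real stack)
    only accepts replies to outstanding requests and never touches static entries."""

    def __init__(self, strict=False):
        self.strict = strict
        self.table = {}       # ip -> (mac, is_static)
        self.pending = set()  # ips this host has asked for and not yet resolved

    def add_static(self, ip, mac):
        self.table[ip] = (mac, True)

    def request(self, my_mac, my_ip, target_ip):
        self.pending.add(target_ip)
        return build_arp_frame(OP_REQUEST, my_mac, my_ip, "00:00:00:00:00:00", target_ip)

    def receive(self, frame):
        """Process an incoming frame; return True if the cache was updated."""
        pkt = parse_arp_frame(frame)
        if pkt is None or pkt["op"] != OP_REPLY:
            return False
        ip, mac = pkt["spa"], pkt["sha"]
        if self.strict:
            if ip in self.table and self.table[ip][1]:
                return False          # static entries are never overwritten
            if ip not in self.pending or pkt["src"] != mac:
                return False          # unsolicited, or header/ARP sender mismatch
            self.pending.discard(ip)
        self.table[ip] = (mac, self.table.get(ip, (None, False))[1])
        return True

    def lookup(self, ip):
        entry = self.table.get(ip)
        return entry[0] if entry else None


# Constructed addresses for client C, server S and an attacker on the same LAN
C_MAC, C_IP = "02:00:00:00:00:0c", "10.0.0.12"
S_MAC, S_IP = "02:00:00:00:00:05", "10.0.0.5"
ATTACKER_MAC = "02:00:00:00:00:0a"


def poisoning_demo(strict):
    """C resolves S, then the attacker injects a reply claiming S's IP.
    Returns (MAC cached for S before the forgery, MAC cached after)."""
    cache = ArpCache(strict=strict)
    cache.request(C_MAC, C_IP, S_IP)                                  # Figure 1, request
    cache.receive(build_arp_frame(OP_REPLY, S_MAC, S_IP, C_MAC, C_IP))  # Figure 1, reply
    before = cache.lookup(S_IP)
    cache.receive(build_arp_frame(OP_REPLY, ATTACKER_MAC, S_IP, C_MAC, C_IP))  # forged
    return before, cache.lookup(S_IP)


def static_overwrite_demo(strict):
    """A static entry for S meets a forged reply; returns the MAC cached for S afterwards."""
    cache = ArpCache(strict=strict)
    cache.add_static(S_IP, S_MAC)
    cache.receive(build_arp_frame(OP_REPLY, ATTACKER_MAC, S_IP, C_MAC, C_IP))
    return cache.lookup(S_IP)


if __name__ == "__main__":
    print("lenient cache:", poisoning_demo(strict=False))   # attacker's MAC wins
    print("strict cache: ", poisoning_demo(strict=True))    # forgery ignored
```

The lenient cache ends up with the attacker's MAC for the server's IP after a single unsolicited reply, which is all ARP poisoning needs; the strict model rejects it because no request for that IP was outstanding. Real stacks sit somewhere between the two (Linux, for instance, refreshes existing entries from unsolicited traffic under some settings), which is why detection tools compare observed IP-to-MAC bindings over time rather than trusting any single reply.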
