Internetworking Seminar
ARP Spoofing
By
Vamshidhar Chillamcharla
Contents:
1. Introduction
2. ARP Working
5. Attacks
8. Practical Implementation
9. Reference
Epitome:
The idea behind this presentation is to discuss ARP spoofing, which concerns the
Internet and Ethernet protocols. Here I discuss its network structure, the
operating systems that are vulnerable to it, the attacks that occur, detecting the attacks, ways
of avoiding the attacks and finally a practical implementation of one of the attacks.
Introduction:
Basics of Networking:
ARP spoofing is only applicable to Ethernet networks. Basically, a system
connected to an IP-over-Ethernet LAN has two addresses. The first address is the MAC
address, which is hardwired into the specific network interface card (NIC) that a user has
bought; the second is the IP address. MAC addresses are (at least supposed to be) globally
unique, and with this address the Ethernet protocol sends the data back and forth. Ethernet
builds data frames that each carry up to 1500 bytes of data. An Ethernet frame consists of
an Ethernet header, containing the MAC addresses of the source and destination computers,
and the IP packet it carries.
As mentioned earlier, an Ethernet frame is built around an IP packet, but to
construct the Ethernet frame the sending host needs the MAC address of the destination
computer, while at this point it knows only the IP address of the destination machine.
Hence, to find the MAC address of the destination computer from its IP address, the ARP
protocol is used.
Basics of ARP (Address Resolution Protocol):
This is the case when the receiving host is on the same network. If the
receiving host is on another network, the sending computer will go through its routing table
and determine the correct router (a router sits between two or more networks) to
send to, and it will substitute the Ethernet address of the router in the Ethernet frame.
The encapsulated IP packet will still carry the intended destination IP address. When the
router gets the frame, it looks at the IP header to tell where to send the data next. If the
recipient is on a network the router is connected to, it will do the ARP resolution either
using its ARP cache or by broadcasting.
When the ARP reply is sent, the recipient's ethernet address is left blank.
RARP:
Reverse address resolution protocol (RARP) is used for diskless computers to
determine their IP address using the network. The RARP message format is very similar to
the ARP format. When the booting computer sends the broadcast ARP request, it places
its own hardware address in both the sending and receiving fields in the encapsulated
ARP data packet. The RARP server will fill in the correct sending and receiving IP
addresses in its response to the message. This way the booting computer will know its IP
address when it gets the message from the RARP server.
Definition of ARP Spoofing:
ARP spoofing is a kind of spoofing in which a forged ARP reply is sent in answer to
an ARP request. By sending forged ARP replies, the router can be convinced to
send frames destined for computer 1 to computer 2, and computer 2 then forwards
the frames on to computer 1. If the spoof is prompt, computer 1 will have no idea of this
redirection. Updating the target computer's (computer 1's) ARP cache with a forged entry is
called poisoning.
ARP Attacks:
Sniffing
Switches determine which frames go to which ports by comparing the
destination MAC of a frame against a table. This table consists of a list of ports and the
MAC addresses attached to them. The table is built when the switch is powered on, by
examining the source MAC of the first frame transmitted on each port.
Network cards can enter a state called promiscuous mode in which they
examine frames that are destined for MAC addresses other than their own. On a
switched network this is normally not a concern, because the switch forwards frames based
on the table described above, which prevents sniffing of other people's frames. However,
using ARP spoofing there are several ways that sniffing can be performed on a switched
network.
MAC Flooding:
This is another method of sniffing. MAC flooding is an ARP cache
poisoning technique aimed at network switches. When certain switches are overloaded
they often drop into a "hub" mode. In "hub" mode, the switch is too busy to enforce its port
security features and simply broadcasts all network traffic to every computer on the network.
By flooding a switch's address table with a large number of spoofed ARP replies, an attacker
can overload many vendors' switches and then sniff packets on the network while the switch
is in "hub" mode.
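A detection sketch for the flooding described above, added here and not part of the original paper: it counts how many distinct source MACs appear in ARP frames within a sliding time window, since a switch table is overloaded by a burst of never-before-seen senders. The window length and threshold are assumed values to be tuned per network, and the frames in the test are constructed samples.

```python
import struct
from collections import deque

ETH_HDR = struct.Struct("!6s6sH")   # dst MAC, src MAC, EtherType
ETHERTYPE_ARP = 0x0806

class MacFloodDetector:
    """Count distinct source MACs carried by ARP frames inside a sliding time window.
    A burst of thousands of never-before-seen senders on one segment is the signature
    of a MAC flood; window and threshold are assumptions that must be tuned."""
    def __init__(self, window_s=1.0, threshold=500):
        self.window_s = window_s
        self.threshold = threshold
        self.events = deque()   # (timestamp, src_mac) in arrival order
        self.alerts = []        # (timestamp, distinct_senders) whenever threshold is exceeded

    def observe(self, ts, frame):
        """Feed one raw frame with its capture timestamp; returns distinct senders in window."""
        _, src, etype = ETH_HDR.unpack_from(frame)
        if etype != ETHERTYPE_ARP:
            return None
        self.events.append((ts, src))
        while self.events and ts - self.events[0][0] > self.window_s:
            self.events.popleft()           # drop frames that fell out of the window
        distinct = len({mac for _, mac in self.events})
        if distinct > self.threshold:
            self.alerts.append((ts, distinct))
        return distinct
```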
Denial of Service:
An attacker can easily associate an operationally significant IP address with a false
MAC address. For instance, an attacker can send an ARP reply associating the network
router's IP address with a MAC address that doesn't exist. The computers then believe
they know where the default gateway is, but in reality they are sending every packet whose
destination is not on the local segment into the Great Bit Bucket in the Sky. In one move,
the attacker has cut the network off from the Internet.
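The poisoning described in the Definition, Sniffing and Denial of Service sections leaves two traces on the wire: a reply that no request asked for, and a reply that contradicts the IP-to-MAC binding already learned. The following watcher, added here and not taken from the paper or from any of the tools it names, parses raw frames in the standard RFC 826 ARP layout and reports both. All addresses and frames are constructed sample values, and the frame builder exists only to produce them offline.

```python
import struct
# Wire layout of an Ethernet header and the ARP body it carries (standard RFC 826 format).
ETH_HDR = struct.Struct("!6s6sH")           # dst MAC, src MAC, EtherType
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")   # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP, ARP_REQUEST, ARP_REPLY = 0x0806, 1, 2
BROADCAST = b"\xff" * 6

def mac_str(b): return ":".join(f"{x:02x}" for x in b)
def ip_str(b): return ".".join(str(x) for x in b)
def mac_bytes(s): return bytes(int(x, 16) for x in s.split(":"))
def ip_bytes(s): return bytes(int(x) for x in s.split("."))

def build_arp(op, sha, spa, tha, tpa):
    """Pack an Ethernet+ARP frame; used here only to construct sample traffic offline."""
    eth_dst = BROADCAST if op == ARP_REQUEST else mac_bytes(tha)
    eth = ETH_HDR.pack(eth_dst, mac_bytes(sha), ETHERTYPE_ARP)
    arp = ARP_HDR.pack(1, 0x0800, 6, 4, op, mac_bytes(sha), ip_bytes(spa),
                       mac_bytes(tha), ip_bytes(tpa))
    return eth + arp

def parse_arp(frame):
    """Return (op, sender_mac, sender_ip, target_mac, target_ip), or None if not ARP."""
    if ETH_HDR.unpack_from(frame)[2] != ETHERTYPE_ARP:
        return None
    op, sha, spa, tha, tpa = ARP_HDR.unpack_from(frame, ETH_HDR.size)[4:]
    return op, mac_str(sha), ip_str(spa), mac_str(tha), ip_str(tpa)

class ArpWatch:
    """Track IP->MAC bindings seen on the wire and flag the two symptoms of a forged
    reply: a reply nobody asked for, and a reply that contradicts a learned binding."""
    def __init__(self):
        self.bindings = {}    # ip -> mac from the first reply; kept so later conflicts keep alerting
        self.pending = set()  # (requester_ip, requested_ip) of outstanding requests
        self.alerts = []

    def observe(self, frame):
        parsed = parse_arp(frame)
        if parsed is None:
            return
        op, sha, spa, tha, tpa = parsed
        if op == ARP_REQUEST:
            self.pending.add((spa, tpa))
        elif op == ARP_REPLY:
            if (tpa, spa) in self.pending:
                self.pending.discard((tpa, spa))
            else:
                self.alerts.append(f"unsolicited reply: {spa} is-at {sha} to {tpa}")
            old = self.bindings.setdefault(spa, sha)
            if old != sha:  # a genuine NIC replacement also trips this; treat as a lead
                self.alerts.append(f"binding change: {spa} was {old}, now {sha}")
```

A gateway IP answered with a nonexistent MAC (the denial-of-service case) produces the same two alerts as a sniffing attempt, since the watcher only sees the forged binding, not what the attacker does with the traffic.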
Hijacking:
To hijack a network connection of the target machine, the attacker has to be able to
direct the flow of network traffic from the target machine to the attacker's machine. The rest
is accomplished by redirecting the packets at the kernel level. This transfer of control can
result in any type of session being taken over. For instance, an attacker could take
control of a telnet session after the target machine has logged into a remote computer as an
administrator.
Cloning:
MAC addresses were intended to be a globally unique identifier for each
network interface produced. There are ways of changing the MAC address using available
software, and also using hardware, which is a bit tedious. Linux users can even
change their MAC without spoofing software, using a single parameter to the ifconfig
command, the interface configuration program for the OS. An attacker could DoS a
target computer, then assign themselves the IP and MAC of the target computer and
receive all frames intended for the target computer.
Dsniff:
Dsniff is a collection of UNIX-executable tools designed to perform network
auditing, as well as network penetration. It's been tested under OpenBSD and
Solaris. Each of the tools included in the dsniff distribution has some unique function
but falls into a functionality group. In general, the tools dsniff, filesnarf, mailsnarf,
msgsnarf, urlsnarf, and webspy are used to passively monitor a vulnerable shared network
(such as a LAN where the sniffer sits behind any exterior firewall), looking for content of
interest to the attacker.
ARPoison:
It is a command-line tool for UNIX which creates spoofed ARP replies. Users
can specify the source and destination IP/MAC addresses.
Ettercap:
Ettercap is a multipurpose sniffer/interceptor/logger for switched LANs.
It supports active and passive dissection of many protocols (even encrypted ones) and
includes many features for network and host analysis.
It can automate the following procedures:
1. Character injection into an established connection
2. Password collection for TELNET, FTP, POP, RLOGIN, SSH1, ICQ, SMB, MySQL
3. Packet filtering/dropping
4. Connection killing
Parasite:
Parasite allows sniffing on switched networks by performing ARP man-in-the-middle
spoofing. Selective targeting, DoS and various other features are present.
Parasite does not do a proper clean-up when stopped. This results in a DoS of all poisoned
computers, because their ARP caches are pointing to a MAC address that is no longer
forwarding their frames. Poisoned ARP entries must expire before normal operation can
resume.
Reference:
• ARP Spoofing:
http://node99.org/projects/arpspoof/arpspoof.pdf
• Attacks:
http://www.cigitallabs.com/resources/papers/download/arppoison.pdf
http://www.hut.fi/~autikkan/kerberos/docs/phase1/pdf/LATEST_hijacking_attack.pdf
• Tools:
http://whatis.techtarget.com/definition/0,,sid9_gci213780,00.html
• ARP Basics:
http://ece.gmu.edu/~robohn/tcom509-l2-s03.pdf
http://www.comptechdoc.org/independent/networking/guide/netarp.html