darkking

[EN] ARP tutorial


Information

1. What is ARP?

Address Resolution Protocol (ARP) is a network protocol that maps a network layer protocol address to a data link layer hardware address. For example, ARP is used to resolve an IP address to the corresponding Ethernet address.

2. To which OSI layer does ARP belong?

ARP belongs to the OSI data link layer (Layer 2). The ARP protocol is implemented by the network protocol driver. ARP packets are encapsulated in Ethernet headers and transmitted.

3. What is the use of ARP?

A host in an Ethernet network can communicate with another host only if it knows the Ethernet address (MAC address) of that host. Higher-level protocols like IP use a different kind of addressing scheme (IP addresses) from the lower-level hardware addressing scheme (MAC addresses). ARP is used to get the Ethernet address of a host from its IP address. ARP is used extensively by all the hosts in an Ethernet network.

4. Why does an IP address need to be mapped to a MAC address? Why can't the MAC address itself be represented using the IP address?

The length of a MAC address is 6 bytes and the length of an IP address is 4 bytes. Obviously, the MAC address cannot be represented using the IP address. So an IP address must be mapped to the corresponding MAC address.

5. How does ARP resolve an IP address to an Ethernet MAC address?

When ARP needs to resolve a given IP address to an Ethernet address, it broadcasts an ARP request packet. The ARP request packet contains the source MAC address, the source IP address and the destination IP address. Each host in the local network receives this packet. The host with the specified destination IP address sends an ARP reply packet, carrying its MAC and IP addresses, to the originating host.

6. What is the format of an ARP packet?

The various fields of an ARP request/reply packet and their lengths are shown in the two images below:

[Images of the ARP request/reply packet layout are not reproduced in this copy.]

ARP Spoofing

About MAC

The data link layer encodes and decodes packets transmitted on a network into bits. The second layer has all the protocol information that is included in the first layer. The data link layer has two sublayers, MAC (Media Access Control) and LLC (Logical Link Control). The MAC sublayer controls computer data transmission authentication, and the LLC sublayer controls error checking.

MAC addresses identify each computer (node) on a network. They differ from IP addresses in that IP addresses can be assigned and maintained by the user, while MAC addresses cannot. MAC addresses are stored (actually burned) into network cards, which is why they are also referred to as hardware addresses. You cannot change your MAC address unless you exploit your card and solder on new data. MAC addresses are presented as 48-bit hex numbers (12 hex digits in total), which are assigned by the manufacturer of the card. The first 6 digits represent the manufacturer ID, while the last 6 digits are a serial number assigned by the manufacturer.

Example:

MAC address - 0D602F3A07BC

First 6 digits - 0D602F (Manufacturer ID)

Last 6 digits - 3A07BC (Manufacturer Serial Number)
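The packet layout asked about in the "What is the format of an ARP packet?" question and the manufacturer-ID/serial split described just above, worked through in Python. This is an added example, not code from the tutorial or from the sources it cites. It constructs a request/reply pair like the exchange in the "How does ARP resolve" answer (all MACs and IPs are made up), decodes the fields as laid out in RFC 826, splits the sender MAC into its first six and last six hex digits, and reads the two flag bits in the first octet that tell a burned-in unicast address apart from a multicast or locally administered one.

```python
import struct

# Wire layout (from RFC 826 and IEEE 802.3, not from the tutorial):
# Ethernet header: dst(6) src(6) ethertype(2)
# ARP body:        htype(2) ptype(2) hlen(1) plen(1) oper(2) sha(6) spa(4) tha(6) tpa(4)
ETH_HDR = struct.Struct("!6s6sH")
ARP_BODY = struct.Struct("!HHBBH6s4s6s4s")
ETHERTYPE_ARP = 0x0806
ETHERTYPE_IPV4 = 0x0800
HTYPE_ETHERNET = 1
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST_MAC = b"\xff" * 6
ZERO_MAC = b"\x00" * 6


def fmt_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def fmt_ip(raw):
    return ".".join(str(b) for b in raw)


def mac_fields(raw):
    """Split a 48-bit MAC the way the text does, plus the two flag bits in the first octet."""
    first = raw[0]
    return {
        "oui": fmt_mac(raw[:3]),                     # first 6 hex digits: manufacturer ID
        "serial": fmt_mac(raw[3:]),                  # last 6 hex digits: manufacturer-assigned
        "multicast": bool(first & 0x01),             # I/G bit: group address, never a single NIC
        "locally_administered": bool(first & 0x02),  # U/L bit: set by an admin, not burned in
    }


def parse_arp_frame(frame):
    """Decode an Ethernet frame carrying IPv4-over-Ethernet ARP into a dict of fields."""
    if len(frame) < ETH_HDR.size + ARP_BODY.size:
        raise ValueError("frame too short for Ethernet + ARP")
    dst, src, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_ARP:
        raise ValueError(f"not an ARP frame (ethertype 0x{ethertype:04x})")
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = ARP_BODY.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (HTYPE_ETHERNET, ETHERTYPE_IPV4, 6, 4):
        raise ValueError("only Ethernet/IPv4 ARP is handled here")
    return {
        "eth_dst": fmt_mac(dst),
        "eth_src": fmt_mac(src),
        "op": {ARP_REQUEST: "request", ARP_REPLY: "reply"}.get(oper, f"opcode {oper}"),
        "sender_mac": fmt_mac(sha),
        "sender_ip": fmt_ip(spa),
        "target_mac": fmt_mac(tha),
        "target_ip": fmt_ip(tpa),
        "sender_mac_fields": mac_fields(sha),
        # The Ethernet source and the ARP sender hardware address normally agree;
        # a mismatch is one of the things a monitor would log.
        "src_consistent": src == sha,
    }


def build_arp_frame(oper, sha, spa, tha, tpa, eth_dst=BROADCAST_MAC):
    """Assemble a frame; used here only to construct sample input for the parser."""
    return (ETH_HDR.pack(eth_dst, sha, ETHERTYPE_ARP)
            + ARP_BODY.pack(HTYPE_ETHERNET, ETHERTYPE_IPV4, 6, 4, oper, sha, spa, tha, tpa))


# Constructed sample exchange (addresses made up): host A broadcasts a request
# for the gateway's IP; the gateway answers host A directly with its MAC.
HOST_A_MAC = bytes.fromhex("001122334455")
HOST_A_IP = bytes([192, 168, 1, 50])
GW_MAC = bytes.fromhex("00aabbccddee")
GW_IP = bytes([192, 168, 1, 1])

SAMPLE_REQUEST = build_arp_frame(ARP_REQUEST, HOST_A_MAC, HOST_A_IP, ZERO_MAC, GW_IP)
SAMPLE_REPLY = build_arp_frame(ARP_REPLY, GW_MAC, GW_IP, HOST_A_MAC, HOST_A_IP, eth_dst=HOST_A_MAC)

if __name__ == "__main__":
    for frame in (SAMPLE_REQUEST, SAMPLE_REPLY):
        for key, value in parse_arp_frame(frame).items():
            print(f"{key:>18}: {value}")
        print()
```

The request goes to the broadcast MAC with a zeroed target hardware address, and the reply comes back unicast with both hardware addresses filled in; the `sender_mac_fields` entry shows the OUI/serial split from the text and whether the address claims to be burned in.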

The Spoofing

While you cannot physically change your MAC address through your operating system, you can "spoof" the address (trick the computer into sending/storing a fake address). There are free downloadable programs that do this for you, such as "MAC Makeup" (which comes with extra features); however, you can also do this through the Linux shell or the Windows registry.

To spoof your MAC address in Linux:

Access your shell and type:

"ifconfig eth0 down hw ether 00:00:00:00:00:00"

"ifconfig eth0 up"

("00:00:00:00:00:00" being your new MAC address)

To spoof your MAC address in Windows:

Method 1:

Some network cards have a "spoof MAC configuration" built in; if yours happens to have this, use this method.

1. Go to the Control Panel and double click on Network and Dial-up Connections.

2. Right click on your card and click on "properties"

3. Click on the configure button under the general tab

4. Click on the "Advanced" tab

5. Under the Property section, click on "Network Address" (or "Locally Administered Address")

6. Under "Value" (on the right side), type in the new MAC address you want to assign to your card.

7. Run an "ipconfig /all" or "net config rdr" to confirm the changes.

8. Reboot

Method 2:

Windows 2000/XP

1. Start the registry editor (Run - regedt32)

2. Go to "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}". Double click on it to expand the tree. The subkeys are 4-digit numbers, which represent particular network adapters. You should see it starts with 0000, then 0001, 0002, 0003 and so on.

3. Find the interface you want by searching for the proper "DriverDesc" key.

4. Edit, or add, the string key "NetworkAddress" (data type "REG_SZ") to contain the new MAC address.

5. Disable then re-enable the network interface that you changed (or reboot the system).

For WIN9x

Use the Windows 2000/XP method, except go to the registry key: "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Class\Net"

When done, you must restart.

About ARP

The network layer is in charge of IP addressing and routing. Tables are built on switches and computers to identify the addresses of any network-related devices.

ARP matches and stores MAC and IP addresses for each node for Ethernet communication. When any packet is sent through a gateway, such as a router, the gateway uses ARP to identify the original sending node's MAC/IP address pair and stores it in the header of the packet sent to the destination node. The IP/MAC address matches for each node are stored (cached) in an ARP table. During MAC-address packet transmission, the matches are stored on both client and host nodes.

Potentially, if a mischievous wardriver were to perform malicious actions on a network, their MAC address would be stored in the ARP table (because it is stored on both client and host machines) and the network admin could find the manufacturer of the wireless card used to hack their network. The manufacturer could then match the serial ID in the MAC address to the company, and then the customer, it was sold to. In other words, you would get owned! (This is why it's best to buy a NIC off eBay and use that for hacking.)

If a hacker obtained control of an ARP table (physically or remotely), he could potentially change the IP-to-MAC address mappings and use them to his advantage, such as rerouting network traffic to a computer of his choice or taking down the entire network!

Note: Pinging a computer counts as sending/ receiving packets, thus updating the ARP table for the client/ host address.

Viewing BIAs in the ARP Table

Linux: type "arp" at the shell

Windows: type "arp -a" at the command prompt

Deleting ARP Table entries (Covering your tracks!)

Linux: type "arp -d <computer hostname>" at the shell

Windows: type "arp -d *" at the command prompt (removes all entries)

NOTE: Gateways also have the ability to store the MAC address/IP address linkup. If you did not spoof your MAC address, then even if you clear the ARP table entries there are still records of your MAC address. Gateways, such as a switch, store these IP/MAC linkups in what is called a CAM (Content Addressable Memory) table. These CAM tables track each device that is connected to the switch. A switch is different from a hub because each port creates its own collision domain, like its own network. The same "learning process" that builds ARP tables builds CAM tables. Normally, whenever a computer is rebooted, its ARP table is cleared. Whenever a switch is rebooted, its CAM table is cleared.

Adding Static ARP entries

Linux: type "arp -s <IP> <MAC>" at the shell

Windows: type "arp -s <IP> <MAC>" at the command prompt

Example: "arp -s 192.168.1.100 00-00-00-00-00-00"

ARP Attacks using Linux

Download the program "arpspoof"

The goal of an ARP attack is to capture, monitor, and/or change data flow on a network.

To start off, you'll need two NICs in your machine. Through one card you will connect to the target machine, and through the other card you will connect to the gateway. IP forwarding needs to be enabled on your computer so traffic flows through it. To do this, type the following into the Linux shell:

"echo 1 > /proc/sys/net/ipv4/ip_forward"

then type

"cat /proc/sys/net/ipv4/ip_forward"

You should get a reply of "1".

When you connect to the gateway on a network, for purposes such as connecting to the internet, your computer sends an ARP request to the target gateway requesting a MAC/IP address pairing. The switch sees your request and broadcasts it to every single computer already on the network. The gateway receives your ARP request (from the switch) and replies with a MAC address. The gateway updates the MAC/IP pairing for your computer within its internal ARP table. The switch then receives the gateway's reply to your computer, and matches up your computer with a port number on the switch. Your computer receives the gateway's reply (containing the new ARP information) and updates its ARP table. Your computer can now send information to the gateway with its verified MAC address.

The first thing that needs to be understood is that ARP is NECESSARY for your network to work properly. In other words, if you or a hacker starts altering ARP tables incorrectly, the whole network could be taken offline. As we explain ARP hacking techniques, this message will be repeated several times. By the end of this article, you will understand why and how ARP works, and what damage it can do to a network.

ARP spoofing involves tricking the gateway and the target computer on the network into rerouting all data to your machine; this is done by running two sessions of "arpspoof" on your computer. With the first session you trick the target computer into thinking that your computer has the MAC address of the gateway. With the second session you trick the actual gateway into thinking that your computer is the target computer. This way, all data going between the gateway and the target computer will be rerouted to pass through your machine.

By storing the MAC addresses in the ARP table, a potential weakness arises. What would happen if a remote hacker could control an ARP table of a computer? They could change MAC to IP address entries, which could cause traffic to be redirected from the correct target to a target of the hacker's choice.

Note: If you did not enable IP forwarding, the target computer will lose connectivity.

The arpspoof sessions might look something like this:

"arpspoof -t <victim gateway>" (Changes your MAC address to match that of the gateway, thus updating the ARP table and fooling the victim computer into thinking that you are the gateway.)

In another session (different NIC)

"arpspoof -t <gateway victim>" (Changes your MAC address to match that of the victim computer, thus updating the ARP table and fooling the gateway into thinking that you are the victim computer.)

Now you are able to see all the traffic going between that computer and the gateway on the network. There are many ways to do this (e.g. using 3rd party programs), but the simplest would be to run tcpdump. Running tcpdump will print out all currently passing data on your screen. There are many different switches that can be used to define various parameters of the program. However, a basic tcpdump session would look like this:

"tcpdump <victim computer>"

Preventing ARP Attacks

1. Download "arpwatch" (monitors ARP/IP address matching and lets you know when changes are made)

2. Encrypt all data transmission on your network. (Using methods such as WEP or WPA)

Notes:

It is possible to do this with only one NIC. The difficulty lies in sending the appropriate ARP replies to the appropriate hosts. A basic "change my MAC address" will work only with two cards. The victim machines may still be responding to ARP requests, which presents other problems. If the victims react to unsolicited ARP replies, and theirs gets to the other victim last, you're out of luck. A more effective way is to simply send an unsolicited ARP reply to the victims. Most will simply update their tables. These packets can then be resent at regular intervals to prevent the table from defaulting back to its original state. Now if the victims do *not* respond to unsolicited ARP replies, the whole thing gets turned around. Now you've got to be the first one to send the reply to the victim, after waiting for a request. This can sometimes be tricky depending on network architecture and layout. Your attack may also be intermittent if the correct replies (i.e., not yours) get to the victims from time to time.
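What the "arpwatch" recommendation under Preventing ARP Attacks actually watches for, and why the unsolicited replies in the note above stand out on the wire, written out as an added Python example (not code from the tutorial, from arpwatch, or from the cited sources). It keeps an IP-to-MAC table from already-decoded ARP packets and reports new stations, bindings that change, replies that answer no request it saw, and a single MAC answering for several IPs, which is how a spoofed gateway/victim pair looks from a monitoring port. The capture it runs over is constructed inline; nothing touches a live interface.

```python
from collections import defaultdict


class ArpMonitor:
    """Tracks IP-to-MAC bindings seen on the wire and reports the changes arpwatch would.

    Input is already-decoded ARP packets as dicts with the keys op ("request" or
    "reply"), sender_mac, sender_ip and target_ip.
    """

    def __init__(self):
        self.table = {}                    # ip -> mac, as learned from sender fields
        self.pending = set()               # (asker_ip, asked_ip) requests awaiting a reply
        self.ips_by_mac = defaultdict(set)  # mac -> every ip it currently claims

    def observe(self, pkt):
        alerts = []
        ip, mac = pkt["sender_ip"], pkt["sender_mac"]

        if pkt["op"] == "request":
            self.pending.add((ip, pkt["target_ip"]))
        elif pkt["op"] == "reply":
            # A reply should answer a request this monitor just saw; one that does
            # not is the unsolicited reply the notes describe.
            answers = (pkt["target_ip"], ip)
            if answers in self.pending:
                self.pending.discard(answers)
            else:
                alerts.append(f"unsolicited reply: {ip} is-at {mac} (to {pkt['target_ip']})")

        # Both requests and replies carry the sender's binding, so learn from both.
        known = self.table.get(ip)
        if known is None:
            alerts.append(f"new station: {ip} is-at {mac}")
        elif known != mac:
            alerts.append(f"changed ethernet address: {ip} was {known}, now {mac}")
            self.ips_by_mac[known].discard(ip)
        self.table[ip] = mac
        self.ips_by_mac[mac].add(ip)

        # One NIC answering for several IPs is what a spoofed gateway/victim pair looks like.
        if len(self.ips_by_mac[mac]) > 1:
            alerts.append(f"{mac} now claims {sorted(self.ips_by_mac[mac])}")
        return alerts


# Constructed sample capture (addresses made up): a normal resolution of the
# gateway, then a third station answering for the gateway and for the host.
SAMPLE_PACKETS = [
    {"op": "request", "sender_mac": "00:11:22:33:44:55", "sender_ip": "192.168.1.50",
     "target_ip": "192.168.1.1"},
    {"op": "reply", "sender_mac": "00:aa:bb:cc:dd:ee", "sender_ip": "192.168.1.1",
     "target_ip": "192.168.1.50"},
    {"op": "reply", "sender_mac": "02:de:ad:be:ef:01", "sender_ip": "192.168.1.1",
     "target_ip": "192.168.1.50"},
    {"op": "reply", "sender_mac": "02:de:ad:be:ef:01", "sender_ip": "192.168.1.50",
     "target_ip": "192.168.1.1"},
]


def run_sample(packets=SAMPLE_PACKETS):
    """Feed the sample capture through a fresh monitor and return every alert raised."""
    monitor = ArpMonitor()
    alerts = []
    for pkt in packets:
        alerts.extend(monitor.observe(pkt))
    return alerts


if __name__ == "__main__":
    for line in run_sample():
        print(line)
```

The first two packets only produce "new station" lines; the last two each trigger an unsolicited-reply alert and a changed-address alert, and the final one adds the "claims" line because the same MAC is now bound to both the gateway's and the host's IP. A real deployment would feed this from a span port and page someone on the last two alert types, since the resent replies the note mentions would keep re-triggering them.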

Also, tcpdump will by default only capture the first 96 bytes of each packet it sees, which is enough for TCP header information. To tell tcpdump to capture entire packets, specify the -s 0 option on the command line. This sets the snaplength (normally the number of bytes per packet to capture) to 0, which tcpdump interprets as "capture the whole thing".

Sources: AntiOnline.com, governmentsecurity.org, "TCP/IP Protocol Suite" by Yegappan Lakshmanan.
