Saturday, June 14, 2008

What is ARP Poisoning ? How to get rid from ARP poisoning ?


What is ARP Poisoning ?

In an Ethernet network computers communicate with each other via Ethernet (MAC (Media Access Control)) addresses. So, there is a mechanism needed for matching of IP addresses with the addresses in an ethernet network. The mechanism is called ARP (Address Resolution Protocol). What ARP does is exactly what most people do, when they have to find Mister X in a crowd of people - they shout loud enough, so that everyone can hear them and expect Mister X to answer, if he is there. When he answers, we will know who is he.
When ARP wants to know whats the Ethernet address matching a given IP address it uses an Ethernet technic, called BROADCASTING, with which the datagram is addressed to all the workstations in the network. The broadcast-datagram sent by ARP contains a request for the IP address. Every computer, received that request compares the requested address with its own IP address and if they match, it sends an ARP reply back to the asking computer. After rreceiving the reply, the asking computer can get the Ethernet address of the computer it is looking for, from his reply. After the computer finds an Ethernet address, he stores it in its ARP cache (ARP table), so he won't need to look for it the next time he wants to send a datagram to the same address. However, it is not good this information to be stored forever (the Ethernet adapter of the other host may be replaced for some reasonm and the entry for the computer's IP in the ARP cache will become invalid). So the entries in the ARP cache expire after a period of time.


What's the difference between switch and hub?

The switches (hubs) don't only provide more connect points to the network - they're also retransmitters of the signal. However, the hub just retransmits the data received from one port to all the other ports so no need to poison, as you get the datagram anyway. Normally, the network adapter compares the destination Ethernet address of the packets, and compares it with it's own Ethernet address. If they match - the data is accepted. If they don't - it just drops the packets. You can put your network adapter in promiscuous mode (which is exactly what Ettercap does) and get all the packets. The switch does the things in a more 'elegant' way. It has a simple CAM (Channel Access Method) table, which is a simple mapping of Ethernet addresses and ports. When a datagram comes through a port, the switch remembers the source Ethernet address of the datagram and stores it in the cam table for the given port, so when a datagram arrives for this computer, it doesn't retransmit it to all ports, but only to this one, which is bound to the Ethernet address of the receiver in the CAM table. If no Port Security, the CAM table is dynamically updated (e.g. if you want to connect to another port, if you change your network adapter etc.). Thus, we can change the CAM table and map another Ethernet address to our port. This technique is called Port Stealing and is discussed in another topic.

Now about the poisoning:

Most operating systems will replace an entry in their ARP cache even if they haven't sent and ARP request before. That allows a MITM (Man-In-The-Middle) attack to be performed. For example, lets say we have 2 computers, with Ethernet addresses AA:AA:AA:AA:AA:AA for computer A, and BB:BB:BB:BB:BB:BB for computer B and IP addresses 10.10.0.1 for computer A and 10.10.0.2 for computer B. Now we want to perform MITM attack. We are computer C with Ethernet address CC:CC:CC:CC:CC:CC and IP address 10.10.0.3. So we send and ARP reply to computer A, saying that we have IP address 10.10.0.2. Computer A updates its ARP cache and since we have an Ethernet address CC:CC:CC:CC:CC:CC, the entry in his ARP cache for 10.10.0.2 is bound to our Ethernet address. Now when computer A wants to send a datagram to computer B, it checks first the ARP cache, to see if computer B's Ethernet address is already there. Since th packet is for 10.10.0.2 (computer B's IP address), computer A founds that the Ethernet address for computer B is CC:CC:CC:CC:CC:CC (out Ethernet address) and sends the datagram to us. Computer A is poisoned. We do the same to computer B - it has an ARP entry for 10.10.0.1 (computer A's IP address) bound to CC:CC:CC:CC:CC:CC (our Ethernet address), so when it sends datagrams to computer A, these datagrams come to us. For the communication between computer A and computer B to continue uninterrupted, we need to forward the packets to their original destination. So when we receive a packet for a computer A - we forward it to computer A, when we receive a packet for computer B - we forward it to computer B. In Linux, for this to works, you can use the simple kernel forwarding (echo 1 > /proc/sys/net/ipv4/ip_forward) or use a more complex one, that Ettercap and some other tools use, which even allows you to perform a MITM attack on a SSL connection.

Click here for more information about ARP

Counter measures for
ARP poisoning :

Some operating systems like Solaris do not accept ARP replies without first initiating an ARP request, so they are not vulnerable to this attack.
In this case, an ICMP spoofed packet (ping) is used. The goal is, to get a valid entry in victim's ARP cache, because when they receive an ARP reply from you they will first check their cache to see if you're already there and if you're not - they simply wont add you at all. So you send each victim a ping with source your own Ethernet address and the other victim's IP address. In the case mentioned above, you ping computer A with source IP address 10.10.0.2 and Ethernet address CC:CC:CC:C:CC:CC and computer B with source IP address 10.10.0.1 and Ethernet address CC:CC:CC:CC:CC:CC. Once you gor yourself in their ARP cache, you can poison normally.


No comments: