Thursday, December 3, 2009

ARP Man-In-The-Middle Attacks and ARP Poisoning

Background:
ARP (Address Resolution Protocol) is a protocol mainly implemented by IPv4 networks (to be replaced in IPv6 by NDP). It is used to map IP addresses to MAC addresses, mainly in local area networking. I am going to demonstrate a common exploitation technique.



ARP table entries expire and are refreshed by sending out new ARP Request packets. ARP packets are also sent when initiating a connection inside a LAN. Host A, which wants to send some data to host B, broadcasts an ARP request in the network. Host B answers with its MAC address (Layer 2 of the OSI model) and A initiates the connection. Note that on a switched network A addresses its frames to the MAC address of B, and the switch is responsible for keeping a table of which MAC address sits behind which of its ports.

So when the switch receives a frame destined for host B, it looks up B's MAC address in that table and forwards the frame out of the matching port, bridging the connection between them.

Now with the (very) basics said, let's see how we can abuse this protocol to attack hosts A and B.

The Attack:

First things first: in order to initiate the attack we have to know the MAC address of the host whose answers we are trying to intercept. We send out an ARP ping using the arping command:
root@FOX:/home/haris# arping -Iwlan1 192.168.0.5

We get a response from the device like this:
ARPING 192.168.0.5 from 192.168.0.2 wlan1
Unicast reply from 192.168.0.5 [XX:XX:XX:XX:XX:XX] 98.616ms
Unicast reply from 192.168.0.5 [XX:XX:XX:XX:XX:XX] 24.766ms
Unicast reply from 192.168.0.5 [XX:XX:XX:XX:XX:XX] 45.740ms

Where XX:XX:XX:XX:XX:XX is the address we are looking for.

Next, we craft a packet that complies with the ARP RFC (an ARP reply). With this packet we inform host A to alter its ARP table and replace the physical (MAC) address it holds for host B.
This way, when a connection is made, the information sent by A to B ends up at some other host in the local network. I could alter the ARP table so that outgoing traffic from host A to an IP address within the LAN is routed to host C.
This technique is known as ARP Poisoning.

If I'm launching the attack from host C, I could act as a gateway and forward the packets to their correct destination... Or I could alter the packets, retrieve sensitive information and then forward them. This is known as a Man-In-The-Middle attack.
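The exchange above, seen from the defender's side, as an added example that is not part of the original post: a parser for the RFC 826 ARP packet format (the fields a forged reply has to get right) and a small passive monitor in the spirit of arpwatch that keeps its own IP-to-MAC table and flags two things a poisoning reply produces: a reply nobody asked for, and an IP whose MAC binding suddenly changes. The host MACs, the third "host C" and the sample frames are constructed for the example; the 192.168.0.2 / 192.168.0.5 addresses follow the post. The build_arp_frame helper only packs bytes for the constructed samples, nothing is put on the wire.

```python
import struct
from typing import Dict, List, Optional

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def parse_arp_frame(frame: bytes) -> Optional[dict]:
    """Decode an Ethernet II frame carrying an RFC 826 ARP packet.
    Returns a dict of fields, or None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42:  # 14-byte Ethernet header + 28-byte ARP body
        return None
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {
        "eth_src": mac_str(eth_src), "eth_dst": mac_str(eth_dst), "oper": oper,
        "sha": mac_str(sha), "spa": ip_str(spa),   # sender hardware / protocol address
        "tha": mac_str(tha), "tpa": ip_str(tpa),   # target hardware / protocol address
    }


class ArpWatcher:
    """Passive IP-to-MAC binding monitor: learns from replies, never blocks."""

    def __init__(self) -> None:
        self.bindings: Dict[str, str] = {}  # ip -> first MAC seen claiming it
        self.pending: Dict[str, str] = {}   # ip asked about -> ip of the requester

    def observe(self, frame: bytes) -> List[str]:
        alerts: List[str] = []
        pkt = parse_arp_frame(frame)
        if pkt is None:
            return alerts
        if pkt["oper"] == ARP_REQUEST:
            self.pending[pkt["tpa"]] = pkt["spa"]  # remember who asked for which IP
            return alerts
        if pkt["oper"] != ARP_REPLY:
            return alerts
        ip, mac = pkt["spa"], pkt["sha"]
        if pkt["eth_src"] != mac:  # forged replies often disagree with the frame header
            alerts.append(f"{ip}: Ethernet source {pkt['eth_src']} differs from ARP sender MAC {mac}")
        if self.pending.pop(ip, None) is None:
            alerts.append(f"{ip}: unsolicited ARP reply from {mac} (no matching request seen)")
        known = self.bindings.get(ip)
        if known is None:
            self.bindings[ip] = mac
        elif known != mac:
            alerts.append(f"{ip}: MAC changed from {known} to {mac}: possible ARP poisoning")
        return alerts


def build_arp_frame(oper: int, sha: bytes, spa: bytes, tha: bytes, tpa: bytes,
                    eth_src: Optional[bytes] = None, eth_dst: bytes = b"\xff" * 6) -> bytes:
    """Pack a constructed test frame (used only to feed the parser offline)."""
    eth_src = sha if eth_src is None else eth_src
    return (struct.pack("!6s6sH", eth_dst, eth_src, ETHERTYPE_ARP)
            + struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, oper, sha, spa, tha, tpa))


# Constructed addresses: host A and host B as in the post, host C as the intruder.
HOST_A_MAC, HOST_A_IP = bytes.fromhex("0242ac110002"), bytes([192, 168, 0, 2])
HOST_B_MAC, HOST_B_IP = bytes.fromhex("0242ac110005"), bytes([192, 168, 0, 5])
HOST_C_MAC = bytes.fromhex("0242ac110009")

SAMPLE_FRAMES = [
    # A asks "who has 192.168.0.5?" (broadcast, target MAC unknown)
    build_arp_frame(ARP_REQUEST, HOST_A_MAC, HOST_A_IP, b"\x00" * 6, HOST_B_IP),
    # B answers A with its own MAC (the legitimate reply)
    build_arp_frame(ARP_REPLY, HOST_B_MAC, HOST_B_IP, HOST_A_MAC, HOST_A_IP, eth_dst=HOST_A_MAC),
    # C claims B's IP with C's MAC, without any request: the poisoning reply
    build_arp_frame(ARP_REPLY, HOST_C_MAC, HOST_B_IP, HOST_A_MAC, HOST_A_IP, eth_dst=HOST_A_MAC),
]


def run_sample() -> List[str]:
    """Feed the constructed frames through the watcher and return its alerts."""
    watcher = ArpWatcher()
    alerts: List[str] = []
    for frame in SAMPLE_FRAMES:
        alerts.extend(watcher.observe(frame))
    return alerts


if __name__ == "__main__":
    for line in run_sample():
        print(line)
```

The first two frames produce nothing; the third yields two alerts (unsolicited reply, and 192.168.0.5 moving from B's MAC to C's). Gratuitous ARP from hosts that legitimately change NICs or fail over a virtual IP also trips the binding check, so this is alerting input for a SOC rather than something to block on. The mitigations that actually stop the attack live on the switch (Dynamic ARP Inspection backed by DHCP snooping) or on critical hosts (static ARP entries for the gateway), with end-to-end encryption limiting what an intercepting host can read or alter.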


Disclaimer: This article is solely for educational purposes. You must use these techniques only on a network you administer yourself and on your own workstations.



Enjoy :D
