Albert-Ludwigs-University of Freiburg. Department of Communication Systems. Internetworking Seminar. ARP Spoofing. Vamshidhar Chillamcharla

Transcription

1 Albert-Ludwigs-University of Freiburg Department of Communication Systems Internetworking Seminar ARP Spoofing By Vamshidhar Chillamcharla

2 Contents: 1. Introduction 2. ARP Working 3. Definition of ARP Spoofing 4. Operating Systems Vulnerable to ARP Spoofing 5. Attacks 6. Tools and Utilities 7. ARP Spoofing Defenses and Detection. 8. Practical Implementation 9. Reference

3 Epitome: The idea behind this presentation is to discuss ARP spoofing, which is concerned with internet and Ethernet protocols. Here I would discuss its network structure, operating systems that are vulnerable to it, attacks that occur, detecting the attacks, ways of avoiding the attacks and finally, a practical implementation of one of the attacks. Introduction: Basics of Networking: ARP Spoofing is only applicable to Ethernet networks. Basically, a system connected to IP or Ethernet LAN has two addresses. The first address is MAC, this is hardwired into the specific network interface card (NIC) that a user has bought. MAC addresses are (at least supposed to be) globally unique and with this address the Ethernet protocol sends the data back and forth. Ethernet builds data frames which consist of 1500 byte blocks. An Ethernet frame consists of Ethernet header, containing the MAC address of the source and destination computer. The Second address is the IP address. IP is a protocol used by applications, independent of whatever technology operates with it. Every computer on a network must have unique IP address for communication. The IP addresses are virtual and are assigned by the software. IP and Ethernet must work together. IP communicates by constructing packets which are different from frame structure. Now these packets are delivered by the network layer (Ethernet), which splits the packets into frames, adds an Ethernet header and sends them to a network component. This then decides the port to which the frame should be sent by comparing the destination address of the frame to an internal table which maps port number to the MAC addresses. As mentioned earlier an Ethernet frame is built from IP packet, but for the construction of Ethernet frame the network needs the MAC address of the destination computer. Here the Ethernet is just aware of the IP address of the destination machine. Hence to find the MAC address of the destination computer from its IP address ARP protocol is used.

4 Basics of ARP (Address Resolution Protocol): Address Resolution Protocol (ARP) is a protocol for mapping an Internet Protocol address (IP address) to a physical machine address (MAC) that is recognized in the local network. For example, in IP Version 4, the most common level of IP in use today, an address is 32 bits long. In an Ethernet local area network, however, addresses for attached devices are 48 bits long. (The physical machine address is also known as a Media Access Control or MAC address.).in order to increase the efficiency of the network and not tie up bandwidth doing ARP broadcasting, each computer keeps a table of IP addresses and matching Ethernet addresses in memory. This is called ARP cache. Before sending a broadcast, the sending computer will check to see if the information is in its ARP cache. If it is then it will complete the Ethernet data packet without an ARP broadcast. Each entry usually lasts 20 minutes (but depends on OS). RFC 1122 specifies that it should be possible to configure the ARP cache timeout value on the host. To examine the cache on a Windows, UNIX, or Linux computer type "arp -a". ARP provides the protocol rules for making this correlation and providing address conversion in both directions. How ARP Works: When an incoming packet destined for a host machine on a particular local area network arrives at a gateway, the gateway asks the ARP program to find a physical host or MAC address that matches the IP address. The ARP program looks in the ARP cache and, if it finds the address, provides it so that the packet can be converted to the right packet length and format and sent to the machine. If no entry is found for the IP address, ARP broadcasts a request packet in a special format to all the machines on the LAN to see if one machine knows that it has that IP address associated with it. A machine that recognizes the IP address as its own returns a reply so indicating. ARP updates the ARP cache for future reference and then sends the packet to the MAC address that replied. Here is an example of a simple ARP Communication. Jessica, the receptionist, tells Word to print the latest company contact list. This is her first print job today. Her computer (IP address ) wants to send the print job to the office's HP LaserJet printer (IP address ). So Jessica's computer broadcasts an ARP Request to the entire local network asking, "Who has the IP address, ?" as seen in Figure 1.

5 All the devices on the network ignore this ARP Request, except for the HP LaserJet printer. The printer recognizes its own IP in the request and sends an ARP Reply: Hey, my IP address is Here is my MAC address: 00:90:7F:12:DE:7F as in Diagram1.Now Jessica's computer knows the printer's MAC address. It sends the print job to the correct device, and it also associates the printer's MAC address of 00:90:7F:12:DE:7F with the printer's IP address of in its ARP table. Figure 1. ARP Functionality

6 Figure 2. ARP functionality This is the case when the receiving host is on the same network. If the receiving host is on another network, the sending computer will go through its route table and determine the correct router (A router should be between two or more networks) to send to, and it will substitute the ethernet address of the router in the ethernet message. The encased IP address will still have the intended IP address. When the router gets the message, it looks at the IP data to tell where to send the data next. If the recipient is on a network the router is connected to, it will do the ARP resolution either using its ARP buffer cache or broadcasting. ARP Frame Format: The ARP message consists of an ethernet header and ARP packet The ethernet header contains: A 6 byte ethernet destination address. A 6 byte ethernet source address. A 2 byte frame type. The frame type is 0806 hexadecimal for ARP and 8035 for RARP

7 The encapsulated ARP data packet contains the following: Type of the hardware address (2 bytes). 1=ethernet. Type of protocol address being mapped (2 bytes). 0800H (hexadecimal) = IP address. Byte size of the hardware addresses (1 byte). 6 Byte size of the protocol address (1 byte). 4 Type of operation. 1 = ARP request, 2=ARP reply, 3=RARP request, 4=RARP reply. The sender's ethernet address (6 bytes) The sender's IP address (4 bytes) The recipient's ethernet address (6 bytes) The recipient's IP address (4 bytes) When the ARP reply is sent, the recipient's ethernet address is left blank. RARP: Reverse address resolution protocol (RARP) is used for diskless computers to determine their IP address using the network. The RARP message format is very similar to the ARP format. When the booting computer sends the broadcast ARP request, it places its own hardware address in both the sending and receiving fields in the encapsulated ARP data packet. The RARP server will fill in the correct sending and receiving IP addresses in its response to the message. This way the booting computer will know its IP address when it gets the message from the RARP server.

8 Definition of ARP Spoofing: ARP Spoofing is a kind of Spoofing in which a forged ARP reply is sent to the original ARP request. By sending forged ARP replies, the router could be convinced to send frames destined for a computer 1 to computer 2 and ultimately computer 2 redirects the frames to computer 1.If the spoof is prompt the computer 1 will have no idea of this redirection. The updation of target computer's (computer 1) cache with a forged entry is called as Poisoning. Operating Systems Vulnerable to ARP Spoofing: An Operating system is said to be vulnerable to ARP Spoofing when the system with the corresponding operating system gets spoofed by other system that is the system which got spoofed would overwrite the existing entry or add the entry if one does not exist with the forged reply. This is nothing but ARP Poisoning. OS Vulnerable to ARP spoofing: 1. Windows NT 2. Windows XP 3. Windows 95/98/ Linux 5. Netgear 6. AIX 4.3 OS not Vulnerable to ARP Spoofing: Sun Solaris Systems ARP Attacks: Sniffing Switches determine which frames go to which ports by comparing the destination MAC on a frame against a table. This table consists of a list of ports and the attached MAC address. The table is built when the switch is powered on, by examining the source MAC from the first frame transmitted on each port. Network cards can enter a state called Promiscuous mode where they are allowed to examine frames that are destined for MAC addresses other than their own. On switched network this is not a concern because the switch routes frames based on the table describes above. This prevents sniffing of other people's frames. However using ARP spoofing there are several ways that sniffing can be performed on a switched

9 network. Man in the Middle (MIM): This attack is one of the methods of sniffing. This attack is one of the attacks in which a third person involves between the communication path of the two computers. There will not be any interruption between the traffic of both the computers because the third person redirects the packets to the destined computer. Consider an example. In the figure below the attacker, host C, sends an ARP reply to B stating that A s IP maps to C s MAC address, and another ARP reply to A stating that B s IP maps to C s MAC address (see Figure 3). Since ARP is a stateless protocol, hosts A and B assume they sent an ARP request at some point in the past and update their ARP caches with this new information. Now, when A tries to send a packet to B it will go to C instead. Host C can use this unique position to forward the packets on to the correct host and monitor or modify them as they pass through C (Figure 4). MIM can also be performed between a computer and the LAN's router by poisoning the router. Figure 3. Setting up a man in the middle attack

10 Figure 4. Setting up a man in the middle attack MAC Flooding: This is another method of sniffing. This MAC Flooding is an ARP Cache Poisoning technique aimed at network switches. When certain switches are overloaded they often drop into a "hub" mode. In "hub" mode, the switch is too busy to enforce its port security features and just broadcasts all network traffic to every computer in your network. By flooding a switch's ARP table with a ton of spoofed ARP replies, a hacker can overload many vendor's switches and then packet sniff the network while the switch is in "hub" mode. Denial of Service: A hacker can easily associate an operationally significant IP address to a false MAC address. For instance, a hacker can send an ARP reply associating the network router's IP address with a MAC address that doesn't exist. Then the computers believe they know where the default gateway is, but in reality they're sending any packet whose destination is not on the local segment, into the Great Bit Bucket in the Sky. In one move, the hacker has cut off the network from the Internet. Hijacking: To hijack a network connection of our target machine we have to be able to direct the flow of network traffic from the target machine to our machine. The rest is accomplished by redirecting the packets in the kernel level. This transfer of control can

11 result in any type OS session being transferred. For instance an attacker could take a control of a telnet session after a target machine has logged into a remote computer as an administrator. Cloning: MAC addresses were intended to be a globally-unique identifier for each network interface produced. We have a provision of changing the MAC address using the software available and also using hardware, which is a bit tedious. Linux users can even change their MAC without spoofing software, using a single parameter to ifconfig command, the interface configuration program for the OS. An attacker could DoS as a target computer, and then assigns them self the IP and MAC of the target computer, receiving all frames intended for the target computer. ARP Tools and Utilities: Following are the several tools to perform ARP spoofing which are available in the internet. Dsniff: Dsniff is a collection of UNIX-executable tools designed to perform network auditing, as well as network penetration. It's been tested under OpenBSD and Solaris. Each of the tools included in the dsniff distribution has some unique function but falls into a functionality group. In general, the tools dsniff, filesnarf, mailsnarf, msgsnarf, urlsnarf, and webspy are used to passively monitor a vulnerable shared network (such as a LAN where the sniffer sits behind any exterior firewall), looking for content of interest to the attacker. ARPoison: It is a command-line tool for UNIX which creates spoofed ARP replies. Users can specify the source and destination IP/MAC addresses. Ettercap: Ettercap is a multipurpose sniffer/interceptor/logger for switched LAN. It supports active and passive dissection of many protocols (even ciphered ones) and includes many features for network and host analysis.

12 It can automate following procedure: 1.Characters injection in an established connection 2.Password collector for TELNET, FTP, POP, RLOGIN, SSH1, ICQ, SMB, MySQL 3.Paket filtering/dropping 4.Connection killing Parasite: Parasite allows us to sniff on switched networks by performing ARP man-inthe-middle spoofing. Selective targets, DOS and various other features are present. Parasite does not do a proper clean up when stopped. This results in DoS of all poisoned computers because their ARP caches are pointing to a MAC address that is no longer forwarding their frames. Poisoned ARP entries must expire before normal operation can resume. ARP Spoofing Defenses and Detection: The best defense against ARP spoofing is to enable MAC binding on the switch. This is a feature usually found on high quality switches which does not allow the MAC address associated with a port to change once it is set. Legitimate MAC changes could be performed by the network admin on a per-case basis. Another defense is the use of static routes. ARP caches can have static (nonchanging) entries, so spoofed ARP replies would be ignored. This approach is not practical on anything but small home LANs, consequently where ARP spoofing is not a large concern. Also of note is the behavior of static routes under Windows. Tests found that Windows would still accept spoofed ARP replies and use dynamic routes instead of static routes, nullifying any effect of using static routes under Windows. Apart from these two methods, the only other defense available is Detection.. Arpwatch is one of the ways of detection. Arpwatch is a tool to detect ARP attacks.this tool monitors ethernet activity and keeps a database of Ethernet/IP address pairings. It also reports certain changes via . Arpwatch uses libpcap, a system-independent interface for user-level packet captures a method of detecting ARP attacks. The 'arpwatch' keeps informed when a new machine gets an address from the network. It s the IP address that it is currently leasing, as well as the MAC address. It will also inform if the MAC address for an IP changes. It would also inform if someone is messing with the network setting, and changing their IP address to one of a gateway, or server.

13 MAC cloning can be detected by using RARP (Reverse ARP). RARP requests the IP address of a known MAC address. Sending a RARP request for all MAC addresses on a network could determine if any computer is performing cloning, if multiple replies are received for a single MAC address. Many methods exist for detecting machines in promiscuous mode. It is important to remember that Operating systems have their own TCP/IP stacks, and Ethernet cards have their own drivers, each with their own quirks. Even different versions of the same operating system have variations in behavior. Solaris is unique in its treatment of ARP packets. Solaris only accepts ARP updates after a timeout period. To poison the cache of a Solaris box, an attacker would have to DoS the second target machine in order to avoid a race condition after the timeout period. This DoS may be detected if the network has an Intrusion Detection System in place.the network can also be protected from spoofing and sniffing by setting firewalls and by encrypting the data over the network, but these two methods are not employed.

14 References: ARP Spoofing: Attacks: Tools: ARP Basics: Computer Networking by, James F. Kurose and Keith W. Ross