Own your LAN with Arp Poison Routing



By: Rorik Koster, April 17, 2006

Security is a popular buzzword heard every day throughout our American culture and possibly even more so in our global economy. From National Security to Homeland Security to Information Security, we are bombarded with threats everywhere we turn. The Internet reports on new vulnerabilities, carries new viruses and their corresponding definitions, and spreads spyware, malware, and bogus e-mail phishing scams every day. There are other vulnerabilities besides viruses, worms, and scams that actually bend the rules of network communication to their benefit. They take advantage of the methods our networks use to transfer data, and these vulnerabilities will always be a threat to our information's security. Man in the Middle attacks come in many variations and can be carried out on a switched LAN more easily than one might think by using tools freely available on the Internet. This paper will explain how Man in the Middle attacks are possible and the potential threats from such an attack, and finally it will demonstrate the use of Cain & Abel to carry out a Man in the Middle attack.

To understand how Man in the Middle attacks can take place we need to look at the way computers communicate. The following paragraphs briefly outline how hosts transfer data on a switched Ethernet LAN. In the most basic and most common network environment, 802.3 Ethernet, computers communicate at Layer 2 of the Open Systems Interconnection model using Ethernet frames. Frames are sent to a destination Media Access Control (MAC) address that is unique to each Network Interface Card (NIC) on the network. If the destination MAC address is unknown, the transmitting computer sends an ARP (Address Resolution Protocol) Request. An ARP Request is broadcast to every host on the network. This request asks for the MAC address of a certain IP address that the computer wants to reach. There is a tendency for people to state falsely what ARP does (I have run into this time and again during my research), so I will state it explicitly here: ARP resolves a MAC address from an IP address (Plummer). Every host on the network receives the ARP Request because it is broadcast, but only the host with the corresponding IP address replies to it. All of the other computers process the request and then drop it. The host with the matching IP address answers with an ARP Reply that contains its own MAC address (Sipes). At this point both machines update their ARP cache, a table that holds the IP-address-to-MAC-address mapping of the remote host for a period of time. Communication between the hosts can begin once the ARP cache entry exists, and that entry is used for future data transfer until it ages out. An illustration of the process is shown in Figure 1, where Host A wants to communicate with Host B.

Figure 1

As you can see, this communication model relies heavily on trust and assumes that all ARP Reply traffic is legitimate and playing by the rules. This is the key to sniffing switched LANs and is ultimately what allows Man in the Middle attacks to occur. ARP is a stateless protocol, meaning that the computer does not keep track of whether it has sent an ARP Request out (Whalen). Stated another way, when a computer receives an ARP Reply it does not check whether it ever sent a corresponding ARP Request. ARP Request/Reply also does not require authentication between the hosts. These two factors allow a computer's ARP cache to be updated simply by sending it an ARP Reply carrying the wrong MAC address (Montoro). This vulnerability, spoofing ARP Replies to force a target machine to update its ARP cache with incorrect MAC address information, exists within the TCP/IP stack itself, which means that it is a multi-platform vulnerability. The process of forcing a target machine to update its ARP cache this way is known as ARP cache poisoning or ARP spoofing. It is important to note that computers create and update the ARP cache dynamically as needed, and after a timeout period an entry is removed from the table. This is why the computer performing the ARP poisoning must routinely re-poison each host for the duration of the session (Montoro). An illustration of ARP poisoning is shown in Figure 2.
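The two weaknesses just described, statelessness and the absence of authentication, are exactly what a network monitor can compensate for by keeping the state the host's stack does not. The following is an added example, not code from the paper or from Cain & Abel: it decodes ARP frames in their RFC 826 layout and flags replies that nobody requested as well as replies that change the MAC already learned for an IP. The MAC and IP addresses and the three-frame capture are constructed sample values.

```python
import struct

ETH_ARP, ARP_REQUEST, ARP_REPLY = 0x0806, 1, 2
mac_str = lambda b: ":".join(f"{x:02x}" for x in b)
ip_str = lambda b: ".".join(str(x) for x in b)

def parse_arp(frame):
    """Decode an Ethernet II frame carrying IPv4-over-Ethernet ARP (RFC 826 layout)."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"op": op, "sha": mac_str(frame[22:28]), "spa": ip_str(frame[28:32]),
            "tha": mac_str(frame[32:38]), "tpa": ip_str(frame[38:42])}

class ArpWatcher:
    """Keeps the state a host's stack does not: outstanding requests and the first MAC seen per IP."""
    def __init__(self):
        self.pending = set()   # (requester IP, target IP) of requests seen on the wire
        self.table = {}        # IP -> MAC first learned from a reply
        self.alerts = []
    def observe(self, frame):
        a = parse_arp(frame)
        if a is None:
            return
        if a["op"] == ARP_REQUEST:
            self.pending.add((a["spa"], a["tpa"]))
        elif a["op"] == ARP_REPLY:
            if (a["tpa"], a["spa"]) in self.pending:
                self.pending.discard((a["tpa"], a["spa"]))
            else:  # nobody asked: gratuitous ARP, or a poisoning attempt
                self.alerts.append(("unsolicited-reply", a["spa"], a["sha"]))
            first = self.table.setdefault(a["spa"], a["sha"])
            if first != a["sha"]:
                self.alerts.append(("mac-changed", a["spa"], first, a["sha"]))
    def audit(self, frames):
        for f in frames:
            self.observe(f)
        return self.alerts

def encode_arp(op, sha, spa, tha, tpa):
    """Pack one frame; used here only to build the constructed sample capture."""
    to_mac = lambda s: bytes.fromhex(s.replace(":", ""))
    to_ip = lambda s: bytes(int(x) for x in s.split("."))
    dst = b"\xff" * 6 if op == ARP_REQUEST else to_mac(tha)
    return (dst + to_mac(sha) + struct.pack("!HHHBBH", ETH_ARP, 1, 0x0800, 6, 4, op)
            + to_mac(sha) + to_ip(spa) + to_mac(tha) + to_ip(tpa))

# Constructed sample: Host A (.10) resolves the gateway (.1); later a third station
# answers for the gateway's IP with its own MAC although nobody asked.
GW_MAC, A_MAC, X_MAC = "00:11:22:33:44:01", "00:11:22:33:44:10", "00:11:22:33:44:99"
SAMPLE = [encode_arp(ARP_REQUEST, A_MAC, "192.168.1.10", "00:00:00:00:00:00", "192.168.1.1"),
          encode_arp(ARP_REPLY, GW_MAC, "192.168.1.1", A_MAC, "192.168.1.10"),
          encode_arp(ARP_REPLY, X_MAC, "192.168.1.1", A_MAC, "192.168.1.10")]
```

Because hosts also send legitimate gratuitous ARP (for example after an address change), the unsolicited-reply alert is a prompt to look, while a MAC change for the gateway's IP is the finding worth acting on.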

Figure 2

Now that we understand how computers communicate and how a device can be fooled into sending data anywhere we want on the LAN, we can think about what can be done with this knowledge. ARP poisoning can be used for legitimate purposes, such as redirecting new hosts to a network registration page where they can gain full access to the network. ARP poisoning can also be used for more illicit activities, which usually take the form of Man in the Middle attacks. A Man in the Middle attack can eavesdrop on a switched LAN to sniff for clear-text data (McClure, Scambray). It can also be used for substitution attacks that actively manipulate data in transit. Replay attacks can resend a sniffed password hash to authenticate an unauthorized user. And finally, denial of service attacks can take place during and/or after the Man in the Middle attack is complete (Wagner). These kinds of attacks compromise the confidentiality of data and also its integrity as it passes through the local network. As you will see in the following paragraphs, any data transmitted in clear-text, such as FTP and telnet, can easily be stripped out and viewed.

Using Cain & Abel version 2.8.8 an individual can easily gather interesting data, mainly usernames and passwords. The first step is to download, install and run Cain & Abel. This program is provided for free and can be obtained at http://www.oxid.it/. While the program is running select Configure in the menu bar. This allows you to choose the Ethernet card that you will use to sniff traffic. Select the device and click OK. Cain's user interface has several tabs located at the top labeled Protected Storage, Network, Sniffer, LSA Secrets, Cracker, Traceroute, CCDU, and Wireless. These features are all interesting and powerful, but the majority of them do not concern this particular paper. We are interested in the Sniffer tab of the application. This tab allows us to sniff traffic on the network and select hosts to initiate a Man in the Middle attack. When you select the Sniffer tab, notice that new tabs appear at the bottom of the window labeled Hosts, APR, Routing, Passwords, and VoIP. The screen should default to Hosts; if it does not, select the Hosts tab. Next, activate the sniffer by clicking on the icon that looks like a NIC (see Figure 3).

Figure 3

Click on the blue plus sign, or alternatively right-click in the window and select Scan MAC Addresses, to scan the network for hosts (see Figure 4).

Figure 4

Select All hosts in my subnet and click OK; you also have the option to test broadcast and multicast ARP frames. Cain will display the IP address, MAC address, and Organizationally Unique Identifier (OUI) of each host in the window. With this information we can move on to the APR tab. APR is simply an abbreviation of ARP Poison Routing, and as we learned earlier this is what allows Man in the Middle attacks to take place. You will notice two panes are displayed. In the pane on the left you see a browsing tree that can switch between APR-DNS, APR-SSH1, APR-HTTPS, and APR-RDP. The first item, APR-DNS, allows you to resolve DNS requests and redirect particular requests anywhere you choose (see Figure 5).

Figure 5 (Google resolves to Yahoo!)

APR-SSH1 can capture and decrypt SSH version 1 sessions, which are then saved to a text file. APR-HTTPS can intercept and forge digital certificates on the fly, but because these certificates are not signed by a trusted authority a warning message will be displayed to the end user. APR-RDP can capture and decrypt Microsoft's Remote Desktop Protocol as well. All of these are basically automated, with the exception of APR-DNS, where you have to specify which DNS request you would like to redirect. The most crucial item in that list is the radioactive hazard icon labeled APR. It is in this window that we select our victim(s). Click on APR in the left window pane, then click in the right window pane. Click on the blue plus sign to select the hosts that you would like to put your computer between (see Figure 6).

Figure 6

When you select the first host on the left side, the remaining hosts appear on the right side. You will need to select a host on the right side to continue. If the host you have chosen is a router that has an external link to the Internet, then you will capture all traffic between the host on the internal LAN and the Internet (this tends to be where some very interesting information is exchanged). After you have selected both hosts, Cain displays the target host's IP address, the destination host's IP address, and what state the connection is in, Idle or Poisoning (see Figure 7).

Figure 7

To begin ARP Poisoning, the Man in the Middle attack, simply click on the radioactive hazard symbol next to the NIC Sniffer icon in the top left corner of the window. You are now launching a Man in the Middle attack. To verify that the ARP cache has been poisoned, log into the remote host, open the command prompt and type arp -a; you will see the ARP cache table entries (see Figure 8).
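The arp -a check in the last step is also the simplest host-side detection, and it can be scripted. This added example (not from the paper or from Cain & Abel) parses the table that Windows arp -a prints, compares the gateway entry against a MAC recorded while the LAN was healthy, and flags one MAC answering for several IPs, which is what a poisoned cache looks like from the victim. The cache dump and the baseline MAC are constructed sample values.

```python
import re

# One cache row as Windows 'arp -a' prints it: IP, MAC with '-' separators, dynamic|static.
ROW = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-f]{2}(?:[-:][0-9a-f]{2}){5})\s+(\w+)", re.I)

def parse_arp_a(text):
    """Return [(ip, mac, type)] from 'arp -a' output, MACs normalised to aa:bb:cc:dd:ee:ff."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rows.append((m.group(1), m.group(2).lower().replace("-", ":"), m.group(3).lower()))
    return rows

def is_group_mac(mac):
    # Broadcast and IPv4 multicast entries legitimately share addresses; skip them.
    return mac == "ff:ff:ff:ff:ff:ff" or mac.startswith("01:00:5e:")

def audit_cache(rows, baseline):
    """baseline maps IPs whose MAC should never change (gateway, servers) to that MAC."""
    findings = []
    for ip, mac, _ in rows:
        if ip in baseline and baseline[ip] != mac:
            findings.append(("baseline-mismatch", ip, baseline[ip], mac))
    owners = {}
    for ip, mac, _ in rows:
        if not is_group_mac(mac):
            owners.setdefault(mac, []).append(ip)
    for mac, ips in owners.items():
        if len(ips) > 1:  # one NIC answering for several IPs: the ARP Poison Routing signature
            findings.append(("shared-mac", mac, ips))
    return findings

# Constructed 'arp -a' output from a victim whose gateway entry has been poisoned.
SAMPLE_ARP_A = """\
Interface: 192.168.1.10 --- 0x4
  Internet Address      Physical Address      Type
  192.168.1.1           00-11-22-33-44-99     dynamic
  192.168.1.20          00-11-22-33-44-20     dynamic
  192.168.1.99          00-11-22-33-44-99     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""
# Known-good gateway MAC, recorded while the LAN was healthy (constructed value).
BASELINE = {"192.168.1.1": "00:11:22:33:44:01"}

def check(text=SAMPLE_ARP_A, baseline=BASELINE):
    return audit_cache(parse_arp_a(text), baseline)
```

A MAC shared by several IPs is not always hostile (a router holding more than one address, for instance), so the baseline comparison is the decisive finding; and because the poisoned entry is refreshed for as long as the session lasts, a clean cache at one moment proves little, so run the check repeatedly.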

Figure 8

By opening a telnet or FTP session to a server on the remote machine, you can easily see the danger of clear-text protocols by clicking on the Passwords tab at the bottom of the window (see Figure 9).

Figure 9

While the Man in the Middle attack is running it might be interesting to see all of the traffic that Cain is processing; for this you can use Ethereal or any other packet capture utility. Ethereal is another free program that is available from http://www.ethereal.com/. Now that you are able to launch successful Man in the Middle attacks and sniff traffic on your switched LAN, it is important to remember to use your power only for good and only on networks where you have permission to do so. If you do not heed this warning you may put yourself in a position that you don't want to be in, both ethically and legally. Every person that deals with technology, from a Technical Analyst to a Chief Information Security Officer, should know what he or she is facing, and ARP cache poisoning is only one of many threats to be concerned with. It is our responsibility to secure our networks and enforce policies and procedures that serve the greater good.

References

McClure, S., & Scambray, J. (May 2000). Switched networks lose their security due to packet-capturing tool. Retrieved April 13, 2006, from http://www.infoworld.com/articles/op/xml/00/05/29/000529opswatch.html

Montoro, Massimiliano. (June 2001). Introduction to Arp Poison Routing. Retrieved April 6, 2006, from http://www.oxid.it/downloads/apr-intro.swf

Plummer, David C. (November 1982). An Ethernet Address Resolution Protocol. Retrieved April 11, 2006, from http://www.ietf.org/rfc/rfc826.txt

Sipes, Stephen. (September 2000). Why your switched network isn't secure. Retrieved April 13, 2006, from http://www.sans.org/resources/idfaq/switched_network.php

Wagner, Robert. (August 2001). Address Resolution Protocol Spoofing and Man-in-the-Middle Attacks. Retrieved April 11, 2006, from http://www.sans.org/rr/whitepapers/threats/474.php

Whalen, Sean. (April 2001). An Introduction to Arp Spoofing. Retrieved April 14, 2006, from http://packetstormsecurity.org/papers/protocols/intro_to_arp_spoofing.pdf