
Albert-Ludwigs- University of Freiburg

Department of Computer Science

Internetworking

Seminar on ARP Spoofing

Presented by:
Mahesh Visvanathan
Ramya Ramakrishnan

Contents:

1. Introduction to ARP Spoofing
2. ARP Operations
3. ARP Network Structure
4. Vulnerabilities
5. ARP Attacks
   5.1 Man in the Middle Attacks
   5.2 Denial of Service
   5.3 Hijacking
6. Detection
7. Tools and Utilities
   7.1 Dsniff
   7.2 Hunt
8. Countermeasures
9. Experiments
10. Reference

Abstract: This paper deals with ARP spoofing, a method of exploiting the interaction between IP and
Ethernet. It covers the network structure in which the attack takes place, the operating systems that
are affected, the kinds of attack that become possible (man in the middle, denial of service,
connection hijacking, cloning and sniffing), how such attacks can be detected, and which
countermeasures protect against them. The attack is then demonstrated in a practical setup.

Introduction:

A computer connected to an IP/Ethernet LAN has two addresses. The first is the address of
the network card, the MAC address. The MAC address is intended to be globally unique and fixed:
it is stored on the network card itself (although, as the section on cloning shows, it can be
overridden in software). Ethernet needs this address so that it can move data back and forth
regardless of which application is running on top of it.
Ethernet transports data in "frames", whose payload is at most 1500 bytes. Each frame carries
an Ethernet header containing the MAC addresses of the source and the destination computer.
The second address is the IP address. IP is the protocol used by applications, independent of
whatever network technology operates underneath it. Each computer on a network must have a
unique IP address in order to communicate. IP addresses are logical rather than tied to the
hardware, and are assigned by software.
IP and Ethernet must work together. IP communicates by constructing "packets", which are
similar to frames but have a different structure. Each packet is handed to Ethernet, which wraps
it in a frame with an Ethernet header and sends it down the cable to the switch. The switch then
decides which port to send the frame to by comparing the destination MAC address of the frame
with an internal table that maps MAC addresses to ports.

Message Format: ARP Data Unit (figure)

Hence, when an Ethernet frame is constructed, it must be built from an IP packet. At the time of
construction, however, Ethernet does not know the MAC address of the destination machine, which
it needs in order to create the Ethernet header. The only information available is the destination
machine's IP address, taken from the packet header. There must therefore be a way for the Ethernet
layer to find the MAC address of the destination machine, given a destination IP address. This is
where the ARP protocol comes in.

ARP is a helper protocol that makes networking a little easier, more efficient and more reliable.
Both IP addresses and MAC addresses play an important part in networking. Not only does the use
of IP addresses provide a method for keeping internal networks separate from external networks,
IP addresses can also help to logically segment one network from another.

ARP operations:

ARP operates by sending out an "ARP request". The request is broadcast over the network and
asks: "Is your IP address x.x.x.x? If so, send your MAC address back to me." The broadcast
reaches every computer on the LAN (also on a switched network, since switches forward broadcasts
to all ports). Each computer examines the ARP request, checks whether it is currently assigned
the specified IP address and, if so, sends an ARP reply containing its MAC address.
To minimize the number of ARP packets being broadcast, operating systems keep a cache of ARP
replies. When a computer receives an ARP reply, it updates its ARP cache with the new IP/MAC
association. As ARP is a stateless protocol, most operating systems will update their cache
whenever a reply is received, regardless of whether they ever sent out a request for it.

ARP Request (broadcast)

    Source host                          Destination host
    IP:  132.230.4.47                    IP:  132.230.4.49
    MAC: 00:10:DC:6B:D6:AA               MAC: 00:02:B3:87:53:43

    Request fields:  S_IP  132.230.4.47      S_MAC 00:10:DC:6B:D6:AA
                     D_IP  132.230.4.49      D_MAC ???  (unknown, being asked for)

ARP Request Message

    ARP Request (broadcast)              ARP Reply (unicast)
    S_IP:  132.230.4.47                  S_IP:  132.230.4.49
    S_MAC: 00:10:DC:6B:D6:AA             S_MAC: 00:02:B3:87:53:43
    D_IP:  132.230.4.49                  D_IP:  132.230.4.47
    D_MAC: 00:02:B3:87:53:43             D_MAC: 00:10:DC:6B:D6:AA

ARP Message Request / ARP Message Reply
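The exchange in the figure, as an added example that is not part of the original paper: it encodes and decodes the Ethernet II header and the 28-byte ARP packet (RFC 826 layout) for the request and reply shown above, using only the Python standard library. The two IP/MAC pairs are the ones in the figure; on the wire a request carries an all-zero target MAC, which is the field the figure marks as "???".

```python
import struct

# Constants from the Ethernet II / ARP (RFC 826) specifications.
ETH_TYPE_ARP = 0x0806
HTYPE_ETHERNET = 1
PTYPE_IPV4 = 0x0800
OP_REQUEST = 1
OP_REPLY = 2
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"

# Addresses taken from the paper's request/reply figure.
HOST_A = ("132.230.4.47", "00:10:dc:6b:d6:aa")
HOST_B = ("132.230.4.49", "00:02:b3:87:53:43")


def mac_to_bytes(mac):
    return bytes(int(octet, 16) for octet in mac.split(":"))


def bytes_to_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def ip_to_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))


def bytes_to_ip(raw):
    return ".".join(str(b) for b in raw)


def build_arp_frame(op, sender_mac, sender_ip, target_mac, target_ip, eth_dst=None):
    """Ethernet II header (14 bytes) + ARP packet (28 bytes) = 42 bytes.

    A request is broadcast and carries an all-zero target MAC (the value being
    asked for); a reply is unicast to the MAC of the host that asked.
    """
    if eth_dst is None:
        eth_dst = BROADCAST_MAC if op == OP_REQUEST else target_mac
    eth_header = (mac_to_bytes(eth_dst) + mac_to_bytes(sender_mac)
                  + struct.pack("!H", ETH_TYPE_ARP))
    # htype, ptype, hardware address length, protocol address length, opcode
    arp_header = struct.pack("!HHBBH", HTYPE_ETHERNET, PTYPE_IPV4, 6, 4, op)
    arp_body = (mac_to_bytes(sender_mac) + ip_to_bytes(sender_ip)
                + mac_to_bytes(target_mac) + ip_to_bytes(target_ip))
    return eth_header + arp_header + arp_body


def parse_arp_frame(frame):
    """Decode a frame built as above; rejects anything that is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet + ARP")
    eth_dst, eth_src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETH_TYPE_ARP:
        raise ValueError(f"not an ARP frame (ethertype 0x{ethertype:04x})")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (HTYPE_ETHERNET, PTYPE_IPV4, 6, 4):
        raise ValueError("unsupported hardware/protocol address types")
    body = frame[22:42]
    return {
        "eth_dst": bytes_to_mac(eth_dst),
        "eth_src": bytes_to_mac(eth_src),
        "op": op,
        "sender_mac": bytes_to_mac(body[0:6]),
        "sender_ip": bytes_to_ip(body[6:10]),
        "target_mac": bytes_to_mac(body[10:16]),
        "target_ip": bytes_to_ip(body[16:20]),
    }


def example_exchange():
    """The paper's exchange: .47 asks who has .49, and .49 answers by unicast."""
    request = build_arp_frame(OP_REQUEST, HOST_A[1], HOST_A[0], ZERO_MAC, HOST_B[0])
    reply = build_arp_frame(OP_REPLY, HOST_B[1], HOST_B[0], HOST_A[1], HOST_A[0])
    return parse_arp_frame(request), parse_arp_frame(reply)


if __name__ == "__main__":
    for name, packet in zip(("request", "reply"), example_exchange()):
        print(name, packet)
```

Nothing in the packet authenticates the sender: a forged reply built with `build_arp_frame(OP_REPLY, attacker_mac, victim_ip, ...)` is byte-for-byte as valid as the genuine one, which is the whole problem the following sections describe.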

What does ARP spoofing exactly mean?
ARP spoofing involves constructing forged ARP request and reply packets. By sending forged
ARP replies, a target computer can be convinced to send frames destined for computer A to
computer B instead. When done properly, computer A will have no idea that this redirection took
place. The process of updating a target computer's ARP cache with a forged entry is referred to
as "ARP poisoning".

To illustrate the power of ARP spoofing, let us place ourselves in a hacker's shoes. The
following is an illustration of a sample network that a hacker has just gained access to. In
this case, the hacker has plugged a computer into the switch and will attempt to sniff the data
travelling between two computers through the gateway. The hacker knows the IP addresses of both
computers A and B. We also assume that the hosts have previously communicated, so that the
gateway, the switch and the target computer already hold ARP and MAC table entries for each other.

Network Structure used in ARP Spoofing

The first thing the hacker must do is decide how to gain access to the traffic. ARP spoofing
will most likely work; the alternative is to flood the switch with frames from bogus MAC
addresses until its MAC table overflows and it starts sending frames out of every port.
If we want to monitor the flow of data in a switched network using ARP spoofing, the traffic
takes the path shown in the following diagram.

Data flow using ARP spoofing

ARP Vulnerabilities

The vulnerability in ARP is that any system can spoof a reply to an ARP request, and the
system that caches the reply will overwrite its existing entry, or add an entry if none exists.

The operating systems and devices found to be vulnerable to ARP spoofing are:

- Windows 95/98/2000
- Windows NT / XP
- AIX 4.3
- Linux
- Netgear
- Cisco IOS 11.1

The operating system that resists ARP spoofing is:

- Sun Solaris

Solaris appears to restrict cache poisoning (see the note on its timeout behaviour under
Countermeasures), so its exposure to the attack is much smaller.

ARP Attacks:

The attacks are classified into the following types:

1. Man in the Middle (MiM)
2. Denial of Service (DoS)
3. Hijacking
4. Cloning
5. Sniffing

Man in the Middle: A "man in the middle" attack is performed when a malicious user inserts his
computer into the communication path between two target computers. The malicious computer
forwards frames between the two computers, so communication is not interrupted. The attack
proceeds as follows (Joker is the attacking computer, Batman and Robin are the targets):

- Joker poisons the ARP caches of Batman and Robin.
- Batman associates Robin's IP with Joker's MAC.
- Robin associates Batman's IP with Joker's MAC.
- All IP traffic between Batman and Robin then goes to Joker first, instead of directly to
  each other.

MiM Attack (figure): Batman 132.230.4.49, Robin 132.230.4.44, Joker 132.230.4.46,
Batcave GW 132.230.4.254. 1) ARP attack on Robin, 2) ARP attack on Batman, 3) Joker routes
the Robin/Batman traffic between the two.

This is extremely potent when we consider that not only computers can be poisoned, but
routers/gateways as well. All Internet traffic of a host can be intercepted by performing a MiM
between the target computer and the LAN's router.

Denial of Service: Updating a target's ARP cache with a non-existent MAC address causes its
frames to be dropped, because no host on the segment owns that address and the frames are never
delivered. Such updates can be sent in a sweeping fashion to all clients on the network in order
to cause a denial of service. The same effect occurs as a side effect after a MiM attack, since
the targeted computers will continue to send frames to the attacker's MAC address even after the
attacker has removed himself from the communication path. To perform a clean MiM attack, the
attacking computer must restore the original ARP entries on the target computers before leaving.
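A small model of the MiM and DoS behaviour just described, as an added example that is not part of the original paper. It models the cache behaviour from the ARP operations section (any reply, solicited or not, overwrites the entry), poisons Batman and Robin with Joker's MAC, and shows the difference between a clean teardown and the DoS left behind when the attacker simply unplugs; a static entry, the countermeasure discussed later in the paper, is shown being ignored. Robin's and Joker's MAC addresses are constructed, since the paper gives only their IP addresses.

```python
from dataclasses import dataclass, field

# Addresses from the paper's MiM/DoS diagrams. Robin's and Joker's MACs are
# constructed (locally administered 02:... addresses); the paper gives only IPs.
BATMAN = ("Batman", "132.230.4.49", "00:02:b3:87:53:43")
ROBIN = ("Robin", "132.230.4.44", "02:00:00:00:00:44")
JOKER = ("Joker", "132.230.4.46", "02:00:00:00:00:46")


@dataclass
class Host:
    name: str
    ip: str
    mac: str
    arp_cache: dict = field(default_factory=dict)   # ip -> mac
    static_ips: set = field(default_factory=set)     # entries pinned by the admin

    def receive_arp_reply(self, sender_ip, sender_mac):
        """Stateless-ARP behaviour described in the paper: any reply, solicited or
        not, overwrites the cache entry, unless the entry was made static."""
        if sender_ip in self.static_ips:
            return False
        self.arp_cache[sender_ip] = sender_mac
        return True

    def next_hop_mac(self, dst_ip):
        return self.arp_cache.get(dst_ip)


def deliver(dst_mac, hosts_on_segment):
    """Switch model: a frame reaches the host owning dst_mac, or nobody (dropped)."""
    for host in hosts_on_segment:
        if host.mac == dst_mac:
            return host.name
    return None


def poison_pair(attacker, a, b):
    """Steps 1 and 2 of the MiM: each target learns the other's IP at the attacker's MAC."""
    a.receive_arp_reply(b.ip, attacker.mac)
    b.receive_arp_reply(a.ip, attacker.mac)


def restore_pair(a, b):
    """Clean teardown: the attacker re-advertises the genuine IP/MAC pairs."""
    a.receive_arp_reply(b.ip, b.mac)
    b.receive_arp_reply(a.ip, a.mac)


def scenario(clean_teardown):
    """Where Batman's frames for Robin land: before, during and after the attack."""
    batman, robin, joker = Host(*BATMAN), Host(*ROBIN), Host(*JOKER)
    # Prior legitimate communication, as the paper assumes.
    batman.receive_arp_reply(robin.ip, robin.mac)
    robin.receive_arp_reply(batman.ip, batman.mac)
    segment = [batman, robin, joker]

    before = deliver(batman.next_hop_mac(robin.ip), segment)
    poison_pair(joker, batman, robin)
    during = deliver(batman.next_hop_mac(robin.ip), segment)
    if clean_teardown:
        restore_pair(batman, robin)
    # Joker unplugs. Without the restore, Batman keeps sending to a MAC nobody owns.
    after = deliver(batman.next_hop_mac(robin.ip), [batman, robin])
    return before, during, after


def static_entry_defence():
    """Static entry for Robin on Batman: Joker's forged reply is ignored."""
    batman, robin, joker = Host(*BATMAN), Host(*ROBIN), Host(*JOKER)
    batman.receive_arp_reply(robin.ip, robin.mac)
    batman.static_ips.add(robin.ip)
    accepted = batman.receive_arp_reply(robin.ip, joker.mac)
    return accepted, deliver(batman.next_hop_mac(robin.ip), [batman, robin, joker])


if __name__ == "__main__":
    print("clean MiM :", scenario(clean_teardown=True))
    print("sloppy MiM:", scenario(clean_teardown=False))
    print("static ARP:", static_entry_defence())
```

The sloppy variant ends with `None`, the dropped-frame state the DoS figure labels "Dropped"; the clean variant ends with Robin again, which is why tools that poison without restoring (Parasite, below) leave a DoS behind.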

DoS Attack (figure): Batman 132.230.4.49, Robin 132.230.4.44, Joker 132.230.4.46,
Batcave GW 132.230.4.254. 1) ARP attack on Robin, 2) ARP attack on Batman, 3) ARP attack on the
gateway; frames sent to the poisoned entries are dropped.

Hijacking: Connection hijacking allows an attacker to take control of a connection between two
computers using methods similar to the MiM attack. Any type of session can be taken over this
way. For example, an attacker could take control of a telnet session after a target computer has
logged in to a remote computer as an administrator.

Cloning: MAC addresses were intended to be a globally unique identifier for each network
interface produced. They were to be burned into the ROM of each interface and never changed. In
practice the MAC address can be changed with readily available software; changing it in hardware
is also possible but takes far more time and effort. Linux users can even change their MAC
address without any spoofing software, using a single parameter of "ifconfig", the interface
configuration program of the OS.
An attacker can DoS a target computer and then assign himself the IP and MAC of the target,
receiving all frames intended for it.

Sniffing: Switches determine which frames go to which ports by comparing the destination MAC
of each frame against a table. This table lists, for each port, the MAC addresses attached to it.
The switch learns it from the source MAC of the frames arriving on each port, starting with the
first frame transmitted on the port after power-on. If the table is flooded with bogus entries
(as macof does), many switches fall back to sending frames out of every port, like a hub.
Network cards can enter a state called "promiscuous mode", in which they accept frames destined
for MAC addresses other than their own; only then can such flooded frames be examined.

ARP Spoofing Detection:

While ARP attacks cannot be prevented outright, because of the inherent part ARP plays in data
transfer, spoofed ARP replies are easy to detect. Although many tools and programs are available
that try to warn administrators of ARP attacks, they all work in basically the same way.

One such program is arpwatch. It monitors all IP/MAC address pairings and alerts its user when
one changes. It does this by listening on the network, much like a sniffer, and comparing every
captured reply against a database. Other programs take a snapshot of all IP/MAC pairs and
periodically request updates from the networked computers. These methods often produce numerous
false alarms on DHCP networks, which assign IP addresses dynamically.

The only real way to limit the damage of ARP attacks is to encrypt all data passing over the
network. Although this is possible, it is not commonly employed because of the processing
overhead and the complexity of setup. Note that encryption does not change ARP at all: the
traffic is still redirected, but it is no longer readable by the attacker.

ARP Tools and Utilities:

Various tools that can be used to perform ARP spoofing are available on the Internet. They are
as follows:

Dsniff: dsniff is a collection of tools for network auditing and penetration testing. Dsniff,
filesnarf, mailsnarf, msgsnarf, urlsnarf, and webspy passively monitor a network for
interesting data (passwords, e-mail, files, etc.). arpspoof, dnsspoof, and macof facilitate
the interception of network traffic normally unavailable to an attacker (e.g., due to layer-2
switching). sshmitm and webmitm implement active monkey-in-the-middle attacks
against redirected SSH and HTTPS sessions by exploiting weak bindings in ad-hoc PKI.

Hunt is a program for intruding into a connection, watching it and resetting it. It was
inspired by products like Juggernaut or T-sight, but has several features that cannot be found
in those products.
Note that Hunt operates on Ethernet and is best used for connections that can be watched through
it. However, it is possible to do something even for hosts on another segment. Hunt does not
distinguish between local network connections and connections going to or from the Internet; it
can handle all connections it sees.
Connection hijacking is aimed primarily at telnet traffic, but it can be used for other traffic
too. The reset, watching and ARP features are common to all connections.

ARPoison is a command-line tool for UNIX which creates spoofed ARP replies. Users
can specify the source and destination IP/MAC addresses.

Ettercap is a powerful UNIX program with a text-mode interface, easy enough to be used by
"script kiddies". All operations are automated, and the target computers are chosen from a
scrollable list of hosts detected on the LAN. Ettercap can perform four methods of sniffing: IP,
MAC, ARP, and Public ARP. It also automates the following procedures:
- Injecting characters into connections
- Sniffing encrypted SSH sessions
- Password collection
- OS fingerprinting
- Connection killing

Parasite is a daemon which watches a LAN for ARP requests and automatically sends spoofed ARP
replies. This places the attacking computer as the MiM for any computer that broadcasts an ARP
request. Eventually this results in a LAN-wide MiM attack, and all data passing through the
switch can be sniffed. Parasite does not clean up properly when stopped. This results in a DoS
of all poisoned computers, because their ARP caches point to a MAC address that is no longer
forwarding their frames. The poisoned ARP entries must expire before normal operation can resume.

Counter Measures:

There is no universal defence against ARP spoofing. The one real defence is the use of
static (non-changing) ARP entries. Since static entries cannot be updated, spoofed ARP replies
are ignored. To prevent spoofing completely, the ARP table of every machine would have to hold a
static entry for every other machine on the network. The overhead of deploying these tables and
keeping them up to date is impractical for most LANs. Also of note is the behaviour of static
ARP entries under Windows. Tests found that Windows 9x, NT and 2000 still accept spoofed ARP
replies and overwrite the static entry with the dynamic one, nullifying any effect of static
entries on those versions; only XP honours them.
MAC cloning can be prevented by a feature found on high-end switches called Port Security
(also known as Port Binding or MAC Binding). Port Security fixes which MAC addresses may appear
on each switch port, so the switch's MAC table changes only when a network administrator changes
it. It is not suitable for large networks or for networks using DHCP. Port Security does not
prevent ARP spoofing, since the forged replies are sent from the attacker's own, legitimately
bound MAC address.
Aside from these two methods, the only remaining defence is detection. Arpwatch is a free
UNIX program which listens for ARP replies on a network. It builds a table of IP/MAC
associations and stores it in a file. When the MAC address associated with an IP changes
(referred to as a flip-flop), an e-mail is sent to an administrator. Tests showed that running
Parasite on a network caused a flood of flip-flops, leaving the MAC of the attacker present in
Arpwatch's e-mails. Ettercap caused several flip-flops, but would be difficult to detect on a
DHCP-enabled network, where flip-flops occur at regular intervals.
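The arpwatch-style detection described in the Detection and Countermeasures sections, as an added example that is not part of the original paper or of arpwatch itself: a monitor that keeps an IP-to-MAC database, reports new stations and flip-flops, downgrades flip-flops inside a DHCP range (the false-alarm source noted above) and, going one step beyond the text, flags a single MAC that claims several IP addresses at once, which is what a MiM on a host and its gateway looks like. The stream of observed replies is constructed; Batman's MAC is from the paper, the gateway and Joker MACs are made up.

```python
# Constructed stream of observed ARP replies: (seconds, sender_ip, sender_mac).
# Batman's MAC is from the paper; the gateway and Joker MACs are constructed.
OBSERVED_REPLIES = [
    (0,    "132.230.4.49",  "00:02:b3:87:53:43"),  # Batman first seen
    (1,    "132.230.4.254", "02:00:00:00:00:fe"),  # Batcave gateway first seen
    (60,   "132.230.4.49",  "00:02:B3:87:53:43"),  # same pair again, upper case on the wire
    (120,  "132.230.4.49",  "02:00:00:00:00:46"),  # Batman's IP now answers from Joker's MAC
    (121,  "132.230.4.254", "02:00:00:00:00:46"),  # gateway IP too: MiM on host and router
    (3600, "132.230.4.49",  "00:02:b3:87:53:43"),  # flips back when Joker restores the entry
]


def detect(replies, dhcp_pool=frozenset()):
    """arpwatch-style monitor.

    Keeps an ip -> mac database, reports new stations and flip-flops, and flags
    one MAC claiming several IPs at the same time (the MiM signature). IPs in
    dhcp_pool still flip, but are reported at low confidence because lease churn
    makes them flip legitimately.
    Returns (database, alerts); each alert is (time, kind, subject, detail).
    """
    db = {}
    alerts = []
    for t, ip, mac in replies:
        mac = mac.lower()                       # normalise case before comparing
        if ip not in db:
            alerts.append((t, "new station", ip, mac))
        elif db[ip] != mac:
            kind = "flip flop (dhcp range)" if ip in dhcp_pool else "flip flop"
            alerts.append((t, kind, ip, f"{db[ip]} -> {mac}"))
        db[ip] = mac
        # One MAC now answering for several IPs: the host-plus-gateway MiM pattern.
        claimed = sorted(i for i, m in db.items() if m == mac)
        if len(claimed) > 1:
            alerts.append((t, "multiple ips", mac, ", ".join(claimed)))
    return db, alerts


def count_kind(alerts, kind):
    return sum(1 for alert in alerts if alert[1] == kind)


if __name__ == "__main__":
    _, alerts = detect(OBSERVED_REPLIES)
    for alert in alerts:
        print(alert)
```

The "multiple ips" alert is the one worth paging on: a DHCP lease change moves one IP to a new MAC, but it never makes one MAC answer for a host and the gateway at the same time.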
MAC cloning can be detected by using RARP (Reverse ARP). RARP requests the IP address
belonging to a known MAC address. Sending a RARP request for every MAC address on the network can
reveal whether any computer is performing cloning: multiple replies for a single MAC address
indicate a clone. If a MAC flood is performed and the switch reverts to broadcast mode, a
computer must enter promiscuous mode to examine the broadcast frames. Many methods exist for
detecting machines in promiscuous mode; they can be found in the Sniffing FAQ at
http://www.robertgraham.com/pubs/sniffing-faq.html.
Note that ARP spoofing can be performed without being in promiscuous mode, since the redirected
frames are addressed to your own MAC and the switch delivers them to your port. It is important
to remember that operating systems have their own TCP/IP stacks and Ethernet cards have their
own drivers, each with its own quirks. Even different versions of the same operating system vary
in behaviour. Solaris is unique in its treatment of ARP replies: it only accepts an update for an
existing entry after a timeout period. To poison the cache of a Solaris box, an attacker would
have to DoS the second target machine so that it does not refresh the entry, and win the race
after the timeout. This DoS may be detected if the network has an Intrusion Detection System in
place.

Firewalls are sometimes proposed as protection against spoofing and sniffing attacks, but
most personal firewalls cannot defend against, or even correctly identify, attacks below the IP
level. Products cited as offering protection against these spoofing attacks are ipfw and ipf
(IP Filter) in the UNIX environment and Network ICE's BlackICE on Windows.
Another form of defence is encryption. Encryption is an effective way to defend against
dsniff and other sniffers. It scrambles the network traffic, with obvious benefits against
sniffers. If communication between host systems is encrypted at the network layer, there is
little chance for programs such as dsniff to gather useful information from the network, since
the attacker cannot tell which packets contain authentication information and which do not. The
security of the network against sniffer attacks is proportional to the strength of the
encryption used.
There are several other tools which are able to detect systems which are in
promiscuous mode. They are
- Anti-sniff
- snifftest
- Promisc

Experiment:

A simple ARP table:

Man in the middle Attack:

Target: 132.230.4.49
Attacker: 132.230.4.46
Gateway: 132.230.4.254

ARP spoofing using the arpspoof command from the dsniff package

Ethereal capture of packets of the attacker machine

Ethereal Capture of packets in the target machine

Reference:

- Song, Dug, Dsniff 2.3, http://www.monkey.org/~dugsong/dsniff
- Sean Whalen, "An Introduction to ARP Spoofing", April 2001.
- The Ingredients to ARP Poison, http://www.informit.com
- Frederic Raynal, "ARP Attacks: arp-sk in action", http://media.frnog.org/FRnOG_1/FRnOG_1-2.en.pdf
- ARP Vulnerabilities, MISC (French security magazine), http://www.miscmag.com
- Mike Beekey, "ARP vulnerabilities and attacks", www.blackhat.com/presentations/bh-usa-01/MikeBeekey/bh-usa-01-Mike-Beekey.ppt
- Legions of the Underground issue, http://www.legions.org/kv/kv7.txt
- Measures to prevent security attacks in TCP/IP (Internet draft), http://www.ietf.org/internet-drafts/drafts-dattathrani-tcp-ip-security-01.htm
- W. R. Stevens, TCP/IP Illustrated, Vol. 1