Shulou(Shulou.com)06/01 Report--

This lesson focuses on arp protocol and arp spoofing, organized as follows:

ARP (Address Resolution Protocol) is an address resolution protocol. To put it bluntly: in IP Ethernet, when an upper layer protocol is about to send a packet, with the IP address of the node, ARP can provide the MAC address of the node. The OSI model divides the network work into seven layers, not directly dealing with each other, only through the interface (layre interface). The IP address is at layer 3, and the MAC address is at layer 2. When a packet occurs, the protocol first encapsulates the headers of layer 3 (IP address) and layer 2 (MAC address), but the protocol only knows the IP address of the destination node, does not know its physical address, and cannot span the second and third layers, so it has to use ARP services.

The ARP text field has a total of 28 bytes.

1. Hardware type: 2 bytes, indicating the type of network on which ARP is implemented.

A value of 1: indicates Ethernet.

two。 Protocol type: 2 bytes represents the type of protocol address to be mapped.

IP:0800

3. Hardware address length: 1 byte, indicating the MAC address length, with a value of 6 bytes.

4. Protocol address length: 1 byte, indicating the IP address length, where the value is 4 bytes

5. Operation type: 2 bytes, indicating the ARP packet type.

A value of 1 indicates an ARP request.

A value of 2 indicates an ARP reply.

6. Source MAC address: 6 bytes, indicating the sender MAC address

7. Source IP address: 4 bytes, indicating the sender IP address

8. Destination Ethernet address: 6 bytes, indicating the MAC physical address of the target device

9. Destination IP address: 4 bytes, indicating the IP address of the target device.

Note: in the ARP operation, the length of valid data is 28 bytes, which is not enough for the minimum length of 46 bytes. The minimum length of padding bytes is 18 bytes.

The working process of ARP protocol:

1. Principle: (ARP protocol is only used in local area network)

1 > in a local area network, what is actually transmitted in the network is a "frame" in which there is the MAC address of the target host.

2 > in Ethernet, one host must know the MAC address of the target host in order to communicate directly with another host. But how do you get this target MAC address? It is obtained through the address resolution protocol. The so-called "address resolution" is the process that the host translates the destination IP address to the destination MAC address before sending the frame.

3 > the basic function of ARP protocol is to query the MAC address of the target device through the IP address of the target device to ensure the smooth progress of the communication.

4 > Point-to-point connections do not require ARP protocol

two。 Working process:

1 > when host A sends an IP Datagram to a host B on the local local area network, it first checks its ARP buffer table to see if there is an IP address of host B.

2 > if so, you can find out the corresponding hardware address, write the hardware address to the MAC frame, and then send the packet to the destination host over Ethernet.

3 > if the table entry of the IP address of host B is not found. It may be that host B has just entered the network, or host A has just been powered on. The cache table is still empty. In this case, host An automatically runs ARP.

(1) the ARP process broadcasts an ARP request packet on the local local area network. The main content of ARP request packet is to show that my IP address is 192.168.0.2 and my hardware address is 00-00-C0-15-AD-18. I want to know the hardware address of the host whose IP address is 192.168.0.4.

(2) ARP operations running on all hosts on this LAN receive this ARP request packet.

(3) when host B sees its own IP address in the ARP request packet, it sends the ARP response packet to host An and writes its own hardware address. All other hosts ignore this ARP request packet. The main content of the ARP response packet is to say: "my IP address is 192.168.0.4, my hardware address is 08-00-2B-00-EE-AA." Please note that although the ARP request packet is broadcast, the ARP response packet is a normal unicast, that is, sent from a source address to a destination address.

(4) after host A receives the ARP response packet of host B, it writes the mapping of host B's IP address to hardware address in its ARP cache table.

4 > the kernel broadcasts ARP, and the destination MAC address is FF-FF-FF-FF-FF-FF,ARP command type REQUEST (1), which contains its own MAC address.

5 > when the 192.168.1.2 host receives the ARP request, it sends an ARP REPLY (2) command, which contains its own MAC address.

6 > obtain the IP-MAC address correspondence of 192.168.1.2 host locally and save it in ARP cache.

7 > the kernel will convert the IP into an MAC address, then encapsulate it in the Ethernet header structure, and then send the data out.

4. Special circumstances:

ARP is to solve the mapping problem between the IP address and the hardware address of the host or router on the same LAN. If the target device you are looking for and the source host are not on the same LAN.

1 > at this point, host A cannot resolve the hardware address of host B (in fact, host A does not need to know the hardware address of remote host B)

2 > what host A needs at this time is to parse the IP address of router R1 and send the IP Datagram to router R1.

3 > R1 finds the next-hop router R2 from the routing table and uses ARP to resolve the hardware address of R2. The IP Datagram is forwarded to router R2 according to the hardware address of router R2.

4 > Router R2 parses the hardware address of destination host B in a similar way when forwarding the IP Datagram, so that the IP Datagram is finally delivered to the host.

There are two kinds of ARP spoofing, one is two-way deception, the other is one-way deception:

1. One-way deception

The address of An is: IP:192.168.10.1 MAC: AA-AA-AA-AA-AA-AA

The address of B is: IP:192.168.10.2 MAC: BB-BB-BB-BB-BB-BB

The address of C is: IP:192.168.10.3 MAC: CC-CC-CC-CC-CC-CC

Communicate between An and C. But at this point B sends a fake ARP reply to A, and the data in this reply is that the sender's IP address is 192.168.10.3 (C's IP address), and the MAC address is BB-BB-BB-BB-BB-BB (C's MAC address is supposed to be CC-CC-CC-CC-CC-CC, which is forged here). When A receives a bogus ARP reply from B, it updates the local ARP cache (An is cheated), and B pretends to be C. At the same time, B also sends an ARP reply to C, the sender's IP address 4192.168.10.1 (A's IP address) in the reply packet, and the MAC address is BB-BB-BB-BB-BB-BB (A's MAC address should be AA-AA-AA-AA-AA-AA). When C receives B's fake ARP reply, it will also update the local ARP cache (C is also cheated), and B pretends to be A. In this way, hosts An and C are deceived by host B, and the data communicated between An and C passes through B. Host B knows exactly what they are talking about:). This is a typical ARP spoofing process.

Cut off the communication between An and c, the realization principle: B sends an ARP packet to A, the content is: the address of c is 00RV 0000RV 00RV 00 (a wrong address), then all packets sent by A to c will be sent to 00, and this address is wrong, so the communication is interrupted, but note that only A-> c is interrupted, c-- > An is not interrupted, so this is called one-way cheating.

Cut off the communication between c and A, the realization principle is the same as the first, if sent together with the first, then the communication between An and c will be completely interrupted, that is: a / c.

The realization principle of sniffing the communication between An and c is as follows: B sends an ARP packet to A, the content is: the address of c is AA:BB:CC:DD:EE:FF (b's own address), that is to say, b says to A: I am c, so A sends all the data sent to c to b, b can do whatever he wants when b gets the data, you can discard it directly, then the communication is interrupted, and it can be forwarded to c again. Then a loop is formed, and B acts as a middleman to monitor the communication between An and C. At this point, you can use any packet grabbing tool such as CAIN for local sniffing.

2.ARP two-way deception principle

A wants to communicate with C normally, and B tells A that I am C. B says to C that I am A, so in this case, modify all the ARP cache tables of An and C. Later, the communication process is that A sends the data to BMagol B and sends the data to C Magi C and BMagol B sends the data to A.

* the host sends ARP reply packets to the * host and the gateway. They modify their ARP cache table to all the MAC addresses of the * host, so that the data between them is intercepted by the * host.

3. The difference between two-way deception and one-way deception

One-way spoofing: refers to the spoofing gateway, there are three machines A (gateway) B (server) C (server). A needs to communicate with C normally. B tells A that I am C, then A gives the data to C, and A gives B the data originally given to C, and A modifies the local cache table, but the communication between C and An is still normal. It's just that the communication between An and C is abnormal.

Two-way deception: it deceives the gateway and the two machines, A (gateway) B (server) C (server), A wants to communicate with C normally. B tells A that I am C server B and C that I am A, so in this case, the ARP cache tables of An and C are all modified, and all the data sent is sent to B.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.