Shulou(Shulou.com)06/01 Report--

A simple description of host communication based on the principle of arp deception

As shown in the figure above, PC1 and PC2 are on the same network segment. PC2 wants to communicate with PC1. Due to the communication mechanism of Ethernet, PC2 needs to know the mac address of PC1 first and communicate with PC1 through mac address. PC2 will first look up the corresponding mac of 192.168.20.11 through its own arp table, as follows:

Arp table for PC1:

Arp table for PC2:

You can see that PC2 has no record of 192.168.20.11. At this time, PC2 asked the whole network through the arp broadcast who had ip 192.168.20.11. After receiving this broadcast, PC1 found that it was going to request the mac of 192.168.20.11. This ip was its own ip, responding to PC2 in response to a packet telling PC2 192.168.20.11 mac, because the arp broadcast sent by PC2 already carried the mac of PC2. At this time, PC1 records the arp information of PC2 in its own arp table. The following is the arp table after pingPC1 in PC2:

Arp table for PC1:

Arp table for PC2:

PC1 and PC2 can communicate at this point.

How is arp deception done?

Arp is a fragile protocol. As long as PC2 receives the arp reply packet, it will update its arp table. PC2 is unable to verify whether the arp reply packet really comes from PC1. At this point, if PC3 keeps sending arp reply packets to PC2, telling PC2 that I am 192.168.20.11 MagnePC2 will constantly update its arp table and have an incorrect arp record.

You can use the arpspoof command on PC3 to continuously send arp reply packets to PC2.

Arpspoof-I eth2-t 192.168.20.12 192.168.20.11

At this point, view the arp table of PC2:

You can see that the corresponding mac of 192.168.20.11 is the same as the mac of 192.168.20.9, and the mac of 08-00-27-37-7b-cc is PC3.

In this way, when PC2 sends data to PC1, it will be sent to PC3. Ping PC1 doesn't work on PC2 at this time.

The reason why ping does not work is that there is no 192.168.20.11 ip,PC2 packet sent to 192.168.20.11 on PC3, and PC3 will of course discard it.

Add ip 192.168.20.11 to the eth2 of PC3

Ip add add dev eth2 192.168.20.11/24

Then go to ping 192.168.20.11 on PC3 and you can ping.

But doing so is of no use to a malicious person. Because PC2 is a resource that accesses PC1. PC3 usually cannot provide these resources unless PC3 is well aware of PC1's resources and can successfully clone a copy so that PC2 will not doubt it. More cheaply, PC3 hijacks PC1-to-PC2 traffic.

Arpspoof-I eth2-t 192.168.20.11 192.168.20.12

Before executing the above command, you need to unbind 192.168.20.11 on PC3's eth2 with the following command

Ip add del dev eth2 192.168.20.11/24

In this way, PC3 also supports PC1-to-PC2 traffic. However, this entry into PC2 still does not allow ping to PC1. This is because the traffic from PC1 and PC2 has reached PC3, but none of these traffic destinations will be discarded by PC3,PC3. You can enable ip forwarding on PC3 to forward the traffic of both parties. When PC3 enables ip forwarding, PC3 is equivalent to a route and can forward traffic whose destination address is not your own.

Echo 1 > / proc/sys/net/ipv4/ip_forward

At this point, PC2 and PC1 can communicate normally, and all traffic will pass through PC3,PC3 for packet grabbing and other traffic analysis. If the communication between PC2 and PC1 contains clear text usernames and passwords, these usernames and passwords will be known by PC3.

Arp spoofing protection

Inquiry on the Internet, there are not many ways to protect against arp fraud, there are three ways.

Using switching with DAI function, this kind of switch can solve arp spoofing and use static arp records. Arp broadcasts get arp records that are dynamic, and static arp records can be set manually.

Linux uses: arp-s ip mac

Windows uses:

Arp-s ip mac

This method is not applicable to many situations of the host.

Use an arp firewall, such as xarp (xarp seems to identify arp spoofing by detecting changes in mac, note that xarp,xarp is installed after PC2 has been deceived by arp and does not detect arp spoofing, but after canceling arp spoofing of PC1 and PC2 on PC3, pingPC1,xarp detects arp spoofing on PC2, and the correct mac is detected, because visible xarp confirms mac spoofing by detecting changes in mac. ) Detection of arp spoofing

The concealment of arp deception is still a little strong.

You can use arping detection in linux:

You can see that in addition to the first item, the mac,arping behind all PC3 is not easy to find when testing. However, there are still two different mac, and it can be suspected that there is arp cheating.

You can also grab the bag to confirm:

As in the picture above, there is a continuous arp response package, and there is reason to suspect that it has been deceived by arp. Some arp detection software, such as arpwatch

Arpwatch is an arp tool under linux to monitor changes in arp. This tool tracks changes in arp through analysis of traffic and sends emails. This tool is not very effective in the network using the switch, because in the network using the switch, the switch port can not receive the entire network traffic, so arpwatch cannot monitor the arp changes of the whole network, but it is possible for this tool to be installed locally to monitor arp changes, so it acts as an arp firewall.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.