Shulou (Shulou.com) 06/01 report, SLTechnology News&Howtos > Network Security, updated 2025-04-12
1. How ARP resolution works
Within a LAN segment, frames are delivered by MAC address, not by IP address: the switch and the NICs identify a machine by its MAC, and ARP is what maps an IP address to that MAC.
When host A wants to send to host B, it first looks up B's IP address in its local ARP cache. If an entry exists, A puts that MAC in the frame and transmits. If not, A broadcasts an ARP request carrying B's IP address ("who has 192.168.10.2?"); every host on the segment, B included, receives it, but only B recognises its own IP and answers with a unicast ARP reply containing its MAC. A stores the IP-to-MAC pair in its cache and then sends the data to that MAC (the NIC attaches it to the frame). Two properties of this exchange are what make spoofing possible: nothing in ARP authenticates a reply, and many stacks will update an existing cache entry from any reply they receive, whether or not they asked for it.
2. A complete ARP spoofing attack
ARP spoofing comes in two forms, one-way and two-way.
2.1 One-way spoofing
A's address: IP 192.168.10.1, MAC AA-AA-AA-AA-AA-AA
B's address: IP 192.168.10.2, MAC BB-BB-BB-BB-BB-BB
C's address: IP 192.168.10.3, MAC CC-CC-CC-CC-CC-CC
Suppose A and C are talking. B sends A a forged ARP reply whose sender IP is 192.168.10.3 (C's IP) and whose sender MAC is BB-BB-BB-BB-BB-BB (it should have been C's CC-CC-CC-CC-CC-CC). A accepts the reply and overwrites its cache entry for C, so A is now spoofed and B is impersonating C toward A. At the same time B sends C a forged reply with sender IP 192.168.10.1 (A's IP) and sender MAC BB-BB-BB-BB-BB-BB (instead of A's AA-AA-AA-AA-AA-AA); C updates its cache as well, and B is impersonating A toward C. Both A and C are now deceived, every frame between them passes through B, and B can read (or alter) the whole conversation. This is the typical ARP spoofing man-in-the-middle; the one-way variants below each use only half of it.
Cutting off A to C. B sends A an ARP packet saying that C's IP is at 00-00-00-00-00-00 (a MAC that belongs to no host). A then addresses its frames for C to that MAC, so they are delivered nowhere and the traffic stops. Note that only the A to C direction is broken; C to A still works because C's cache is untouched. That is what makes this one-way spoofing.
Cutting off C to A works the same way, with the forged packet sent to C instead. Sent together with the previous one, the two packets break both directions and A and C can no longer talk at all.
Sniffing the A-C traffic. B sends A an ARP packet saying that C's IP is at BB-BB-BB-BB-BB-BB (B's own MAC), in effect telling A "I am C". A now sends everything meant for C to B. B can do as it likes with the data: drop it, which breaks the communication, or forward it on to C, in which case the traffic keeps flowing and B sits in the middle listening to that direction of the A-C conversation. At that point a tool such as Cain & Abel on B can capture whatever passes through it.
2.2 Two-way spoofing
A wants to talk to C. B tells A "I am C" and tells C "I am A", so both A's and C's ARP caches are modified. The traffic now flows A to B, B to C, C to B, B to A.
In the usual LAN case the attacking host sends forged ARP replies to both the victim host and the gateway, so each of them rewrites its cache entry for the other to the attacker's MAC, and all data between them is intercepted by the attacker.
2.3 The difference between two-way and one-way spoofing
One-way spoofing poisons only one side, typically the gateway. With three machines A (gateway), B (attacker) and C (a client), where A should be talking to C: B tells A "I am C", so A sends what was meant for C to B and A's cache is modified, while C still sends to A normally. Only the A to C direction is abnormal.
Two-way spoofing poisons both the gateway and the target machine. With A (gateway), B (attacker) and C (target), where A should be talking to C: B tells A "I am C" and tells C "I am A", so both caches are modified and everything either side sends goes to B.
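The poisoning described above, worked through as an added example (not code from the original article): a small Python model of one Ethernet segment in which every host keeps an ARP cache that accepts any reply addressed to it. The hosts are the article's A, B and C with their 192.168.10.x addresses; the MACs, the frame layout, the class names and the "forward to the real owner" relay are my own choices for the simulation.

```python
"""Toy model of one Ethernet segment with ARP caches.  Added example, not the
article's code: A, B, C are the article's hosts, everything else is invented
for the simulation (frames are plain dicts, delivery is by destination MAC)."""
BROADCAST = "FF-FF-FF-FF-FF-FF"
NOBODY = "00-00-00-00-00-00"


class Segment:
    """A switch: a frame reaches whichever host owns its destination MAC."""
    def __init__(self):
        self.hosts = []

    def send(self, frame):
        for h in self.hosts:
            if frame["dst_mac"] in (h.mac, BROADCAST) and h.mac != frame["src_mac"]:
                (h.on_arp if frame["type"] == "arp" else h.on_ip)(frame)


class Host:
    def __init__(self, name, ip, mac, segment):
        self.name, self.ip, self.mac, self.segment = name, ip, mac, segment
        self.arp_cache = {}      # ip -> mac; updated by any reply naming us, solicited or not
        self.received = []       # (src_ip, payload) delivered to this host
        segment.hosts.append(self)

    def arp(self, op, dst_mac, sender_ip, sender_mac, target_ip, target_mac):
        self.segment.send({"type": "arp", "op": op, "src_mac": self.mac, "dst_mac": dst_mac,
                           "sender_ip": sender_ip, "sender_mac": sender_mac,
                           "target_ip": target_ip, "target_mac": target_mac})

    def on_arp(self, f):
        if f["target_ip"] != self.ip:
            return                                          # not for us
        self.arp_cache[f["sender_ip"]] = f["sender_mac"]    # the unauthenticated update
        if f["op"] == "request":
            self.arp("reply", f["src_mac"], self.ip, self.mac, f["sender_ip"], f["sender_mac"])

    def resolve(self, ip):
        if ip not in self.arp_cache:                        # only ask when we have no entry
            self.arp("request", BROADCAST, self.ip, self.mac, ip, NOBODY)
        return self.arp_cache.get(ip)

    def send_ip(self, dst_ip, payload):
        self.segment.send({"type": "ip", "src_mac": self.mac, "dst_mac": self.resolve(dst_ip),
                           "src_ip": self.ip, "dst_ip": dst_ip, "payload": payload})

    def on_ip(self, f):
        self.received.append((f["src_ip"], f["payload"]))


class Attacker(Host):
    def __init__(self, *args, forward=True):
        super().__init__(*args)
        self.forward = forward
        self.intercepted = []    # (src_ip, dst_ip, payload) seen in transit

    def poison(self, victim, claimed_ip, claimed_mac=None):
        """Unsolicited reply to victim: 'claimed_ip is at claimed_mac' (default: my own MAC)."""
        self.arp("reply", victim.mac, claimed_ip, claimed_mac or self.mac, victim.ip, victim.mac)

    def on_ip(self, f):
        if f["dst_ip"] == self.ip:
            return super().on_ip(f)
        self.intercepted.append((f["src_ip"], f["dst_ip"], f["payload"]))
        if self.forward:         # relay to the real owner so neither victim notices
            real = next(h for h in self.segment.hosts if h.ip == f["dst_ip"])
            self.segment.send(dict(f, src_mac=self.mac, dst_mac=real.mac))


def build():
    seg = Segment()
    a = Host("A", "192.168.10.1", "AA-AA-AA-AA-AA-AA", seg)
    b = Attacker("B", "192.168.10.2", "BB-BB-BB-BB-BB-BB", seg)
    c = Host("C", "192.168.10.3", "CC-CC-CC-CC-CC-CC", seg)
    return a, b, c


def two_way_mitm():
    """Both caches poisoned: A<->C traffic is relayed through B, who logs it."""
    a, b, c = build()
    a.send_ip(c.ip, "hello")                 # normal resolution, goes straight to C
    b.poison(a, c.ip)                        # A: "C is at BB-BB-BB-BB-BB-BB"
    b.poison(c, a.ip)                        # C: "A is at BB-BB-BB-BB-BB-BB"
    a.send_ip(c.ip, "secret")
    c.send_ip(a.ip, "reply")
    return a.arp_cache[c.ip], c.arp_cache[a.ip], b.intercepted, c.received, a.received


def one_way_blackhole():
    """Only A's entry for C is poisoned, to a MAC nobody owns: A->C is lost, C->A still works."""
    a, b, c = build()
    b.poison(a, c.ip, claimed_mac=NOBODY)
    a.send_ip(c.ip, "lost")                  # delivered to nobody
    c.send_ip(a.ip, "arrives")               # C's own request also refreshes A's entry for C
    return c.received, a.received, a.arp_cache[c.ip]


if __name__ == "__main__":
    print(two_way_mitm())
    print(one_way_blackhole())
```

Running the module prints both scenarios. The one-way case also shows why a real attacker keeps re-sending the forged reply: C's genuine ARP request refreshes A's entry for C and undoes the poison until B sends it again.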
3. Finding the spoofing host
1. Use a tool such as ArpKiller's Sniffer Killer to scan the IP range of the LAN and look for NICs in promiscuous mode. When the scan finishes, a green hat icon means the IP is in normal mode and a red hat means the NIC is in promiscuous mode; that host is the suspect, the one interfering with the network. Treat this as a hint rather than proof: a host that only spoofs and forwards does not need promiscuous mode, and a promiscuous NIC may simply be running a legitimate packet capture.
2. On any affected host, run tracert from a command prompt against an external address, e.g. tracert 61.135.179.148. If the default gateway is 10.8.6.1 but the first hop shown is 10.8.6.186, then 10.8.6.186 is the infected host. The reason: the poisoned host acts as a "middleman" between the victims and the gateway; every packet that should have gone to the gateway is sent to the poisoned host because of the wrong MAC, and that host has taken over the role of the default gateway. The caveat: this only shows up if the spoofing host forwards at the IP layer and decrements the TTL; if it relays frames without touching the IP header the first hop still reads 10.8.6.1. In that case compare the gateway's MAC in arp -a against its real one, or look for another IP in the table that shares the gateway's MAC.
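Two checks that implement the cache-side and traffic-side symptoms described above, as an added example (not code from the original article). Both inputs are constructed: an `arp -a` dump from a poisoned host in the article's 10.8.6.0/24 network, in which 10.8.6.1 (the gateway) and 10.8.6.186 (the spoofing host from the tracert example) share one MAC, and a short stream of ARP replies. The MACs and the 10.8.6.50 victim address are invented; the three alert rules are the ones arpwatch-style monitors use.

```python
"""Detecting ARP spoofing from a poisoned host's cache and from ARP traffic.
Added example, not the article's code; all addresses below are constructed."""
import re
from collections import defaultdict

GATEWAY_IP = "10.8.6.1"            # the article's default gateway
GATEWAY_MAC = "00-50-56-aa-bb-cc"  # invented: the gateway's genuine MAC
ATTACKER_MAC = "0a-1b-2c-3d-4e-5f" # invented: MAC of the spoofing host 10.8.6.186

# Constructed `arp -a` output (Windows layout) as seen on a poisoned host.
ARP_A_SAMPLE = """\
Interface: 10.8.6.50 --- 0xb
  Internet Address      Physical Address      Type
  10.8.6.1              0a-1b-2c-3d-4e-5f     dynamic
  10.8.6.186            0a-1b-2c-3d-4e-5f     dynamic
  10.8.6.200            00-11-22-33-44-55     dynamic
  10.8.6.255            ff-ff-ff-ff-ff-ff     static
"""

ENTRY_RE = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+)\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(\w+)", re.I)


def parse_arp_table(text):
    """Return {ip: mac} from Windows-style `arp -a` output, MACs lower-cased."""
    table = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            table[m.group(1)] = m.group(2).lower()
    return table


def find_gateway_impersonators(table, gateway_ip=GATEWAY_IP):
    """Other IPs whose cache entry carries the same MAC as the gateway entry.
    On a poisoned host the gateway entry holds the attacker's MAC, so the
    attacker's own (legitimate) entry shows up as the duplicate."""
    gw_mac = table.get(gateway_ip)
    return sorted(ip for ip, mac in table.items() if gw_mac and mac == gw_mac and ip != gateway_ip)


# Constructed ARP reply stream: (seconds, sender_ip, sender_mac, target_ip).
ARP_REPLIES = [
    (0.0, "10.8.6.1",   GATEWAY_MAC,  "10.8.6.50"),  # genuine answer from the gateway
    (0.1, "10.8.6.186", ATTACKER_MAC, "10.8.6.50"),  # attacker answering for its own IP: fine
    (5.0, "10.8.6.1",   ATTACKER_MAC, "10.8.6.50"),  # gateway IP now claims the attacker's MAC
    (5.0, "10.8.6.50",  ATTACKER_MAC, "10.8.6.1"),   # and the victim's IP is claimed toward the gateway
    (5.1, "10.8.6.1",   ATTACKER_MAC, "10.8.6.50"),  # repeated many times per second
]


def detect_spoofing(replies, trusted=None):
    """arpwatch-style checks over ARP replies. Alerts on (1) a reply that contradicts
    a trusted IP->MAC binding, (2) an IP whose MAC changes (flip-flop), and (3) one
    MAC claiming an additional IP. Returns the alert strings in order."""
    trusted = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
    last_mac = {}                           # ip -> mac most recently claimed for it
    ips_per_mac = defaultdict(set)
    alerts = []
    for ts, sip, smac, tip in replies:
        smac = smac.lower()
        if sip in trusted and trusted[sip] != smac:
            alerts.append(f"{ts}: {sip} claimed by {smac} (trusted binding {trusted[sip]}) toward {tip}")
        if sip in last_mac and last_mac[sip] != smac:
            alerts.append(f"{ts}: MAC for {sip} changed {last_mac[sip]} -> {smac}")
        last_mac[sip] = smac
        before = len(ips_per_mac[smac])
        ips_per_mac[smac].add(sip)
        if len(ips_per_mac[smac]) > max(before, 1):   # grew to two or more IPs
            alerts.append(f"{ts}: {smac} now claims {sorted(ips_per_mac[smac])}")
    return alerts


if __name__ == "__main__":
    table = parse_arp_table(ARP_A_SAMPLE)
    print("gateway entry:", table[GATEWAY_IP], "duplicates:", find_gateway_impersonators(table))
    for alert in detect_spoofing(ARP_REPLIES, {GATEWAY_IP: GATEWAY_MAC}):
        print(alert)
```

The cache check works without any packet capture, which is why it is the first thing to run on a complaining host; the stream check needs a capture point that sees the segment's ARP traffic (a mirror port, or the gateway itself) and a trusted binding for at least the gateway.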
4. Protective measures
1. The most common measure is double binding: bind the gateway's IP-to-MAC pair statically on each host and bind each host's IP-to-MAC pair on the router (MAC address binding on both ends), so that a forged reply cannot overwrite either entry. On managed switches, DHCP snooping with Dynamic ARP Inspection enforces the same bindings at the switch port.
2. A host-based ARP firewall such as 彩影 ARP Firewall (AntiARP), which discards replies that contradict the bindings it knows and keeps re-announcing the host's correct address to the gateway.
5. The technique attackers commonly use to get past an ARP firewall
An ARP firewall on the victim keeps telling the gateway "this IP is at my real MAC". The attacker's answer is a race: with the target machine A and the attacker B, B floods the gateway with replies claiming that A's IP is at B's MAC, dozens of times per second, far more often than A's firewall re-announces. Since the gateway's cache holds whichever reply arrived last, for most of the time it believes B, and the traffic destined for A is handed to B. A host-side firewall cannot win this race, because the cache being fought over is the gateway's; only a static binding or ARP inspection on the gateway side removes it.
© 2024 shulou.com SLNews company. All rights reserved.