Network Security Internet Technology Development Database Servers Mobile Phone Android Software Apple Software Computer Software News IT Information

In addition to Weibo, there is also WeChat

Please pay attention

WeChat public account

Shulou

What is the principle of arp deception? How is arp deception done?

2025-01-18 Update From: SLTechnology News&Howtos shulou NAV: SLTechnology News&Howtos > Network Security >

Share

Shulou(Shulou.com)06/01 Report--

I believe that many novice white arp deception principle and arp deception protection understanding in a ignorant state, through the summary of this article, I hope you can gain something. The following information is about arp fraud.

arp spoofing principle simple description of host communication

PC1 and PC2 are on the same network segment, PC2 wants to communicate with PC1, because of Ethernet communication mechanism, PC2 needs to know the mac address of PC1 first, and communicate with PC1 through mac address. PC2 will first look up the mac corresponding to 192.168.20.11 through its arp table, as follows:

Arp table for PC1:

PC2 arp table:

We can see that PC2 does not have the record of 192.168.20.11. At this time, PC2 asks the whole network who has ip 192.168.20.11 through arp broadcast. After receiving this broadcast, PC1 finds that it is to request mac of 192.168.20.11. This ip is its own ip. It responds to PC2 with a packet telling PC2 mac of 192.168.20.11. Since the arp broadcast sent by PC2 already carries mac of PC2, PC1 will record the arp information of PC2 in its arp table at this time, as follows:

PC1 arp table:

PC2 arp table:

PC1 and PC2 can communicate.

How does ARP cheat?

ARP is a fragile protocol, as long as PC2 can receive ARP response packet will update its ARP table, PC2 is unable to verify whether this ARP response packet really comes from PC1. If PC3 keeps sending arp packets to PC2, telling PC2 that I am 192.168.20.11, PC2 will keep updating its arp table with an incorrect arp record.

You can use the arpspoof command on PC3 to send arp response packets to PC2 non-stop.

arpspoof -i eth2 -t 192.168.20.12 192.168.20.11

Check PC2's arp table:

You can see that the mac corresponding to 192.168.20.11 is the same as the mac corresponding to 192.168.20.9. 08-00-27-37-7b-cc This mac is PC3.

So when PC2 sends data to PC1, it sends it to PC3. Pinging PC1 on PC2 is not possible.

The reason why ping failed is because PC3 does not have the IP 192.168.20.11, PC2 sent packets to 192.168.20.11, PC3 of course will be discarded.

Add ip 192.168.20.11 on eth2 of PC3

ip add add dev eth2 192.168.20.11/24

Then ping 192.168.20.11 on PC3 to get through.

But that doesn't work for a malicious man. Because PC2 is the resource to access PC1. PC3 is usually unable to provide these resources unless PC3 is well aware of PC1's resources and can successfully clone a copy so that PC2 does not suspect it. Even cheaper, PC3 hijacks traffic from PC1 to PC2.

arpspoof -i eth2 -t 192.168.20.11 192.168.20.12

Before executing the above command, you need to use the following command to unbind 192.168.20.11 on eth2 of PC3

ip add del dev eth2 192.168.20.11/24

This way PC3 supports traffic from PC1 to PC2. PC2 does not ping PC1. This is because traffic from PC1 and PC2 goes to PC3, but the destination of these traffic is not PC3, and PC3 will discard it. IP forwarding can be enabled on PC3 to forward traffic from both parties. After PC3 enables IP forwarding, PC3 is equivalent to a router and can forward traffic whose destination address is not its own.

echo 1 > /proc/sys/net/ipv4/ip_forward

At this time, PC2 and PC1 can communicate normally, and all traffic will pass through PC3, and PC3 can perform traffic analysis such as packet capture. If the communication between PC2 and PC1 contains clear user names and passwords, these user names and passwords will be known by PC3.

Arp spoofing protection

There aren't many ways to protect against arp spoofing, but there are three.

Use DAI switch, such switch can solve arp spoofing use static arp record, arp broadcast is arp record is dynamic, static arp record can be manually set

Linux usage: arp -s ip mac

Windows uses:

arp -s ip mac

This method does not apply to cases where there are many hosts.

Use arp firewall, such as xarp (xarp seems to identify arp spoofing by detecting mac changes, note that xarp is installed after PC2 has suffered arp spoofing, xarp does not detect arp spoofing, but after removing arp spoofing on PC1 and PC2 on PC3, pingPC1 on PC2, xarp detects arp spoofing, and detects correct mac, because xarp is confirmed by detecting mac changes) arp spoofing detection

Arp deception is still a little strong

Arping can be used in Linux:

You can see that except for the first one, the ones behind are PC3 mac, arping is also not easy to find when detecting. But there are still two different mac, which can be suspected of arp fraud.

You can also confirm the package:

As in the case above, there are consecutive identical arp response packets, and there is reason to suspect that arp spoofed them. Some arp detection software, such as: arpwatch

Arpwatch is an arp tool for linux that monitors arp changes. This tool tracks arp changes by analyzing traffic and sending emails. This tool is not effective in networks using switches, because in networks using switches, switch ports cannot receive the entire network traffic, so arpwatch cannot monitor arp changes throughout the network, but this tool is installed locally to monitor arp changes, which plays the role of arp firewall. After reading the above, do you have any further understanding of arp deception? If you still want to learn more skills or want to know more about related content, welcome to pay attention to the industry information channel, thank you for reading.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.

Views: 0

*The comments in the above article only represent the author's personal views and do not represent the views and positions of this website. If you have more insights, please feel free to contribute and share.

Share To

Network Security

Wechat

© 2024 shulou.com SLNews company. All rights reserved.

12
Report