ARP spoofing principle, never connect to free WIFI at will! ! !

1. Analysis of ARP attack principles

1. What is ARP protocol?

ARP protocol is the abbreviation of "Address Resolution Protocol". In a local area network, what is actually transmitted in the network is a "frame", which contains the MAC address of the target host. In an Ethernet, if a host wants to communicate directly with another host, it must know the MAC address of the target host. But how is this target MAC address obtained? It is obtained through the Address Resolution Protocol (ARP protocol). The so-called "address resolution" is the process in which the host converts the target IP address into the target MAC address before sending the frame.

This involves the OSI seven-layer model. The ARP protocol works at the second layer of the data link layer in the OSI seven-layer model. It does not use IP to communicate at this layer, but uses MAC addresses to communicate, and is transmitted in frames.

OSI seven-layer model:

1. Physical Layer
2. Data link layer (ARP protocol)
3. Network layer (the network layer uses IP addresses to communicate)
4. Transport Layer
5. Session Layer
6. Presentation Layer
7. Application Layer

2. The harm of ARP spoofing

ARP spoofing can cause chaos in the internal network, making some deceived computers unable to access the internal and external networks, making the gateway unable to communicate with the client normally, and can also intercept all network data packets. In fact, its harm is more than that. Generally speaking, we can avoid IP address conflicts through various methods and means, while the ARP protocol works at a lower level, is more hidden, and is difficult to detect. The system does not determine whether the ARP cache is correct or not, and cannot give prompts like IP address conflicts.

Software such as Network Law Enforcement Officer and Jusheng Network Manager can control the flow of the entire intranet, limit the speed and bandwidth, etc. They all use ARP spoofing to operate. A well-made ARP spoofing tool sends data packets more stably, and it is difficult to be discovered when stealing your account password and other sensitive information.

The above ARP spoofing is a common ARP spoofing, common harm, there are other harms,

For example: inserting malicious code into the entire intranet through ARP, targeting all Internet sites when the intranet host accesses the website; or phishing on the wireless network. Many people use free WiFi in public places such as train stations and airports. When they connect to these WIFIs and open phishing websites, they will download Trojans to their mobile phones to steal personal information, refresh advertising links, etc. In the past, there were very cheap routers that often popped up advertisements after use. These were all operated by ARP spoofing.

3. The principle of ARP spoofing

The principle of ARP spoofing is to forge one's own MAC address into the gateway address to deceive other hosts.

picture

When implementing a man-in-the-middle attack, attackers often consider methods such as ARP spoofing or DNS spoofing. The following uses common ARP spoofing as an example to introduce the principle of ARP spoofing.

Generally speaking, ARP spoofing does not prevent the network from communicating normally, but rather forwards the data flow reaching the gateway or host through the attacking host by impersonating the gateway or other host. By forwarding the traffic, the traffic can be controlled and viewed, thereby controlling the traffic or obtaining confidential information. The process of ARP spoofing the host is shown in the figure below:

picture

As shown in the figure above, when Host A and Host B communicate, if Host A does not find the MAC address of Host B in its ARP cache table (if it is found, it will not be broadcast), Host A will send an ARP broadcast to all computers in the entire LAN. After the broadcast, all computers in the entire LAN (that is, under the same switch) receive the broadcast data packet. At this time, Host C responds to Host A and deceives that I am Host B, and my MAC address is XX-XX-XX-XX-XX-XX. After receiving the address, Host A will re-update its cache table. When Host A communicates with Host B again, the data will be forwarded to the attacking host (Host C), and the data flow will be forwarded to Host B through Host C.

Of course, in the above process, host C may not forward data to host B at the end. In this case, it is a one-way ARP spoofing in ARP spoofing. One-way ARP spoofing generally does not affect host B, but two-way ARP spoofing will affect host B.

ARP spoofing is divided into three types in the teacher's explanation:

1) One-way ARP spoofing (my understanding is that one-way ARP spoofing does not forward traffic to the original target host)

2) Bidirectional ARP spoofing (My understanding is that bidirectional ARP spoofing will forward traffic to the original target host)

3) There are two types of one-way ARP spoofing and two-way ARP spoofing: spoofing gateway and spoofing host.

What is Bidirectional ARP Spoofing?

Answer: Let's take the above example as an example. If A wants to communicate with B normally, C tells A that he is B. C tells B that he is A. In this case, the ARP cache tables of A and B will be modified. In the future, the communication process is that A sends data to C, C sends data to B, B sends data to C, and B sends data to A.

What is an ARP spoofing gateway?

A: The above explanations are all about unidirectional ARP spoofing hosts, which is to deceive the intranet host into believing that the attacking machine is the target host, while ARP spoofing gateways is to deceive the intranet host into believing that the attacking machine is the gateway. The attacker first sends a broadcast packet from an intranet host to all intranet hosts and gateways under the current switch, telling them that I am the gateway. At this time, they update their ARP cache tables respectively, and will use the attacker's MAC address as the gateway. When other hosts in the intranet communicate with each other, they will first pass through the attacker's host, which is considered to be the gateway, and the data between them will be intercepted by the attacking host.

Necessary conditions for implementing ARP spoofing attacks:

1) First, the attacker needs to obtain an intranet host. If the ARP spoofing attack is launched from an external host, it will not work, because the external network connects to the internal network through the network layer IP, but ARP works at the data link layer. Therefore, the attacker needs to obtain an intranet host to launch an ARP spoofing attack.

2) The other party's intranet does not use ARP protection. At present, most companies do not use ARP protection.

Introduction to ARP protection methods:

Method 1: Configure on the router and switch to bind all ports, IP addresses, MAC addresses, and gateways. However, this method has a disadvantage: if the company is large, then when someone's computer IP address changes, it is necessary to change these configurations on the router and switch, which is too troublesome and tiring... Therefore, in general, the following are bound to several servers, and personal servers are not bound.

Method 2: The host itself binds its own IP and MAC address, and then binds the gateway's IP and MAC address. However, this method is troublesome for novice users who don't know computers, and they won't bind. And the disadvantage of this method is that it will make the computer become a static IP address, but now many computers automatically obtain IP through DHCP.

Supplement 1: Because enterprise ARP protection is difficult, security software has its own ARP firewall function. However, by default, 360 Security Guard does not enable the ARP firewall and needs to be enabled manually.

Supplement 2: Use the command arp -a to view the arp cache table

2. ARP Attack Prevention

Prevention strategies:

1. Do not log in to free WIFI at will. No one knows whether there are malicious attackers behind the free WIFI.

2. Use ARP binding to avoid ARP spoofing;

Manual static binding of IP and MAC address: Write a batch file named xx.bat and put it in "Windows → Start → Programs → Startup". This startup item will be executed every time the host is restarted. If you need it to take effect immediately, run this file directly or execute it in the command line. The contents of the batch file are as follows:

explain:

① Before binding, the ARP table is dynamic, but after binding it becomes static. Use arp -a to view

② Modify the IP and MAC addresses according to the specific situation. Use config to check first.

3. Open the ARP firewall of PC Manager or 360 Security Guard or Kingsoft Shell or Color Shadow ARP Firewall;

4. Use https protocol or other connections with confidentiality agreements to access the external network to avoid being scammed.

Reference documents for enterprise solutions to ARP attacks:

1.https://wenku.baidu.com/view/89772efb7e192279168884868762caaedd33bade.html

Explanation: Huawei's solution is to buy equipment and add authentication servers

2.https://wenku.baidu.com/view/55efed86f71fb7360b4c2e3f5727a5e9856a27cd.html

explain:

① The solution of Digital China is to divide WLAN on the switch router to solve the ARP broadcast storm problem in the intranet. To divide WLAN, you need to refer to the document and type commands to execute in the switch, but doing so in an enterprise will be very tiring, and there may be various situations where others need to change network cards, IP addresses, etc. This method is unrealistic! Therefore, we will choose to use DHCP Snooping and Bing Arp to combine the switch router to realize automatic dynamic binding when there is a DHCP server in the intranet.

② Ordinary switches do not have the function to prevent network segment scanning, but enterprise switches do.

③Note: The commands used in switch routing devices from different manufacturers may be different, but the methods and principles are the same.

Replenish:

① Many people say that ARP spoofing attack is a man-in-the-middle attack. This statement is not entirely correct. Man-in-the-middle attack should include ARP attack, because DNS spoofing, DHCP spoofing, etc. also belong to man-in-the-middle attack.

② Even if the above four prevention strategies are used, ARP spoofing cannot be completely prevented. It can only solve 60% of ARP attacks on personal computers. The current method that can completely solve ARP spoofing is to divide WLAN (local area network) on the switching and routing equipment, bind the gateway in the WLAN, and then bind the IP and MAC address of the host to isolate ARP broadcast. (Not easy to implement, it will tire the management staff)

③ The defensive effect of the security tool has been proven through experimental testing: the ARP firewall of the security tool is unreliable and cannot completely defend (of course, it is not completely useless, it can solve some ARP attacks, but it is still unreliable...)

This article is reprinted from the WeChat public account "Happy Programmer". You can follow it through the QR code below. To reprint this article, please contact the Happy Programmer public account.