Note: This article is for technical communication only. Do not use it for malicious purposes.

Most of us like to connect to free public Wi-Fi. In fact, public Wi-Fi is very dangerous, because hackers can connect to the same public Wi-Fi and then use ARP spoofing attacks to obtain all your online data. This article explains how ARP spoofing works on public Wi-Fi, so that we understand the danger of using it.

The process of surfing the Internet

Generally speaking, we need to connect to a wireless router (Wi-Fi) when using a mobile phone to surf the Internet, as shown below:

As can be seen from the picture above, every device needs to be connected to a router to access the Internet, and all data needs to pass through the router.

So how does a phone send data through a router?

To send data to the Internet, a phone needs to package the data into Ethernet frames and then send each Ethernet frame to the router. The router receives the Ethernet frame and forwards it. An Ethernet frame consists of an Ethernet header and a data part, as shown below:

As shown in the figure, the Ethernet header consists of the source MAC address, the destination MAC address, and the upper-layer protocol type. A MAC address is the physical address of a machine's network interface. For example, a mobile phone's MAC address can be viewed in its WLAN information, as shown in the following figure:

The source MAC address is the MAC address of our phone, and the destination MAC address is the MAC address of our router, as shown below:

However, generally speaking, the MAC address of the router is not known in advance, and ARP is used to obtain it. The function of ARP is to obtain the MAC address from the IP address of the target machine. Therefore, we only need to know the IP address of the router to obtain its MAC address through ARP.

ARP was introduced in a previous article, "The ARP protocol", so I will not cover it here.

ARP spoofing principle

As can be seen from the analysis above, a mobile phone needs to connect to the router first, and then package the data to be sent into Ethernet frames, which are then sent to the router.

To build an Ethernet frame, the phone needs the MAC address of the router, but usually only the IP address of the router is known (usually the IP address of the router is 192.168.1.1). Therefore, the IP address needs to be translated into a MAC address through ARP.

ARP spoofing abuses ARP so that the IP address of the router is translated into the MAC address of the middleman machine, as shown in the following figure:

As can be seen from the figure above, computer A sends an ARP message to phone A, telling it that the MAC address of the IP address 192.168.1.1 is AE:12:BD:8C:92, which is actually the MAC address of computer A.

In this way, phone A mistakenly thinks that the MAC address of the router is AE:12:BD:8C:92, so every time it sends data to the Internet, the data goes to computer A first. Computer A becomes a middleman, which is why this attack is also called a man-in-the-middle attack. The data flow is shown as follows:

In this way, computer A can intercept all the data sent by phone A. After intercepting the data, computer A can also modify it to carry out an attack. Just think about it: if the recipient’s account is changed to the attacker’s account while you are using Alipay, the money will be transferred to the attacker’s account.
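Seen from the defender's side, the spoofing described above shows up as an IP address (here the router's) that is suddenly claimed by a different MAC address. The following Python is an added example, not code from the original article or from arpspoof: it parses the Ethernet header and ARP fields described earlier and reports conflicting claims. The function names and the MAC addresses of the router and the second machine are constructed for illustration.

```python
import struct

ETHERTYPE_ARP = 0x0806  # upper-layer protocol type for ARP in the Ethernet header

def fmt_mac(b):
    return ":".join(f"{x:02x}" for x in b)

def fmt_ip(b):
    return ".".join(str(x) for x in b)

def parse_arp_frame(frame):
    """Parse an Ethernet frame; return (opcode, sender_mac, sender_ip) or None if not ARP."""
    if len(frame) < 42:  # 14-byte Ethernet header + 28-byte ARP message
        return None
    _dst, _src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, _tha, _tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):  # Ethernet / IPv4 only
        return None
    return op, fmt_mac(sha), fmt_ip(spa)

def detect_rebinding(frames):
    """Pin each IP to the first MAC that claimed it; report every later conflicting claim."""
    bindings, alerts = {}, []
    for frame in frames:
        parsed = parse_arp_frame(frame)
        if parsed is None:
            continue
        _op, sender_mac, sender_ip = parsed
        known = bindings.setdefault(sender_ip, sender_mac)
        if known != sender_mac:
            alerts.append((sender_ip, known, sender_mac))
    return alerts

def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Build a constructed sample frame (test input only, never sent on a network)."""
    m = lambda s: bytes.fromhex(s.replace(":", ""))
    i = lambda s: bytes(int(p) for p in s.split("."))
    header = m(target_mac) + m(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 2)  # opcode 2 = reply
    return header + arp + m(sender_mac) + i(sender_ip) + m(target_mac) + i(target_ip)

# Constructed MAC addresses for the router and a second machine; IPs follow the article.
ROUTER_MAC, OTHER_MAC, PHONE_MAC = "02:00:00:00:00:01", "02:00:00:00:00:aa", "00:11:22:33:44:55"
SAMPLE_FRAMES = [
    build_arp_reply(ROUTER_MAC, "192.168.1.1", PHONE_MAC, "192.168.1.13"),  # first claim
    build_arp_reply(OTHER_MAC, "192.168.1.1", PHONE_MAC, "192.168.1.13"),   # conflicting claim
]

if __name__ == "__main__":
    for ip, pinned, claimed in detect_rebinding(SAMPLE_FRAMES):
        print(f"ALERT {ip}: pinned to {pinned}, now claimed by {claimed}")
```

Pinning the first MAC seen only helps if that first reply was genuine; on a network you control, seed the binding with the router's known MAC address instead.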

ARP spoofing experiment

Originally I wanted to write a program to implement the ARP spoofing attack, but that might make this article boring, so here I directly use an open-source ARP spoofing tool for the experiment. The tool is arpspoof; download address: github.com/alandau/arp…

First, we download arpspoof to the machine, then confirm the IP address of the target machine, such as 192.168.1.13, and then use arpspoof to start the attack, as follows:

A: 192.168.1.13 considerations victim and target.
Redirecting 192.168.1.13 (00:11:22:33:44:55) --> 192.168.1.1 (AE:12:BD:8C:92)
and in the other direction
Press Ctrl+C to stop

The output above shows that arpspoof has started working.

Then we open the Wireshark packet capture tool to check the Internet access packets of phone A, as shown in the following figure:

As you can see from the results of the packet capture tool, packets with IP address 192.168.1.13 pass through our machine, and minor modifications to these packets may cause serious problems.

Therefore, using public Wi-Fi is very dangerous and carries the following risks:

  • Account passwords may be leaked.

  • Data may be maliciously modified.

  • You may receive strange messages (e.g. advertisements).

So how do you avoid the problem? It’s very simple: just use your mobile data to surf the Internet (laughs…).

Actually, besides the man-in-the-middle attack, ARP spoofing can also stop every machine connected to the same router from reaching the Internet. The spoofing maps the router’s IP address to a non-existent MAC address, so the machines on the network send their data to a router that does not exist, the packets are lost, and the machines cannot get online.

Conclusion

This article uses the ARP spoofing attack to explain why using public Wi-Fi is dangerous, so you’d better not use mobile payment on public Wi-Fi; otherwise your account details or money may be stolen.

Of course, do not put what you have read here to malicious use; otherwise you bear the consequences (of course, malicious use also requires some technical skill).