I. Purpose of the experiment
- Master ARP spoofing attacks
- Master the whole process of an ARP spoofing attack
- Learn how to prevent ARP spoofing
II. Experimental environment
- System environment: Windows 7, Kali, and XP
- Software tools: packEth
III. Experimental principle
1. ARP cache
Every computer with the TCP/IP protocol installed keeps an ARP cache table in which IP addresses and MAC addresses correspond one to one. The figure below shows the ARP cache table of a Windows 7 host:
In the ARP cache table shown in the figure above, the MAC address mapped to IP address 192.168.70.129 is 00-50-56-2B-68-41. The following uses host X (192.168.70.129) sending data to host Y (192.168.70.134) as an example to illustrate the ARP process.
When host X sends data, it first looks up host Y's IP address in its ARP cache table. If the entry is found, X already knows Y's MAC address and writes it directly into the frame as the destination MAC address. If host Y's IP address is not in the ARP cache table, host X sends a broadcast with the destination MAC address FF-FF-FF-FF-FF-FF, which asks every host on the same network segment for host Y's MAC address; the request also carries X's own mapping ("the MAC address of 192.168.70.129 is 00-50-56-2B-68-41") so that Y knows where to reply. Only host Y responds when it receives this request. Host X thereby learns host Y's MAC address, can send the frame to host Y, and updates its ARP cache table; the next time it sends to host Y it only needs to look up the table. The ARP cache table uses an aging mechanism: if an entry is not used for a period of time it is deleted, which keeps the table short and speeds up lookups.
2. Definition of ARP spoofing
The fatal flaw of ARP is that it has no authentication mechanism. When someone requests a MAC address, anyone can reply, and the reply is treated as legitimate. A host does not only accept ARP replies after it has sent an ARP request: whenever it receives an ARP reply packet, it updates its ARP cache and stores the IP and MAC addresses in the table. In addition, packets in a LAN are delivered according to MAC addresses rather than IP addresses. Together, these properties are what make ARP spoofing possible.
3. Common ARP commands:
arp -a: view all entries in the cache table
arp -a ip: display only the cache table entries for the specified IP address
arp -s ip mac: add a static entry to the ARP cache table; the entry remains in effect while the computer is running
arp -d ip: delete the static entry for the specified IP address from the ARP cache table
IV. Experimental steps
1. PC2 performs an ARP spoofing attack on PC1. The goal is to change the gateway MAC address in PC1's cache table to AA:AA:AA:AA:AA:AA so that PC1 can no longer access the Internet.
**Before update:** PC1's cache table is shown in the following figure. The gateway IP address 192.168.70.2 corresponds to the MAC address 00-50-56-e5-D2-ff.
PC1 can access the Internet normally, as shown in the following figure:
Unzip the packEth package on Windows 7 into a folder, find packeth.exe and double-click it to open it.
In packeth.exe, select the second network card and choose ARP packet mode.
Under Sender IP and MAC, enter the gateway's real IP address and change the MAC address to AA:AA:AA:AA:AA:AA to produce the spoofing effect. Select ARP packet and ARP Reply. In the MAC header, enter the target's real MAC address (here, PC1's MAC address) as the destination and the new MAC address (AA:AA:AA:AA:AA:AA) as the source. Then click Send to send the packets.
After sending, the gateway's MAC address in PC1's cache table is aa:aa:aa:aa:aa:aa.
At this point we check again whether PC1 can access the Internet normally and find that it cannot, as shown in the picture below:
PC2 has sent a forged ARP reply packet to PC1 whose sender IP address is the gateway's 192.168.70.2 and whose mapped MAC address is aa:aa:aa:aa:aa:aa (the gateway's real MAC address is 00-50-56-e5-D2-ff, which we have now forged). When PC1 receives the forged ARP reply from PC2 it updates its local ARP cache table; PC1 neither knows that the MAC address is forged nor that the reply came from PC2. From then on, all packets PC1 sends to the gateway go to PC2 instead. PC1 notices nothing at first, but what happens next makes it suspicious: it can no longer access the Internet, because PC2 only receives the data PC1 sends to the gateway and does not forward it.
2. PC2 acts as the man in the middle and performs ARP redirection. Once IP forwarding is enabled on PC2, packets sent by PC1 are forwarded to the gateway just as a router would, and the gateway simply regards them as packets from PC1. The gateway's replies, however, still travel directly to PC1; if the gateway is ARP-spoofed as well, PC2 becomes the bridge between PC1 and the gateway and all communication between them is laid bare (if you are being monitored through ARP, think about how serious that is).
Start the Kali virtual machine, open a terminal and enter the command ettercap -g, as shown in the figure:
Before the man-in-the-middle attack, the active hosts in the current LAN must be scanned to confirm the target machine. Click Unified sniffing to start sniffing, as shown in the picture below:
Select the current network card eth0 and click OK to enter sniffing, as shown below:
Click Hosts in the menu and select Scan for hosts to scan all hosts on the same gateway as the host (Kali), as shown below:
Click the Hosts menu and select Hosts list to list all hosts found. In the scan results, 192.168.70.133 is the IP address of the Windows 7 host and 192.168.70.2 is the gateway IP address.
Next, select the attack targets: right-click the Windows target IP address and click Add to Target 1, then select the second target (the gateway), right-click its IP address and click Add to Target 2, as shown below:
Then choose the attack mode. Click Mitm and select ARP poisoning to use the ARP spoofing attack mode, as shown in the following figure:
Check Sniff remote connections and click OK, as shown below:
Click the Start menu and select Start sniffing to begin monitoring.
In the Windows 7 VM, open a CMD window and enter arp -a to check the ARP cache table. The result shows that the MAC address of the gateway (192.168.70.2) is now the same as that of the Kali host, as shown in the following figure:
Back in the Windows 7 virtual machine, open a browser, go to a login page, enter a user name and password and click login, as shown below:
The user name and password the Windows 7 host used to log in to the website have been captured, as shown in the picture below:
V. ARP attack defense
1. Bidirectional binding: in a small network, bidirectional binding is recommended, that is, IP-MAC binding on both the router and the terminals. It constrains both sides of ARP spoofing, gateway forgery and data interception. It is a preventive measure based directly on the principle of ARP spoofing, is the most commonly used method, and is effective against the most common ARP spoofing.
2. ARP firewall: some anti-virus software includes an ARP firewall function. It protects data from being stolen by binding the gateway on the terminal computer so that a fake gateway cannot influence it. ARP firewalls are widely used, but they have a problem: they cannot guarantee that the bound gateway is the right one. If ARP spoofing is already under way in the network and someone is forging the gateway, the ARP firewall will bind the wrong gateway, which is a great risk.
3. VLAN and switch port binding: another common defense is to bind VLANs and switch ports. VLANs are divided carefully to shrink the broadcast domain, so that ARP takes effect only in a small area and cannot affect a large one. In addition, some managed switches provide a MAC address learning function; once learning is complete, the function is disabled so that the learned MAC address is bound to the port, preventing malware from changing its own address through ARP attacks. In this way the risk of data being intercepted by ARP attacks is removed.
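As an added example that is not part of this lab, the following Python checker turns the binding idea of this section and the observation in section III (a host accepts any ARP reply, even one it never asked for) into host-side detection logic: it parses ARP frames and flags a reply that is unsolicited, contradicts a trusted IP-MAC binding (the forged gateway reply of step 1), or reuses one MAC for two IP addresses (the gateway sharing the Kali host's MAC in step 2). The trusted binding uses the lab's gateway values; the frame builder exists only to construct sample input, and the PC1 MAC and 192.168.70.135 address used in the samples are assumptions.

```python
import socket
import struct

# Trusted IP -> MAC bindings (the "bidirectional binding" of section V). The values are the
# lab's: gateway 192.168.70.2 and the MAC that PC1 held for it before the attack.
TRUSTED = {"192.168.70.2": "00:50:56:e5:d2:ff"}

def arp_frame(op, smac, sip, tmac, tip):
    """Encode an Ethernet+ARP frame; used here only to build sample input for the checker."""
    hw = lambda mac: bytes.fromhex(mac.replace(":", ""))
    header = hw(tmac) + hw(smac) + b"\x08\x06" + struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    return header + hw(smac) + socket.inet_aton(sip) + hw(tmac) + socket.inet_aton(tip)

def parse_arp(frame):
    """Return (opcode, sender_ip, sender_mac) for an IPv4-over-Ethernet ARP frame, else None."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return op, socket.inet_ntoa(frame[28:32]), frame[22:28].hex(":")

class ArpWatch:
    """Host-side ARP reply checker: unsolicited replies, binding violations, MAC reuse."""
    def __init__(self, trusted):
        self.trusted = {ip: mac.lower() for ip, mac in trusted.items()}
        self.pending = set()   # IPs this host has requested and not yet heard back about
        self.seen = {}         # IP -> MAC learned from replies so far

    def request(self, ip):     # call when this host sends its own ARP request for ip
        self.pending.add(ip)

    def observe(self, frame):
        """Inspect one frame; return a list of alert strings (empty if the reply looks fine)."""
        parsed = parse_arp(frame)
        if parsed is None or parsed[0] != 2:   # only ARP replies (opcode 2) are checked
            return []
        _, sip, smac = parsed
        alerts = []
        if sip in self.pending:
            self.pending.discard(sip)
        else:   # section III: a host accepts replies it never asked for, so flag them
            alerts.append(f"unsolicited reply: {sip} is-at {smac}")
        if sip in self.trusted and self.trusted[sip] != smac:
            alerts.append(f"binding violation: {sip} claimed by {smac}, expected {self.trusted[sip]}")
        for ip, mac in self.seen.items():   # one MAC answering for two IPs (e.g. gateway and attacker)
            if mac == smac and ip != sip:
                alerts.append(f"MAC reuse: {smac} now claims both {ip} and {sip}")
        self.seen[sip] = smac
        return alerts
```

The checker only inspects frames handed to it; on a real host the frames would come from a packet capture on the interface, and a static entry set with arp -s remains the simplest way to act on an alert.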