ARP protocol analysis (An Analysis of ARP Protocol)
ARP (Address Resolution Protocol) address resolution protocol is used to convert a computer's network address (IP address 32 bits) to physical addresses (MAC address 48 bits) [RFC 826]. The ARP protocol is a protocol that belongs to the link layer. It is determined according to the 48-bit Ethernet address (hardware address) in the Ethernet's data frame to determine the interface according to the 48-bit Ethernet address (hardware address), not according to 32 bits. IP address. The kernel (such as driver) must know the hardware address of the destination to send data. Of course, the connection point connection does not require the ARP protocol.
ARP protocol data structure: typedef struct arphdr {unsigned short arp_hrd; / * hardware type * / unsigned short arp_pro; / * protocol type * / unsigned char Arp_hln; / * Hardware address length * / unsigned char ARP_PLN; / * Protocol address length * / Unsigned short arp_op; / * ARP operation type * /
Unsigned char Arp_sha [6]; / * Hardware address * / unsigned long arp_spa; / * sender's protocol address * / unsigned char Arp_tha [6]; / * Hardware address * / * / * Agreement address of the target * /} arphdr, * parphdr;
To explain the role of the ARP protocol, it is necessary to understand the transmission process on the network. Here is a simple ping example. Suppose our computer IP address is 192.168.1.1, to execute this command: ping 192.168.1.2. This command sends an ICMP packet through the ICMP protocol. The process needs to pass through the following steps: 1, the application constructs the packet, which is generated to generate an ICMP package, submitted to the kernel (network driver); 2, the kernel checks if the IP address is MAC address, that is View IP-MAC correspondence tables in the local ARP cache; 3, if there is the IP-MAC correspondence, skip to step 9; if there is no corresponding relationship with the IP-MAC, then the following steps; 4, the kernel performs ARP Broadcast, the MAC address of the destination is the FF-FF-FF-FF-FF-FF. The ARP command type is Request (1), which contains its own MAC address; 5, when the 192.168.1.2 host receives the ARP request Just send an ARP's reply (2) command, which contains its own MAC address; 6. Locally obtains the IP-MAC address corresponding relationship of 192.168.1.2 host, and saves it to the ARP cache; 7, the core will convert IP to The MAC address is then packaged in the Ethernet head structure, and then send the data out;
Use the arp -a command to view the local ARP cache content, so after executing a local ping command, the ARP cache has a record of the destination IP. Of course, if your packet is sent to the destination of different network segments, then there must be a record corresponding to the IP-MAC address of a gateway.
Knowing the role of the ARP protocol, you can clearly know that outlet transmission of packets rely on ARP protocol, of course, is dependent on ARP cache. To know, all the operations of the ARP protocol are automated, and there is no relationship with other applications. At the same time, it should be noted that the ARP protocol is only used in this network. The Utilization and Related Principles of the ARP protocol.
First, the sniffing of the network
The ARP protocol is not only received by ARP requests. When the computer receives the ARP response packet, the local ARP cache is updated, and the IP and MAC addresses in the response are stored in the ARP cache. Therefore, in the above hypothetical network, b is sent to A, and the data in this response is the sender IP address is 192.168.10.3 (the IP address of C), the MAC address is DD-DD-DD -DD-DD-DD (C) The MAC address should be CC-CC-CC-CC-CC-CC, which is forged here). When A receives b Forgery ARP response, the local ARP cache will be updated, replace the local IP-MAC correspondence table to the received data format, because all the system kernel is automatically completed, A can not know Paten it.
The main purpose of ARP spoof is to perform sniffing in the switching network. The sniffing of the switching network is not discussed herein.
Second, IP address conflict
We know that if there is a host of the same IP address in the network, a warning for the IP address conflict will be reported. How did this result?
For example, a host B specifies that the IP address is 192.168.0.1. If it is in power-on, then other machine A changes the IP address to 192.168.0.1 will cause the IP address conflict. The principle is: Host A will send an ARP package to the network to broadcast your IP address to the network when connecting to the network (or change IP address), which is Free ARP. If there is a host B where the same IP address is present, then B will reply to reply via ARP. When A receives this reply, a warning of the IP address conflict will, of course B will also have a warning.
So use ARP spoofs to fake this ARP Reply to make the target have been troubled by the IP address conflict warning.
Third, block the target's packet through the gateway
For example, in a local area network through the gateway, the gateway IP-MAC corresponds to the gateway IP-MAC in the ARP cache on the external computer. If the record is changed, then the computer sent outwardly transmits to the wrong gateway hardware address, so that the computer is not accessible.
It is also mainly based on ARP spoofing. There are two ways to achieve this.
1. Send a forged ARP response packet to the target, where the sender's IP address is the address of the gateway, and the MAC address is a forged address. When the target receives the ARP package, you update your own ARP cache. If the spoof continues, the target's gateway cache has always been a fake error record. Of course, if some people know that people view arp -a, they know the problem.
2, this method is very embarrassed, deceive the gateway. Send a forged ARP response packet to the gateway, where the sender's IP address is the target's IP address, and the MAC address is a forged address. In this way, the target ARP record on the gateway is an error, and the datagram that the gateway sends to the target is a MAC address that uses an error. In this case, the target can send data to the gateway, but no data from the gateway. At the same time, the target you can see Arp -a but can't see any problems.
Fourth, detect mixed mode nodes via ARP
In the mixed mode, the NIC is filtered different from normal mode. Originally in normal mode, only local address data packets or broadcasts (multicast, etc.) will be submitted to the system by the network card, otherwise, these packets are directly abandoned by the NIC. Now, the mixed mode allows all passed packets to the system core and then be used by Sniffer and other programs. By specially designed ARP requests can be used to sense nodes in a mixed mode to a certain extent, such as the ARP request for the FF-FF-FF-FF-FE to send MAC addresses for each node in the network. This is not a broadcast address (FF-FF-FF-FF-FF), so the node in normal mode will directly discard the data package, but most operating system cores think this is a broadcast address. If there is a general SNIFFER program exists, and set the network card as a mixed mode, the system core will make a response, so it can be judged whether or not there is a sniffer in these nodes. You can view, many ARP-based attacks are achieved by ARP spoof. As for ARP deception, or use static ARP as much as possible. For WIN, use ARP -S to make static ARP settings. Of course, if you can completely use static IP MAC, it is better because static ARP cache is only relative.
Of course, there can be some ways to implement ARP spoof detection. Set an ARP sniffer, which maintains a static correspondence table of an IP-MAC address of a local network, view all passed ARP data, and check the IP-MAC correspondence, if the captured IP-Mac correspondence and The static correspondence of maintenance is not, then it is shown to be a deceived ARP packet.
An ARP packet sends a program source code and compiled EXE programs to refer to the Arpsender program. Note: You need to install WinPCAP first.
