Cracking the MAC and IP Address Binding Strategy [Repost]

xiaoxiao2021-03-06  72

Most countermeasures against "IP address theft" rely on binding MAC addresses to IP addresses, and relying on that binding alone is risky. This article examines the problem. It should be stated at the outset that the article is written out of concern for the many sites that depend on MAC/IP binding, not with any hacking intent.

1.1 Why bind MAC and IP addresses

Many factors affect network security; IP address theft (address spoofing) is among the most common and the most damaging. In practice many network applications use the IP address as an important parameter, for example as the user identifier in traffic accounting and account control. If someone steals a legitimate address and impersonates a legitimate user, data on the network may be tampered with, eavesdropped on, or even destroyed, causing losses that cannot be recovered.

Stealing an IP address that belongs to an external network is harder, because interconnection devices such as routers are generally configured with the address range that belongs to each port, and packets whose addresses fall outside that range are dropped by the device. But if the stolen address belongs to the same Ethernet segment as the thief, such interconnection devices are obviously powerless. As the saying goes, "virtue rises one foot, the devil rises ten", and of course countermeasures exist for IP theft inside an Ethernet. Binding MAC addresses to IP addresses is a common, simple and effective measure against internal IP theft.

1.2 Principle of MAC and IP address binding

An IP address is trivial to change, whereas the MAC address is stored in the NIC's EEPROM and is unique to the card. Therefore, to stop insiders from stealing IP addresses (for example, taking the address of a host with wider privileges in order to read information beyond their own authorization), each IP address on the internal network can be bound to a MAC address. A thief who changes only the IP address then fails, because the MAC address does not match the binding:

Today many internal networks, campus networks in particular, apply MAC/IP binding, and many firewalls (hardware and software) have built-in MAC/IP binding functions to prevent IP theft within the network.

On the surface, binding MAC to IP addresses can prevent internal IP addresses from being stolen, but because of the way the protocols and NIC drivers are actually implemented, MAC/IP binding has a serious defect and cannot truly prevent internal IP theft.

2 Cracking the MAC and IP address binding strategy

2.1 Introduction to IP addresses and MAC addresses

The TCP/IP network in use today has a four-layer protocol structure: from bottom to top, the link layer, the network layer, the transport layer and the application layer.

Ethernet is a link-layer protocol and the address it uses is the MAC address. The MAC address is the hardware identifier on an Ethernet; it is written into the NIC's EEPROM when the card is manufactured. Every NIC carries a different MAC address, so the MAC address uniquely identifies a card. Every frame transmitted on the Ethernet carries the MAC address of the NIC that sent it.

Ethernet identifies the sender and receiver of a frame by the source and destination MAC addresses in the Ethernet header. IP is a network-layer protocol and the address it uses is the IP address. When communicating with IP, every IP packet carries a source and a destination IP address identifying the packet's sender and receiver. When IP runs over Ethernet, the IP packet is carried as the payload of the Ethernet frame, and the IP addresses are transparent to link-layer devices such as Ethernet switches. A user may configure one or more IP addresses on a NIC as the network requires; there is no inherent correspondence between a MAC address and an IP address.

Although the MAC address stored in the NIC's EEPROM is fixed, the NIC driver does not read the MAC address from the EEPROM when it sends an Ethernet frame. Instead it keeps a buffer in memory and takes the source MAC address of each outgoing frame from that buffer. Furthermore, the user can change, from within the operating system, the source MAC address that actually goes out in the frames. Since the MAC address can be changed, binding MAC to IP addresses loses its original meaning.

2.2 The cracking experiment

The figure in the original article is a schematic of the test setup. Both the internal server and the external server provide a web service, and the firewall enforces MAC/IP binding: a packet whose source MAC address and source IP address do not match a pair configured on the firewall cannot pass. Host 2 and the internal server are legitimate machines on the internal network; host 1 is a newly added machine used for the experiment, running Windows 2000 Enterprise with a 3Com NIC.

The test requires changing the MAC and IP address of host 1's NIC to those of the victim device. First, open "Network and Dial-up Connections" in the Control Panel, right-click the NIC in question, select Properties, and click the "Configure" button on the "General" tab of the properties page. Select the "Advanced" tab of the configuration dialog, choose "Network Address" in the property list, select the input box in the "Value" column, and enter the MAC address of the victim device. The MAC address change is then complete.

Then set the IP address to that of the victim device. Stealing an internal client's IP address: change host 1's MAC and IP address to host 2's MAC and IP address. Host 1 can then reach the external server, passing through the firewall without difficulty, and can also reach host 2 itself. At the same time host 2 can still reach the external server normally and is not affected by host 1. Neither host 2 nor the firewall notices the presence of host 1. If host 1 accesses the internal server, there is no firewall to cross at all, and it is equally unhindered.
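As an added illustration (not code from the original article), the following Python script models the firewall's binding check over Ethernet II/IPv4 frames built with struct, and replays the three cases of the experiment: host 2 itself, host 1 taking only host 2's IP, and host 1 taking both MAC and IP. The addresses, the binding table and the firewall MAC are constructed sample values, and the source MAC of each frame is simply whatever the sender writes into it, mirroring a driver that takes the address from a writable memory buffer rather than from the EEPROM.

```python
import struct

# Constructed sample topology (hypothetical addresses, not from the original article):
# host 2 and the internal server are legitimate; host 1 is the attacker's machine.
FIREWALL_BINDINGS = {
    "10.0.0.2": "00:50:da:aa:bb:02",    # host 2
    "10.0.0.10": "00:50:da:aa:bb:10",   # internal server
}
HOST1_REAL_MAC = "00:04:76:11:22:33"    # burned-in MAC of host 1's card (assumed)
FIREWALL_MAC = "00:50:da:ff:ff:01"      # firewall's inside interface (assumed)
EXTERNAL_SERVER = "203.0.113.80"        # documentation address standing in for the outside server


def mac_to_bytes(mac: str) -> bytes:
    return bytes(int(x, 16) for x in mac.split(":"))


def bytes_to_mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_to_bytes(ip: str) -> bytes:
    return bytes(int(x) for x in ip.split("."))


def bytes_to_ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's-complement sum of 16-bit words, complemented."""
    s = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def build_frame(src_mac, dst_mac, src_ip, dst_ip, payload=b"") -> bytes:
    """Ethernet II frame carrying a minimal IPv4 header (no options).
    The source MAC is whatever the caller supplies: like the driver's in-memory
    MAC buffer, nothing here ties it to the card's EEPROM."""
    eth = mac_to_bytes(dst_mac) + mac_to_bytes(src_mac) + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, 20 + len(payload),   # version/IHL, TOS, total length
                     0, 0, 64, 6, 0,               # id, flags/frag, TTL, proto=TCP, checksum=0
                     ip_to_bytes(src_ip), ip_to_bytes(dst_ip))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    return eth + ip + payload


def parse_frame(frame: bytes) -> dict:
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:
        raise ValueError("not an IPv4 frame")
    ihl = (frame[14] & 0x0F) * 4
    ip = frame[14:14 + ihl]
    if ipv4_checksum(ip) != 0:           # a valid header sums to zero with its checksum included
        raise ValueError("bad IPv4 checksum")
    return {"src_mac": bytes_to_mac(src), "dst_mac": bytes_to_mac(dst),
            "src_ip": bytes_to_ip(ip[12:16]), "dst_ip": bytes_to_ip(ip[16:20])}


def binding_firewall_allows(frame: bytes, bindings=FIREWALL_BINDINGS) -> bool:
    """The firewall's check: pass an inside-to-outside frame only when the source IP is
    in the binding table and the frame's source MAC equals the bound MAC."""
    f = parse_frame(frame)
    return bindings.get(f["src_ip"], "").lower() == f["src_mac"].lower()


def experiment() -> dict:
    """Replay the three cases of the experiment against the binding check."""
    host2_mac = FIREWALL_BINDINGS["10.0.0.2"]
    return {
        # host 2 itself: bound pair, passes
        "host2": binding_firewall_allows(
            build_frame(host2_mac, FIREWALL_MAC, "10.0.0.2", EXTERNAL_SERVER)),
        # host 1 takes only host 2's IP: MAC mismatch, blocked (what binding is meant to catch)
        "host1_ip_only": binding_firewall_allows(
            build_frame(HOST1_REAL_MAC, FIREWALL_MAC, "10.0.0.2", EXTERNAL_SERVER)),
        # host 1 rewrites both MAC and IP: indistinguishable from host 2, passes
        "host1_mac_and_ip": binding_firewall_allows(
            build_frame(host2_mac, FIREWALL_MAC, "10.0.0.2", EXTERNAL_SERVER)),
    }


if __name__ == "__main__":
    for case, allowed in experiment().items():
        print(f"{case:18s} -> {'PASS' if allowed else 'BLOCKED'}")
```

The binding check has nothing to key on beyond the two fields the sender controls, which is why the third case is indistinguishable from the first; a check that also consults the switch port the frame arrived on (section 4) would see the difference.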

Stealing the internal server's IP address: change host 1's MAC and IP address to the internal server's MAC and IP address, and run a web server on host 1 as well. To make the effect obvious, the content served by host 1 differs from that served by the internal server.

Because host 1 and host 2 were connected to the same hub in the experiment, host 2's requests were always answered by host 1: host 2 expected to reach the internal server but always received host 1's content. In the general case, when host 2 tries to access the internal server, whether it gets host 1's content or the internal server's is random and depends on which of the two answers its request first; this is elaborated in the analysis below.

The damage from stealing a server's MAC and IP address can be greater. If the web content served by host 1 is identical to that on the internal server, host 2 cannot tell which machine it is talking to; and if the web page asks for an account name, password or similar information, all of it is handed straight to host 1.

3 Why the crack succeeds

The experiment above confirms that MAC/IP binding has a serious defect and cannot effectively prevent internal IP addresses from being stolen. The defect is analysed theoretically below.

The precondition for the defect is the NIC's promiscuous receive mode: in promiscuous mode the NIC receives every frame on the network regardless of whether the destination MAC address is its own. Because NICs support promiscuous mode (and, more generally, a receive filter that the driver can program rather than one hard-wired to the EEPROM address), the driver can support changing the MAC address; otherwise, even if the MAC address were changed, the NIC could not receive frames addressed to the new MAC, and the card could only send, not receive, so normal communication would be impossible.

The direct reason the MAC address can be stolen lies in how the NIC driver builds outgoing Ethernet frames. The source MAC address of the frame is filled in by the driver, but the driver does not read it from the NIC's EEPROM; it sets up a MAC address buffer in memory and copies the EEPROM contents into it when the NIC is initialised. If the buffer is overwritten with a user-chosen MAC address, every frame sent afterwards carries the modified address as its source. Changing the MAC address alone does not necessarily let the thief communicate, however. Ethernet is broadcast-based: a NIC can see every frame on the LAN, but in normal mode it accepts only the frames whose destination matches its own MAC address. If two hosts with the same MAC address each send a request, the responses to both requests match both hosts, so each host receives not only the data it asked for but also the data meant for the other host with the same MAC.

In theory, two hosts receiving each other's stray packets should not work normally, and at least one of them should notice. Yet in the experiment each device kept working after the address was stolen, without interfering with the others. Why? The answer lies in the upper-layer protocols.

The most common protocol suite today is TCP/IP, and network applications generally run on TCP or UDP; for instance HTTP, which the web server in the experiment uses, runs on TCP. In TCP and UDP a communication endpoint is identified not only by the IP address but also by a port number. In a typical application the client's port number is not preset but generated by the protocol stack according to certain rules, with randomness; this is the case when IE accesses a web server. A UDP or TCP port number is a 16-bit binary number, and the chance that two randomly chosen 16-bit numbers coincide is very small. So although the two hosts share an IP address and a MAC address, their applications use different port numbers; the extra data received is simply discarded by the TCP/UDP layer as not belonging to any local socket, and that processing is transparent to the user, who continues to use the service "correctly" without noticing the address theft.

Of course, some applications' port numbers are chosen by the user or the application itself rather than generated randomly by the protocol stack. What happens then? Suppose, for example, the same application is started on both hosts that share a MAC and IP address. Will the two applications fail to work? In fact, not necessarily.

If the transport is UDP, the two applications will interfere with each other. If it is TCP, the outcome is different. Because TCP is connection-oriented and guarantees correct delivery through retransmission, it introduces the concepts of the segment sequence number and the receive window. Among segments whose port numbers match, only those whose sequence numbers fall within the receive window are accepted; the rest are treated as stale segments and discarded. TCP sequence numbers are 32 bits wide; the initial sequence number of each connection is chosen randomly, and the sequence number then advances by the number of data bytes carried in each segment.

The window field is 16 bits wide, so the window covers at most 2^16 sequence numbers out of a sequence space of 2^32. The probability that the sequence number of a stray segment lands in the range a host expects is therefore about 2^16 / 2^32 = 1/2^16, which is very small. The TCP sequence number was designed to ensure correct delivery of segments, but here it has become a cover for address theft.

4 Methods for defeating the cracking of MAC and IP address binding

There are many ways to counter the cracking of MAC/IP binding; the following are a few: binding the switch port, MAC address and IP address together; combining the binding with a firewall; user authentication with the PPPoE protocol; directory-service-based policy; and unified identity authentication combined with accounting software (the principles and procedures of these methods are described in "Campus Network IP Address Theft Solutions"). The author particularly recommends the last of these, implemented through the campus office automation system together with network accounting software, which is highly practical in today's campus network information construction.

Anyone running a campus network, give it a try.

Please credit the original source when reposting: https://www.9cbs.com/read-87176.html
