ARP protocol revealed Zhang Xinrui (zhangxinrui2@163.com) May 2003 1 ARP protocol Overview IP data package is sent by Ethernet. Ethernet equipment does not recognize 32-bit IP addresses: they are transmitted to the Ethernet data packet with 48 Ethernet addresses. Therefore, the IP driver must convert the IP destination address to an Ethernet network destination address. There is a static or algorithm mapping between these two addresses, often requiring a table. Address Resolution Protocol, ARP is used to determine protocols for these images. When ARP is working, a Ethernet broadcast packet containing the desired IP address is sent. Destination owners, or another system representing the host, with a packet containing IP and Ethernet address as a response. The sender caches this address to the cache to save unnecessary ARP communications. If there is a node that is not trusted to have a write access permission for the local network, there will be some risk. Such a machine can release false ARP packets and turn all communications to it yourself, then it can play some machines, or by simple changes to the data stream. The ARP mechanism is often automatic. On a particularly secure network, the ARP mapping can use firmware and have the purpose of preventing interference with automatic suppression protocols.
Figure 1 Ethernet ARP packet format
Figure 1 is an example of an ARP packet used as an IP to Ethernet address translation. Each line in the figure is 32 bits, that is, four eight groups, in the later chart, we will follow this way. The hardware type field indicates the type of hardware interface that the sender wants to know, the value of the Ethernet is 1. The protocol type field indicates the type of high-level protocol provided by the sender, and IP is 0806 (16). The hardware address length and protocol length indicate the length of the hardware address and the high-level protocol address, so that ARP packets can be used in the network of any hardware and any protocol. The operation field is used to represent the purpose of this message, the ARP request is 1, the ARP response is 2, the RARP request is 3, the RARP response is 4. When an ARP request is issued, the sender fills the first and sending party IP addresses, but also fills in the target IP address. When the target machine receives this ARP broadcast package, you will fill in your 48-bit host address in the response message. 2 ARP Using For use, let's take a look at the ARP command under Linux (if the content in the ARP table is empty, you need to connect a host to a host, such as ping the target host to generate an ARP item): D2Server: / Home / Kerberos # ARP
Address Hwtype Hwaddress Flags Mask IFAce
211.161.17.254 Ether 00: 04: 9A: AD: 1C: 0A C ETH0
Address: Host IP Address
HWTYPE: Hardware Type
Hwaddress: Host's hardware address
Flags Mask: Record Sign, "C" indicates an entry in the ARP cache, "M" represents a static ARP entry.
Use the "arp --a" command to display the host address and the IP address of the IP address, which is the ARP cache information saved in the machine. This cache stores the most recent Internet address to the mapping record between the hardware address. The survival time of each of the cache is generally 20 minutes, and the start time begins to count from being created. D2Server: / home / kerberos # arp -a
(211.161.17.254) AT 00: 04: 9A: AD: 1C: 0A [Ether] on et0
It can be seen that there is a ARP cache entry corresponding to a 211.161.17.254 in the cache.
D2SERVER: / home / kerberos # telnet 211.161.17.21trying 211.161.17.21 ...
CONNECTED to 211.161.17.21.
Escape Character is '^]'.
^].
Telnet> quit
Connetion closed.
While performing the top telnet command, use TCPDUMP: D2Server: / Home / Kerberos # tcpdump -e dst Host 211.161.17.21
TCPDUMP: LISTENING ON ETH0
We will hear a lot of packages, we take 2 packages related to our ARP protocol: 1 0.0 00: D0: F8: 0A: FB: 83 ff: ff: ff: ff: ff: FF ARP 60
WHO HAS 211.161.17.21 Tell D2Server
2 0.002344 (0.0021) 00: E0: 3C: 43: 0D: 24 00: D0: F8: 0A: FB: 83 ARP 60
ARP Reply 211.161.17.21 is at 00: E0: 3C: 43: 0D: 24
In line 1, the hardware address of the source host (D2Server) is 00: D0: F8: 0A: FB: 83. The hardware address of the destination host is ff: ff: ff: ff: ff: ff, this is an Ethernet broadcast address. Each Ethernet interface on the cable should receive this data frame and process it. One output field in line 1 is ARP, indicating that the value of the frame type field is 0x0806, indicating that this data frame is an ARP request or answered. In each line, the value 60 behind the word refers to the length of the Ethernet data frame. Since the data frame length of the ARP request or answered is 42 bytes (28-byte ARP data, 14-byte Ethernet frame header), each frame must be added to the minimum length requirements of the Ethernet : 60 bytes. The next output field ARP WHO-HAS in line 1 represents this data frame as an ARP request, the destination I P address is the address of 211.161.17.21, and the I P address of the sender is the address of the D2Server. TCPDUMP prints the default I P address corresponding to the host name. As can be seen from line 2, although the ARP request is broadcast, the destination address of the ARP response is 211.161.17.21 (00: E0: 3C: 43: 0D: 24). The ARP response is delivered directly to the requesting terminal, but broadcast. TCPDUMP prints the words of ARP Reply while printing the host IP and hardware addresses of the responder. In each row, the numbers behind the line number indicate that TCPDUMP receives the time (in seconds) of the packet. In addition to the first line, each line also contains the time difference (in seconds) of the previous line in parentheses. At this time we look at the ARP cache in the machine: D2Server: / home / kerberos # arp -a
(211.161.17.254) AT 00: 04: 9A: AD: 1C: 0A [Ether] on et0
(211.161.17.21) AT 00: E0: 3C: 43: 0D: 24 [Ether] on et0
A mapping of 211.161.17.21 has been added in the ARP cache. Look at other ARP-related commands: D2Server: / home / kerberos # arp -s 211.161.17.21 00: 00: 00: 00: 00: 00:
D2Server: / home / kerberos # arp
Address Hwtype Hwaddress Flags Mask IFAce
211.161.17.254 ether 00: 04: 9A: AD: 1C: 0A c eth0211.161.17.21 ethers 00: 00: 00: 00: 00: 00: Ether 00: 00: 00: 00: 00: 00:
D2Server: / home / kerberos # arp -a
(211.161.17.254) AT 00: 04: 9A: AD: 1C: 0A [Ether] on et0
(211.161.17.21) AT 00: 00: 00: 00: 00: 00 [Ether] Perm on eth0
It can be seen that we have set up 211.161.17.21 with the ARP -S option to 00: 00: 00: 00: 00: 00: And the flag field of this mapping is cm, which means that the ARP option for us. For static ARP options, it remains unchanged without timeout, unlike entries in the cache to update after a certain time interval. If you want to make a manual ARP option timeout, you can add TEMP options D2Server: / home / kerberos # arp -s 211.161.17.21 00: 00: 00: 00: Temp
D2Server: / home / kerberos # arp -a
(211.161.17.254) AT 00: 04: 9A: AD: 1C: 0A [Ether] on et0
(211.161.17.21) AT 00: 00: 00: 00: 00: 00 [Ether] on eth0
D2Server: / home / kerberos # arp
Address Hwtype Hwaddress Flags Mask IFAce
211.161.17.254 Ether 00: 04: 9A: AD: 1C: 0A C ETH0
211.161.17.21 ethers 00: 00: 00: 00: 00: 00: Eth0
You can see the static ARP flag "M" of the flag field has been removed, and we are hand-made is a dynamic entry. Please pay attention to the difference between the ARP static entry and the dynamic entry. In different systems, manually set ARP static entries are different. In Linux and Win2000, static entries do not change because of forged ARP response packages, while dynamic entry changes. In WIN98, manually set static entries will change because of the preceding ARP response package. If you want to delete an ARP entry (including static entry), you can use the following command: d2server: / home / kerberos # arp -d 211.161.17.21
D2Server: / home / kerberos # arp -a
(211.161.17.254) AT 00: 04: 9A: AD: 1C: 0A [Ether] on et0
(211.161.17.21) AT
ON et0
It can be seen that the ARP entry of 211.161.17.21 is incomplete. There are some other commands, you can refer to the Man Document under Linux: D2Server: / Home / Kerberos # man ARP
3 ARP deceives let us first review the principles of the ARP protocol mentioned above. Under the network environment of the TCP / IP protocol, a IP package is going to, how to get on the routing table definition, however, when the IP package reaches the network, which machine responds to this IP package is relying on the IP package The hardware MAC address included in the middle is identified. That is, only the machine's hardware MAC address and the same machine of the hardware MAC address in the IP package will answer this IP package, because in the network, every host will have an IP package, so every There is an ARP -> hardware Mac conversion table in the memory of the station host. Usually a dynamic conversion table (the ARP table can be manually adding static entry). That is, the corresponding table will be refreshed after a certain time interval. This time interval is the timeout time of the ARP cache. Usually, the host is before sending an IP package, it is looking for a hardware MAC address corresponding to the IP package in the conversion table. If not found, the host sends an ARP broadcast package, so the host refreshes its own ARP cache. The IP package is then issued. After understanding these common sense, you can talk about how ARP deceived in the Ethernet network can now look at an example. 3.1 ARP fraud in the same network segment Figure 2 ARP spoofing in the same network segment
As shown in Figure 2, three host A: IP address 192.168.0.1 Hardware address AA: AA: AA: AA: AA: AAB: IP address 192.168.0.2 Hardware Address BB: BB: BB: BB: BB: BBC: IP Address 192.168.0.3 Hardware Address CC: CC: CC: CC: CC: CC: A intruder located at host B wants to illegally enter the host A, but the firewall is installed on this host. By collecting information, he knows that the firewall of this host A is only trustworthy to host C (open 23 ports (Telnet)). And he must use Telnet to enter the host a. How should he deal with this time? We consider this, intruders must let the host A believe that the host B is host C, and the trust relationship between host a and host C is built on the IP address. If the host B's IP address is changed, it is not possible to work, at least. If you tell the Ethernet card device driver, yourself IP is 192.168.0.3, then this is just a pure competitive relationship and cannot achieve the goal. We can study c this machine if we can make this machine to be temporary, the competition relationship can be released, which is still possible. While the machine C is dropped, the IP address of the machine B is changed to 192.168.0.3 so that the 23-port Telnet to the machine A, while the successful bypass the firewall. The above idea is no effect in the case, if the trust relationship between host A and host C is based on the hardware address. This time you need to use ARP spoofing to let the host A refer to the hardware address of 192.168.0.0.3 mapped in its own ARP cache to host B. We can create an ARP_REPLY response package, send it to the host you want to deceive, which is achievable, because the protocol does not specify that you must send a response package after receiving ARP_ECHO. Such a lot of tools, we can also Use SnifferPro to catch an ARP response package and modify it. You can make this package for people. You can specify the source IP, target IP, source MAC address, target MAC address in the ARP package. This way you can modify the dynamic ARP cache on the host A to achieve deception by false ARP response packages. The following is the specific steps:
He first studied 192.0.0.3 this host and found the vulnerability of this host. According to the discovered vulnerability, the host C is turned, temporarily stops. During this time, invaders change their IP to 192.0.0.3 His tools send a source IP address of 192.168.0.3 The source MAC address is BB: BB: BB: BB: BB: BB package to host a, require Host A updates its own ARP conversion table. The host updated the IP -> Mac correspondence between host C in the ARP table. The firewall has failed, and the invasive IP turns into a legitimate MAC address, which can Telnet. The above is an ARP spoofing process, which is in the same network segment, but it is noted that the above method does not work when B and C are in different network segments. 3.2 ARP fraud in different network segments Figure 3 ARP spoof between different network segments
As shown in FIG. 3, a, C is located in the same network segment and the host B is located in another network segment. The IP address and hardware addresses of the three machines are as follows: A: IP address 192.168.0.1 Hardware address AA: AA: AA: AA: AA : AAB: IP address 192.168.1.2 Hardware address BB: BB: BB: BB: BB: BB: IP address 192.168.0.3 Hardware address CC: CC: CC: CC: CC: CC In now, located in 192.168.1 How does the host B of the network segment pretend to be host C to deceive the host A? Obviously, the Telnet session cannot be established between the host B and host A, because the router does not send the host A to the host B to forward the host B, and the router will find the address in 192.168. 0. This section is within this network segment. Nowadays, another deception -ICP redirection is now involved. The combination of ARP spoof and ICMP can be basically achieved by spanning spoofing. What is ICMP redirection? ICMP redirection packets are one of ICMP control packets. In a particular case, when the router detects a machine to use a non-optimization route, it sends an ICMP redirect message to the host, requesting the host to change the route. The router will also report the initial data to its destination forwarding. We can use ICMP to redirect packets to deceive the purpose. Here is the steps combined with ARP spoofing and ICMP redirection:
In order to enable illegal IP packages you can survive on the network, start modifying the IP package to prepare the problem of the IP package to be prepared in the following procedure. Change TTL to 255. (TTL definitions a IP package If you can't get the host on the network, you can survive on the network, and change the way in this case, which is conducive to your adequate broadcast) to download one freely The tool (such as hping2) is then looking for the vulnerability of the host C, in accordance with this vulnerability C. After the host of the network can't find the original 192.0.0.0.3, you will update your own ARP correspondence table. So he sends an original IP address of 192.168.0.3 Hardware address to BB: BB: BB: BB: BB: BB ARP response package. Ok, now every host knows, a new MAC address corresponds to 192.0.0.3, an ARP spoof is done, however, each host will only find this address in the local area network, will not send it to 192.0 .0.3 IP packet is lost. So he has to construct an ICMP redirect broadcast. Customize an ICMP redirect package telling the host: "To 192.0.0.3 The shortest path is not a local area network, but the routing, please redirect your routing path, put all the 192.0.0.3 IP packets to the route "Host A accepts this reasonable ICMP redirection, which modifies its own routing path to throw communication with 192.0.0.3 to the router. The invader can finally receive an IP package from the host in the route outside the route, he can start Telnet to the host's 23 port. In fact, the above ideas is just an ideal case, and the ICMP redirect package that hosts permitted by the host has a lot of restrictions, which makes ICMP redirectivity. TCP / IP protocol implementation About host reception ICMP redirection packets mainly include the following limitations: new routing must be a redirect package that must come from the current routing package to go to the target cannot notify the host with its own route change The route must be an indirect routing because there are these restrictions, so ICMP deception is actually difficult. But we can also take the initiative to find some other methods based on our thinking. More importantly, we know the harm of these deception methods, we can take corresponding defense methods. 3.3 ARP fraud defense knows the method and hazard of ARP fraud, we give some preliminary defense methods:
Don't build your network security relationship on the basis of the IP address or on the hardware MAC address, (Rarp also exists in deceived issues), the ideal relationship should be based on IP MAC. Set static Mac -> IP corresponding table, do not let the host refreshed the conversion table you set. Unless it is necessary, stop using the ARP, and save the ARP as a permanent entry in the corresponding table. Under Linux, you can use IFConfig -arp to stop using ARP. Use the proxy gateway to send outgoing communication. Modifying the system Refused ICMP Redate Packets Under Linux, you can re-compile the kernel by re-compiling the kernel on the firewall or modify the kernel option to re-accept the ICMP redirect message. Under Win2000, you can refuse to receive ICMP packets through firewalls and IP policies. 4 Agent ARP Application Agent ARP has two major applications, one is that our implementation of the transparent mode in the firewall implementation, the other is harmful to achieve the purpose of sniffing in the exchange environment. By This can be seen that the same technique is applied to different purposes. The effect is different. Let's first see the sniffing of the local area network in the exchange environment. Usually in the local area network environment, we all have access to the gateway of the environment. In addition to the network communication of other hosts, using NetXray or Nai Sniffer, in exchange environments, in addition to catching their own packages, in addition to catching their own packages. But we can achieve the purpose of Snifer by using ARP spoof. The ARP protocol is a protocol parsing the IP address as a MAC address, and communication in the LAN is based on the MAC address.
Figure 4 Exchange of ARP spoof in the network
As shown in Figure 4, the three hosts are located in an inter-switched network, where A is a gateway: A: IP address 192.168.0.1 Hardware address AA: AA: AA: AA: AAB: IP address 192.168.0.2 Hardware address BB: BB: BB: BB: BB
C: IP address 192.168.0.3 Hardware address CC: CC: CC: CC: CC
In the local area network, 192.168.0.2 and 192.168.0.3 are all Internet access, assuming the attacker's system is 192.168.0.2, he hopes to hear 192.168.0.3 communication, then we can use the ARP spoofing implementation. The central principle of this deception is the application of the ARP agent. Host A is a proxy server in the LAN. The outward communication of each node in the local area network passes it. Host B wants to listen to the host C, it needs to be used first ARP spoof, let the host C think it is host A, this time it sends an IP address as 192.168.0.1, the physical address is BB: BB: BB: BB: BB: BB: BB: BB: BB: BB: BB: BB: BB: BB: BB: BB: BB: BB: BB: BB: BB: BB: BB: BB: BB: BB: BB: BB: BB: BB: BB: BB: BB: BB: BB: BB: BB: BB: BB: BB: BB: BB: BB: BB: BB: BB: BB: BB: BB: BB: BB: BB: BB: BB: BB: BB: BB: BB: BB: BB: BB: BB: BB: BB: BB: BB: BB: BB: BB: BB: BB: BB: BB: Send the package to the host A to the host B. Simultaneous, let the gateway A believe that it is host C, send an IP address to gateway A to 192.168.0.3, physical address is BB: BB: BB: BB : BB package. The operation above this step is the same, but there is still a problem, but there is a problem, and the host B will find itself unable to go online. So there is still a step in the host B to forward From the host A to the host C package, and forward the package from the host C to the host A. Now we can see that the host B has played a proxy in the communication of host A and host C, why is this called ARP agent? Cause. Specific implementation To use two tools DSNIFF and FRAGROUTER, DSNIFF is used to implement ARP spoof, Fragroute is used to forward the package. First use the arpspoof in DSNIFF to implement ARP spoof, DSNIFF software can download: Http://naughty.monkey.org/~ DUGSONG / DSNIFF to install this package before downloading the installation libnet. Deceive 192.168.0.3, telling the machine gateway 192.168.0.1 MAC address of 192.168.0.2. [ Root @ Sound Dsniff-2.3] # ./ARPSPOOF -I Eth0 -t 192.168.0.3 192.168.0.1 Deception 192.168.0.1, tell 192.168.0.1 Host MAC address of 192.168.0.3 is a MAC address of 192.168.0.2. [root @ Sound DSNIFF-2.3] # ./ARPSPOOF -I Eth0 -t 192.168.0.1 192.168.0.3 Now we have completed the first step, this spoof is done by arpspoof, of course you can also use other The tools have even happly. Now we can see that we need the work we need in the ARP list of host A and host C. In the back transparent agent, we will use another different concept. Let's open first. For the transfer package in the Linux system: [Root @ Sound / root] # echo "1"> / proc / sys / net / ipv4 / ip_forward Next We can download another tool Fragroute, a famous Dugsong, this tool is called Fragrouter (Only 1 word difference) is primarily used to implement the detection of the IP and TCP package function of the intrusion detection system. It is a function of self-generation for self-generation. You can download: http://monkey.org/ ~ Dugsong / Fragroute / Install this package to download and install libpcap and libevent. Of course, we can also use Fragrouter: http://www.packetStormsecurity.org/groups/W00W00 / SECTOOLS / FRAGROUTER / [ROOT @ Sound Fragrouter -1.6] # ./fragrouter -b1
Fragrouter: base-1: Normal IP Forwarding Now you can implement the goal of sniffing in the swap LAN. Of course, these are just some principles, which will encounter a lot of problems in real use, such as how to implement gateway A. And the spoofing of host C, and how to deal with the possible broadcast storm problem, these can learn in practice. There is also a tool called Arpsniff to complete this feature, many websites offer download, the interface is relatively friendly, due to As with the principles above, it is only the use of the tools and adds some additional features, so this is not introduced. Another application of the agent ARP is the implementation of the transparent agent of the firewall. We all know that the early firewall is mostly based on routing Mode, that is, the firewall to complete a route role. This access method requires setting the firewall's IP on the host in the local area, and you need to add a route to the firewall in the routing table of the external router. This way The disadvantage is that it is opaque and needs too much setting, and destroys the original network topology. So now almost all firewalls have realized a transparent access, and the user's router and client do not have to make any modifications, users There is even aware of the existence of a transparent access method. The principle of this transparent access is the ARP agent. We now look at how to configure a host as a firewall that transparent access mode (transparent access firewall does not need IP),
Figure 5
As shown in Figure 5, a firewall is connected to the internal network segment and the DMZ network segment to the external route. We use the Linux operating system on this host used as a firewall, so we can easily use the iptables firewall. Suppose the three network cards are Eth0, Eth1 and Eth2, Eth0 and routers are connected, Eth1 and intranets are connected. Eth2 and external networks are connected. Suppose there is 2 servers in the DMZ district. Introduction to the Internet Address: 192.168.1.0/24
DMZ Address: 192.168.1.2 --- 192.168.1.3
Router's IP address: 192.168.1.1
Eth0: aa: aa: aa: aa: aa: aa
Eth1: BB: BB: BB: BB: BB: BB
Eth2: CC: CC: CC: CC: CC: CC
And the front is similar, the first step needs to implement ARP spoof, this time we have a simple implementation. We use the router's IP address and the firewall's Eth1 and Eth2 network card physical address, and the IP address of the intranet and DMZ network segment And ETH0 network card binding, we use the ARP command on Linux system: ARP -S 192.168.1.1 BB: BB: BB: BB: BB: BB
ARP -S 192.168.1.1 CC: CC: CC: CC: CC: CC
Arp -s 192.168.1.0/24 aa: aa: aa: aa: aa: aa
The second part we need to set the route on Linux-based firewall, which transfers the target address to the Eth0, forward the target address to the Eth1, and the target address is the DMZ network segment server. Eth2. Using the route command under Linux to implement Route Add 192.168.1.1 dev eth0
Route Add -Net 192.168.1.0/24 dev eth1
Route Add 192.168.1.2 dev eth2
Route Add 192.168.1.3 dev eth3
(Add a separate route to each server in the DMZ network segment) Now we have implemented a simple ARP agent transparent access, of course, the iptables section of the firewall must be configured separately, iptables are not in this article. Within the category. Summary This article introduces the ARP protocol and related security issues. An important security issue is ARP spoofing, we told the ARP spoofing of the same network segment and a method of combining the ARP fraud and ICMP redirection across the network segment. We give some most basic solutions because there are these security issues. Finally, I talked about the transparent access to the firewall and the firewall in the switched network using the agent ARP. For more deeper knowledge, please refer to RFC826, RFC814, RFC1029, RFC1166, and web pages related to Dugsong: http://freshmeat.net/~dugsong/