Release Date: 2000-05-10
Article content:
Design notes: technical documentation on ARP spoofing
Author: scz
  -------------------------------------------------  switching hub
   |        |        |        |        |
   D        A'       A        B        C   <---- A, B and C are on the same logical subnet

A is the gateway. Our sniffer sits on B; from B we ARP-spoof A and C, and the effect we need is this:

A: IPC <----> MACB, so that when A tries to communicate with C the packets pass through B. This is easy to verify.
B: performs the link-layer (MAC-level) forwarding of the packets. This requires our sniffer to intervene at the IP layer. Obviously we only handle unicast addresses, not broadcast addresses.
C: IPA <----> MACB, so that when C tries to communicate with A the packets pass through B. This is easy to verify.
1. Add a spoofing refresh thread; its refresh interval can be customized in the configuration file. Like the packet-analysis thread DoAnalyseThread, the spoofing refresh thread DoSpoofThread should block when the capture thread DoCaptureThread is suspended by the external signal SIGEND, rather than keep spoofing indefinitely.
The spoofed ARP reply sent to IPA (real address MACA) looks like this:

  Ethernet header
    AA-AA-AA-AA-AA-AA   destination MAC: the real MACA of IPA
    00 00 00 00 00 00   source MAC
    08 06               type: ARP
  ARP reply
    00 01               hardware type: Ethernet
    08 00               protocol type: IP
    06 04               hardware / protocol address lengths
    00 02               operation: reply
    BB-BB-BB-BB-BB-BB   sender MAC: MACB, the address that is about to appear in IPA's ARP cache for IPC
    CC-CC-CC-CC         sender IP: IPC
    00 00 00 00 00 00   target MAC
    AA-AA-AA-AA         target IP: IPA

This packet causes IPA's ARP cache to map IPC to MACB.
2. The destination MAC address and destination IP address of each packet must be obtained, and these two values decide whether the packet is forwarded at the link layer. If link-layer forwarding is needed, the source MAC address and the destination MAC address must both be modified.
When DestMACB DestIPA SrcMACC SrcIPC appears, rewrite it to DestMACA DestIPA SrcMACB SrcIPC.
When DestMACB DestIPC SrcMACA SrcIPA appears, rewrite it to DestMACC DestIPC SrcMACB SrcIPA.
The discussion above is limited to ARP spoofing inside the local network, without crossing the gateway. Now consider the case where the gateway is involved. Suppose host A is the gateway, host D is outside the gateway, host C is inside the gateway, host C's ARP cache holds the pair IPA ---- MACB, and host A's ARP cache holds the pair IPC ---- MACB.
When DestMACB DestIPD SrcMACC SrcIPC appears, rewrite it to DestMACA DestIPD SrcMACB SrcIPC.
When DestMACB DestIPC SrcMACA SrcIPD appears, rewrite it to DestMACC DestIPC SrcMACB SrcIPD.
Comparing the four cases and extracting what they have in common: DestIP and SrcIP always keep their original values.
When DestMACB DestIPX SrcMACY appears (X equal to A, or X outside the gateway), rewrite it to DestMACA DestIPX SrcMACB.
When DestMACB DestIPX SrcMACA appears (X inside the gateway, X not equal to B), rewrite it to DestMACX DestIPX SrcMACB.
These are the packets that can appear in the "normal" case. If someone else is also carrying out ARP spoofing at the same time, the situation becomes complicated and is not discussed here. Be sure to understand the simplified conclusion above, otherwise the process that follows is hard to follow.
3. Whether the switching hub is to be monitored should be set in the configuration file. If it is not set, the spoofing refresh thread is not started at initialization, and link-layer packet forwarding need not be done in the function doip().
4. Add code to the function doip() for the link-layer packet forwarding, because, as the discussion in item 2 shows, a complete ARP spoof must be understood from the IP layer.
5. One MAC corresponding to several IPs in an ARP cache is unreasonable, but in practice no side effects have been found.
6. For now, the case where hosts C, C', C'' are ARP-spoofed at the same time is not considered; handling for it will be added later.
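As an added example (not part of the original design or its sniffer code), here is the defender's view of the frame in item 1 and of the side effect admitted in item 5: a small Python parser for Ethernet/ARP replies that tracks IP-to-MAC bindings and flags a sender MAC that differs from the Ethernet source, a binding that changes, and one MAC answering for several IPs. The sample frames and the AA/BB/CC addresses are constructed from the text's placeholders.

```python
import struct
from collections import defaultdict
ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, ethertype
ARP_PKT = struct.Struct("!HHBBH6s4s6s4s")  # htype, ptype, hlen, plen, op, sha, spa, tha, tpa

def parse_arp_reply(frame):
    """Return (eth_src, sender_mac, sender_ip, target_ip) for an Ethernet/IPv4 ARP reply, else None."""
    if len(frame) < ETH_HDR.size + ARP_PKT.size:
        return None
    _dst, src, ethertype = ETH_HDR.unpack_from(frame, 0)
    fields = ARP_PKT.unpack_from(frame, ETH_HDR.size)
    if ethertype != 0x0806 or fields[:5] != (1, 0x0800, 6, 4, 2):
        return None
    sha, spa, _tha, tpa = fields[5:]
    return src.hex("-").upper(), sha.hex("-").upper(), ".".join(map(str, spa)), ".".join(map(str, tpa))

class ArpWatcher:  # tracks IP->MAC bindings learned from replies and reports what a spoofed reply leaves behind
    def __init__(self):
        self.ip_to_mac, self.mac_to_ips = {}, defaultdict(set)

    def observe(self, frame):
        parsed = parse_arp_reply(frame)
        if parsed is None:
            return []
        eth_src, sha, spa, _tpa = parsed
        alerts = []
        if eth_src != sha:  # item 1's frame: all-zero Ethernet source, MACB in the ARP body
            alerts.append(f"eth src {eth_src} != ARP sender {sha} for {spa}")
        prev = self.ip_to_mac.get(spa)
        if prev is not None and prev != sha:  # an existing binding is being overwritten
            alerts.append(f"{spa} moved from {prev} to {sha}")
        self.ip_to_mac[spa] = sha
        self.mac_to_ips[sha].add(spa)
        if len(self.mac_to_ips[sha]) > 1:  # item 5: one MAC answering for several IPs
            alerts.append(f"{sha} claims {len(self.mac_to_ips[sha])} IPs")
        return alerts

def build_reply(eth_dst, eth_src, sha, spa, tha, tpa):  # constructed test frame: Ethernet header + ARP reply
    return ETH_HDR.pack(eth_dst, eth_src, 0x0806) + ARP_PKT.pack(1, 0x0800, 6, 4, 2, sha, spa, tha, tpa)
# Constructed sample addresses following the text's placeholders (MACA = AA.., MACB = BB.., MACC = CC..).
MACA, MACB, MACC, ZERO = bytes([0xAA] * 6), bytes([0xBB] * 6), bytes([0xCC] * 6), bytes(6)
IPA, IPC = bytes([0xAA] * 4), bytes([0xCC] * 4)

def run_demo():  # two genuine replies, then item 1's spoofed reply and its mirror; returns each frame's alerts
    w = ArpWatcher()
    frames = [build_reply(MACA, MACC, MACC, IPC, MACA, IPA),  # genuine: C tells A that IPC is at MACC
              build_reply(MACC, MACA, MACA, IPA, MACC, IPC),  # genuine: A tells C that IPA is at MACA
              build_reply(MACA, ZERO, MACB, IPC, ZERO, IPA),  # item 1's frame: IPC -> MACB, sent to A
              build_reply(MACC, ZERO, MACB, IPA, ZERO, IPC)]  # its mirror toward C: IPA -> MACB
    return [w.observe(f) for f in frames]
```

The two genuine replies produce no alerts; the spoofed pair triggers the source-mismatch and binding-change alerts, and the second one also shows MACB claiming two IPs.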