ARP Poisoning and Cain

Right then, it's time to get down to work! Today's post will focus on a useful little attack vector called ARP
Poisoning
(Or ARP Cache Poisoning for the sticklers).

What is ARP?

The Address Resolution Protocol (ARP for short) is how network devices associate MAC addresses with I.P addresses so
that devices on the local network can find each other. ARP is basically a form of networking roll call.

ARP, a very simple protocol, consists of merely four basic message types:

1. An ARP Request. Computer A asks the network, "Who has this IP address?"
2. An ARP Reply. Computer B tells Computer A, "I have that IP. My MAC address is [whatever it is]."
3. A Reverse ARP Request (RARP). Same concept as ARP Request, but Computer A asks, "Who has this MAC
address?"
4. A RARP Reply. Computer B tells Computer A,"I have that MAC. My IP address is [whatever it is]"

All network devices have an ARP table, a short-term memory of all the IP addresses and MAC addresses the device has
already matched together. The ARP table ensures that the device doesn't have to repeat ARP Requests for devices it
has already communicated with.

Here's a basic example of a typical ARP process:


I want to print this article for a friend who's downstairs in the kitchen. In the kitchen there is a networked
printer with the i.p of 192.168.0.6. My computer has the i.p of 192.168.0.3.

So my computer broadcasts an ARP request to the entire network asking who has the i.p 192.168.0.6? All the computers
that don't have this i.p simply ignore this request but the printer who has the correct i.p wakes up and sends an
ARP reply saying "Hey! I'm 192.168.0.6 and my MAC address is FF:FF:FF:FF:FF:FF!".

Now my computer knows the printer's MAC address, it sends the file to be printed to the correct printer and
associates the printer's MAC address with the printer's i.p address in it's ARP table.

The one problem with ARP is that it's very trusting so it assumes that the computer who gives the i.p address and
the MAC address is the real computer. There's no verification. This was probably done to simplify networking at the
start but as you're about to see, it leave some very big security holes...


The Attack:

Since I'm using windows xp (windows haters don't kill me, I use linux on a regular basis), I'm going to
use a very clever program called Cain. You can download this program from www.oxid.it free of charge!

Some people use this tool and have no idea how it actually works and that's why I wrote this article, so you at
least know what it's doing!

So I'll fire up Cain:

(IMG:http://img155.imageshack.us/img155/3742/cainsd8.jpg)


(If this is too small then I've hosted it on imageshack at http://img155.imageshack.us/my.php?image=cainsd8.jpg)

Right so as you can (hopefully) see, I've fired up Cain, I've started up the sniffer (the little network card
icon at the top left) and I've started ARP (little radioactive symbol next to the sniffer).

Of course before you can do that, you need to scan your hosts, so click on the little hosts tab and you'll see
something like this:

(IMG:http://img138.imageshack.us/img138/8838/hostsfs1.jpg)


(If it's too small then go to imageshack at http://img138.imageshack.us/my.php?image=hostsfs1.jpg)

So, as you can see, the hosts list is empty! How to solve this? Right click and you'll see an option "Scan Mac
Addresses" . Select that and you'll see a form


(like http://img147.imageshack.us/my.php?image=scangn7.jpg).

Use the default of "Scan all hosts in my subnet" and you'll see a list of computer names, i.p addresses
and MAC addresses come up.

From there, go back into the ARP tab and at the top you should see a little plus sign click on it to get something like


(IMG:http://img218.imageshack.us/img218/9823/arpgt2.jpg)




I've taken my hack lab's router i.p and then on the right, all the i.p's that it associates!

Be careful with this as if you take the router, you must be able to forward ports otherwise the computers can't
communicated and then in a couple of clicks you've taken down their internet access and their network access.
It's pretty overt.

Anyway, back on topic.

Cain starts poisoning and you get something like: (http://img144.imageshack.us/my.php?image=poisonsm5.jpg) and yeah for
some reason it's overlapping. No big deal.


(IMG:http://img144.imageshack.us/img144/403/poisonsm5.jpg)


As you see it says that it's full routing. If you get half routing at first, that's normal.

Now, this is where it gets exciting!

Cain has yet another lovely feature, in which it picks up passwords from the traffic going through. So I'm going to
go to a email site and type in some made up credentials and we'll see what Cain picks up on.

So basically I created an account for this article and am going to log into that account on another computer.

(IMG:http://img72.imageshack.us/img72/2695/successpg8.jpg)



As you can see, there are two passwords that have come up! Of course the accounts aren't real but if they were I
would have full access.

This also works with FTP accounts, pop3 accounts, well just take a look in the options!

It shows how dangerous a simple attack can be. As it doesn't affect just the network, it can affect all of your
internet details too.


The Defense:
Scared? Good, Now Calm Down!

This is scary stuff. ARP Cache Poisoning is trivial to exploit yet it can result in very significant network compromise.
However, before you jump to Defcon-7, notice the major mitigating factor: only local attackers can exploit ARP's
insecurities. A hacker would need either physical access to your network, or control of a machine on your local network,
in order to deliver an ARP Cache Poisoning attack. ARP's insecurities can't be exploited remotely.

That said, hackers have been known to gain local access to networks. Good network administrators should be aware of ARP
Cache Poisoning techniques.

Since ARP Cache Poisoning results from a lack of security in a protocol that is required for TCP/IP networking to
function, you can't fix it. But you can help prevent ARP attacks using the following techniques.

For Small Networks

If you manage a small network, you might try using static IP addresses and static ARP tables. Using CLI commands, such
as "ipconfig /all" in Windows or "ifconfig" in 'NIX, you can learn the IP address and MAC
address of every device in your network. Then using the "arp -s" command, you can add static ARP entries for
all your known devices. "Static" means unchanging; this prevents hackers from adding spoofed ARP entries for
devices in your network. You can even create a login script that would add these static entries to your PCs as they
boot.

However, static ARP entries are hard to maintain; impossible in large networks. That's because every device you add
to your network has to be manually added to your ARP script or entered into each machine's ARP table. But if you
manage fewer than two dozen devices, this technique might work for you.

For Large Networks

If you manage a large network, research your network switch's "Port Security" features. One "Port
Security" feature lets you force your switch to allow only one MAC address for each physical port on the switch.
This feature prevents hackers from changing the MAC address of their machine or from trying to map more than one MAC
address to their machine. It can often help prevent ARP-based Man-in-the-Middle attacks.

For All Networks

Your best defense is understanding ARP Poisoning and monitoring for it. I'd highly recommend deploying an ARP
monitoring tool, such as ARPwatch, to alert you when unusual ARP communication occurs. This kind of vigilance is still
the greatest weapon against all kinds of attack -- for, as Robert Louis Stevenson wrote, "The cruelest lies are
often told in silence."

I'd like to thank http://www.watchguard.com/ for their defense section as I felt this was well written and it would
be redundant for me to write another section.

The introduction and the attack section was written by me.

- sas01

by r3dr0ot | 2008/02/20 18:00 | 트랙백

트랙백 주소 : http://r3dr0ot.egloos.com/tb/84611
☞ 내 이글루에 이 글과 관련된 글 쓰기 (트랙백 보내기) [도움말]
※ 로그인 사용자만 덧글을 남길 수 있습니다.

◀ 이전 페이지          다음 페이지 ▶