ARP Cache Poisoning !

Protecting your Linux box
abakali
Naik
Posts: 91
Joined: Wed Jun 01, 2005 5:38 pm

ARP Cache Poisoning !

Postby abakali » Mon Jul 02, 2007 12:33 pm

How one bad machine on your Ethernet Local Area Network (LAN) can ruin your whole day.


[Image: diagram]


Notice that in this example, our gateway computer added this new entry into its ARP cache upon the receipt of an ARP Reply packet. The ARP protocol is so simple — just asking who has the IP and replying "I have the IP" — that there is no provision for any sort of security or authentication of the replying computer. In other words, any computer on the LAN could claim to have the IP in question.

The implementation of the ARP protocol is so simple and straightforward that the receipt of an ARP reply at any time, even when there are no ARP requests outstanding, causes the receiving computer to add the newly received information to its ARP cache.

[Image: diagram]

Consequently, if the gateway computer were to receive a SPOOFED ARP REPLY from an attacking computer claiming that it was assigned an IP that belonged to some other computer, the gateway would trustingly and blindly REPLACE its current correct entry with the maliciously misleading replacement!

If at the same time the malicious attacking computer were to send a similar ARP reply to the computer being hijacked, maliciously replacing the ARP cache entry for the gateway computer, then any subsequent traffic bound for the gateway would instead be sent to the attacking computer. If the attacker forwards any of the redirected traffic it receives onto the proper original computer — after inspecting and perhaps even modifying the data — neither of the intercepted computers will detect that all of their communications are now being relayed through an unknown and probably malicious intermediary computer.

[Image: diagram]

By merely injecting two ARP reply packets into a totally trusting LAN, any malicious computer is able to receive all traffic going back and forth between any two computers on the LAN such as any target machine and the LAN's gateway.

What does this mean?
ARP Reply spoofing for the purpose of ARP Cache Poisoning allows any computer on the local area network to obtain one of the most dangerous and powerful attack postures in network security: the so-called "Man In The Middle" (MITM). The man in the middle is able to monitor, filter, modify and edit any and all traffic moving between the LAN's unsuspecting and inherently trusting computers. In fact, there is nothing to prevent it from filling every computer's ARP cache with entries pointing to it, thus allowing it to effectively become a master hub for all information moving throughout the network.

Internet "switches" offer no help
As you can see from the diagram above, the use of a standard Internet switch (as compared with a hub), which prevents passive monitoring and sniffing of the LAN's traffic by isolating the traffic of each computer from all others, is of no help in the face of active ARP cache poisoning since the LAN's traffic is being actively sent to the attacking computer.


Is the threat from ARP poisoning just theoretical, or can it be easily accomplished?
The intrinsic weakness of Ethernet LAN security is well known within the hacker community, and many easy-to-use "point and click" tools have been developed and are in constant use by malicious hackers. Since many of these tools have recently migrated from the less common Linux and Unix platforms to the ubiquitous Windows environment, their use is rapidly becoming more widespread.

Here's text from the introductory description of a well known Windows tool set known as Cain & Abel http://www.oxid.it/index.html


Ethernet Insecurity by
Description: Leo and Steve discuss the design, operation

http://aolradio.podcast.aol.com/sn/SN-029.mp3

ARP - Q&A
http://www.geocities.com/SiliconValley/ ... k/arp.html
Asif Bakali !
Feel free to contact me (flames about my english and the useless of this driver will be redirected to /dev/null, oh no, it's full...).
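The post describes two properties that poisoning relies on: a host accepts an ARP reply it never asked for, and it overwrites an existing cache entry without question. The following is an added example, not code from the original post or from any tool it mentions: a small Python ARP-frame parser plus a monitor that mirrors the naive cache behaviour described above while flagging exactly those two conditions (unsolicited replies and changed IP-to-MAC bindings), in the spirit of what arpwatch does. All addresses, MACs and frames are constructed test fixtures, not captured traffic.

```python
"""ARP cache monitor (added example): parse Ethernet/ARP frames and flag the
conditions that ARP cache poisoning depends on."""
import struct
from dataclasses import dataclass
from typing import Optional

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


@dataclass
class ArpFrame:
    opcode: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def _ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def parse_arp(frame: bytes) -> Optional[ArpFrame]:
    """Return the ARP fields of an Ethernet frame, or None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42:
        return None
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return ArpFrame(opcode, _mac(frame[22:28]), _ip(frame[28:32]),
                    _mac(frame[32:38]), _ip(frame[38:42]))


class ArpMonitor:
    """Keeps the same IP->MAC table a trusting host would keep (replies are always
    accepted, as the post describes), but records why each reply looked suspicious."""

    def __init__(self) -> None:
        self.cache: dict[str, str] = {}   # ip -> mac, updated exactly like a naive host
        self.pending: set[str] = set()    # ips for which a request was seen on the wire
        self.alerts: list[str] = []

    def observe(self, frame: bytes) -> Optional[str]:
        arp = parse_arp(frame)
        if arp is None:
            return None
        if arp.opcode == ARP_REQUEST:
            self.pending.add(arp.target_ip)
            return None
        if arp.opcode != ARP_REPLY:
            return None
        ip, mac = arp.sender_ip, arp.sender_mac
        reasons = []
        if ip not in self.pending:
            reasons.append(f"unsolicited reply: {ip} is-at {mac}")
        old = self.cache.get(ip)
        if old is not None and old != mac:
            reasons.append(f"binding changed: {ip} was {old}, reply claims {mac}")
        self.pending.discard(ip)
        self.cache[ip] = mac              # naive behaviour: the reply is trusted regardless
        alert = "; ".join(reasons) if reasons else None
        if alert:
            self.alerts.append(alert)
        return alert


def build_arp(opcode: int, sender_mac: str, sender_ip: str,
              target_mac: str, target_ip: str) -> bytes:
    """Constructed test frame (not captured traffic): 14-byte Ethernet header + 28-byte ARP."""
    mac = lambda s: bytes(int(x, 16) for x in s.split(":"))
    ip = lambda s: bytes(int(x) for x in s.split("."))
    dst = mac(target_mac) if opcode == ARP_REPLY else b"\xff" * 6
    eth = dst + mac(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)
           + mac(sender_mac) + ip(sender_ip) + mac(target_mac) + ip(target_ip))
    return eth + arp


# Constructed addresses for the walk-through (hypothetical LAN).
GATEWAY_IP, GATEWAY_MAC = "192.168.1.1", "00:11:22:33:44:01"
HOST_IP, HOST_MAC = "192.168.1.10", "00:11:22:33:44:0a"
OTHER_MAC = "00:11:22:33:44:ff"


def run_demo() -> ArpMonitor:
    """Replay a legitimate request/reply, then a reply from a different MAC for the same IP."""
    mon = ArpMonitor()
    mon.observe(build_arp(ARP_REQUEST, GATEWAY_MAC, GATEWAY_IP, "00:00:00:00:00:00", HOST_IP))
    mon.observe(build_arp(ARP_REPLY, HOST_MAC, HOST_IP, GATEWAY_MAC, GATEWAY_IP))   # legitimate
    mon.observe(build_arp(ARP_REPLY, OTHER_MAC, HOST_IP, GATEWAY_MAC, GATEWAY_IP))  # never requested
    return mon


if __name__ == "__main__":
    m = run_demo()
    print("cache now:", m.cache)
    for a in m.alerts:
        print("ALERT:", a)
```

Running it shows the naive table ending up with the second MAC for 192.168.1.10, exactly as the post describes, while the monitor raises a single alert citing both reasons. On a real LAN the frames would come from a raw socket or a pcap reader rather than `build_arp`, and the alert would feed a log or SIEM; the cache-mirroring logic is unchanged.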

Zaheer
Battalion Havaldaar Major
Posts: 284
Joined: Fri Oct 17, 2003 12:15 am
Location: Karachi
Contact:

Postby Zaheer » Mon Jul 02, 2007 2:20 pm

AA,

Yes, I know of a network affected by this :oops: and people placed some patch and setup files on their FTP so that the net can run fine.
Good Judgement comes from Experience and Experience comes from bad Judgement!!
The more I know, the more I realize I don't know!?
The easiest way to find out is to try Out!!!

Registered Linux user #333501

abakali

Postby abakali » Mon Jul 02, 2007 3:10 pm

Zaheer

Postby Zaheer » Mon Jul 02, 2007 3:50 pm

abakali

Postby abakali » Mon Jul 02, 2007 3:55 pm

Zaheer

Postby Zaheer » Mon Jul 02, 2007 3:57 pm

abakali

Postby abakali » Mon Jul 02, 2007 4:26 pm

guddibaaz
Cadet
Posts: 8
Joined: Mon Jul 09, 2007 2:44 pm
Location: Rawalpindi
Contact:

Manually assigning ARP entries

Postby guddibaaz » Wed Jul 11, 2007 2:35 pm

Guddibaaz

