ARP Cache Poisoning !

Protecting your Linux box

ARP Cache Poisoning !

Postby abakali » Mon Jul 02, 2007 12:33 pm

How one bad machine on your Ethernet Local Area Network (LAN) can ruin your whole day.


Image


Notice that in this example, our gateway computer added this new entry into its ARP cache upon the receipt of an ARP Reply packet. The ARP protocol is so simple — just asking who has the IP and replying "I have the IP" — that there is no provision for any sort of security or authentication of the replying computer. In other words, any computer on the LAN could claim to have the IP in question.

The implementation of the ARP protocol is so simple and straightforward that the receipt of an ARP reply at any time, even when there are no ARP requests outstanding, causes the receiving computer to add the newly received information to its ARP cache.

Image

Consequently, if the gateway computer were to receive a SPOOFED ARP REPLY from an attacking computer claiming that it was assigned an IP that belonged to some other computer, the gateway would trustingly and blindly REPLACE its current correct entry with the maliciously misleading replacement!

If at the same time the malicious attacking computer were to send a similar ARP reply to the computer being hijacked, maliciously replacing the ARP cache entry for the gateway computer, then any subsequent traffic bound for the gateway would instead be sent to the attacking computer. If the attacker forwards any of the redirected traffic it receives onto the proper original computer — after inspecting and perhaps even modifying the data — neither of the intercepted computers will detect that all of their communications is now being relayed through an unknown and probably malicious intermediary computer.

Image

By merely injecting two ARP reply packets into a totally trusting LAN, any malicious computer is able to receive all traffic going back and forth between any two computers on the LAN such as any target machine and the LAN's gateway.

What does this mean?
ARP Reply spoofing for the purpose of ARP Cache Poisoning allows any computer on the local area network to obtain one of the most dangerous and powerful attack postures in network security: the so-called "Man In The Middle" (MITM). The man in the middle is able to monitor, filter, modify and edit any and all traffic moving between the LAN's unsuspecting and inherently trusting computers. In fact, there is nothing to prevent it from filling every computer's ARP cache with entries pointing to it, thus allowing it to effectively become a master hub for all information moving throughout the network.

Internet "switches" offer no help
As you can see from the diagram above, the use of a standard Internet switch (as compared with a hub), which prevents passive monitoring and sniffing of the LAN's traffic by isolating the traffic of each computer from all others, is of no help in the face of active ARP cache poisoning since the LAN's traffic is being actively sent to the attacking computer.


Is the threat from ARP poisoning just theoretical, or can it be easily accomplished?
The intrinsic weakness of Ethernet LAN security is well known within the hacker community and many easy-to-use "point and click" tools have been developed and are in constant use by malicious hackers. Since many of these tools have recently migrated from the less common Linux and Unix platform to the ubiquitous Windows environment, their use is rapidly becoming more widespread.

Here's text from the introductory description of a well known Windows tool set known as Cain & Abel http://www.oxid.it/index.html


Ethernet Insecurity by
Description: Leo and Steve discuss the design, operation

http://aolradio.podcast.aol.com/sn/SN-029.mp3

ARP - Q&A
http://www.geocities.com/SiliconValley/ ... k/arp.html
Asif Bakali !
Feel free to contact me (flames about my english and the useless of this driver will be redirected to /dev/null, oh no, it's full...).
abakali
Naik
 
Posts: 91
Joined: Wed Jun 01, 2005 5:38 pm

Postby Zaheer » Mon Jul 02, 2007 2:20 pm

AA,

Yes i know of a network affected by this :oops: and peoples placed some patch and setup files on their ftp so that net can run fine.
Good Judgement comes from Experience and Experience comes from bad Judgement!!
The more I know, the more I realize I don't know!?
The easiest way to find out is to try Out!!!

Registered Linux user #333501
Zaheer
Battalion Havaldaar Major
 
Posts: 284
Joined: Fri Oct 17, 2003 12:15 am
WLM: zaheermb20@hotmail.com
Yahoo Messenger: zaheermb2002@yahoo.com
Location: Karachi

Postby abakali » Mon Jul 02, 2007 3:10 pm

Zaheer wrote:AA,

Yes i know of a network affected by this :oops: and peoples placed some patch and setup files on their ftp so that net can run fine.


AOA

Their is no patch are given any O/S to fix this problem this is a tweak to manage network pcs some experts are made own utility . are your faced this problem ever ?
Asif Bakali !

Feel free to contact me (flames about my english and the useless of this driver will be redirected to /dev/null, oh no, it's full...).
abakali
Naik
 
Posts: 91
Joined: Wed Jun 01, 2005 5:38 pm

Postby Zaheer » Mon Jul 02, 2007 3:50 pm

AA,

Tell me one thing what if the client is a linux user and these patches are .exe ?
Good Judgement comes from Experience and Experience comes from bad Judgement!!

The more I know, the more I realize I don't know!?

The easiest way to find out is to try Out!!!



Registered Linux user #333501
Zaheer
Battalion Havaldaar Major
 
Posts: 284
Joined: Fri Oct 17, 2003 12:15 am
WLM: zaheermb20@hotmail.com
Yahoo Messenger: zaheermb2002@yahoo.com
Location: Karachi

Postby abakali » Mon Jul 02, 2007 3:55 pm

Zaheer wrote:AA,

Tell me one thing what if the client is a linux user and these patches are .exe ?



linux users use ifconfig program configures this tweaks !
Asif Bakali !

Feel free to contact me (flames about my english and the useless of this driver will be redirected to /dev/null, oh no, it's full...).
abakali
Naik
 
Posts: 91
Joined: Wed Jun 01, 2005 5:38 pm

Postby Zaheer » Mon Jul 02, 2007 3:57 pm

AA,

how they can configure by ifconfig ?
Good Judgement comes from Experience and Experience comes from bad Judgement!!

The more I know, the more I realize I don't know!?

The easiest way to find out is to try Out!!!



Registered Linux user #333501
Zaheer
Battalion Havaldaar Major
 
Posts: 284
Joined: Fri Oct 17, 2003 12:15 am
WLM: zaheermb20@hotmail.com
Yahoo Messenger: zaheermb2002@yahoo.com
Location: Karachi

Postby abakali » Mon Jul 02, 2007 4:26 pm

AOA

By disable dynamic listening arp broadcast packets for more information try to read ifconfig man pages
Asif Bakali !

Feel free to contact me (flames about my english and the useless of this driver will be redirected to /dev/null, oh no, it's full...).
abakali
Naik
 
Posts: 91
Joined: Wed Jun 01, 2005 5:38 pm

Manually Assigning arp entries

Postby guddibaaz » Wed Jul 11, 2007 2:35 pm

If you are using manually assingned ip addresses on your lan you can bind ipaddress to MAC addresses so there is no way of spoofed arp entries. Open /etc/ethers in vim and enter ip and mac adresses in following format

ipaddress1 mac1
ipaddress2 mac2

issue command arp -f and it will bind these mac to ips pemanently i.e until a reboot
Guddibaaz
guddibaaz
Cadet
 
Posts: 8
Joined: Mon Jul 09, 2007 2:44 pm
Website: http://eeducator.net
WLM: beauty_preacher
Yahoo Messenger: guddibaaz
Location: Rawalpindi


Return to “%s” Security

Who is online

Users browsing this forum: No registered users and 2 guests