Albert-Ludwigs-University of Freiburg, Department of Computer Science
Internetworking Seminar on ARP Spoofing
Presented by: Mahesh Visvanathan, Ramya Ramakrishnan
Contents:
1. Introduction to ARP Spoofing ... 3
2. ARP Operations ... 5
3. ARP Network Structure ... 6
4. Vulnerabilities ... 7
5. ARP Attacks ... 7
   5.1 Man in the Middle Attacks ... 8
   5.2 Denial of Service ... 9
   5.3 Hijacking ... 10
6. Detection ... 11
7. Tools and Utilities ... 12
   7.1 Dsniff ... 12
   7.2 Hunt ... 12
8. Countermeasures ... 13
9. Experiments ... 14
10. References ... 18
Abstract:
This paper deals with ARP spoofing and the methods of exploiting the interaction between IP and Ethernet. We also cover the different aspects of ARP spoofing: the network structure it relies on, the operating systems that are affected, the kinds of attack that can occur, and the countermeasures that protect against them, illustrated by a practical setup.
Introduction: Consider a computer connected to an IP/Ethernet LAN. It has two addresses. The first is the address of the network card, called the MAC address. The MAC is a globally unique and unchangeable address which is stored on the network card itself. This address is needed so that the Ethernet protocol can send data back and forth regardless of which application runs on top. Ethernet builds "frames" of data consisting of 1500-byte blocks. Each frame has an Ethernet header containing the MAC addresses of the source and the destination computer. The second address is the IP address. IP is a protocol used by applications, independent of whatever network technology operates underneath it. Each computer on a network must have a unique IP address to communicate. IP addresses are virtual and are assigned via software. IP and Ethernet must work together. IP communicates by constructing "packets", which are similar to frames but have a different structure. The packets are delivered by Ethernet, which splits the packets into frames, adds an Ethernet header for delivery, and sends them down the cable to the switch. The switch then decides which port to send the frame to by comparing the destination address of the frame to an internal table which maps MAC addresses to ports.
[Figure: ARP message format / ARP data unit]
Hence, when an Ethernet frame is constructed, it must be built from an IP packet. However, at the time of construction Ethernet has no idea what the MAC address of the destination machine is, which it needs to create the Ethernet header. The only information available is the destination machine's IP address from the packet header. There must be a way for the Ethernet protocol to find the MAC address of the destination machine given a destination IP. This is where the ARP protocol comes in.
ARP is a helper protocol that makes networking a little easier, more efficient and more reliable. Both IP addresses and MAC addresses play an important part in networking. Not only does the use of IP addresses provide a method for keeping internal networks separate from external networks, but IP addresses can also help to logically segment one network from another.
ARP operations: ARP operates by sending out "ARP request" packets. The ARP request is broadcast over the network with the question "Is your IP address x.x.x.x? If so, send your MAC address back to me." The request is broadcast to all computers on the LAN (also on a switched network). Each computer examines the ARP request, checks whether it is currently assigned the specified IP, and if so sends an ARP reply containing its MAC address. To minimize the number of ARP packets being broadcast, operating systems keep a cache of ARP replies. When a computer receives an ARP reply, it updates its ARP cache with the new IP/MAC association. As ARP is a stateless protocol, most operating systems will update their cache if a reply is received, regardless of whether they have sent out an actual request.

[Figure: ARP request message (broadcast). Source: S_IP 132.230.4.47, S_MAC 00:10:DC:6B:D6:AA. Destination: D_IP 132.230.4.49, D_MAC ??? (unknown). The destination host itself has S_IP 132.230.4.49, S_MAC 00:02:B3:87:53:43.]

[Figure: ARP request / ARP reply.
ARP Request (broadcast): S_IP 132.230.4.47, S_MAC 00:10:DC:6B:D6:AA, D_IP 132.230.4.49, D_MAC 00:02:B3:87:53:43
ARP Reply (unicast): S_IP 132.230.4.49, S_MAC 00:02:B3:87:53:43, D_IP 132.230.4.47, D_MAC 00:10:DC:6B:D6:AA]
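As an added example (not part of the original paper), the request/reply exchange from the figures encoded and decoded in Python following the RFC 826 field layout. The addresses are those of the figures; the all-zero target MAC in the request and the "answer only if the request names my IP" responder rule are standard ARP behaviour, not details taken from the paper.

```python
import struct

# Protocol constants from RFC 826 / IANA (not taken from the paper).
HTYPE_ETHERNET = 1
PTYPE_IPV4 = 0x0800
OP_REQUEST, OP_REPLY = 1, 2
ZERO_MAC = "00:00:00:00:00:00"   # target MAC of a request: not yet known


def mac_to_bytes(mac):
    return bytes(int(octet, 16) for octet in mac.split(":"))


def ip_to_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))


def build_arp(opcode, sender_mac, sender_ip, target_mac, target_ip):
    """Serialise the 28-byte ARP payload that follows the Ethernet header."""
    header = struct.pack("!HHBBH", HTYPE_ETHERNET, PTYPE_IPV4, 6, 4, opcode)
    return (header + mac_to_bytes(sender_mac) + ip_to_bytes(sender_ip)
            + mac_to_bytes(target_mac) + ip_to_bytes(target_ip))


def parse_arp(payload):
    """Decode an Ethernet/IPv4 ARP payload into a dict; reject anything else."""
    if len(payload) < 28:
        raise ValueError("truncated ARP payload")
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", payload[:8])
    if (htype, ptype, hlen, plen) != (HTYPE_ETHERNET, PTYPE_IPV4, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP message")
    if opcode not in (OP_REQUEST, OP_REPLY):
        raise ValueError("unknown ARP opcode %d" % opcode)
    body = payload[8:28]
    return {
        "opcode": opcode,
        "sender_mac": ":".join("%02x" % b for b in body[0:6]),
        "sender_ip": ".".join(str(b) for b in body[6:10]),
        "target_mac": ":".join("%02x" % b for b in body[10:16]),
        "target_ip": ".".join(str(b) for b in body[16:20]),
    }


def answer_request(payload, my_ip, my_mac):
    """What a well-behaved host does: reply only if the request asks for its IP."""
    msg = parse_arp(payload)
    if msg["opcode"] != OP_REQUEST or msg["target_ip"] != my_ip:
        return None
    # The reply is unicast back to the asker's MAC/IP, carrying our own pair.
    return build_arp(OP_REPLY, my_mac, my_ip, msg["sender_mac"], msg["sender_ip"])


# The exchange from the figures: 132.230.4.47 asks who has 132.230.4.49.
REQUEST = build_arp(OP_REQUEST, "00:10:dc:6b:d6:aa", "132.230.4.47",
                    ZERO_MAC, "132.230.4.49")
REPLY = answer_request(REQUEST, "132.230.4.49", "00:02:b3:87:53:43")

if __name__ == "__main__":
    print(parse_arp(REQUEST))
    print(parse_arp(REPLY))
```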
What does ARP spoofing exactly mean? ARP spoofing involves constructing forged ARP request and reply packets. By sending forged ARP replies, a target computer can be convinced to send frames destined for computer A to computer B instead. When done properly, computer A has no idea that this redirection took place. The process of updating a target computer's ARP cache with a forged entry is referred to as "ARP poisoning".
To illustrate the power of ARP spoofing, let us place ourselves in a hacker's shoes. The following is an illustration of a sample network that a hacker has just gained access to. In this case, they have plugged their computer into two ports of a switch and will attempt to sniff the data traveling from one computer to another through a gateway. The hacker has the IP addresses of both computers A and B. We also assume that the routers have previously communicated, which means the gateway, switch and target computer will all have ARP entries.
ARP Network Structure: Hence, the first step a hacker must take is to determine which method they will use to gain access to the destination. While ARP spoofing would most likely work, flooding the switch with bogus MAC addresses is the other option. If we want to monitor the flow of data in a switched network, it proceeds as shown in the following diagram.

[Figure: Network structure used in ARP spoofing]

[Figure: Data flow using ARP spoofing]
ARP Vulnerabilities: A vulnerability exists in ARP because any system can spoof a reply to an ARP request, and the receiving system will cache the reply, overwriting the existing entry or adding an entry if none exists.

The operating systems vulnerable to ARP spoofing are:
- Windows 95/98/2000
- Windows NT / XP
- AIX 4.3
- Linux
- Netgear
- Cisco IOS 11.1

The OS that protects against ARP spoofing is:
- Sun Solaris systems

Solaris appears to restrict cache poisoning, which makes it much less vulnerable.
ARP Attacks: The attacks are classified into the following types:
1. Man in the Middle (MiM)
2. Denial of Service (DoS)
3. Hijacking
4. Cloning
5. Sniffing
Man in the Middle: A "man in the middle" attack is performed when a malicious user inserts his computer into the communication path between two target computers. The malicious computer forwards frames between the two computers, so communications are not interrupted. The attack proceeds as follows (Joker is the attacking computer, Batman and Robin are the targets):
- Joker poisons the ARP caches of Batman and Robin.
- Batman associates Robin's IP with Joker's MAC.
- Robin associates Batman's IP with Joker's MAC.
- All of Batman's and Robin's IP traffic then goes to Joker first, instead of directly to each other.
[Figure: MiM attack. 1) ARP attack on Robin (132.230.4.44); 2) ARP attack on Batman (132.230.4.49); 3) Joker (132.230.4.46) routes the Robin/Batman traffic. Gateway: Batman Cave GW 132.230.4.254.]
This is extremely potent when we consider that not only computers can be poisoned, but routers/gateways as well. All Internet traffic for a host could be intercepted with this method by performing a MiM between a target computer and the LAN's router.
Denial of Service: Updating an ARP cache with non-existent MAC addresses causes frames to be dropped, i.e. because of the limited size of the ARP cache. Such updates could be sent out in a sweeping fashion to all clients on the network in order to cause a denial of service. This is also a side effect after a MiM attack, since the targeted computers continue to send frames to the attacker's MAC address even after the attacker has removed themselves from the communication path. To perform a clean MiM attack, the attacking computer would have to restore the original ARP entries on the target computers.

[Figure: DoS attack. 1) ARP attack on Robin (132.230.4.44); 2) ARP attack on Batman (132.230.4.49); 3) ARP attack on Batman Cave GW (132.230.4.254); frames are dropped. Attacker: Joker (132.230.4.46).]
Hijacking: Connection hijacking allows an attacker to take control of a connection between two computers using methods similar to the MiM attack. Any type of session can be taken over in this way. For example, an attacker could take control of a telnet session after a target computer has logged in to a remote computer as an administrator.
Cloning: MAC addresses were intended to be a globally unique identifier for each network interface produced. They were to be burned into the ROM of each interface and never changed, but the MAC address can be changed through software programs that are available; changing it by hardware means takes considerably more time and work. Linux users can even change their MAC without spoofing software, using a single parameter to "ifconfig", the interface configuration program of the OS. An attacker could DoS a target computer and then assign themselves the IP and MAC of the target computer, receiving all frames intended for it.
Sniffing: Switches determine which frames go to which ports by comparing the destination MAC of the frame against a table. This table contains a list of ports and the attached MAC addresses. The table is built when the switch is powered on, by examining the source MAC of the first frame transmitted on each port. Network cards can enter a state called "promiscuous mode" in which they are allowed to examine frames destined for MAC addresses other than their own.
ARP Spoofing Detection: While stopping ARP attacks is impossible due to the inherent part ARP plays in data transfer, spoofed ARP requests are very easy to detect. Although there are many tools and programs available that attempt to warn administrators of ARP attacks, they all basically work the same way. One program that does this is arpwatch. This program monitors all ARP/IP address pairings and alerts its user when changes occur. It does this by listening on the network, much like a sniffer, and comparing all captured replies against a database. Other programs take a snapshot of all related IP/MAC addresses and periodically request updates from networked computers. However, these methods often result in numerous false alarms on DHCP networks, which assign IP addresses dynamically. The only real solution for minimizing the impact of ARP attacks is to encrypt all data passing over the network. Although this is a possibility, it is not commonly employed due to the processing overhead and the complexity of setup; it does not change ARP itself, it only makes the redirected traffic unreadable.
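The arpwatch-style monitoring described above, written out in Python as an added example (not from the paper or from arpwatch). It replays a constructed sequence of observed ARP replies following the MiM figure (Batman .49, Robin .44, Joker .46; the MAC addresses are made up) and reports new stations and flip-flops; the extra "one MAC answers for several IPs" heuristic is this example's own addition to separate the MiM pattern from a DHCP lease change.

```python
# Constructed sample of ARP replies seen on the wire: (seconds, sender IP,
# sender MAC). IPs follow the paper's MiM figure; MACs are invented here.
BATMAN_MAC = "00:10:dc:6b:d6:aa"
ROBIN_MAC = "00:02:b3:87:53:43"
JOKER_MAC = "00:0c:29:aa:bb:cc"

OBSERVED_REPLIES = [
    (0, "132.230.4.49", BATMAN_MAC),    # normal traffic: stations get learned
    (1, "132.230.4.44", ROBIN_MAC),
    (2, "132.230.4.46", JOKER_MAC),
    (60, "132.230.4.44", JOKER_MAC),    # Robin's IP now answered by Joker's MAC
    (61, "132.230.4.49", JOKER_MAC),    # Batman's IP too: both sides poisoned
    (120, "132.230.4.44", ROBIN_MAC),   # Robin's genuine reply: flip-flop back
]


class ArpWatcher:
    """arpwatch-style monitor: learns IP->MAC pairs and reports changes."""

    def __init__(self):
        self.table = {}      # ip -> mac currently believed to own it
        self.alerts = []     # (time, kind, key, detail)

    def observe(self, ts, ip, mac):
        mac = mac.lower()
        old = self.table.get(ip)
        if old == mac:
            return                                    # nothing new to report
        if old is None:
            self.alerts.append((ts, "new station", ip, mac))
        else:
            self.alerts.append((ts, "flip flop", ip, f"{old} -> {mac}"))
        self.table[ip] = mac
        # Heuristic added in this example: one MAC currently claiming several
        # IPs is the MiM signature from the paper (Joker answers for Batman and
        # Robin). A DHCP lease change moves a MAC to a new IP; it does not
        # normally leave the MAC answering for two IPs at the same time.
        claimed = sorted(i for i, m in self.table.items() if m == mac)
        if len(claimed) >= 2:
            self.alerts.append((ts, "one MAC for several IPs", mac, claimed))


def run_watch(replies):
    """Feed a list of (time, ip, mac) observations; return the alert list."""
    watcher = ArpWatcher()
    for ts, ip, mac in replies:
        watcher.observe(ts, ip, mac)
    return watcher.alerts


if __name__ == "__main__":
    for alert in run_watch(OBSERVED_REPLIES):
        print(alert)
```

On the sample above the poisoning of Robin's and Batman's entries produces two flip-flops plus two "several IPs" alerts naming Joker's MAC; Robin's later genuine reply shows up as a third flip-flop, which is the noise the paper attributes to DHCP-style changes.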
ARP Tools and Utilities: Several tools that can be used for performing ARP spoofing are available on the Internet.

They are as follows:

Dsniff: dsniff is a collection of tools for network auditing and penetration testing. dsniff, filesnarf, mailsnarf, msgsnarf, urlsnarf, and webspy passively monitor a network for interesting data (passwords, e-mail, files, etc.). arpspoof, dnsspoof, and macof facilitate the interception of network traffic normally unavailable to an attacker (e.g., due to layer-2 switching). sshmitm and webmitm implement active monkey-in-the-middle attacks against redirected SSH and HTTPS sessions by exploiting weak bindings in ad-hoc PKI.

Hunt: Hunt is a program for intruding into a connection, watching it and resetting it. It was inspired by products like Juggernaut or T-sight but has several features which cannot be found in these products. Note that Hunt operates on Ethernet and is best used for connections which can be watched through it. However, it is possible to do something even for hosts on another segment. Hunt doesn't distinguish between local network connections and connections going to/from the Internet; it can handle all connections it sees. Connection hijacking is aimed primarily at telnet traffic, but it can be used for other traffic too. The reset and ARP watching features are common to all connections.
ARPoison is a command-line tool for UNIX which creates spoofed ARP replies. Users can specify the source and destination IP/MAC addresses.
Ettercap is a powerful UNIX program employing a text-mode GUI, easy enough to be used by "script kiddies". All operations are automated, and the target computers are chosen from a scrollable list of hosts detected on the LAN. Ettercap can perform four methods of sniffing: IP, MAC, ARP, and Public ARP. It also automates the following procedures:
- Injecting characters into connections
- Sniffing encrypted SSH sessions
- Password collection
- OS fingerprinting
- Connection killing
Parasite is a daemon which watches a LAN for ARP requests and automatically sends spoofed ARP replies. This places the attacking computer as the MiM for any computer that broadcasts an ARP request. Eventually this results in a LAN-wide MiM attack, and all data on the switch can be sniffed. Parasite does not clean up properly when stopped. This results in a DoS of all poisoned computers, because their ARP caches point to a MAC address that is no longer forwarding their frames. The poisoned ARP entries must expire before normal operation can resume.
Countermeasures: There is no universal defense against ARP spoofing. The one possible defense is the use of static (non-changing) ARP entries. Since static entries cannot be updated, spoofed ARP replies are ignored. To prevent spoofing, the ARP tables would have to have a static entry for each machine on the network. The overhead of deploying these tables, as well as keeping them up to date, is not practical for most LANs. Also of note is the behavior of static entries under Windows. Tests found that Windows still accepts spoofed ARP replies and uses the dynamic entries instead of the static ones, nullifying any effect of static entries under Windows (9x, NT, 2000; XP excepted).

MAC cloning can be prevented by a feature found on high-end switches called Port Security (also known as Port Binding or MAC Binding). Port Security prevents changes to the MAC tables of a switch unless they are performed manually by a network admin. It is not suitable for large networks or networks using DHCP. Port Security does not prevent ARP spoofing.

Aside from these two methods, the only remaining defense is detection. Arpwatch is a free UNIX program which listens for ARP replies on a network. It builds a table of IP/MAC associations and stores them in a file. When the MAC address associated with an IP changes (referred to as a flip-flop), an email is sent to an administrator. Tests showed that running Parasite on a network caused a flood of flip-flops, leaving the MAC of the attacker present in Arpwatch's emails. Ettercap caused several flip-flops, but would be difficult to detect on a DHCP-enabled network, where flip-flops occur at regular intervals.

MAC cloning can be detected using RARP (Reverse ARP). RARP requests the IP address of a known MAC address. Sending a RARP request for every MAC address on the network can reveal whether any computer is performing cloning: multiple replies for a single MAC address give it away. If a MAC flood is performed and the switch reverts to broadcast mode, a computer has to enter promiscuous mode to examine the broadcast frames. Many methods exist for detecting machines in promiscuous mode; they can be found in the Sniffing FAQ at http://www.robertgraham.com/pubs/sniffingfaq.html. Note that ARP spoofing can be performed without being in promiscuous mode, since the redirected frames are addressed to the attacker's own MAC.

It is important to remember that operating systems have their own TCP/IP stacks and Ethernet cards have their own drivers, each with their own quirks. Even different versions of the same operating system vary in behavior. Solaris is unique in its treatment of ARP replies: it only accepts ARP updates after a timeout period. To poison the cache of a Solaris box, an attacker would have to DoS the second target machine in order to avoid a race condition after the timeout period. Such a DoS may be detected if the network has an Intrusion Detection System in place.

The network can also be protected against spoofing and sniffing attacks with firewalls, but most personal firewalls are not capable of defending against or correctly identifying attacks below the IP level. In a UNIX environment ipfw and ipf (IP Filter), and under Windows Network Ice / Black Ice, provide sufficient protection against these spoofing attacks.

Another form of defense is encryption. Encryption is an effective way to defend against dsniff and other sniffers: it scrambles the network traffic and gives obvious benefits in defending against sniffers.
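The three cache behaviours this section contrasts (accept every reply as most systems do, static entries, and the Solaris-style timeout), modelled in Python as an added example that is not from the paper. The policy names, the 300-second default and the forged MAC are this example's assumptions; Robin's IP and MAC come from the paper's figures.

```python
# Robin (.44) is the legitimate host; the forged reply carries an invented MAC.
ROBIN_IP, ROBIN_MAC = "132.230.4.44", "00:02:b3:87:53:43"
FORGED_MAC = "00:0c:29:aa:bb:cc"   # constructed attacker MAC


class ArpCache:
    """ARP cache whose update rule is chosen by `policy`:
    'stateless' - accept every reply (behaviour the paper attributes to most OSes)
    'static'    - entries marked static are never overwritten
    'timeout'   - an existing entry is replaced only once it is `timeout`
                  seconds old (the paper's description of Solaris)
    """

    def __init__(self, policy, timeout=300):
        self.policy = policy
        self.timeout = timeout
        self.entries = {}   # ip -> (mac, time_set, is_static)

    def add_static(self, ip, mac):
        self.entries[ip] = (mac, 0, True)

    def on_reply(self, now, ip, mac):
        """Apply one received ARP reply; return True if the cache changed."""
        current = self.entries.get(ip)
        if current is None:
            self.entries[ip] = (mac, now, False)      # unknown IP: learn it
            return True
        old_mac, set_at, is_static = current
        if self.policy == "static" and is_static:
            return False                               # static entries are final
        if self.policy == "timeout" and now - set_at < self.timeout:
            return False                               # entry still fresh: ignore
        if old_mac == mac:
            return False
        self.entries[ip] = (mac, now, False)
        return True

    def lookup(self, ip):
        return self.entries[ip][0]


def poisoning_outcome(policy, forged_at, timeout=300):
    """Legitimate reply at t=0, forged reply at `forged_at`; return the MAC
    the cache would now use for Robin's IP."""
    cache = ArpCache(policy, timeout)
    if policy == "static":
        cache.add_static(ROBIN_IP, ROBIN_MAC)
    else:
        cache.on_reply(0, ROBIN_IP, ROBIN_MAC)
    cache.on_reply(forged_at, ROBIN_IP, FORGED_MAC)
    return cache.lookup(ROBIN_IP)


if __name__ == "__main__":
    for policy in ("stateless", "static", "timeout"):
        print(policy, poisoning_outcome(policy, 5), poisoning_outcome(policy, 300))
```

The timeout policy only narrows the window: the forged reply is rejected at t=5 but accepted at t=300, which is why the paper says an attacker must also knock out the real host to win the race after the timeout.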
If communication between host systems is encrypted at the network layer, there is little chance for programs such as dsniff to gather useful information from the network, since the attacker will not know which packets contain authentication information and which do not. The security of the network against sniffer attacks is proportional to the strength of the encryption used.

Several other tools are able to detect systems that are in promiscuous mode. They are:
- Anti-sniff
- snifftest
- Promisc
Experiments:

[Figure: A simple ARP table]

Man in the middle attack: Target 132.230.4.49, Attacker 132.230.4.46, Gateway 132.230.4.254

[Figure: ARP spoofing using the arpspoof command from the dsniff package]

[Figure: Ethereal capture of packets on the attacker machine]

[Figure: Ethereal capture of packets on the target machine]
References:
- Dug Song, Dsniff 2.3, http://www.monkey.org/~dugsong/dsniff
- Sean Whalen, "An Introduction to ARP Spoofing", April 2001.
- The Ingredients to ARP Poison, http://www.informit.com
- Frederic Raynal, "ARP Attacks: arp-sk in action", http://media.frnog.org/FRnOG_1/FRnOG_1-2.en.pdf
- ARP Vulnerabilities, MISC (French security magazine), http://www.miscmag.com
- Mike Beekey, "ARP vulnerabilities and attacks", www.blackhat.com/presentations/bh-usa-01/MikeBeekey/bh-usa-01-MikeBeekey.ppt
- Legions of the Underground issue, http://www.legions.org/kv/kv7.txt
- Measures to prevent security attacks in TCP/IP (Internet Draft), http://www.ietf.org/internet-drafts/drafts-dattathrani-tcp-ip-security01.htm
- R. Stevens, TCP/IP Illustrated, Vol. 1