- Oct 18, 2002
As we learned, Ethernet devices use MAC addresses to communicate. On top of this fundamental layer, other layers are used that are easier to read and understand, such as DNS names, WINS names, and IP addresses. In addition, we also learned that a MAC address to IP address table is usually stored locally on each computer. This helps speed up data transfer because the MAC address doesn't have to be verified each and every time one device wants to communicate with another device. However, this advantage has a negative side.
By storing the MAC addresses in the ARP table, a potential weakness arises. What would happen if a remote hacker could control an ARP table of a computer? They could change MAC to IP address entries, which could cause traffic to be redirected from the correct target to a target of the hacker's choice.
All MAC addresses are fictitious. They were selected to make illustration easier to understand. Do not attempt this on a network you do not OWN (and this doesn't mean illegally own).
In our example, a hacker wants to be able to intercept and sniff all data passing between computer A and the gateway. This would be one of the first choices for any hacker, due to the popularity of the Internet and the number of secure items that typically pass through a gateway. Another target would be an email server, Unix server (with TELNET), or an FTP server. Since these services typically send passwords in plain text, it would not take long before a hacker could glean a few passwords from the network.
Depending on how a hacker wanted to proceed, it is possible to attack the switch first. The reason for this is that the switch regulates the flow of data between its ports. It actively monitors the MAC address on each port, which helps it pass data only to its intended target. This is the main difference between a switch and passive hub. A passive hub has no mapping, and thus broadcasts line data to every port on the device. The data is typically rejected by all network cards, except the one it was intended for. However, in a hubbed network, sniffing data is very easy to accomplish by placing a network card into promiscuous mode. This allows that device to simply collect all the data passing through a hubbed network. While this is nice for a hacker, most networks use switches, which inherently restrict this activity.
However, the extra data management on the switch takes time and processing power. The following question then arises: What happens if the switch is asked to process a constant stream of MAC addresses? In certain circumstances and on certain switches, this will cause the switch to go into a fail-safe mode, in which it basically turns into a hub. In other words, by overloading the switch, a hacker could have access to all the data passing through the switch! One tool for doing this is called "macof", which is illustrated in Figure 3. To use "macof", you will need to install the 'dnsiff' suite of tools available at "http://monkey.org/~dugsong/dsniff/".
Figure 3 The macof tool, flooding the LAN with false MAC addresses in hopes of overloading the switch.
While this would be nice for any hacker, it doesn't usually work. Instead, a hacker needs to find a way to control the ARP tables of the Ethernet devices. To illustrate, we will walk through the spoofing of our own ARP table.
Typically, an Ethernet devices ARP table is updated when they request the MAC address of another device, or they need to communicate with another device. This is easy to duplicate by looking at a before and after shot of the ARP table of your computer, which we previously demonstrated. To see this again, click Start, Run and type "CMD" (for Windows NT/2K/XP) or "command" for all other flavors of Windows. If in *nix, you just need to open a shell.
Once the shell window opens, type "arp -a" to see the current ARP table. The following is an example:
Address HWtype HWaddress Flags Mask Iface 192.168.0.1 ether 00:10:DB:14:7B:70 C eth0
Depending on whether or not you have connected to any other Ethernet devices, you may have more or fewer entries. However, to add one, simply ping a network device that is not listed. To do this, type "ping <ip address>" in the same shell window. When at least one ping has completed, hit Control+C to stop the ping program and then type "arp -a" again. You should now see a new entry, listing the new IP address and its corresponding MAC address. The following is my new ARP table after ping IP 192.168.0.5. Note the different MAC addresses.
Address HWtype HWaddress Flags Mask Iface 192.168.0.1 ether 00:10:DB:14:7B:70 C eth0 192.168.0.5 ether 02:07:01:24:29:64 C eth0
Now that you understand how the ARP table is updated, it is time to start having some fun! The first thing we will do is prove to you that the ARP table can be 'lied' to. To illustrate, let's use the "arp" command again. This time, instead of just listing the ARP entries, we will make a manual, or static entry. In fact, we will tell our computer that the MAC address of the two computers listed in our ARP table are the same. As you know, this is theoretically impossible since the MAC address is supposed to be a globally unique number. To add this entry, use the "arp -s <IP address> <MAC address>" command. In our example, we will type "arp -s 192.168.0.1 02:07:01:24:29:64". Once this is done, we take another look at our ARP table by using the "arp" command yet again. The following is the results of our tinkering with the ARP table.
Address HWtype HWaddress Flags Mask Iface 192.168.0.1 ether 02:07:01:24:29:64 CM eth0 192.168.0.5 ether 02:07:01:24:29:64 C eth0
Do you see the problem? Note that both entries in the HWaddress field are the same! Obviously, we now have a problem. To correct this problem, you only need to use the "arp -d" command to remove all arp entries. You will WANT to do this as soon as possible because incorrect ARP entries will cause havoc for your network connectivity.
Playing with ARP tables can cause your network to stop working! Do not do this on a network you do not "own." For example, if you statically replace your gateway's IP address ARP entry with a false entry, you WILL lose Internet connectivity!
At this point, you know that the ARP table can be lied to locally; however, you can also lie to an arp table remotely! In order to do this, an Ethernet device only needs to receive a spoofed, or forged ARP reply packet. While there are many programs available online that can do this, we will demonstrate ARP spoofing using the "arpspoof" program included in dnsiff suite.
To illustrate the power of arpspoof, let's place ourselves in a hacker's shoes (though this may not be the most pleasant of places to be). The following is an illustration of a sample network that a hacker has just gained access to. In this case, they have plugged their computer into two ports off a switch and will be attempting to sniff the data traveling between 192.168.0.3 and the router (gateway) 192.168.0.1. The hacker has the IP addresses of 192.168.0.5 and 192.168.0.6. See Figure 4 to see the general layout of the network. We will also assume that 192.168.0.3, and the router have previously communicated, which means the gateway, switch, and target computer will all have ARP entries.
Figure 4 General network diagram.
Again, the first step a hacker must take is to determine what method they will take to gain access to the data. While ARP spoofing would most likely work, flooding the switch with bogus MAC addresses would take far less time. Therefore, one would assume that this method would be employed first. In other words, a security-conscious network administrator could place a warning system in place that monitored the network for the use of a program such as macof. However, since this works less often than a hacker could hope for, the next step is to play with ARP entries and intercept data flowing between the target and another device (typically the gateway).
Before attempting to try this, ensure that IP Forwarding is enabled on the "attacking" computer. Without this enabled, all traffic between target and gateway will be blocked! This is a dead giveaway that something is wrong.
To successfully intercept the data, the attacker's computer needs two network cards and an operating system that allows full control over data flow (Linux is the typical choice). This will allow the attacker to communicate with the target on one NIC and the destination point (gateway) with the other NIC. The attacking computer also needs to have IP_Forwarding enabled so that data will pass from one NIC to the other. To do this, type the following in a shell window (Linux):
echo 1 > /proc/sys/net/ipv4/ip_forward
Once complete, type "cat /proc/sys/net/ipv4/ip_forward". This should result in a reply of "1".
Computer A (192.168.0.4) wants to communicate with gateway (192.168.0.1) to access Internet.
Computer A sends out ARP request to gateway requesting MAC address.
Switch receives request (which is broadcasted) and passes this request along to every connected computer. Switch also updates its internal MAC address to port table.
Gateway receives ARP request from Computer A, and replies with MAC address.
Gateway updates internal ARP table with MAC address and IP address of Computer A.
Switch receives ARP reply to Computer A, checks its table, and finds Computer A's MAC address listed at port 1. It passes this information to port 1 and then updates MAC table with MAC address from gateway.
Computer A receives ARP information from gateway, and it updates it ARP table with this information.
Computer A sends information out to gateway using updated MAC address information, and communication channel is established.
At this point, the hacker needs to quickly trick both the gateway and the target computer into passing all information to him. This is handled by opening two shells and executing arpspoof twice (once to trick the target into thinking the hacker's computer has the MAC address of the gateway, and the other into convincing the gateway that the hacker's computer has the MAC address of the target). In other words, the hacker wants to turn his computer into a router, which means all data traveling between the target and the gateway has to first pass through the hacker's computer. Figure 5 illustrates the data flow once this has been accomplished.
Figure 5 Data flow using ARP spoofing techniques.
At this point, the hacker owns the data. He can capture it, monitor it, change it, and even perform advanced trickssuch as controlling SSL connections to "secure" sites. However, there are ways to detect ARP spoofing.