Arp spoofing (arp picture book 7 from visual land animations)

3. Brief ： ARP spoofing Animation Link 05/16/11 www.visualland.net Goal. Visualize how hackers exploit ARP's weakness to fool hosts and steal data with fake ARP reply. Topology: 3 hosts H1, H2, H3, are connected by a switch S1. H3 is the hacker. Steps: 1) When H1 sends ARP request to find H2's MAC, S1 floods the ARP frame. H3 learns H1's MAC. 2) H2 receives ping and can't echo H1. It sends ARP request to find H1's MAC. S1 floods it. Hacker is able to learn H2's MAC. 3) H3 pretends as H1 and sends a fake ARP reply to H2. H2 update ARP cache with the new "H1" MAC. 4) H1 ping H2. H2 sends echo. Switch forwards echo to H3, not H1.

5. H2, Hacker learn H1’s MAC 05/16/11 www.visualland.net - H2 receives ARP request, checks its sender/target's ip/mac, adds H1's MAC to ARP cache, and sends an ARP reply back tyo H1. - H3 (Attacker) receives ARP request, reads protocol's sender ip/mac, and adds H1's MAC to its ARP cache. H3 is a hacker. It ignores the target. It interests in finding sender's address. This is a side effect of broadcasting and flooding: everyone can receive it.

6. H1 ping H2 05/16/11 www.visualland.net When receiving ARP Reply, H1 updates ARP cache, changes (IP.H2, Incomplete) to (IP.H2, MAC.H2) Then H1 ping H2 again. S1 forwards ping to H2, no flooding this time.

7. H2 can’t echo: ARP Request 05/16/11 www.visualland.net H2 receives ping but can't send echo back. Echo fails due to an ARP miss. H2's ARP cache does not contain H1's MAC. So H2 sends an ARP request.

8. Hacker learns H2 MAC 05/16/11 www.visualland.net - S1 receives ARP request and floods it to H1, H3. - When H1 receives ARP request, it sends ARP reply back to H2 to tell its MAC. - When H3 receives H2's ARP request, it steals H2's MAC and stores it in ARP cache. Now H3 has both H1 and H2's MACs. It is ready to act now.

9. Hacker sends ARP Reply to H2 05/16/11 www.visualland.net While H1 is sending ARP reply to H1, hacker (H3) starts to attack. H3 sends an ARP reply to H2 with fake IDs: ARP's sender ip = H1's IP, sender mac = H3's MAC. His goal is to fool H2. It wants H2 to think that H1 has changed its MAC address and the new MAC is H3's MAC. Click ARP Reply to see fake ID in protcol header..

10. H2 is fooled by Attacker 05/16/11 www.visualland.net H2 receives two ARP Replies. - The first one is from H1. H2 adds a new entry (IP.H1, MAC.H1) to its ARP cache. - The second ARP reply is from H3. H2 changes H1's ARP cache entry from (IP.H1, MAC.H1) to (IP,H1, MAC.Attacker). Now H2 thinks H1's MAC is MAC.Attacker. it is being fooled. But H2 does not know.

11. H1 ping H2 05/16/11 www.visualland.net Now H1 ping H2 again. It is switched by S1 to H2.

12. H2 echo H1. But received by H3 05/16/11 www.visualland.net When H2 receives ping, it responds an echo. H2 encapsulates echo's Link header destination addresses with (IP.H1, MAC.Attacker). When S1 receives echo, it uses echo's destination MAC (MAC.Attacker) to lookup MAC table and forwards echo to F0/3. As a result, H3 (the Attacker) has receives the echo, not H1. Note: This tutorial show how ARP spoofing works. Hackers can do many harmful things. E.g., alter data and retransmit packets to target, store data and use it for illegal actions.

13.

14.

Editor's Notes

1. What is ARP Spoofing? Answer: An attacker node sends ARP Reply to a victim with a fake identity and corrupts the victim’s ARP cache. Next time, when the victim wants to send data to other nodes, packets are received by the attacker mode. It can then copy or modify data and forward packet to the target nodes. 2. How does ARP Spoofing work? Answer: It takes several steps. The key is attacker sending an ARP Reply with fake identity. 1) In a 3-node LAN, node A wants to send packets to node B, but does not know B’s MAC. A sends a broadcast ARP Request to find B’s MAC. 2) The attacker node C receives ARP Request and saves A’s (IP, MAC) in its ARP cache. 3) When B wants to send a packet to A, it first sends a broadcasting ARP Request to find A’s MAC. 4) Attacker receives this ARP Request and stores B’s (IP, MAC) in its ARP cache. 5) Now the attacker knows both A and B’s addresses. It sends an ARP Reply to B with fake identities: Source IP is IP_A, Source MAC is MAC_C. C is telling B: I am A, my MAC is MAC_C. 6) B trusts ARP Reply it received and changes its ARP cache entry (IP_A, MAC_A) to (IP_A, MAC_C). 7) When B wants to send packets to A, it encapsulates the packet by i) using IP_A for the network destination address; ii) using MAC_C for its link destination MAC. As a result, the packet is received by C, not A. 8) When the attacker receives packets, it can store data then send to A, or modify data before forwarding them to A. This change is transparent to A and B. They are unaware of the attacker 3. Why ARP Spoofing? There is an advantage to learn or modify other people’s data. For example, military spies, financial transactions. ARP is a simple protocol. It's not hard to fake identities with ARP. There are software tools available. 4. How to prevent ARP spoofing? No much. Periodically flush ARP cache can remove fake MAC addresses. But spoofing tool can easily send more ARP Reply to inject false MAC into ARP caches.
ARP 动画特色可视化。观察 ARP 包在不同的拓扑上如何被洪泛、转发， ARP 表怎么被更新，数据包怎么用 ARP 表封装报头。说白。把协议的要点、关键细节相结合，用白话说明 . 用漫画气泡表达节点间的互动性、协议的因果关系。辅助教材。一般的网络书籍用 3-5 页严谨精确说明 ARP 知识点，这套动画用实例要点说明 ARP 及其它设备、协议、应用的关系。可以作为辅助教材，配合教科书。 Visualland.ney ( 北冰洋软件 ) 有两种动画、理论动画的数据是作者编辑的，动画的数据、状态以示意为主，适合初学者。实验动画的数据是从路由器采集，可以用 pcap 检查原始数据包。

Arp spoofing (arp picture book 7 from visual land animations)

Recommended

Recommended

More Related Content

Recently uploaded

Recently uploaded (20)

Featured

Featured (20)

Arp spoofing (arp picture book 7 from visual land animations)

Editor's Notes