ARP Spoofing

Hi all, I'm a beginner here at the "CCNA INTRO" level, and CCSP will be my next step. I found some programs that can monitor network traffic and throw any undesired PC off the network. Those programs are Netcut and Win_ARP_Spoofer. I read on some security-related websites that these programs send fake ARP requests and replies to do that, but I still can't imagine how ARP requests have that harmful effect. As I understood from the CCNA INTRO book, ARP means that you have an IP address and need its corresponding MAC address..., right? My questions:

1- How do those programs work?
2- How do switches accept ARP replies without sending ARP requests in advance? "Isn't it a security hole?"
3- If those programs use ARP requests, not replies, how can ARP requests cause this harmful effect? "I'm sure that they use ARP requests and/or replies, as I found in the WinArpSpoofer options."

Thanks in advance, luckyboy
Reply to
luckyboy

Another interesting one is Ettercap.


Here is a nice explanation of how the MAC spoofing attacks work:

The switches keep track of which MAC addresses are on which ports. That way they don't have to send the packet to each port. Otherwise it would be a hub and everyone would see all the traffic. Some attacks on the switch fill up that memory table and force it to turn into a hub.

They probably use a combination of the two: requests to figure out what MAC/IP combinations are out there, and replies to do the poisoning.

Reply to
J Wessels

Right. ARP request: "who-has 1.2.3.4?" Reply: "00:1b:23:... has 1.2.3.4"

I am on "1.2.3.4". I want to redirect traffic from a very interesting server in my network (1.2.3.5) to my computer, so I send an ARP request:

"who has 1.2.3.5" and reply myself with my MAC. So everybody in my subnet now thinks I have the IP. Of course I should make sure the real server does not answer, or answers late.

It makes no difference if they get a fake reply to their own request or to someone else's. If they re-sent the request, well, they would probably get the same answer.

Both: requests and, of course, fake replies.

greetings, mike

Reply to
Michael Würtz
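The two posts above describe what an ARP-based monitor would see on the wire: an "is-at" reply that nobody asked for, an IP whose MAC suddenly changes, and one MAC ending up behind several IPs. The following added example (not from any poster in this thread, and not a real tool's code) walks a constructed sequence of ARP packets, using the thread's 1.2.3.x addresses and invented MACs, through a small cache-watching routine that raises those three kinds of alerts. The unsolicited-reply check deliberately skips gratuitous ARP (sender IP equal to target IP), which hosts send legitimately when they bring an interface up.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

REQUEST, REPLY = 1, 2


@dataclass(frozen=True)
class Arp:
    """The fields of an ARP packet body that matter for cache-poisoning detection."""
    opcode: int        # 1 = request ("who-has"), 2 = reply ("is-at")
    sender_mac: str
    sender_ip: str
    target_mac: str    # all zeros in a request; the requester's MAC in a reply
    target_ip: str


def analyse(packets: List[Arp]) -> Dict[str, object]:
    """Replay ARP packets through a cache and collect alerts (arpwatch-style logic)."""
    cache: Dict[str, str] = {}                 # ip -> mac, learned from sender fields
    pending: Set[Tuple[str, str]] = set()      # (requester_ip, asked_ip) without a reply yet
    alerts: List[str] = []

    for p in packets:
        if p.opcode == REQUEST:
            pending.add((p.sender_ip, p.target_ip))
        elif p.opcode == REPLY:
            key = (p.target_ip, p.sender_ip)   # did the addressed host ask about this IP?
            if key in pending:
                pending.discard(key)
            elif p.sender_ip != p.target_ip:   # gratuitous ARP announces itself; not flagged here
                alerts.append(f"unsolicited reply: {p.sender_ip} is-at {p.sender_mac}, "
                              f"sent to {p.target_ip} which never asked")

        # Both requests and replies carry a sender mapping; watch it for changes.
        prev = cache.get(p.sender_ip)
        if prev is not None and prev != p.sender_mac:
            alerts.append(f"mapping change: {p.sender_ip} was {prev}, now {p.sender_mac}")
        cache[p.sender_ip] = p.sender_mac

    # One MAC answering for several IPs is the end state of the trick described above.
    by_mac: Dict[str, List[str]] = {}
    for ip, mac in cache.items():
        by_mac.setdefault(mac, []).append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            alerts.append(f"one MAC for several IPs: {mac} -> {sorted(ips)}")

    return {"cache": cache, "alerts": alerts}


# Constructed sample traffic (MACs are invented): a normal exchange, then the
# host at 1.2.3.4 answers on behalf of 1.2.3.5 with its own MAC.
SAMPLE = [
    Arp(REQUEST, "00:1b:23:00:00:04", "1.2.3.4", "00:00:00:00:00:00", "1.2.3.5"),
    Arp(REPLY,   "00:1b:23:00:00:05", "1.2.3.5", "00:1b:23:00:00:04", "1.2.3.4"),
    Arp(REQUEST, "00:1b:23:00:00:06", "1.2.3.6", "00:00:00:00:00:00", "1.2.3.5"),
    Arp(REPLY,   "00:1b:23:00:00:04", "1.2.3.5", "00:1b:23:00:00:06", "1.2.3.6"),  # answers a real request, wrong MAC
    Arp(REPLY,   "00:1b:23:00:00:04", "1.2.3.5", "00:1b:23:00:00:07", "1.2.3.7"),  # nobody asked
]

if __name__ == "__main__":
    result = analyse(SAMPLE)
    for line in result["alerts"]:
        print(line)
```

On a real segment the same logic runs over captured ARP frames instead of the constructed list; the point of the example is that the poisoning described in the thread is visible to a passive listener even when the victim's own request was answered "correctly" from its point of view.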

Thanks both "J Wessels" and "Michael Würtz". luckyboy

Reply to
luckyboy

I read all the links you supplied, but they raised some questions in my head. Kev said: "Now look at the Port Stealing slide. Send layer 2 packets with "source address equal to victim host address" and "destination address equal to its own mac address". Taking these in reverse order, the switch will direct the packet to the port mapped to the destination address, the attackers "own mac address"; i.e. the packet will return to the attackers host (so no other hosts will notice the packet). At the same time, the switch will record the source address of the packet against the port it came from in the CAM table; i.e. the victim host (MAC) address against the attacker's port. If you looked in the CAM table, you'd now find the attackers port mapped to both the attackers MAC address and also the victim's MAC address" Great, but:

1- According to switch logic, a switch may forward a frame to any imaginable port except the one on which it received the frame.
2- How can it be guaranteed that the victim will not send any frame during this period of time, i.e. the "hacking period before restoring the true ARP table"? Remember that if it sent any frame, the table would change according to the source port.

luckyboy

Reply to
luckyboy

When a packet goes out, it will be tagged with some destination MAC address. The attacker would only get the packet if the switch either:

  • thinks the victim's MAC address is on the attacker's switch port
  • or the IP address (layer 3) belongs to the attacker's real MAC address

The first one tricks the switch with a bunch of ARP broadcast spoofs and replies; the second one tricks the hosts on the network with ARP broadcast spoofs.

Any time the victim sends out a packet, the first spoof method wouldn't be as effective - at least till the attacker sends out another broadcast to update the switch's CAM table.

In the second one, the packets would go to the attacker till the victim resends an ARP broadcast reply to update everyone's ARP tables. That can be detected by the attacker if on the same network segment, though, and so the attacker could then rebroadcast the ARP reply repointing that layer 3 IP address to the attacker's layer 2 MAC address.

Reply to
J Wessels
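Luckyboy's two objections above are about exactly the two rules a learning switch applies to every frame: learn the source MAC on the ingress port, then forward on the destination MAC, never back out the ingress port. The following added example (not from any poster in this thread, and not any vendor's switch code) is a toy CAM-table model with constructed MACs and port numbers. It replays the port-stealing sequence quoted from Kev's slide and then lets the victim speak, so both questions get answered by the model's behaviour: the frame addressed to the attacker's own MAC is simply filtered (the destination is known on the ingress port, so nothing else sees it), and the table heals the moment the victim transmits, which is why the trick has to be repeated. The model also keeps a log of MAC moves between ports, the same event a switch's MAC-move notification or port-security feature reports.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class Frame:
    src_mac: str
    dst_mac: str
    in_port: int


class Switch:
    """Minimal learning switch: learn source on ingress port, forward on destination."""

    def __init__(self, ports: List[int]) -> None:
        self.ports = list(ports)
        self.cam: Dict[str, int] = {}          # mac -> port (the CAM table)
        self.mac_moves: List[str] = []         # defender-side log: a MAC changed ports

    def forward(self, frame: Frame) -> List[int]:
        """Return the list of egress ports for this frame."""
        known = self.cam.get(frame.src_mac)
        if known is not None and known != frame.in_port:
            self.mac_moves.append(f"{frame.src_mac} moved port {known} -> {frame.in_port}")
        self.cam[frame.src_mac] = frame.in_port            # source learning, always

        out = self.cam.get(frame.dst_mac)
        if frame.dst_mac == BROADCAST or out is None:
            # Unknown or broadcast destination: flood every port except the ingress one.
            return [p for p in self.ports if p != frame.in_port]
        if out == frame.in_port:
            # Destination lives on the port the frame came in on: filtered, nobody else sees it.
            return []
        return [out]


# Constructed topology: victim on port 1, server on port 2, attacker on port 3 (MACs invented).
VICTIM, SERVER, ATTACKER = "00:1b:23:00:00:01", "00:1b:23:00:00:02", "00:1b:23:00:00:03"


def run_scenario() -> Tuple[List[Tuple[str, List[int]]], Switch]:
    """Replay the port-stealing sequence and the victim's recovery; return deliveries and the switch."""
    sw = Switch(ports=[1, 2, 3])
    steps = [
        ("victim -> server (server unknown, flooded)",      Frame(VICTIM, SERVER, 1)),
        ("server -> victim",                                Frame(SERVER, VICTIM, 2)),
        ("attacker broadcast, so its own MAC is learned",   Frame(ATTACKER, BROADCAST, 3)),
        ("attacker sends src=victim dst=attacker",          Frame(VICTIM, ATTACKER, 3)),
        ("server -> victim: delivered to attacker's port",  Frame(SERVER, VICTIM, 2)),
        ("victim transmits again: CAM entry heals",         Frame(VICTIM, SERVER, 1)),
        ("server -> victim: back on the victim's port",     Frame(SERVER, VICTIM, 2)),
    ]
    deliveries = [(label, sw.forward(f)) for label, f in steps]
    return deliveries, sw


if __name__ == "__main__":
    deliveries, sw = run_scenario()
    for label, ports in deliveries:
        print(f"{label:50s} -> ports {ports}")
    print("MAC moves logged:", sw.mac_moves)
```

Step four in the replay is the one Kev describes: the frame goes nowhere, yet the CAM entry for the victim's MAC now points at port 3, and the next server frame is delivered there. Step six shows the answer to the second question: the victim's very next frame moves the entry back, and each such move shows up in the switch's move log, which is where a monitoring or port-security policy would act.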

Thanks J Wessels for the explanation of the IP and MAC methods. Thanks Michael Würtz for the explanation of the IP method.

Reply to
luckyboy

Nice, I noticed that this logic works only if broadcasting or multicasting is detected. luckyboy

Reply to
luckyboy

HTH, HAND, VB.

Reply to
Volker Birk
