An Introduction To ARP Spoofing Other Attacks Presenting
- Slides: 28
An Introduction To ARP Spoofing & Other Attacks Presenting : Philip Yakubovsky & Ohad Benita
INTRODUCTION A computer connected to an IP/Ethernet LAN has two addresses IP Address • Virtual address • Assigned via software MAC/Ethernet Address • Address of the network card • In theory, unique & unchangeable
INTRODUCTION computerconnectedtoto AAcomputer IP/Ethernet. LAN anan. IP/Ethernet hastwo twoaddresses has IP Address • Used by applications • Independent of whatever network technology operates underneath it • Each computer on a network must have an unique IP address to communicate MAC/Ethernet Address • Necessary for Ethernet to send data • Independent of application protocols • Divides data into 1500 byte frames • Each frame has a header containing the MAC address of the source and destination computer.
INTRODUCTION IP & Ethernet must work together!
OPERATION ARP Request Does anyone have IP 10. 0. 0. 3? If so, tell me your MAC address! ARP 10. 0. 0. 1 (IP) 10. 0. 0. 2 (IP) 00. 00. 00. 01 (MAC) 00. 00. 00. 02 (MAC) 10. 0. 0. 3 (IP) 10. 0. 0. 4(IP) 00. 00. 00. 03 (MAC) 00. 00. 00. 04 (MAC) network Company Logo
OPERATION ARP Request 10. 0. 0. 1 (IP) 00. 00. 00. 01 (MAC) I do!!! My MAC address is 00. 00. 00. 03 ARP 10. 0. 0. 2 (IP) 00. 00. 00. 02 (MAC) 10. 0. 0. 3 (IP) 10. 0. 0. 4(IP) 00. 00. 00. 03 (MAC) 00. 00. 00. 04 (MAC) network Company Logo
OPERATION ARP Cache • Kept locally to minimize number of ARP Add. Your. Title Add requests being broadcast • Updates the cache with the new IP/MAC associations for each reply • Stateless protocol - Most operating systems will update the cache if a reply is received, regardless of whether they sent out an actual request
OPERATION ARP Spoofing • Involves constructing forged ARP replies Ad Your Title • Takes advantage of the ARP cache • Process of corrupting cache is “Poisoning”
OPERATION ARP Spoofing ARP Request ARP Cache
OPERATION ARP Spoofing ARP Response ARP Cache
OPERATION ARP Spoofing ARP Response ARP Cache
OPERATION ARP Spoofing ARP Response ARP Cache
Attacks – Sniffing v. Promiscuous mode - Allows network cards to examine frames that are destined for MAC addresses other than their own v. Switches - Allows network cards to examine frames that are destined for MAC addresses other than their own
Attacks - Sniffing v Man-in-the-Middle Attack (Mi. M) • A malicious user: – Inserts his computer between the communications path of two target computers – Forwards frames between the two target computers so communications are not interrupted • All Internet traffic could be intercepted if this was performed between the target and router
Attacks – Sniffing v. MAC Flooding • Send spoofed ARP replies to a switch at an extremely rapid rate • Switch’s port/MAC table will overflow • Results vary – Some switches will revert into broadcast mode, allowing sniffing to then be performed v. Storms § Poisoning caches with the broadcast address could cripple large networks
Attacks - Do. S v. Denial of Service § Update ARP caches with non-existent MAC addresses • Causes frames to be dropped • Could be sent out in a sweeping fashion to Do. S all clients in the network § Possible side effect of post-Mi. M Attacks
Do. S - SYN Attack v. The SYN attack is a common denial of service (Do. S) technique characterized by the following pattern: § Using a spoofed IP address an attacker sends multiple SYN packets to the target machine. § For each SYN packet received, the target machine allocates resources and sends an acknowledgement (SYN-ACK) to the source IP address.
Do. S – SYN Attack § The target machine doesn't receive a response from the attacking machine, it attempts to resend the SYN-ACK five times, at 3, 6, 12, 24, 48 sec. intervals, before unallocating the resources 96 seconds after attempting the last retry. § If you add it all together, you can see that the target machine allocates resources for more than 3 minutes to respond to just one SYN attack.
Attacks - Hijacking v. Connection Hijacking § Allows an attacker to take control of a connection between two computers § Can result in any type of session being transferred
Attacks - Cloning v. MAC Address cloning § MAC addresses intended to be globallyunique and unchangable § Today, MAC addresses can be easily changed § An attacker could Do. S a target computer, clone the target’s MAC address, and recieve all frames intended for the target
DEFENSES D E F E N S E S No universal defense Static (non-changing) ARP entries Port security (or Port Binding, MAC Binding) Detection: • ARPWatch • Reverse ARP (RARP)
Defenses – Static Route v. Static Routes § ARP caches have static (non-changing) entries § Spoofed ARP replies are ignored § Creates lots of overhead • Each ARP cache must have static entry for every computer on the network • Non practical for most LANs § Result can also vary depending on the operating system
Defenses – MAC Binding v. MAC Binding § Feature found on high-quality switches § Does not allow the MAC address associated with a port to change once it has been set § Legitimate changes can be performed by the network administrator § Does not prevent ARP spoofing, but does prevent MAC cloning & spoofing
Detection v. Detection § ARPWatch (Free UNIX Program) • Listens for ARP replies on the network and builds a table of IP/MAC associations • When IP/MAC associations change (flip-flop), an email is sent to the administrator § Reverse ARP (RARP) • Requests the IP of a known MAC address • Can be used to detect MAC cloning § Promiscuous Mode Sniffing • Many methods exist for detecting machines in promiscuous mode
DETECTION The exact behavior of ARP varies with Different operating systems Different operating system versions Different network hardware
CONCLUSION v. ARP Spoofing is one of several vulnerabilities which exist in modern networking protocols. - IP Spoofing - TCP sequence prediction - ICMP-based attacks v. It is unlikely that this problems will be addressed until abused on a wide enough scale to force a change in the status quo.
Company Logo
- Ettercap dhcp
- Apa itu spoofing
- What is web spoofing
- Dns spoofing
- Spoofing
- Spoofing
- "mitm" -man-in-the-middle -spoofing
- Software agent meaning
- Types of position
- Types of interior display
- How should you properly present room service account
- Name of presenting organization
- Different methods of presenting information
- Dateline dalam berita
- Presenting diameter in occipito posterior
- A chemist shorthand
- Presenting insights and findings using written reports
- Ethics of public speaking
- Chemist shorthand way of representing chemical reaction
- Advertising is which form of presentation
- Presenting research methodology
- Presenting a research proposal
- Presantation of business information
- Presenting problem
- Presenting the product
- Presenting complaints of hypertension
- Presenting literature review
- Thank you, ladies
- Pengertian presenting report