Attacks.
Author: Dibyendu Sikdar (oxhat.blogspot.in)
The purpose of this research is to investigate and identify ARP Poison Attacks by analyzing the pcap files captured by Wireshark.
Introduction
ARP, or Address Resolution Protocol, is a link layer protocol. ARP is used to convert an IP address to a physical address, known as the MAC address. The MAC address is required when we want to send a packet to a system connected to the same subnet. If a new packet arrives at the gateway, the gateway will look for the MAC address of the destination IP address. The gateway uses its ARP table to find the MAC address and then pushes the packet to that system. In case it does not know the MAC address, it will broadcast an ARP packet in a broadcast frame. An ARP request packet has the IP address of the sender, the MAC address of the sender, the IP address of the receiver and, in the MAC address field of the receiver, the value 00:00:00:00:00:00. The sender then sends this ARP packet to all the systems connected to the subnet. When the. Here is an example of how it works. System A, having the IP address 192.168.0.3 and MAC address 00:03:ff:98:98:03, wants to know who has the IP address 192.168.0.1 in the network. So it will create a broadcast frame, encapsulate the ARP query in it, and this message will be forwarded to all the systems connected to the network:
Who has 192.168.0.1? Tell 192.168.0.3
Every system accepts the ARP request and processes it. When the IP address of the destination system matches the target IP address inside the ARP request, that system encapsulates its MAC address inside an ARP reply and sends it back to the sender.
So 192.168.0.3 will map this IP address to the MAC address in its ARP table. It will cache the information and maintain it unless there is a change in its value.
Oxhat Security
Page 1
ARP Poison Attack
We have seen that ARP plays a role when systems are connected to the same subnet. There are many ways by which an ARP Poison Attack can be executed.
Single Victim - Poison the gateway with a fake ARP packet having the IP address of the victim and the MAC address of the attacker.
Multiple Victims - Poison the gateway by flooding the network with fake ARP packets having the IP addresses of the victims and the MAC address of the attacker.
So a possible attack will be to poison the gateway with a specially crafted ARP reply having the MAC address of the attacker and the IP address of the victim. Since the gateway's ARP cache will be poisoned by the crafted ARP request, the new ARP cache will contain the MAC address of the attacker against the IP address of the victim. The attacker's main objective is to redirect the traffic to him/her rather than to the victim. So now if any new packets arrive at the gateway, the gateway will look for the MAC address of the destination IP address. The gateway uses the ARP table to find the MAC address and then pushes the packet to that system, and hence the attacker will receive the packets that are meant for the victim.
Analyzing PCAP files to detect ARP Poison Attack
Here is a PCAP file captured by Wireshark. Using this file I will give a demo.
In the filter area I will write "arp" to display only frames having ARP packets.
Let us have a look at the frames. We will find that an ARP request has a length of 60 and an ARP reply has a length of 40. After analyzing the frames we find there are 4 IPs. Since 192.168.0.1 is reserved for the gateway, it means there are 3 systems connected to the LAN. They are:
192.168.0.1 - Gateway
192.168.0.2 - System 1
192.168.0.3 - System 2
192.168.0.30 - System 3
ARP Replies from the Gateway to the 3 Systems
So the current ARP cache at the gateway will be something like this:
IP Address      MAC Address
192.168.0.2     00:03:ff:98:98:02
192.168.0.3     00:03:ff:98:98:03
192.168.0.30    00:03:ff:98:98:30
I have analyzed the other frames one by one, but one ARP request is a bit different and also suspicious.
So what makes it so suspicious? Comparing the ARP request information with the gateway's ARP cache table, we can see that the MAC address of the sender and the IP address of the sender do not match. The IP address 192.168.0.3 has the MAC address 00:03:ff:98:98:03. But in this request it is being forged with the MAC address 00:03:ff:98:98:02, which belongs to the system having IP address 192.168.0.2. One more interesting thing is that it is not encapsulated in a broadcast frame. So we can understand that the attacker has the IP address 192.168.0.2 and the victim has the IP address 192.168.0.3.
So when the gateway finds this ARP request, it will assume that 192.168.0.3 is a newly connected system that does not have the MAC address of 192.168.0.1, so it will reply to 192.168.0.3 with its own MAC address and also update its own ARP cache with the new forged MAC value for the IP address 192.168.0.3.
So the ARP cache of the gateway will become something like this:
IP Address      MAC Address
192.168.0.2     00:03:ff:98:98:02
192.168.0.3     00:03:ff:98:98:02
192.168.0.30    00:03:ff:98:98:30
So now that the gateway has been poisoned with a fake ARP request, all the traffic that was meant for IP address 192.168.0.3 will be sent to the system 192.168.0.2.
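As an added example (not part of the original write-up or its author's code), the following Python program ties the three parts of this paper together: it encodes ARP request and reply frames as described in the Introduction, writes them into a small libpcap capture that mirrors the scenario above (three hosts resolve the gateway, the gateway replies, then 192.168.0.2 sends a forged unicast request claiming 192.168.0.3), and then replays the capture the way a gateway would learn from it, flagging the signs discussed here: a sender IP re-announced with a different MAC, a MAC that already belongs to another host, and an ARP request that is unicast rather than broadcast. The static_table option models the "one MAC per IP" defence from the Conclusion. The gateway MAC 00:03:ff:98:98:01, the frame order and the timestamps are constructed assumptions; the page does not give them. Only the standard library is used, so it runs offline; detect_arp_poison accepts the bytes of any classic libpcap file.

```python
"""Detect ARP cache poisoning in a libpcap capture using only the standard library.
Sample capture is constructed inline from the addresses in the write-up; the gateway
MAC is an assumed placeholder."""
import struct
from collections import namedtuple

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"

def mac_bytes(mac): return bytes(int(x, 16) for x in mac.split(":"))
def mac_str(raw): return ":".join(f"{x:02x}" for x in raw)
def ip_bytes(ip): return bytes(int(x) for x in ip.split("."))
def ip_str(raw): return ".".join(str(x) for x in raw)

def build_arp_frame(op, sender_mac, sender_ip, target_mac, target_ip, eth_dst=None):
    """Ethernet II frame carrying an RFC 826 ARP packet (42 bytes, no padding).
    A request is broadcast with an all-zero target MAC; a reply is unicast to the target.
    eth_dst overrides the Ethernet destination (used here only for the forged frame)."""
    if eth_dst is None:
        eth_dst = BROADCAST if op == ARP_REQUEST else target_mac
    eth = mac_bytes(eth_dst) + mac_bytes(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    # htype=1 (Ethernet), ptype=0x0800 (IPv4), hlen=6, plen=4, opcode
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip) + mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp

def write_pcap(frames):
    """Serialize frames as a classic libpcap file (magic 0xa1b2c3d4, linktype 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):  # ts_sec, ts_usec, incl_len, orig_len
        out += struct.pack("<IIII", i, 0, len(frame), len(frame)) + frame
    return out

def read_pcap(data):
    """Yield raw frames from a libpcap byte string, honouring the file's byte order."""
    if struct.unpack_from("<I", data, 0)[0] == 0xA1B2C3D4:
        end = "<"
    elif struct.unpack_from(">I", data, 0)[0] == 0xA1B2C3D4:
        end = ">"
    else:
        raise ValueError("not a libpcap capture")
    off = 24
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack_from(end + "IIII", data, off)
        off += 16
        yield data[off:off + incl_len]
        off += incl_len

ArpPacket = namedtuple("ArpPacket", "eth_dst eth_src op sender_mac sender_ip target_mac target_ip")

def parse_arp(frame):
    """Decode an Ethernet/ARP frame; return None for anything that is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack_from("!HHBBH", frame, 14)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    body = frame[22:42]
    return ArpPacket(mac_str(frame[0:6]), mac_str(frame[6:12]), op,
                     mac_str(body[0:6]), ip_str(body[6:10]), mac_str(body[10:16]), ip_str(body[16:20]))

def detect_arp_poison(pcap_bytes, static_table=False):
    """Replay the capture as a gateway would. Returns (cache, alerts): the resulting IP->MAC
    table and the anomalies seen. With static_table=True an existing binding is never
    overwritten, which is the 'one MAC per IP' defence."""
    cache, alerts = {}, []
    for no, frame in enumerate(read_pcap(pcap_bytes), start=1):
        p = parse_arp(frame)
        if p is None:
            continue
        if p.sender_mac != p.eth_src:  # ARP body should agree with the Ethernet header
            alerts.append(f"frame {no}: ARP sender MAC {p.sender_mac} != Ethernet source {p.eth_src}")
        if p.op == ARP_REQUEST and p.eth_dst != BROADCAST:  # genuine requests are broadcast
            alerts.append(f"frame {no}: ARP request from {p.sender_ip} unicast to {p.eth_dst}, not broadcast")
        known = cache.get(p.sender_ip)
        if known is not None and known != p.sender_mac:  # IP re-announced with another MAC
            owners = ", ".join(ip for ip, mac in cache.items() if mac == p.sender_mac) or "no other host"
            alerts.append(f"frame {no}: {p.sender_ip} re-announced as {p.sender_mac} (was {known}; "
                          f"MAC already used by {owners}){' - rejected' if static_table else ''}")
            if static_table:
                continue
        cache[p.sender_ip] = p.sender_mac  # what an unprotected gateway does
    return cache, alerts

def build_sample_capture():
    """Constructed capture: hosts resolve the gateway, it replies, then 192.168.0.2 sends a
    forged unicast request with the victim's IP 192.168.0.3 and its own MAC."""
    gw_ip, gw_mac = "192.168.0.1", "00:03:ff:98:98:01"  # gateway MAC is a placeholder
    hosts = {"192.168.0.2": "00:03:ff:98:98:02", "192.168.0.3": "00:03:ff:98:98:03",
             "192.168.0.30": "00:03:ff:98:98:30"}
    frames = []
    for ip, mac in hosts.items():
        frames.append(build_arp_frame(ARP_REQUEST, mac, ip, ZERO_MAC, gw_ip))  # Who has .1? Tell ip
        frames.append(build_arp_frame(ARP_REPLY, gw_mac, gw_ip, mac, ip))     # .1 is at gw_mac
    frames.append(build_arp_frame(ARP_REQUEST, hosts["192.168.0.2"], "192.168.0.3",
                                  ZERO_MAC, gw_ip, eth_dst=gw_mac))           # the forged frame
    return write_pcap(frames)

if __name__ == "__main__":
    table, findings = detect_arp_poison(build_sample_capture())
    for ip, mac in table.items():
        print(f"{ip:14} {mac}")
    print("\n".join(findings))
```

Run as is, the printed table is the poisoned cache from the section above (192.168.0.3 now mapped to 00:03:ff:98:98:02) and two alerts point at frame 7: the unicast request and the MAC change. With static_table=True the same alerts fire but the binding for 192.168.0.3 stays at 00:03:ff:98:98:03, which is the effect of a static ARP entry on the gateway.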
Conclusion
So we have seen how we can identify ARP Poison attacks by analyzing PCAP files. Some defenses against these types of attacks are using static ARP tables and not allowing more than one MAC per IP address.
References
Computer Networking: A Top-Down Approach (Kurose & Ross)
Wikipedia - http://en.wikipedia.org
TechTarget SearchNetworking - http://searchnetworking.techtarget.com/
Hakipedia - http://hakipedia.com/index.php/Hakipedia
PCAP file - SecurityOverride.com (http://securityoverride.org)