1 / 17

ARP Cache Poisoning

ARP Cache Poisoning How the outdated Address Resolution Protocol can be easily abused to carry out a Man In The Middle attack across an entire network. Scott Helme - 6 th Aug 2013 - scotthel.me. Introduction.

uyen
Télécharger la présentation

ARP Cache Poisoning

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. ARP Cache Poisoning How the outdated Address Resolution Protocol can be easily abused to carry out a Man In The Middle attack across an entire network. Scott Helme- 6th Aug 2013 -scotthel.me

  2. Introduction The Address Resolution Protocol (ARP) facilitates communications on a Local Area Network (LAN). It does this by providing a means for clients to resolve a Layer 3 Internet Protocol (IP) Address (192.168.1.5) to a Layer 2 Hardware Address (af:23:b4:7d:f5:c9) or Media Access Control (MAC) address. The ARP protocol employs no form of security or authentication and is a simple request and reply protocol.

  3. Example For Scott to send packets to Dave over the LAN he needs to know Dave’s MAC address. Scott Dave ARP Request Who is 192.168.0.6, FF:FF:FF:FF:FF:FF? I’m Scott, 192.168.0.5, A3:DD:B4:12:3A:4F. ARP Response Hi Scott, 192.168.0.5, A3:DD:B4:12:3A:4F. I’m Dave, 192.168.0.6, B7:C2:11:F2:BB:E6. 192.168.0.6 B7:C2:11:F2:BB:E6 192.168.0.5 A3:DD:B4:12:3A:4F

  4. Example Scott was able to send the ARP request to Dave without knowing his MAC address by using the broadcast address FF:FF:FF:FF:FF:FF. A packet with the broadcast address as the destination is delivered to every client on the current LAN segment, ensuring Dave will receive it. Once we have Dave’s MAC address, we can send packets to him instead of everyone on the network. Scott ARP Request Who is 192.168.0.6, FF:FF:FF:FF:FF:FF? I’m Scott, 192.168.0.5, A3:DD:B4:12:3A:4F. 192.168.0.5 A3:DD:B4:12:3A:4F

  5. Example Dave When Dave received the ARP request, he identified it was for him and responded to the request using the details in the initial request. ARP Response Hi Scott, 192.168.0.5, A3:DD:B4:12:3A:4F. I’m Dave, 192.168.0.6, B7:C2:11:F2:BB:E6. 192.168.0.6 B7:C2:11:F2:BB:E6

  6. Example Scott Dave Now Scott and Dave have exchanged details they can communicate with each other directly. They both store a record in their ARP Cache of the other clients IP and MAC address so they can perform a lookup later if needed. This prevents the need for subsequent ARP requests and reduces network traffic. 192.168.0.6 B7:C2:11:F2:BB:E6 192.168.0.5 A3:DD:B4:12:3A:4F

  7. The Problem Scott Dave During the ARP request/response exchange neither client took any steps to verify the identity of the responding client, or the authenticity of the response sent. This presents an opportunity for a 3rd party to impersonate clients on the network. 192.168.0.6 B7:C2:11:F2:BB:E6 192.168.0.5 A3:DD:B4:12:3A:4F

  8. Attacker The Problem ARP Requests are sent to all clients on the network as they use the broadcast MAC address FF:FF:FF:FF:FF:FF. 192.168.0.7 C4:D3:46:B1:EE:BA Scott Dave 192.168.0.5 A3:DD:B4:12:3A:4F 192.168.0.6 B7:C2:11:F2:BB:E6

  9. Attacker The Problem Hi Scott, 192.168.0.5, A3:DD:B4:12:3A:4F. I’m Dave, 192.168.0.6, C4:D3:46:B1:EE:BA. ARP Responses are not verified and if any client receives a new response they will update their ARP cache assuming the sender has changed their MAC or IP address. 192.168.0.7 C4:D3:46:B1:EE:BA Scott Dave 192.168.0.5 A3:DD:B4:12:3A:4F 192.168.0.6 B7:C2:11:F2:BB:E6

  10. Attacker The Problem Hi Scott, 192.168.0.5, A3:DD:B4:12:3A:4F. I’m Dave, 192.168.0.6, C4:D3:46:B1:EE:BA. As long as the attacker regularly sends the forged response to the target (Scott), they will continue to send traffic to the wrong location. If the Attacker then resends the traffic to the correct destination there is no interruption on the LAN and Dave is not aware the Attacker can view his traffic. 192.168.0.7 C4:D3:46:B1:EE:BA Scott Dave 192.168.0.5 A3:DD:B4:12:3A:4F 192.168.0.6 B7:C2:11:F2:BB:E6

  11. Attacker The Problem To Dave, 192.168.0.6, C4:D3:46:B1:EE:BA. The password is “SuperSecret1234”. From Scott, 192.168.0.5 A3:DD:B4:12:3A:4F To Dave, 192.168.0.6, B7:C2:11:F2:BB:E6. The password is “SuperSecret1234”. From Scott, 192.168.0.5 A3:DD:B4:12:3A:4F 192.168.0.7 C4:D3:46:B1:EE:BA Scott Dave This is a successful implementation of a MITM attack and allows the attacker to view all traffic sent by Scott to Dave. 192.168.0.5 A3:DD:B4:12:3A:4F 192.168.0.6 B7:C2:11:F2:BB:E6

  12. Client The Scope Client Attacker At this point, the attacker can choose which targets on the network he wants to MITM and impersonate them using forged ARP packets to poison their ARP Cache. Client 192.168.0.7 C4:D3:46:B1:EE:BA Client Client

  13. A gratuitous ARP can be sent by a client at any point, usually when their IP address or MAC address has changed for some reason. This allows other clients to update their ARP cache and maintain current records. An attacker can send out a forged gratuitous ARP without needing to wait for an ARP request from a target on the network. The Bigger Problem Default Gateway Attacker Broadcast To Everyone! Here are my updated details! 192.168.0.1 C4:D3:46:B1:EE:BA 192.168.0.7 C4:D3:46:B1:EE:BA 192.168.0.1 D7:AD:F1:C3:A4:D9 The attacker has just told all clients on the network that he is the default gateway!

  14. Client The Bigger Problem Client Default Gateway Attacker Client Client 192.168.0.7 C4:D3:46:B1:EE:BA 192.168.0.1 D7:AD:F1:C3:A4:D9 Client Client Here the attacker can monitor all Internet traffic on the LAN that isn’t being sent using TLS. He could also simply not forward on the traffic and bring the entire network down as no clients would be able to communicate at all. This is known as a Denial of Service (DoS) attack.

  15. Mitigation • There is no replacement for ARP on a LAN so ARP Cache Poisoning is a difficult threat to defend against. • You can create static ARP entries on client machines for important things like the default gateway. The only problem is if the IP or MAC genuinely changes no client will listen to the new details and depend upon the incorrect static entries which now need to be updated. • ARP Cache Poisoning actually has genuine advantageous uses. If a web server on your LAN went down, you could invisibly direct all clients to a backup server without needing to alter any configurations. Simply broadcast a forged ARP packet with the MAC address for the new server. • You can employ monitoring software to listen and try to detect forged ARP packets. They are easy to spot by maintaining a historic record of ARP broadcasts and looking for an ARP packet with the same IP address but a different MAC address to one previously reported.

  16. Conclusion Whilst you could statically assign all ARP entries on the network this is not a realistic solution and near impossible to maintain on large networks. Detection software can let you know when someone is attempting to ARP poison clients on your network and event attempt to mitigate it but this is still a reactive measure and not a form of prevention. ARP Cache Poisoning presents a serious threat over a LAN (this includes WiFi) which stems from an inherent lack of security in the protocol itself. The easiest way to protect your Internet traffic whilst using a network that may contain malicious clients is to use sites protected with TLS. As TLS offers end to end encryption the attacker would only be able to view the encrypted version of your traffic and as such it is useless to them. There are of course other options like using a Virtual Private Network (VPN), which will be covered in a later presentation, but require considerable cost and maintenance.

  17. Thanks You can find more info covering this and other forms of attack on my blog: http://scotthel.me Please feel free to share this information generously but do provide attribution back to my site. This work is licensed under the Creative Commons Attribution 3.0 Unported License. To view a copy of this license, visit http://creativecommons.org/licenses/by/3.0/

More Related