niko
Just a short paper I wrote with some small ideas on some different ways (than traditional)
to redirect switched traffic so you can sniff it.

ARP

Address Resolution Protocol is the protocol by which a PC can figure out the hardware
address (the MAC address) that maps to a specific IP address. For example, when you wish to
talk to another computer using its IP, your computer will send out an ARP request. This ARP
request is a broadcast request; it goes to every machine on the current network switch.
The ARP request basically says, "hey, who's the owner of this IP address?". The target computer
then responds with an ARP Reply, which contains its hardware address, so now the two computers
can communicate on the physical (ethernet) layer.

ARP Poisoning.

Let's say I want to use a packet sniffer to sniff what Sally is doing on her computer over on
the other side of my cubicle. Normally, on a non-switched network, such as a small hub network,
the hub simply repeats each packet on the network to every single port on the hub. In other words,
the packet gets repeated to every single computer on the hub. This makes it easy to sniff traffic
because you can put your card in promiscuous mode (where the card sees all packets, and not just
its own) and now you see all traffic going by, including traffic from Sally's computer. However,
all this traffic also slows down the network, as each machine fights for its chance to transmit
network data. The solution to both of these problems (privacy and network speed) is a switched
network.

A switched network uses a device called a switch to watch traffic, and basically only
allow traffic to your machine, which is destined for your machine. In other words, it watches the
hardware address of each packet (the MAC) to see which machine it belongs to. The switch knows
which machines are what because as ARP requests come in, it remembers the MAC address of each
computer connected to one of its physical ports.

This creates a problem for us though, because we want to sniff Sally's data, and now none of it
comes past our computer because it doesn't get through the switch to us. What can we do?

We have to somehow trick Sally's computer into thinking that WE are the switch, and then we can
get her packets first, and then forward them to the real switch after we've sniffed them (sounds funny).
Why do we want to pretend to be the switch? Because in a switched network, the switch is usually
the default gateway of the computer. This means all outgoing packets will be sent to
the gateway to then be routed to their final destination. In this case, that's the switch! Sally's
computer got the default gateway from the DHCP server when she joined the network.

One way to do this is to poison the ARP cache on Sally's machine. Each computer, when it performs an
ARP request, caches the response for a time, to make the lookup faster next time and to reduce
network traffic. If we change this cache on Sally's machine to make it think the IP of the switch
belongs to OUR computer's network adapter, her computer will forward all data to us first!

The traditional way to poison the cache is to flood the network with false ARP replies. Most computers
actually respond to these ARP replies, even if they didn't send an ARP request. So we send out a bunch
of fake ARP replies, with a forged IP address, which is the switch's IP address, and Sally's computer
picks them up and updates its ARP cache, which now will point to our sniffing machine.

However, there is one major drawback to this: it causes a lot of network traffic, and it could
get noticed very easily. Most IDSs nowadays, as well as switches, can watch for this ARP traffic
and alert someone when something looks suspicious. What can we do instead?

A "manual" attack instead

Well, we could change Sally's ARP cache entries locally on her system instead. To do this we could use
a trojan or an IE exploit or any other type of exploit that gives us remote access to her machine.
The beauty of this is that it creates no network traffic, and doesn't alert an IDS. Of course, if we choose
to use some publicly available method, she might have an AV (AntiVirus) which would detect it. But we
aren't that lame, are we? Surely we can write our own exploit. Heck, even a Macro virus could be set
up to do this.

So what do we need to do? Well, on Windows systems you can view the current ARP cache with the "arp"
command:

CODE

C:\>arp

Displays and modifies the IP-to-Physical address translation tables used by
address resolution protocol (ARP).

ARP -s inet_addr eth_addr [if_addr]
ARP -d inet_addr [if_addr]
ARP -a [inet_addr] [-N if_addr]

 -a            Displays current ARP entries by interrogating the current
               protocol data.  If inet_addr is specified, the IP and Physical
               addresses for only the specified computer are displayed.  If
               more than one network interface uses ARP, entries for each ARP
               table are displayed.
 -g            Same as -a.
 inet_addr     Specifies an internet address.
 -N if_addr    Displays the ARP entries for the network interface specified
               by if_addr.
 -d            Deletes the host specified by inet_addr. inet_addr may be
               wildcarded with * to delete all hosts.
 -s            Adds the host and associates the Internet address inet_addr
               with the Physical address eth_addr.  The Physical address is
               given as 6 hexadecimal bytes separated by hyphens. The entry
               is permanent.
 eth_addr      Specifies a physical address.
 if_addr       If present, this specifies the Internet address of the
               interface whose address translation table should be modified.
               If not present, the first applicable interface will be used.
Example:
 > arp -s 157.55.85.212   00-aa-00-62-c6-09  .... Adds a static entry.
 > arp -a                                    .... Displays the arp table.

C:\>



So if we do an "arp -a" we can view the current cache, and we can add arp entries
ourselves with "arp -s <IP> <MAC>". We can also delete entries with "arp -d".

Here's a shot of my current arp cache on my system:

CODE

C:\>arp -a

Interface: 10.209.36.134 --- 0x2
 Internet Address      Physical Address      Type
 10.209.36.129         00-01-30-2a-b4-00     dynamic

C:\>



The thing to notice is this IP is my current default gateway, the network switch. So what we are
seeing is the MAC address of the network switch. This is the MAC I want to override in the ARP
table, so I can sniff traffic on another computer ! So the first thing we want to do is delete this
entry:

CODE

C:\>arp -d *

C:\>arp -a
No ARP Entries Found

C:\>



We use the "*" to delete all entries, which is ok because when the user goes to access another
computer again, it will simply send out another ARP request anyway. BUT we DON'T want this to
happen! We want to override the ARP entry for that default gateway. Since we aren't changing
the default gateway's IP (Sally's computer got that from DHCP), we need to change the MAC address
to the MAC of the computer that will do the sniffing.

To get that MAC we can just access the sniffing computer in some way, by pinging it or opening a
file share. After we do that, our ARP table will contain an entry for that computer.

Here's my MAC from my sniffing computer:

CODE

C:\>ping 10.209.36.149

Pinging 10.209.36.149 with 32 bytes of data:

Reply from 10.209.36.149: bytes=32 time<1ms TTL=128
Reply from 10.209.36.149: bytes=32 time<1ms TTL=128
Reply from 10.209.36.149: bytes=32 time<1ms TTL=128
Reply from 10.209.36.149: bytes=32 time<1ms TTL=128

Ping statistics for 10.209.36.149:
   Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
   Minimum = 0ms, Maximum = 0ms, Average = 0ms

C:\>arp -a

Interface: 10.209.36.134 --- 0x2
 Internet Address      Physical Address      Type
 10.209.36.149         00-e0-29-57-07-2d     dynamic

C:\>



Write down that Physical Address, and now we can override ! Remember we can use "arp -s" to add
a static ARP entry, so let's add an entry for the default gateway's IP, but using OUR sniffing
system's MAC address !

CODE

C:\>arp -d *

C:\>arp -a
No ARP Entries Found

C:\>arp -s 10.209.36.129 00-e0-29-57-07-2d

C:\>arp -a

Interface: 10.209.36.134 --- 0x2
 Internet Address      Physical Address      Type
 10.209.36.129         00-e0-29-57-07-2d     static

C:\>



Now we are set! All packets destined for the default gateway on the computer will now be sent to the
physical address on our sniffing system. Our sniffing system will be listening in promiscuous mode,
and forwarding the packets to the switch. Notice also that this entry is Static - it's permanent!

So, we can see how to do this manually, but how do we get it on Sally's computer? Like I said before,
we can use a trojan type attack vector, or any other type of attack vector that will allow us to
execute some code on her machine. Heck, we could even put a small program on a CD and put it in the
drive and let autorun do our work for us, and walk away. The program simply does the simple commands
to delete the ARP cache, and put in the fake default gateway entry. Then we can watch her traffic.
Just make sure you come up with a way to undo the entry, because if your sniffing computer goes down,
her internet goes down, and that means she'll alert IT and they'll investigate..and you know they will
find you..



-niko
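The ARP request/reply exchange described at the top of the post, the forged reply used in the "traditional" poisoning, and the two checks a defender would run against either variant (one over ARP frames seen on the wire, one over "arp -a" text like the transcripts above), as an added example in Python. This is not code from the original post. It reuses niko's addresses (gateway 10.209.36.129, victim 10.209.36.134, sniffing host 10.209.36.149 with MAC 00-e0-29-57-07-2d); the victim's MAC 00-0c-29-11-22-33 and the sample "arp -a" tables are constructed for the example, and nothing is sent on the network.

```python
"""ARP frames, a forged gateway reply, and two checks that catch the attack.

Added example, not the post's own code.  All data is constructed inline and
nothing touches a real interface.  The victim MAC is assumed.
"""
import re
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff-ff-ff-ff-ff-ff"
ZERO_MAC = "00-00-00-00-00-00"


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace("-", "").replace(":", ""))


def mac_str(b: bytes) -> str:
    return "-".join(f"{x:02x}" for x in b)


def ip_bytes(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def build_arp_frame(op, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet header + 28-byte ARP payload (RFC 826): 42 bytes in total.
    A request is broadcast; a reply goes unicast to the target MAC."""
    dst = BROADCAST if op == ARP_REQUEST else target_mac
    eth = mac_bytes(dst) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    # htype 1 = Ethernet, ptype 0x0800 = IPv4, hlen 6, plen 4, then the opcode
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)
    arp += mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp


def parse_arp_frame(frame: bytes) -> dict:
    """Decode the frame layout produced by build_arp_frame (IPv4 over Ethernet)."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP encoding")
    return {
        "op": op,
        "sender_mac": mac_str(frame[22:28]),
        "sender_ip": ip_str(frame[28:32]),
        "target_mac": mac_str(frame[32:38]),
        "target_ip": ip_str(frame[38:42]),
    }


def forge_gateway_reply(gateway_ip, attacker_mac, victim_mac, victim_ip):
    """The 'traditional' poison: an unsolicited reply claiming the gateway IP
    is at the attacker's MAC.  The victim never sent a matching request."""
    return build_arp_frame(ARP_REPLY, attacker_mac, gateway_ip, victim_mac, victim_ip)


def find_ip_conflicts(frames):
    """Wire-side check (what an IDS does): an IP announced by two sender MACs."""
    seen = {}
    for frame in frames:
        p = parse_arp_frame(frame)
        seen.setdefault(p["sender_ip"], set()).add(p["sender_mac"])
    return {ip: sorted(macs) for ip, macs in seen.items() if len(macs) > 1}


ARP_ROW = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+)\s+([0-9a-f-]{17})\s+(\w+)", re.I)


def audit_arp_table(arp_a_output: str, gateway_ip: str) -> list:
    """Host-side check over Windows `arp -a` text: flags a static entry for the
    gateway and any MAC shared by two IPs.  The manual override in the post
    produces both symptoms without sending a single ARP frame."""
    rows = [m.groups() for m in map(ARP_ROW.match, arp_a_output.splitlines()) if m]
    findings, by_mac = [], {}
    for ip, mac, kind in rows:
        by_mac.setdefault(mac.lower(), []).append(ip)
        if ip == gateway_ip and kind.lower() == "static":
            findings.append(f"gateway {ip} has a static entry -> {mac}")
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            findings.append(f"MAC {mac} is claimed by {', '.join(ips)}")
    return findings


# Constructed `arp -a` output, before and after the override in the post.
CLEAN_TABLE = """\
Interface: 10.209.36.134 --- 0x2
 Internet Address      Physical Address      Type
 10.209.36.129         00-01-30-2a-b4-00     dynamic
"""
POISONED_TABLE = """\
Interface: 10.209.36.134 --- 0x2
 Internet Address      Physical Address      Type
 10.209.36.129         00-e0-29-57-07-2d     static
 10.209.36.149         00-e0-29-57-07-2d     dynamic
"""

if __name__ == "__main__":
    GATEWAY, VICTIM = "10.209.36.129", "10.209.36.134"
    GATEWAY_MAC, SNIFFER_MAC = "00-01-30-2a-b4-00", "00-e0-29-57-07-2d"
    VICTIM_MAC = "00-0c-29-11-22-33"  # assumed; the post never shows it
    request = build_arp_frame(ARP_REQUEST, VICTIM_MAC, VICTIM, ZERO_MAC, GATEWAY)
    real_reply = build_arp_frame(ARP_REPLY, GATEWAY_MAC, GATEWAY, VICTIM_MAC, VICTIM)
    poison = forge_gateway_reply(GATEWAY, SNIFFER_MAC, VICTIM_MAC, VICTIM)
    print(parse_arp_frame(poison))
    print(find_ip_conflicts([request, real_reply, poison]))
    print(audit_arp_table(POISONED_TABLE, GATEWAY))
```

The wire-side check only fires for the flooding variant; the static-entry variant never puts a frame on the network, which is exactly why the host-side audit of the cache (a static gateway entry, or the gateway sharing a MAC with another host on the segment) is the check worth scheduling on workstations.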
jockel
really a nice read..

a few months ago I didn't know much about ARP and all the possibilities that come with it ...

but the more I learn / read about it, the more interesting it gets =)
also check out this article on networknewz.com

http://www.networknewz.com/networknewz-10-...gandBeyond.html
(posted it already somewhere else ... )
have phun
cornstalk
Nice paper, thanks!
The commands are the same on Unix[-like] systems (tried it on NetBSD), but you need root access to delete and set entries.
So that's gonna be a problem, because it's much harder to become root on a Unix machine than getting admin privileges on a Windows system (most users are admins anyway).
Terminal
arp -a
arp -s and arp -d

are the same for all platforms; it works in Linux, Win98, Win2k, WinXP.
In Win98 you can't use wildcards (*),
like arp -d *
IamSam
This article was very interesting!
Moreover, this seems to be a very efficient way to sniff data on networks

So thank you so much for this one niko !