Here - Scott Helme
Download
Report
Transcript Here - Scott Helme
ARP Cache Poisoning
How the outdated Address Resolution Protocol can be easily abused to carry out a
Man In The Middle attack across an entire network.
Scott Helme - 6th Aug 2013 - scotthel.me
Introduction
The Address Resolution Protocol (ARP) facilitates communications on a Local Area Network
(LAN).
It does this by providing a means for clients to resolve a Layer 3 Internet Protocol (IP) Address
(192.168.1.5) to a Layer 2 Hardware Address (af:23:b4:7d:f5:c9) or Media Access Control
(MAC) address.
The ARP protocol employs no form of security or authentication and is a simple request and
reply protocol.
Example
For Scott to send packets to Dave over the
LAN he needs to know Dave’s MAC address.
Scott
Dave
ARP Request
Who is 192.168.0.6, FF:FF:FF:FF:FF:FF?
I’m Scott, 192.168.0.5, A3:DD:B4:12:3A:4F.
ARP Response
192.168.0.5
A3:DD:B4:12:3A:4F
Hi Scott, 192.168.0.5, A3:DD:B4:12:3A:4F.
I’m Dave, 192.168.0.6, B7:C2:11:F2:BB:E6.
192.168.0.6
B7:C2:11:F2:BB:E6
Example
Scott was able to send the ARP request to Dave without knowing
his MAC address by using the broadcast address FF:FF:FF:FF:FF:FF.
Scott
A packet with the broadcast address as the destination is delivered
to every client on the current LAN segment, ensuring Dave will
receive it. Once we have Dave’s MAC address, we can send packets
to him instead of everyone on the network.
ARP Request
192.168.0.5
A3:DD:B4:12:3A:4F
Who is 192.168.0.6, FF:FF:FF:FF:FF:FF?
I’m Scott, 192.168.0.5, A3:DD:B4:12:3A:4F.
Example
Dave
When Dave received the ARP request, he identified it was for him
and responded to the request using the details in the initial request.
ARP Response
Hi Scott, 192.168.0.5, A3:DD:B4:12:3A:4F.
I’m Dave, 192.168.0.6, B7:C2:11:F2:BB:E6.
192.168.0.6
B7:C2:11:F2:BB:E6
Example
Scott
Dave
Now Scott and Dave have exchanged details they
can communicate with each other directly. They
both store a record in their ARP Cache of the
other clients IP and MAC address so they can
perform a lookup later if needed. This prevents
the need for subsequent ARP requests and
reduces network traffic.
192.168.0.5
A3:DD:B4:12:3A:4F
192.168.0.6
B7:C2:11:F2:BB:E6
The Problem
Scott
Dave
During the ARP request/response exchange
neither client took any steps to verify the identity
of the responding client, or the authenticity of the
response sent. This presents an opportunity for a
3rd party to impersonate clients on the network.
192.168.0.5
A3:DD:B4:12:3A:4F
192.168.0.6
B7:C2:11:F2:BB:E6
Attacker
192.168.0.7
C4:D3:46:B1:EE:BA
The Problem
ARP Requests are sent to all
clients on the network as they
use the broadcast MAC address
FF:FF:FF:FF:FF:FF.
Scott
Dave
192.168.0.5
A3:DD:B4:12:3A:4F
192.168.0.6
B7:C2:11:F2:BB:E6
Attacker
Hi Scott, 192.168.0.5, A3:DD:B4:12:3A:4F.
I’m Dave, 192.168.0.6, C4:D3:46:B1:EE:BA.
192.168.0.7
C4:D3:46:B1:EE:BA
The Problem
ARP Responses are not verified
and if any client receives a new
response they will update their
ARP cache assuming the sender
has changed their MAC or IP
address.
Scott
Dave
192.168.0.5
A3:DD:B4:12:3A:4F
192.168.0.6
B7:C2:11:F2:BB:E6
Attacker
Hi Scott, 192.168.0.5, A3:DD:B4:12:3A:4F.
I’m Dave, 192.168.0.6, C4:D3:46:B1:EE:BA.
The Problem
Scott
As long as the attacker regularly sends
the forged response to the target
(Scott), they will continue to send
traffic to the wrong location. If the
Attacker then resends the traffic to the
correct destination there is no
interruption on the LAN and Dave is
not aware the Attacker can view his
traffic.
Dave
192.168.0.5
A3:DD:B4:12:3A:4F
192.168.0.6
B7:C2:11:F2:BB:E6
192.168.0.7
C4:D3:46:B1:EE:BA
Attacker
To Dave,
192.168.0.6,
C4:D3:46:B1:EE:BA.
The password is “SuperSecret1234”.
From Scott,
192.168.0.5
A3:DD:B4:12:3A:4F
192.168.0.7
C4:D3:46:B1:EE:BA
Scott
The Problem
To Dave,
192.168.0.6,
B7:C2:11:F2:BB:E6.
The password is “SuperSecret1234”.
From Scott,
192.168.0.5
A3:DD:B4:12:3A:4F
Dave
This is a successful implementation
of a MITM attack and allows the
attacker to view all traffic sent by
Scott to Dave.
192.168.0.5
A3:DD:B4:12:3A:4F
192.168.0.6
B7:C2:11:F2:BB:E6
Client
Client
The Scope
Attacker
At this point, the attacker can choose which
targets on the network he wants to MITM
and impersonate them using forged ARP
packets to poison their ARP Cache.
Client
192.168.0.7
C4:D3:46:B1:EE:BA
Client
Client
A gratuitous ARP can be sent by a client at any
point, usually when their IP address or MAC
address has changed for some reason. This
allows other clients to update their ARP cache
and maintain current records. An attacker can
send out a forged gratuitous ARP without
needing to wait for an ARP request from a
target on the network.
Attacker
The Bigger Problem
Broadcast
Default Gateway
To Everyone!
Here are my updated details!
192.168.0.1
C4:D3:46:B1:EE:BA
192.168.0.7
C4:D3:46:B1:EE:BA
The attacker has just told all clients on the
network that he is the default gateway!
192.168.0.1
D7:AD:F1:C3:A4:D9
Client
The Bigger Problem
Client
Default Gateway
Client
Attacker
Client
Client
Client
192.168.0.7
C4:D3:46:B1:EE:BA
192.168.0.1
D7:AD:F1:C3:A4:D9
Here the attacker can monitor all Internet traffic on the LAN that isn’t being
sent using TLS. He could also simply not forward on the traffic and bring the
entire network down as no clients would be able to communicate at all. This is
known as a Denial of Service (DoS) attack.
Mitigation
• There is no replacement for ARP on a LAN so ARP Cache Poisoning is a
difficult threat to defend against.
• You can create static ARP entries on client machines for important
things like the default gateway. The only problem is if the IP or MAC
genuinely changes no client will listen to the new details and depend
upon the incorrect static entries which now need to be updated.
• ARP Cache Poisoning actually has genuine advantageous uses. If a web
server on your LAN went down, you could invisibly direct all clients to a
backup server without needing to alter any configurations. Simply
broadcast a forged ARP packet with the MAC address for the new
server.
• You can employ monitoring software to listen and try to detect forged
ARP packets. They are easy to spot by maintaining a historic record of
ARP broadcasts and looking for an ARP packet with the same IP
address but a different MAC address to one previously reported.
Conclusion
Whilst you could statically assign all ARP entries on the network this is not a
realistic solution and near impossible to maintain on large networks.
Detection software can let you know when someone is attempting to ARP
poison clients on your network and event attempt to mitigate it but this is
still a reactive measure and not a form of prevention. ARP Cache Poisoning
presents a serious threat over a LAN (this includes WiFi) which stems from
an inherent lack of security in the protocol itself. The easiest way to protect
your Internet traffic whilst using a network that may contain malicious
clients is to use sites protected with TLS. As TLS offers end to end encryption
the attacker would only be able to view the encrypted version of your traffic
and as such it is useless to them. There are of course other options like using
a Virtual Private Network (VPN), which will be covered in a later
presentation, but require considerable cost and maintenance.
Thanks
You can find more info covering this and other forms of attack on my blog:
http://scotthel.me
Please feel free to share this information generously but do provide attribution
back to my site.
This work is licensed under the Creative Commons Attribution 3.0
Unported License. To view a copy of this license, visit
http://creativecommons.org/licenses/by/3.0/