ARP redirect attack (for computer enthusiasts).

ARP redirect is an attack that allows a hacker to change the flow of network packets so that they pass through a selected computer (or other network device), where they can be sniffed and/or modified.

Two internet devices on the same subnet can communicate only if they know each other's physical (MAC) addresses.

The ARP protocol 'hides' physical addresses and lets application layer processes work with IP addresses.

How is an IP address resolved into a physical address? The sending device first looks in its ARP table; if there is no entry, it builds an 'ARP query packet' and hands it to its network adapter with an indication that the packet should be sent to the MAC broadcast address, namely FF-FF-FF-FF-FF-FF. The adapter encapsulates the ARP packet in a link layer frame, uses the broadcast address as the frame's destination address, and transmits the frame onto the subnet. An ARP query is like a person shouting into a crowded room, asking for someone's address. The frame containing the ARP query is received by all other internet devices on the subnet, and each of them passes the ARP packet within the frame up to the ARP module in that node (internet device). The device whose IP address matches answers with an ARP reply carrying its MAC address, and the sender stores that IP-to-MAC binding in its ARP table.

The trick is to insert an intermediate node between the two communicating nodes.

Each internet device announces its IP and MAC addresses when it connects to the network, so the gateway knows where to direct packets. A hacker wanting to capture a connection needs to 'convince' the internet device that he is the gateway, and the gateway that he is the internet device.

To implement this attack a hacker can use the following tools:

1. The Libnet library.
2. Nemesis, a tool that can generate network layer, transport layer and link layer packets and inject them into the network.

To learn the IP addresses of devices available in the network, the nmap tool can be used.
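The redirect above works by feeding a device an ARP reply that rebinds the gateway's IP to another MAC, so the defender's signature is an IP whose MAC changes (or whose ARP sender MAC does not match the Ethernet source MAC). The following is an added detection example, not code from the original post or from any of the tools named above: it parses raw Ethernet/ARP frames and flags such rebinding. All MAC and IP values are constructed sample data.

```python
import struct

ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, EtherType
ARP_PKT = struct.Struct("!HHBBH6s4s6s4s")  # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP, ARP_REPLY = 0x0806, 2

mac_str = lambda b: "-".join(f"{x:02X}" for x in b)

def parse_arp(frame):
    """Return (op, sender_mac, sender_ip, frame_src_mac) for an IPv4 ARP frame, else None."""
    if len(frame) < ETH_HDR.size + ARP_PKT.size:
        return None
    _dst, src, etype = ETH_HDR.unpack_from(frame, 0)
    if etype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, _tha, _tpa = ARP_PKT.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return op, mac_str(sha), ".".join(map(str, spa)), mac_str(src)

def detect_poisoning(frames, gateway_ips=()):
    """Learn IP->MAC bindings from ARP replies; alert when a binding changes (the
    redirect's signature) or the ARP sender MAC disagrees with the frame source."""
    bindings, alerts = {}, []
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None or parsed[0] != ARP_REPLY:
            continue
        _op, sha, spa, eth_src = parsed
        if sha != eth_src:
            alerts.append(f"{spa}: ARP sender {sha} != frame source {eth_src}")
        known = bindings.setdefault(spa, sha)   # first reply seen wins
        if known != sha:
            tag = " [gateway]" if spa in gateway_ips else ""
            alerts.append(f"{spa}: MAC changed {known} -> {sha}{tag}")
    return bindings, alerts

# Constructed sample (not a real capture): gateway reply, host reply, then a
# reply claiming the gateway IP from a different MAC.
def sample_reply(src_mac, sender_ip, dst_mac, target_ip):
    mac = lambda s: bytes.fromhex(s.replace("-", ""))
    ip = lambda s: bytes(int(x) for x in s.split("."))
    arp = ARP_PKT.pack(1, 0x0800, 6, 4, ARP_REPLY, mac(src_mac), ip(sender_ip), mac(dst_mac), ip(target_ip))
    return ETH_HDR.pack(mac(dst_mac), mac(src_mac), ETHERTYPE_ARP) + arp

SAMPLE = [
    sample_reply("AA-AA-AA-AA-AA-01", "192.168.1.1", "CC-CC-CC-CC-CC-10", "192.168.1.10"),
    sample_reply("CC-CC-CC-CC-CC-10", "192.168.1.10", "AA-AA-AA-AA-AA-01", "192.168.1.1"),
    sample_reply("BB-BB-BB-BB-BB-66", "192.168.1.1", "CC-CC-CC-CC-CC-10", "192.168.1.10"),
]
```

Running `detect_poisoning(SAMPLE, gateway_ips={"192.168.1.1"})` reports the third frame as a gateway MAC change; on a live network the same logic can be fed frames captured with tcpdump.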

See also: Link Layer Addressing (MAC addresses).

1 comment:

  1. After redirecting, packets can be 'sniffed' (read) with the tcpdump command.

    For example, to print packets coming from the wireless LAN on screen, if our host has IP address, type:

    sudo tcpdump -A host -i wlan0

    to save packets to a file, add:

    -w log.out

    (This is a Linux command; other operating systems might have different commands.)