【 Weak current College 】 ARP spoofing attacks principle and prevention tips

First of all, in accordance with the design of the ARP protocol, in order to reduce network on excessive ARP data communication, a host, even if the ARP reply is not received by their own request, it will insert it into your own ARP cache table, this will cause the "ARP Spoofing". If hackers want to listen to the same network between two hosts in communication (even via a switch), he will give the host sends an ARP reply packets, allowing two hosts are "error" view each other's MAC address is a third party host of the hacker is located, so that both sides seem to be "direct" traffic connection, are actually a host by hackers are indirectly. Hackers on the one hand, got the communication content, on the other hand, only need to change some information in the packet, and successfully do the forwarding job. In this way, hackers sniff the host is not required to set the network card in promiscuous mode, because the communication between the packet is a physically sent to a hacker's transit host.

Here, for example, suppose the same LAN, 3 Desk hosts are connected via a switch:

A host: 192.168.0.1 IP address, MAC address is 00: 01: 01: 01: 01: 01; B host: IP address 192.168.0.2, MAC address 02: 02: 02: 02: 02: 02; C host: IP address 192.168.0.3, MAC address is 03: 03: 03: 03: 03: 03.

B hosts on A and c are deceiving prelude is sending false ARP reply packets, while in receipt of B hosts the ARP reply, A host should know:

To 192.168.0.3 packets should be sent to the MAC address of the host; 020202020202 C host also know: to 192.168.0.1 packets should be sent to the MAC address of the host. 020202020202 In this way, the A and C are considered each other's MAC address is, in fact, this 020202020202 is B hosts the desired results. Of course, because the ARP cache table entry is updated dynamically with a dynamically generated map has a lifetime, usually two minutes if no new information update, ARP map entry is automatically removed. Therefore, B also has a "task"; in other words, we have been continually to A and c to send this kind of false ARP response package, let it remain in the ARP cache is poisoned the mapping table entries.

Now, if A and C to communicate effectively with each other to send packets will arrive first, then B host, if b does not do further processing, A and C communication will not function properly established, B would not reach the "sniffing" the purpose of the communication content, therefore, B to receive the "error" to a modification of the packet, and then forwarded to the correct destination, and modify the content, is the purpose of MAC and the source MAC address. So, in A and C, the packets sent each other is to go directly to each other, but in B, his play "third party" role. This sniffer method, also called "Man-In-The-Middle" method. As shown in the figure.

In the current use of attack instances ARP principle tools is very easy to use, these tools can sniff and analyze FTP, POP3, SMTP, SMB, HTTP/HTTPS, SSH, MSN, etc more than 30 kinds of application passwords and transfer content. Here are the tests use the Telnet tool capture, capture content includes TELNET password and all of the content:

Just above the data for a specific application, use the-middle attacker can monitor the data directly to SNIFFER, sniffer, so you can monitor all trick the user's data.

Also some people use ARP principle developed network management tools, ready to cut the connection to the specified user. These tools are going to the trouble to hand is extremely easy to make the network becomes unstable, usually these faults are difficult to troubleshoot