Network Security Learning (XV) ARP

Broadcasting and broadcasting domain

One broadcast ： Data frame with broadcast address as destination address
I. broadcast domain ： A collection of all nodes that can receive the same broadcast in the network

MAC Address broadcast

— The address is FF-FF-FF-FF-FF-FF

IP Address broadcast

1.255.255.255.255
2. radio broadcast IP The address is IP Address the broadcast address of the network segment , Such as 192.168.1.255/24

The smaller the broadcast area, the better

ARP Overview of the agreement

What is? ARP agreement

        Address Resolution Protocol, Address resolution protocol
         Put a known IP Address resolution into MAC Address

The process

Same as segment

The sender sends ARP Broadcast message request target MAC Address , The receiving end will reply after receiving

Different segments

The sender sends ARP Broadcast message request gateway MAC Address , The router replies after receiving , Then send the package to the target

ARP Message content ：

I am a 10.1.1.1 my mac:AA
Who is the 10.1.1.3 Yours mac:?

ARP cache

The main purpose is to avoid repeated sending ARP request

ARP command

arp -a                see ARP Cache table

arp -d                 eliminate ARP cache

arp  -s                ARP binding

ARP attack

By sending fake ARP message （ Broadcast or unicast ） To achieve an attack or deception

Such as false message mac It's fake, it doesn't exist , Realization ARP Attack
blow , The result is a loss of communication / Broken net
Such as false message mac It's the attacker's own mac Address , Realization
ARP cheating , As a result, you can monitor 、 steal 、 Tampering 、 Control flow
But without interrupting communication ！

ARP The protocol has no verification mechanism

  The switch did not mac Address

How routers work

1) A frame arrival route , The router first checks the target MAC Whether the address is yourself , If not, discard , If so, unpack , And will IP The packet is sent to the inside of the router .
2) Router check IP The goal in Baotou IP, And match the routing table , If the match fails , Then discard , And to the source IP Feedback error messages ,
If the match is successful , Will IP Packets are routed to the outgoing interface .                                                                                              3) Encapsulation frame , First, the of the interface MAC Address as source MAC Package it , Then check that the ARP Cache table , Check if there is a next jump MAC Address , if there be , Extract and target MAC The address is encapsulated in the frame , If not , Then send ARP Broadcast request for next hop MAC, And get each other's mac Address , Then record the cache , And encapsulate the frame, and finally send the frame

ARP Attack defense ：

1. static state ARP binding
Manual binding / Two way binding
windows On the client ：
arp-s  10.1.1.254  00-01-2c-a0-e1-09
arp -a                            see ARP Cache table

2.ARP A firewall
Automatically bind static data ARP
Active defense

3. Enterprise switch defense                                                                                                                               The switch supports ports to be dynamically connected ARP binding （ coordination DHCP The server ）

Or do static ARP binding

example

kali attack win10

kali install arpspoof

kali linux The system is based on debian linux System , It's using deb Package management , have access to apt Install directly from the source

1、 Configuration source

2、 Installation tools

dsniff Tools

apt-get install dsniff        

arp attack

eth0: Choose a network card

The latter two ip The addresses are the attacked host ip And gateway

arp Man-in-the-middle attack

kali Command line input

echo 1 >> /proc/sys/net/ipv4/ip_forward
You can use tools driftnet, The installation method is the same as above

driftnet -i eth0        Capture the image obtained by the attacked host