Posts Tagged ‘arp’

Secure your Network: How ARP Spoofing Works

Friday, March 6th, 2009

Do you wonder how hackers got to your packets? It might have been ARP spoofing.

ARP Basics
ARP is a layer 2 protocol; its full name is “Address Resolution Protocol”.
As the name indicates, ARP is used to resolve layer 3 IP addresses to layer 2 MAC addresses.

It works quite simply: if a host on the segment wants to talk to another host but does not know its MAC address, it sends a frame to the broadcast address (FF:FF:FF:FF:FF:FF) asking “who has 10.0.0.1?”. The host at 10.0.0.1 sees this request and replies “10.0.0.1 is at ab:cd:ef:ab:cd:ef”. The requesting host then updates its ARP table with that mapping, and from then on the two hosts talk directly.

Security problems in ARP
Most hosts will update their ARP table when they see a ‘10.0.0.1 is at’ ARP reply, even if they never requested it.
This keeps network traffic low: the MAC address may already be in the ARP table because some other host spoke to the server your computer wants to reach and your computer saw the ‘is at’ reply, so no ARP request is needed.

What if someone flooded your network with fake ARP replies, ‘10.0.0.1 is at fa:ke:ad:dr:es’?
Exactly: the hosts will update their ARP tables and start sending packets to the wrong host.
The machine at ‘fa:ke:ad:dr:es’ can then accept all packets and forward the correct ones to the actual 10.0.0.1 gateway (the attacker does not poison its own ARP table, so it still sends packets to the real IP address).

Think about how easy it is to become ‘attached’ to a wireless network: anyone who joins it can send spoofed ARP replies too.

Tools
dsniff includes tools to ARP spoof.
ettercap is capable of ARP poisoning too.
The package ‘arpalert’ on Ubuntu can notify you of changes in the ARP table.
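As an added example (my own code, not from the original post and not arpalert's), here is the detection logic such a tool applies: parse ARP frames, remember the first MAC each IP claimed, and flag replies that nobody requested or that contradict the stored binding. The frames are constructed in memory as sample input; the MAC and IP values are made up.

```python
import struct

ETH_P_ARP = 0x0806
_mac = lambda s: bytes.fromhex(s.replace(":", ""))
_ip = lambda s: bytes(int(o) for o in s.split("."))

def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Construct an Ethernet II + ARP frame; used here only to build sample input (constructed data)."""
    dst = _mac("ff:ff:ff:ff:ff:ff") if op == 1 else _mac(target_mac)
    hdr = dst + _mac(sender_mac) + struct.pack("!HHHBBH", ETH_P_ARP, 1, 0x0800, 6, 4, op)
    return hdr + _mac(sender_mac) + _ip(sender_ip) + _mac(target_mac) + _ip(target_ip)

def parse_arp(frame):
    """Return (op, sender_mac, sender_ip, target_ip), or None if not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or struct.unpack("!HHHBBH", frame[12:22])[:5] != (ETH_P_ARP, 1, 0x0800, 6, 4):
        return None
    op = struct.unpack("!H", frame[20:22])[0]
    fmt_mac = lambda b: ":".join(f"{x:02x}" for x in b)
    fmt_ip = lambda b: ".".join(str(x) for x in b)
    return op, fmt_mac(frame[22:28]), fmt_ip(frame[28:32]), fmt_ip(frame[38:42])

class ArpMonitor:
    """Keep the first IP->MAC binding seen; alert on unrequested replies and on replies that contradict it."""
    def __init__(self):
        self.table, self.pending, self.alerts = {}, set(), []

    def observe(self, frame):
        parsed = parse_arp(frame)
        if parsed is None:
            return
        op, sender_mac, sender_ip, target_ip = parsed
        if op == 1:                        # request: a reply for target_ip is now expected
            self.pending.add(target_ip)
            return
        if op != 2:
            return
        if sender_ip not in self.pending:  # reply nobody asked for: gratuitous ARP, or poisoning
            self.alerts.append(("unsolicited", sender_ip, sender_mac))
        self.pending.discard(sender_ip)
        known = self.table.setdefault(sender_ip, sender_mac)
        if known != sender_mac:            # same IP now claimed by another MAC: the strong signal
            self.alerts.append(("changed", sender_ip, f"{known} -> {sender_mac}"))

def sample_run():
    """Constructed exchange: normal request/reply for 10.0.0.1, then a forged 'is at' for the same IP."""
    mon = ArpMonitor()
    mon.observe(build_arp(1, "00:11:22:33:44:55", "10.0.0.5", "00:00:00:00:00:00", "10.0.0.1"))
    mon.observe(build_arp(2, "ab:cd:ef:ab:cd:ef", "10.0.0.1", "00:11:22:33:44:55", "10.0.0.5"))
    mon.observe(build_arp(2, "de:ad:be:ef:00:01", "10.0.0.1", "00:11:22:33:44:55", "10.0.0.5"))
    return mon
```

Gratuitous ARP on boot or failover also produces the ‘unsolicited’ alert, so the ‘changed’ alert is the one worth paging on.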

To enable forwarding of packets in Linux:

linux:~# echo 1 > /proc/sys/net/ipv4/conf/all/forwarding

Using Tcpdump in Linux to Analyze Network Traffic

Wednesday, February 25th, 2009

Have you ever needed to see traffic in front of your eyes? There is a tool in Linux to do this. You can see it all, even .. passwords.

I will just give you the commands to see different types of traffic; use them for what you want.
You will not see network traffic going between other devices on the network, only traffic to and from your workstation – assuming you are on a switched network; on a WLAN things are different.
If you want to monitor a network port, you can use a ‘mirror port’ (a SPAN session) on Cisco; the configuration is as follows:

monitor session 1 source interface fastethernet 0/1
monitor session 1 destination interface fastethernet 0/2 encap ingress vlan 1

This will mirror all network traffic on FastEthernet 0/1 to FastEthernet 0/2.
There also exist methods for injecting ARP into a switched network to make network devices believe you are the gateway, so that you can inspect the packets before passing them on to the gateway.

Tcpdump commands
So back to tcpdump. To look at, for example, web traffic:
Always remember that if you want to see the traffic as ASCII, just add the ‘-A’ argument to tcpdump.

I am assuming you are using eth0; -n turns off DNS resolution.

tcpdump -i eth0 -n port 80

Now a little more fancy, using egrep – this will show all your web requests in real time! (‘-l’ makes tcpdump line-buffer its output, so lines reach egrep as they are captured instead of arriving in chunks.)

tcpdump -i eth0 -l -A -n port 80 | egrep -i '(GET./|POST./|Host:)'

Did you know you can tcpdump for a subnet by just excluding the last octet?

tcpdump -i eth0 -n port 80 and host 10.0.5

You can see I used ‘and’ here to combine filters; you can also use ‘or’,
for example ‘port 80 or port 81’.

If you forgot your POP3 password but have it stored in the client:

tcpdump -i eth0 -l -n port 110 -A | egrep -i '(user|pass)'

This also applies to passwords for the web, I have used this a lot instead of the ‘forgot password’ mechanism.
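The defender's version of the same grep, as an added example that is not part of the original post: a small parser for `tcpdump -n -A` output that attributes each payload line to the flow in the preceding header line and reports which clients are still sending cleartext POP3 or HTTP Basic credentials, with the secrets redacted. The sample capture text is constructed, not a real capture.

```python
import base64
import re

# Constructed tcpdump -n -A style output (not a real capture): a POP3 login and one HTTP Basic request.
SAMPLE = """\
12:00:01.000001 IP 10.0.5.20.51234 > 10.0.5.1.110: Flags [P.], seq 1:12, ack 1, win 502, length 11
E..3..@.@.......
USER alice
12:00:01.100001 IP 10.0.5.1.110 > 10.0.5.20.51234: Flags [P.], seq 1:5, ack 12, win 502, length 4
+OK
12:00:01.200001 IP 10.0.5.20.51234 > 10.0.5.1.110: Flags [P.], seq 12:26, ack 5, win 502, length 14
PASS hunter2
12:00:02.000001 IP 10.0.5.21.40000 > 10.0.5.2.80: Flags [P.], seq 1:80, ack 1, win 502, length 79
GET /login HTTP/1.1
Host: intranet.example
Authorization: Basic Ym9iOnMzY3JldA==
"""

HEADER_RE = re.compile(r"^\S+ IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+):")
POP3_RE = re.compile(r"^(USER|PASS)\s+(\S+)", re.I)
BASIC_RE = re.compile(r"^Authorization:\s*Basic\s+(\S+)", re.I)

def find_cleartext_logins(text):
    """Attribute each payload line to the flow named by the last tcpdump header line and
    report cleartext credentials as (proto, client, server, detail), with secrets redacted."""
    findings, flow = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            flow = (m.group(1), m.group(3), int(m.group(4)))  # client ip, server ip, server port
            continue
        if flow is None:
            continue
        m = POP3_RE.match(line)
        if m and flow[2] == 110:
            cmd = m.group(1).upper()
            detail = f"USER {m.group(2)}" if cmd == "USER" else "PASS <redacted>"
            findings.append(("pop3", flow[0], flow[1], detail))
            continue
        m = BASIC_RE.match(line)
        if m:
            try:  # the Basic token is base64 of user:password; keep only the user
                user = base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace").split(":", 1)[0]
            except ValueError:
                user = "?"
            findings.append(("http-basic", flow[0], flow[1], f"Basic user={user}"))
    return findings
```

Feed it `tcpdump -i eth0 -l -n -A port 110 or port 80` output on a mirror port to get a list of clients to migrate to TLS.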

If I forgot to mention anything, please let me know.

Locating the Cisco Switchport of a Server based on IP Address

Thursday, October 23rd, 2008

Locating computers or servers is a task I often do, and this is a tutorial on how I do it.

I have mentioned the do command, and mentioned it again in my 5 Magic Cisco Tips and Tricks article.

I am now going to give you more of a tutorial!

Locating a machine's switch port in a larger Cisco network
If you only have the IP address, just run this command:

show ip route *ipaddress*

The router will now tell you which interface this subnet is connected to.

In a usual setup you might have routed a larger block of addresses to, for example, a routing switch.
If this is the case, you will need to follow layer 3 further down to that switch/router.

When you have found the IP address as directly connected, issue this command to look up the MAC address in the ARP table:

show ip arp | include *ipaddress*

This will output the MAC address for this IP address, which you can use with this command:

show mac address-table | include *macaddress*

You will now see which port this hardware address is connected to.

In case you have a switch connected to that port, you will need to run the show mac address-table command on that switch also.

You can often identify switches by doing a show mac address-table interface *port*.
If this gives a long list of MAC addresses with TYPE dynamic, this is probably a switch.
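As an added example (my own code, not from the post), the ARP and MAC-table steps above chained together over constructed `show ip arp` and `show mac address-table` output, with the post's ‘many dynamic MACs on one port means a switch’ heuristic applied at the end. The column layout assumed is the usual Catalyst IOS one, and the threshold of three dynamic MACs is an assumption.

```python
import re
from collections import Counter

# Constructed sample output (not from the original post), laid out in the usual IOS columns.
SHOW_IP_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.0.5.1                -   0019.aa11.bb01  ARPA   Vlan5
Internet  10.0.5.20               3   0011.2233.4455  ARPA   Vlan5
Internet  10.0.5.30              12   0022.3344.5566  ARPA   Vlan5
"""
SHOW_MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   5    0011.2233.4455    DYNAMIC     Fa0/12
   5    0019.aa11.bb01    STATIC      CPU
   5    0022.3344.5566    DYNAMIC     Gi0/1
   5    0022.3344.5577    DYNAMIC     Gi0/1
   5    0022.3344.5588    DYNAMIC     Gi0/1
"""

CISCO_MAC = r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"
ARP_RE = re.compile(rf"^Internet\s+(\S+)\s+\S+\s+({CISCO_MAC})\s", re.M)
MAC_RE = re.compile(rf"^\s*\d+\s+({CISCO_MAC})\s+(\S+)\s+(\S+)\s*$", re.M)

def arp_lookup(show_ip_arp, ip):
    """'show ip arp | include <ip>': the hardware address learned for that IP, or None."""
    return dict(ARP_RE.findall(show_ip_arp)).get(ip)

def mac_table(show_mac):
    """Parse 'show mac address-table' into {mac: (type, port)}."""
    return {mac: (typ, port) for mac, typ, port in MAC_RE.findall(show_mac)}

def locate(show_ip_arp, show_mac, ip, uplink_threshold=3):
    """Chain the post's steps: ip -> mac -> port, then apply its 'many dynamic MACs = probably a switch' test."""
    mac = arp_lookup(show_ip_arp, ip)
    if mac is None:
        return None
    table = mac_table(show_mac)
    if mac not in table:
        return {"mac": mac, "port": None, "likely_switch": False}
    typ, port = table[mac]
    dynamic_per_port = Counter(p for t, p in table.values() if t.upper() == "DYNAMIC")
    return {"mac": mac, "port": port, "type": typ, "likely_switch": dynamic_per_port[port] >= uplink_threshold}
```

When `likely_switch` is true, repeat the lookup with the output of the downstream switch, exactly as the post describes.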

Wiping out the ARP cache

Thursday, September 4th, 2008

Sometimes when you are swapping out equipment it takes a long time until the new equipment replies to ICMP. This is often because the layer 3 / layer 2 mapping information (ARP) is stale. The result is that frames are sent with the wrong destination MAC address, and the new equipment never even receives them.
To clear an IP address from the ARP cache, just issue:

clear ip arp <ip address>

This will cause the IP address / MAC mapping to be flushed from the device, which will then go through the process of relearning it.