An ethernet switch table containing ip-to-mac address mappings is known as:

ARP

ARP is responsible for resolving the logical IP address into the hardware address for the network layer. (Note that an ARP packet is not an IP packet, and works below that layer.) If the destination IP address is on the same subnet as the source host, then IP will use ARP to determine the hardware address of the destination host. If the destination IP address is on a remote subnet, then ARP will be used to determine the hardware address of the default gateway. The ARP cache, a table of translations between IP address and hardware, stores its entries dynamically and flushes them after a short period of time.

Security Alert!

Some attacks have been based upon gratuitous or forged ARP replies and redirecting IP traffic to a system that sniffs for cleartext passwords or other information. One such attack tool is available at www.monkey.org/~dugsong/dsniff/. This attack disables the benefit of a switched Ethernet environment because ARP requests are broadcast to all local network ports. The spoofing machine can respond with its hardware address and become a man-in-the-middle. Research is being conducted on a new ARP protocol that would be resistant to these types of attacks. However, it is best to assume that switches do not provide access control, and avoid the use of cleartext passwords or other sensitive information.

ARP Flooding

ARP flooding is another ARP Cache Poisoning technique aimed at network switches. While not effective on all switches, some will drop into a hub-like mode when the CAM table is flooded. This occurs because the switch is too busy to enforce its port security features and broadcasts all network traffic to every computer in the network. This technique is particularly useful in MITM attacks, where the goal is to impersonate one of the hosts in a connection. In WinArpAttacker, conducting an ARP flood is as simple as clicking the checkboxes next to the host you wish to flood, clicking on the attack icon in the toolbar, and selecting the Flood option.

ARP

Address Resolution Protocol(ARP) is used to dynamically map layer-3 network addresses to data-link addresses. The ARP cache is vulnerable to ARP cache poisoning and ARP spoofing attacks. ARP cache poisoning involves the insertion of either a non-existent ARP address or an incorrect ARP address into a system's ARP cache. This results in a denial of service since the target system will send packets to the peer's IP address but the MAC address will be wrong.

ARP spoofing can be used by an attacker in order to attempt to compromise the system. ARP spoofing relies on disabling a host on the network so that it cannot reply to any ARP request broadcasts and then subsequently configuring the disabled host's IP address on the attacking host. When the host being attacked attempts to communicate with the disabled host the attacker's system responds to any ARP request broadcasts, thus inserting its MAC address in the attacked host's ARP cache. Communication between the two hosts can then proceed as usual. It is very tricky to protect a system against ARP attacks. A possible defense against ARP attacks is to reduce the lifetime of cache entries. The cache lifetime is determined in Solaris by the kernel parameter “arp_cleanup_interval.” The IP routing table entry lifetime is set by the kernel parameter “ip_ire_flush_interval”. These commands will be set as follows:

ndd -set /dev/arp arp_cleanup_interval

ndd -set /dev/ip ip_ire_flush_interval

In the ndd command, is added in milliseconds. Reducing the ARP cache timeout interval and the IP-routing table timeout interval can make it more difficult for the attacker slowing down their attack. Alternately, static ARP addresses should be created for secure trusted systems. Static ARP cache entries are permanent and therefore do not expire. These entries can be deleted using the command “arp –d”. This may be further enhanced in the event that only static ARP is necessary.

ARP Spoofing

The Address Resolution Protocol (ARP) maintains the ARP cache. This is a table that maps IP addresses to Media Access Control (MAC) or physical addresses of computers on the network. This cache is necessary because the MAC address is used at the physical level to locate the destination computer to which a message should be delivered. If there is no cache entry for a particular IP address, ARP sends a broadcast message to all the computers on the subnet, requesting that the machine with the IP address in question respond with its MAC address. This mapping then gets added to the ARP cache. ARP spoofing, also called ARP poisoning, is a method of sending forged replies which result in incorrect entries in the cache. This results in subsequent messages being sent to the wrong computer (the machine whose MAC address is incorrectly matched with the IP address). Once again, this process has been automated b hacker tools such as ARPoison and Parasite have automated this process.

Example ARP Operation

What the ARP process adds to TCP/IP is a mechanism for a source device to ask, “Who has IP address 10.10.12.52 (this was our first example from the Illustrated Network) and what is the physical (hardware) address associated with it?”

ARP messages are broadcast frames sent to all stations. The proper destination IP layer realizes that the destination IP address in the packet matches its own and replies directly to the sender. The target device replies by simply reversing the source and destination IP address in the ARP packet. The target also uses its own hardware address as the source address in the frame and message.

The ARP process is shown in Figure 6.6. The steps are numbered and taken from the example earlier in this chapter, where lnxclient ARPs to find the MAC address of winsvr2.

The system lnxclient (10.10.12.166) assembles an ARP request and sends it as a broadcast frame on the LAN. Because it is unknown, the requested MAC address field in the ARP message uses all zeros (0s), which are placeholders.

All devices attached to the LAN receive and process the broadcast, even the router CE6. But only the device with the target’s IP address in the ARP message (winsvr2 at 10.10.12.52) replies to the ARP. The target also caches the MAC address associated with 10.10.12.166 (the source address in the broadcast frame).

The target system winsvr2 sends a unicast ARP reply message back to lnxclient. The reply has the MAC address requested both in the frame (as a source address) and in the ARP message field sent as 0s.

The originating source system and the target system will cache the hardware address of the destination and proceed to send “live” IP packets with the information, at the same time supplying the proper frame address as a parameter to the network access layer software.

Figure 6.7 shows how the ARP request and reply message shown at the beginning of this chapter look like “on the wire.” The field values can be compared to the ARP message format shown in Figure 6.5. Again, the lnxclient to winsrv2 ARP pair are used as the example. Trailing zeros are not shown.

ARP operation is completely transparent to the user. ARP operation is usually triggered when a user runs some TCP/IP application, such as FTP, and the frame’s destination MAC address is not in the ARP cache.

Address Resolution Protocol Cache Poisoning

This first scenario describes the classic attack method of using Address Resolution Protocol (ARP) cache poisoning to inject an attacker in-between a user and the default gateway (router) to intercept and read data as it traverses the network. Before moving into the scenario, a quick refresher in ARP may help with your understanding of how this scenario is possible.

ARP (RFC 826B) is used in networks today to provide mapping of Open Systems Interconnection Reference Model (OSI) Layer 3 (Network) addresses to Layer 2 (Data Link) hardware addresses. Details and a good overview of the OSI model can be found at Cisco's Web site,C as well as in Chapter 5, “Spanning Tree Protocol.” This mapping allows logical addresses, such as Internet Protocol (IP) addresses, to be associated with a physical hardware device such as a network interface card. Figure 6.2 provides an example of what an ARP table looks like when using the arp –a command from the Windows command prompt. Several different types of network implementations including Ethernet, Fast Ethernet, Fiber Distributed Data Interface, and wireless utilize ARP.

The following explanation assumes we are on a network using TCP/IP as the primary networking protocols. Communication using ARP is facilitated by the exchange of messages between hardware devices using ARP messages. The messages we are primarily concerned with are the ARP request and ARP reply. When requesting the hardware address of another system on the network, an ARP request is sent to the network broadcast address and includes the IP address and hardware address of the requestor and the IP address of the target system. Once a system receives the ARP request, it will check the local ARP table to see if it is the owner of the IP address broadcast in the original request. If the system does have an entry in its ARP table indicating it does own the IP address, an ARP reply is sent directly to the system that made the original request. The computer that made the original request will then add the hardware address to its ARP table for future use. A high-level overview of this operation is depicted in Figure 6.3.

The entire process of sending responses and receiving replies takes only seconds to complete in most cases, and this type of interaction is implemented on a variety of systems. ARP is used not only on computers but also on switches, routers, printers, wireless-enabled cell phones, and many other types of equipment.

Now that our refresher on ARP is complete, let's focus on a MITM attack using a technique referred to as ARP cache poisoning. The attacker wishes to perform a MITM attack in an effort to gain access to valid credentials that could allow him or her to interact with other network services. With the understanding of how ARP works and the availability of several common MITM tools, this attack is fairly easy to perform.

Several tools for performing ARP cache poisoning attacks are freely available via the Internet, and usage of the tools is usually well documented. The tool our attacker chooses for this scenario is Ettercap.D (See Chapter 7, “Password Replay” for an example of ARP poisoning using a different tool, Cain & Abel.) Some of the interesting features of this tool include host discovery, target selection interface, capability of performing several types of MITM attacks, sniffing, and a variety of plug-ins to use during attacks. The tool is also capable of being run on a several different computing platforms, and users have a choice of running the tool in a graphical user interface, ncurses,E or text-based environment.

Tip

The last paragraph explained the availability of tools and how well documented they are based on their popularity and developer documentation. Popular sites such as YouTubeF allow people to create videos that will walk you through the common usage for many of the tools used for penetration testing and hacking. This is far from the days of reading text files and communicating on Bulletin Board Systems as a means of learning how to use and exchange tools. The learning curve today is significantly reduced for those getting started in security research and exploitation. Take a quick break, visit YouTube (or any other similar site), and search for “ettercap MITM.” Also try searching for some of the tools or concepts we have discussed in this book.

The attacker in this scenario, Michael, works as a design engineer for a large company in the sleepy town of Seguin, Texas. The company sells and distributes a large product line of aftermarket motorcycle parts for those motorcycle enthusiasts who wish to add a little personality to their motorcycles. Recently, Michael was in an accident and had some extensive damage done to his personal motorcycle (although Michael was okay). It turns out the motorcycle was deemed a total loss by his insurance company and Michael ended up purchasing a new motorcycle. One thing that Michael dearly missed was his shiny and loud tailpipes; you could hear them coming from a mile away, and the tailpipes were the envy of everyone.

Being a team player, Michael decides to order replacement tailpipes for his new motorcycle from the company he works for so he can get back to cruising in style. However, he discovers the company has discontinued the model tailpipes he used to have and will not bring them back into production. This obviously makes Michael angry, and he decides to take some action to show the company what happens when they disrespect loyal employees and customers.

Since Michael has internal access to the network, he decides to use a MITM attack, so he can steal someone else's credentials to do some damage. Michael does this to reduce the likelihood the forthcoming attack will be traced back to him. Michael decides to use Ettercap to perform a MITM attack against Chip, the company Web and database developer. Michael first scans the local network to obtain a list of IP addresses and host names on the network and is able to identify a Windows XP computer named webdev with an IP address of 192.168.204.139. The name of this computer sounds like it would be the one a Web developer may use so he takes note of the IP address and moves down his scan list. Michael also notices a Windows Server 2008 system named corpweb with an IP address of 192.168.204.131.

In an ARP cache poisoning attack, the attacker identifies two systems he wants to attack and then places himself in the middle of the communication stream. This is accomplished by using a tool such as Ettercap send false information to modify the ARP cache on the two target systems. The tool will send ARP packets to poison the ARP cache on the Windows 2008 Server indicating the MAC address of Chip's workstation is that of the attacker's computer. At the same time, ARP packets will be sent to poison the ARP cache on Chip's Windows XP computer to notify it the MAC address of the Windows 2008 Server is now that of the attacker's computer. Once the ARP cache poison completes, both of the victim systems will unknowingly route traffic intended for each other through the attacker computer. During this exchange of data, the Windows 2008 Server and the Windows XP computers both believe they are still directly communicating with each other.

Using Ettercap, the attacker is able to select the two systems identified previously and start an ARP cache poisoning attack against these systems. Upon successfully injecting himself or herself between Chip's computer and Web server, the attacker can sniff the traffic as it traverses his or her computer. Tools such as Ettercap have built-in filters to notify the attacker when credentials for specific protocols are sniffed during the attack. Figure 6.4 displays an active MITM attack as described in the scenario. It appears Michael was able to capture a File Transfer Protocol (FTP) login session originating from Chip's computer and authenticating to the Web server.

Since Michael knows that Chip is the company Web developer, there is a good chance that these credentials are used to upload Web site content and for routine access to the Web server and Web site files. Michael uses the login credentials against the FTP server and discovers not only that the credentials are valid but they place him in the root directory of the company Web site. With this type of access, Michael can possibly delete all the content, replace legitimate files, and browse for other credentials or important information on the server. Michael decides to upload an updated version of the main page of the Web site that reads “This week only, all parts are 50 percent off normal price!”

Obviously, the great deal on motorcycle parts being advertised on the Web site spreads fast and causes an increase in sales calls. After being tipped off by a customer that it is “great you're selling everything at half-off,” the sales department goes into a panic. Selling most parts at 50 percent off normal price is costing the company money. What is a company to do? Honor the advertised special? Tell the customers there was a glitch and there is no sale? Tell the customers the site got hacked? You can draw your own conclusions, but the point is that a very simple attack can cause a company many messes to clean up.

Losing customer loyalty and tarnishing a good reputation can cause many companies to experience reduced revenue. In some cases, it can impact the company in such a way that it forces the company to reduce staff or even close their doors. Although this scenario was primarily about the execution of a MITM attack, any attacks with significant enough magnitude can really hurt the company overall.

Experimental Preprocessors

arpspoof detects ARP spoofing attacks by checking ARP responses against a static table of ARP-to-IP addresses.

asn1_decode detects abuses of the ASN.1 protocol, used by SSL, SNMP, and X.509.

fnord detects polymorphic shellcode by looking for shellcode programmatically, instead of via straight pattern matches.

perfmonitor outputs performance statistics for Snort, but has no goal of consistency of output over its development cycle.

portscan2 is the successor to portscan, but is not yet in Enterprise-ready condition. This preprocessor is the sole user of the conversation preprocessor.

Address Resolution Protocol

The address resolution protocol (ARP) is a simple protocol used in wired LANs to provide information about other connected nodes. As mentioned in Chapter 5, ARP is one of the protocol payloads an Ethernet frame can carry (others are IP, and RARP, the reverse address resolution protocol). ARP is a simple query–response packet protocol used to match workstations hardware addresses to IP addresses. In other words, ARP is the protocol used to identify nodes in a LAN. ARP is described in RFC 826.

In a typical LAN, computers need to spend part of their time probing each other. That is, sending short packets too see who else is around the locality. Each computer builds up a table of neighbour active nodes, which is maintained dynamically as nodes are connected or switched off. The table contains mappings of IP versus hardware MAC addresses, this is necessary because a message arriving for transmission from a higher layer may only contain a destination IP address, which must be mapped to a physical hardware destination. Before sending a message to another station in a local network, a computer will consult its own table. If there is no MAC address entry for the wanted IP address, an ARP query broadcast message is sent out, and a wait for a reply will be initiated. The table is dynamically maintained, flushed and refreshed every few minutes.

ARP makes use of the special MAC ‘broadcast’ destination address (FFFFFFFFFFFFhex), which is accepted by all Ethernet stations on the network. The broadcast message says, ‘Hey out there, anybody with IP address 190.168.0.15?’ The one and only node having this IP address allocated will reply with a frame containing its own hardware MAC address.

You can see this in action if you have a Windows PC computer. Open an MS-DOS box from the desktop, and enter ‘C:>arp -a’. This will display the current IP/MAC address directory pairs for all the local machines in your network. You may see nothing, especially if there was no recent network activity (remember the tables are dynamic and flushed every few minutes). Next, enter ‘C:>ping 192.168.0.15’ (or the address of any other known station in your network), and wait to see any replies. Then try ‘C:>arp -a’ again. Assuming you had a ping reply from another node, the screen will show the mappings. Any embedded Ethernet controller must include some form of ARP reply processing in order to respond to ARP ‘who are you?’ requests from other nodes on the network. The controller will also need to be able to query other nodes in the network for their MAC addresses (ARP requests).

What is IP to MAC address mapping?

Which table maps a destination MAC address to a port within a switch?

What is a MAC address table in switch?

What is an ARP table also known as?