Monday, 10 December 2012

Open A Small Business


Introduction

Up until now all the mainstream information about sniffing a switched network has told you that if you are host C trying to watch traffic between hosts A and B it's impossible, because they are inside different collision domains.

This document will teach you that it is possible due to flaws and security problems within TCP/IP.

We will be utilizing two programs: one is called arpspoof and the other fragrouter.

TCP/IP Overview

Every host on the network must have a unique hardware address to communicate on an Ethernet LAN. This hardware address is referred to as a MAC (Media Access Control) address. Once the destination's MAC address is determined, the encapsulated IP packet can be transmitted to the host. As most of you know, TCP/IP utilizes ARP (Address Resolution Protocol) to convert IP addresses into hardware addresses.

Within Ethernet ARP there are four types of messages:

ARP request - A request for a destination host's MAC address; this is usually sent to all hosts in a broadcast domain.

ARP reply - This is a response to the ARP request and tells the hardware address of the destination host.

RARP request - This is a Reverse ARP request. It requests the IP address of a known MAC address.

RARP reply - This is a response to the RARP request and tells the IP address of the requested MAC address.

All Ethernet hosts and switches keep a list of known MAC addresses and their corresponding IP addresses. The only time an ARP request is sent to the network is when an IP address NOT in the host's table is requested, which occurs when a new host is contacted or when the MAC entry in the table times out.

Sniffing traffic on a network utilizing a hub is easy because all traffic is transmitted to each host on the network. Sniffing a switched network presents a problem because the switch knows which MACs are plugged into which ports; the only time a broadcast is sent to the entire network is when an ARP or RARP request is sent out.

Since there is no way built into TCP/IP to verify which MACs are associated with which IP addresses, other than to ask or to look in its ARP table, this opens TCP/IP up for exploitation.

So the goal of a malicious hacker would be to trick your system into updating its ARP table so that data goes to the attacker instead.

There are many ways to do this, but for the purpose of this document we will cover arpspoof from dsniff.

Network Setup

We have a pretty basic network setup here: three hosts connected by a switch.

HostA: 192.168.0.2 MAC: 00:08:74:95:65:11

HostB: 192.168.0.3 MAC: 00:08:74:46:EB:08

HostC: 192.168.0.4 MAC: 00:02:B3:A4:7F:8B

Etc. HostA could be a PC and HostB a Sun box; it doesn't really matter. HostA could be a Sun box and HostB could be its default router, or HostB and HostC could be something else. For the purpose of this document we are HostC, a Linux box.

On HostC we will download and install dsniff

Src: http://monkey.org/~dugsong/dsniff/

Pkg: http://www.rpmfind.net

On HostC we will also download and install fragrouter

http://www.securityfocus.com/tools/176

>> tar zxvf fragrouter-1.6.tar.gz

>> ./configure

>> make

>> make install

Running Fragrouter

We want the traffic to make it to its destination; we just want to see it first, so we just want to do normal IP forwarding. This app is very simple.

>> fragrouter -B1

Running ARPSPOOF

For the purpose of this document we will run arpspoof like this (again, we want to watch traffic from HostA to HostB). The man page gives a complete explanation of how to use arpspoof.

>> arpspoof -t HostA HostB

The man page for arpspoof says that -t target is the box that you want to spoof the ARP tables on. Meaning we want to update HostA's ARP table, telling it that the MAC address of HostB is 00:02:B3:A4:7F:8B (which, if you look above, is the MAC address of HostC).

Fragrouter will just route the packets on to HostB.

Preventing Against This Type of Attack

Well there are a few ways to go about this.

1) You can gather all the MAC information for every host on your network and feed that into a startup script using arp -p. -- BAD IDEA. The problem with this is that every host will need to be updated if/when a network card gets replaced.

2) Solaris - Change the default arp_cleanup_interval. The default is 5 min, which means Solaris keeps ARP values in its ARP cache for 5 minutes.

ndd -set /dev/arp arp_cleanup_interval 6000

3) Arpwatch - This is one of the greatest tools for protecting yourself against this type of attack.

You can download it for Linux from rpmfind.net and for Solaris from sunfreeware.com.

Example of logs:

Jun 23 10:22:02 hostA arpwatch: new station 192.168.0.5 00:02:B3:A4:7F:8B

Jun 23 10:22:02 hostA arpwatch: changed ethernet address 192.168.0.3 00:02:B3:A4:7F:8B (00:08:74:46:EB:08)

You can easily set up scripts which monitor for this type of activity. The log on hostA, which is running arpwatch, shows that hostB's (192.168.0.3) MAC address has changed to what we know is hostC's.
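As an added example (not part of the original post), here is the kind of monitoring script the previous sentence refers to: it parses arpwatch syslog lines like the ones above, alerts whenever a station's MAC changes, and escalates when the new MAC is already in use by another IP, which is exactly the pattern the log above shows for HostC. The log text is constructed from the lines on this page; the hostnames and timestamps are assumed.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the arpwatch log lines quoted above.
SAMPLE_LOG = """\
Jun 23 10:21:50 hostA arpwatch: new station 192.168.0.2 00:08:74:95:65:11
Jun 23 10:21:51 hostA arpwatch: new station 192.168.0.3 00:08:74:46:EB:08
Jun 23 10:22:02 hostA arpwatch: new station 192.168.0.5 00:02:B3:A4:7F:8B
Jun 23 10:22:02 hostA arpwatch: changed ethernet address 192.168.0.3 00:02:B3:A4:7F:8B (00:08:74:46:EB:08)
"""

# arpwatch reports "new station", "changed ethernet address" and "flip flop";
# the latter two carry the previous MAC in parentheses.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) arpwatch: "
    r"(?P<event>new station|changed ethernet address|flip flop) "
    r"(?P<ip>[\d.]+) (?P<mac>[0-9a-fA-F:]{17})(?: \((?P<old>[0-9a-fA-F:]{17})\))?"
)

def analyze(log_text):
    """Return alerts as (severity, timestamp, ip, old_mac, new_mac, other_ips)."""
    stations = {}                  # ip -> MAC currently believed to own it
    mac_owners = defaultdict(set)  # MAC -> every IP it has been seen with
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, mac, event = m["ip"], m["mac"].lower(), m["event"]
        old = (m["old"] or "").lower()
        if event in ("changed ethernet address", "flip flop"):
            # An IP's MAC changing is what arpspoof causes on the victim.
            # If the new MAC already answers for another IP, one card is
            # claiming two addresses: the HostC pattern from the log above.
            others = sorted(mac_owners[mac] - {ip})
            severity = "HIGH" if others else "MEDIUM"
            alerts.append((severity, m["ts"], ip, old, mac, others))
        stations[ip] = mac
        mac_owners[mac].add(ip)
    return alerts

if __name__ == "__main__":
    for sev, ts, ip, old, new, others in analyze(SAMPLE_LOG):
        print(f"{sev}: {ts} {ip} moved {old} -> {new}; MAC also used by {others}")
```

Feeding real arpwatch output to analyze() (for example via tail -f on the syslog file) gives a HIGH alert the moment a known station's IP starts resolving to a MAC that another station is already using.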

In Summary

As you can tell, this document provides a basis for ARP spoofing. However, this basic idea lays the way for SSH and SSL man-in-the-middle attacks. Once a box is compromised and used as a gateway in a network, the entire network's security becomes open for exploitation.
