Tuesday, November 11, 2008

An Introduction to ARP Spoofing Attacks


ARP spoofing is a method of exploiting the interaction of IP and Ethernet protocols. It is only applicable to Ethernet networks running IP.


A computer connected to an IP/Ethernet LAN has two addresses. One is the address of the network card, called the MAC address. The MAC, in theory, is a globally unique and unchangeable address which is stored on the network card itself. MAC addresses are necessary so that the Ethernet protocol can send data back and forth, independent of whatever application protocols are used on top of it. Ethernet builds “frames” of data, consisting of 1500-byte blocks. Each frame has an Ethernet header, containing the MAC address of the source and the destination computer.


When an Ethernet frame is constructed, it must be built from an IP packet. However, at the time of construction, Ethernet has no idea what the MAC address of the destination machine is, which it needs to create an Ethernet header. The only information it has available is the destination IP from the packet’s header. There must be a way for the Ethernet protocol to find the MAC address of the destination machine, given a destination IP. This is where ARP, the Address Resolution Protocol, comes in.


ARP operates by sending out “ARP request” packets. An ARP request asks the question, “Is your IP address x.x.x.x? If so, send your MAC back to me.” These packets are broadcast to all computers on the LAN, even on a switched network. Each computer examines the ARP request, checks if it is currently assigned the specified IP, and sends an ARP reply containing its MAC address. To minimize the number of ARP packets being broadcast, operating systems keep a cache of ARP replies. When a computer receives an ARP reply, it will update its ARP cache with the new IP/MAC association.


ARP spoofing involves constructing forged ARP request and reply packets. By sending forged ARP replies, a target computer could be convinced to send frames destined for computer A to the Attacker instead. When done properly, computer A will have no idea that this redirection took place. The process of updating a target computer’s ARP cache with a forged entry is referred to as “ARP poisoning”.
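The cache update described above can be watched from the defender's side. The following is an added example, not part of the original post: a passive monitor that parses ARP frames and flags replies nobody asked for and IP addresses whose MAC changes. The function and class names, the MAC addresses and the 10.0.0.x addresses are constructed for the illustration.

```python
import socket, struct

def parse_arp(frame):
    """Return ARP fields of an Ethernet frame, or None if not IPv4 ARP."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    htype, ptype, hlen, plen, op, sha, spa, _tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4) or op not in (1, 2):
        return None
    return {"eth_src": frame[6:12].hex(":"), "op": op, "mac": sha.hex(":"),
            "ip": socket.inet_ntoa(spa), "target_ip": socket.inet_ntoa(tpa)}

class ArpMonitor:
    """Mirrors an ARP cache and reports updates that look like poisoning."""
    def __init__(self):
        self.bindings, self.pending = {}, set()  # IP -> MAC; IPs asked about
    def observe(self, frame):
        pkt, alerts = parse_arp(frame), []
        if pkt is None:
            return alerts
        if pkt["eth_src"] != pkt["mac"]:
            alerts.append("ARP sender MAC differs from Ethernet source MAC")
        if pkt["op"] == 1:                     # request: remember the question
            self.pending.add(pkt["target_ip"])
        elif pkt["ip"] in self.pending:        # reply that answers a request
            self.pending.discard(pkt["ip"])
        else:
            alerts.append(f"unsolicited reply for {pkt['ip']}")
        old = self.bindings.get(pkt["ip"])
        if old and old != pkt["mac"]:
            alerts.append(f"{pkt['ip']} moved from {old} to {pkt['mac']}")
        self.bindings[pkt["ip"]] = pkt["mac"]  # update like a real cache would
        return alerts

def build(op, src_mac, src_ip, dst_mac, dst_ip):
    """Constructed ARP frame for the demo (op 1 = request, 2 = reply)."""
    raw = lambda m: bytes.fromhex(m.replace(":", ""))
    tha = raw(dst_mac) if op == 2 else bytes(6)
    return (raw(dst_mac) + raw(src_mac) + b"\x08\x06"
            + struct.pack("!HHBBH", 1, 0x0800, 6, 4, op) + raw(src_mac)
            + socket.inet_aton(src_ip) + tha + socket.inet_aton(dst_ip))

def demo():
    a, b, x = "02:00:00:00:00:0a", "02:00:00:00:00:0b", "02:00:00:00:00:ee"
    frames = [build(1, a, "10.0.0.1", "ff:ff:ff:ff:ff:ff", "10.0.0.2"),
              build(2, b, "10.0.0.2", a, "10.0.0.1"),
              build(2, x, "10.0.0.2", a, "10.0.0.1")]  # forged claim on B's IP
    return list(map(ArpMonitor().observe, frames))
```

`demo()` returns one alert list per frame: the request and the genuine reply produce none, and the third frame is flagged both as unsolicited and as a changed binding for 10.0.0.2.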


With ARP spoofing, the Attacker can carry out two further types of attack: 1. Sniffing attacks 2. Session hijacking attacks.



ARPoison is a command-line tool for UNIX which creates spoofed ARP packets. Users can specify the source and destination IP/MAC addresses.



following procedures:

- Injecting characters into connections
- Sniffing encrypted SSH sessions
- Password collection
- OS fingerprinting
- Connection killing
