arp hazards
TRANSCRIPT
![Page 1: ARP Hazards](https://reader034.vdocument.in/reader034/viewer/2022042504/547f34845906b5b5718b47de/html5/thumbnails/1.jpg)
1Mike Beekey- Black Hat Briefings ‘01
ARP Vulnerabilities
Indefensible Local Network Attacks?
Mike Beekey
![Page 2: ARP Hazards](https://reader034.vdocument.in/reader034/viewer/2022042504/547f34845906b5b5718b47de/html5/thumbnails/2.jpg)
2Mike Beekey- Black Hat Briefings ‘01
Overview
• ARP Refresher• ARP Vulnerabilities• Types of Attacks• Vulnerable Systems• Countermeasures• Detection• Tools and Utilities• Demonstrations
![Page 3: ARP Hazards](https://reader034.vdocument.in/reader034/viewer/2022042504/547f34845906b5b5718b47de/html5/thumbnails/3.jpg)
3Mike Beekey- Black Hat Briefings ‘01
ARP Refresher
![Page 4: ARP Hazards](https://reader034.vdocument.in/reader034/viewer/2022042504/547f34845906b5b5718b47de/html5/thumbnails/4.jpg)
4Mike Beekey- Black Hat Briefings ‘01
ARP Message Formats
• ARP packets provide mapping between hardware layer and protocol layer addresses
• 28 byte header for IPv4 ethernet network– 8 bytes of ARP data– 20 bytes of ethernet/IP address data
• 6 ARP messages– ARP request and reply– ARP reverse request and reply– ARP inverse request and reply
![Page 5: ARP Hazards](https://reader034.vdocument.in/reader034/viewer/2022042504/547f34845906b5b5718b47de/html5/thumbnails/5.jpg)
5Mike Beekey- Black Hat Briefings ‘01
ARP Request Message
• Source contains initiating system’s MAC address and IP address
• Destination contains broadcast MAC address ff.ff.ff.ff.ff.ff
![Page 6: ARP Hazards](https://reader034.vdocument.in/reader034/viewer/2022042504/547f34845906b5b5718b47de/html5/thumbnails/6.jpg)
6Mike Beekey- Black Hat Briefings ‘01
ARP Reply Message
• Source contains replying system’s MAC address and IP address
• Destination contains requestor’s MAC address and IP address
![Page 7: ARP Hazards](https://reader034.vdocument.in/reader034/viewer/2022042504/547f34845906b5b5718b47de/html5/thumbnails/7.jpg)
7Mike Beekey- Black Hat Briefings ‘01
ARP Vulnerabilities
![Page 8: ARP Hazards](https://reader034.vdocument.in/reader034/viewer/2022042504/547f34845906b5b5718b47de/html5/thumbnails/8.jpg)
8Mike Beekey- Black Hat Briefings ‘01
Unsolicited ARP Reply
• Any system can spoof a reply to an ARP request
• Receiving system will cache the reply– Overwrites existing entry– Adds entry if one does not exist
• Usually called ARP poisoning
![Page 9: ARP Hazards](https://reader034.vdocument.in/reader034/viewer/2022042504/547f34845906b5b5718b47de/html5/thumbnails/9.jpg)
9Mike Beekey- Black Hat Briefings ‘01
Types of Attacks
![Page 10: ARP Hazards](https://reader034.vdocument.in/reader034/viewer/2022042504/547f34845906b5b5718b47de/html5/thumbnails/10.jpg)
10Mike Beekey- Black Hat Briefings ‘01
Types of Attack
• Sniffing Attacks
• Session Hijacking/MiM
• Denial of Service
![Page 11: ARP Hazards](https://reader034.vdocument.in/reader034/viewer/2022042504/547f34845906b5b5718b47de/html5/thumbnails/11.jpg)
11Mike Beekey- Black Hat Briefings ‘01
Sniffing on a Hub
CISCOSYSTEMS
Sniffer Source Destination
Hub
![Page 12: ARP Hazards](https://reader034.vdocument.in/reader034/viewer/2022042504/547f34845906b5b5718b47de/html5/thumbnails/12.jpg)
12Mike Beekey- Black Hat Briefings ‘01
Switch Sniffing
• Normal switched networks– Switches relay traffic between two stations based
on MAC addresses– Stations only see broadcast or multicast traffic
• Compromised switched networks– Attacker spoofs destination and source addresses– Forces all traffic between two stations through its
system
![Page 13: ARP Hazards](https://reader034.vdocument.in/reader034/viewer/2022042504/547f34845906b5b5718b47de/html5/thumbnails/13.jpg)
13Mike Beekey- Black Hat Briefings ‘01
Host to Host Exploit
Spoofed ARP ReplyCReal ARP Reply
Broadcast ARP RequestSpoofed ARP ReplyS
Client (C) Server (S) Hostile
![Page 14: ARP Hazards](https://reader034.vdocument.in/reader034/viewer/2022042504/547f34845906b5b5718b47de/html5/thumbnails/14.jpg)
14Mike Beekey- Black Hat Briefings ‘01
Host to Router Exploit
Real ARP Reply
Broadcast ARP Request
CISCOSYSTEMS
Spoofed ARP ReplyC
Spoofed ARP ReplyR
Client (C) Gateway Router (R) Hostile
![Page 15: ARP Hazards](https://reader034.vdocument.in/reader034/viewer/2022042504/547f34845906b5b5718b47de/html5/thumbnails/15.jpg)
15Mike Beekey- Black Hat Briefings ‘01
Relay Configuration
Alice Bob
0:c:3b:9:4d:8- 10.1.1.70:c:3b:1c:2f:1b- 10.1.1.2
0:c:3b:1a:7c:ef- 10.1.1.7 0:c:3b:1a:7c:ef- 10.1.1.2
0:c:3b:1a:7c:ef- 10.1.1.10
Attacker
![Page 16: ARP Hazards](https://reader034.vdocument.in/reader034/viewer/2022042504/547f34845906b5b5718b47de/html5/thumbnails/16.jpg)
16Mike Beekey- Black Hat Briefings ‘01
Relay Configuration (cont.)
CISCOSYSTEMS
Sniffer Source Destination
Switch
![Page 17: ARP Hazards](https://reader034.vdocument.in/reader034/viewer/2022042504/547f34845906b5b5718b47de/html5/thumbnails/17.jpg)
17Mike Beekey- Black Hat Briefings ‘01
Sniffing Comments
• Depending on traffic content, attacker does NOT have to successively corrupt cache of both endpoints
• Useful when “true” permanent ARP entries are used or OS is not vulnerable to corruption
![Page 18: ARP Hazards](https://reader034.vdocument.in/reader034/viewer/2022042504/547f34845906b5b5718b47de/html5/thumbnails/18.jpg)
18Mike Beekey- Black Hat Briefings ‘01
Session Hijacking/MiM
• Natural extension of sniffing capability
• “Easier” than standard hijacking– Don’t have to deal with duplicate/un-sync’d
packets arriving at destination and source– Avoids packet storms
![Page 19: ARP Hazards](https://reader034.vdocument.in/reader034/viewer/2022042504/547f34845906b5b5718b47de/html5/thumbnails/19.jpg)
19Mike Beekey- Black Hat Briefings ‘01
Denial of Service
• Spoofing the destination MAC address of a connection will prevent the intended source from receiving/accepting it
• Benefits– No protocol limitation– Eliminates synchronization issues
• Examples– UDP DoS– TCP connection killing instead of using RST’s
![Page 20: ARP Hazards](https://reader034.vdocument.in/reader034/viewer/2022042504/547f34845906b5b5718b47de/html5/thumbnails/20.jpg)
20Mike Beekey- Black Hat Briefings ‘01
DoS MAC Entries
Alice Bob
0:c:3b:9:4d:8- 10.1.1.70:c:3b:1c:2f:1b- 10.1.1.2
a:b:c:1:2:3- 10.1.1.7 0:c:3b:1c:2f:1b 10.1.1.2
0:c:3b:1a:7c:ef- 10.1.1.10
Attacker
![Page 21: ARP Hazards](https://reader034.vdocument.in/reader034/viewer/2022042504/547f34845906b5b5718b47de/html5/thumbnails/21.jpg)
21Mike Beekey- Black Hat Briefings ‘01
Denial of Service Examples
![Page 22: ARP Hazards](https://reader034.vdocument.in/reader034/viewer/2022042504/547f34845906b5b5718b47de/html5/thumbnails/22.jpg)
22Mike Beekey- Black Hat Briefings ‘01
Web Surfing
• Web surfers require gateway router to reach Internet
• Method– Identify surfer’s MAC address– Change their cached gateway MAC
address (or DNS MAC address if local) to “something else”
![Page 23: ARP Hazards](https://reader034.vdocument.in/reader034/viewer/2022042504/547f34845906b5b5718b47de/html5/thumbnails/23.jpg)
23Mike Beekey- Black Hat Briefings ‘01
Network-based IDS
• Poorly constructed (single homed) IDS network systems relay auditing data/alerts to management/admin consoles
• Method– Identify local IDS network engine– Modify gateway MAC address– Modify console/management station
address
![Page 24: ARP Hazards](https://reader034.vdocument.in/reader034/viewer/2022042504/547f34845906b5b5718b47de/html5/thumbnails/24.jpg)
24Mike Beekey- Black Hat Briefings ‘01
Hostile Users
• Attacker continuously probing/scanning either your system or other target
• Method– Scanning you– Scanning a system under your protection
![Page 25: ARP Hazards](https://reader034.vdocument.in/reader034/viewer/2022042504/547f34845906b5b5718b47de/html5/thumbnails/25.jpg)
25Mike Beekey- Black Hat Briefings ‘01
Switch Attacks
• Certain attacks may overflow switch’s ARP tables
• Method– A MAC address is composed of six bytes
which is equivalent to 2^48 possible addresses
– See how many randomly generated ARP-replies or ARP requests it takes before the switch “fails”
![Page 26: ARP Hazards](https://reader034.vdocument.in/reader034/viewer/2022042504/547f34845906b5b5718b47de/html5/thumbnails/26.jpg)
26Mike Beekey- Black Hat Briefings ‘01
Switch Attacks (cont.)
• Switches may– Fail open- switch actually becomes a hub– Fail- no traffic passes through the switch,
requiring a hard or soft reboot
![Page 27: ARP Hazards](https://reader034.vdocument.in/reader034/viewer/2022042504/547f34845906b5b5718b47de/html5/thumbnails/27.jpg)
27Mike Beekey- Black Hat Briefings ‘01
Network “Bombs”
• “Hidden” application installed on a compromised system
• Method– Passively or actively collects ARP entries– Attacker specifies timeout or future time– Application transmits false ARP entries to
its list
![Page 28: ARP Hazards](https://reader034.vdocument.in/reader034/viewer/2022042504/547f34845906b5b5718b47de/html5/thumbnails/28.jpg)
28Mike Beekey- Black Hat Briefings ‘01
Vulnerable Systems
![Page 29: ARP Hazards](https://reader034.vdocument.in/reader034/viewer/2022042504/547f34845906b5b5718b47de/html5/thumbnails/29.jpg)
29Mike Beekey- Black Hat Briefings ‘01
Operating Systems
• Windows 95• Windows 98• Windows NT• Windows 2000• AIX 4.3
• HP 10.2• Linux RedHat 7.0• FreeBSD 4.2• Cisco IOS 11.1• Netgear
![Page 30: ARP Hazards](https://reader034.vdocument.in/reader034/viewer/2022042504/547f34845906b5b5718b47de/html5/thumbnails/30.jpg)
30Mike Beekey- Black Hat Briefings ‘01
Not Vulnerable
• Sun Solaris 2.8– Appears to resist cache poisoning
![Page 31: ARP Hazards](https://reader034.vdocument.in/reader034/viewer/2022042504/547f34845906b5b5718b47de/html5/thumbnails/31.jpg)
31Mike Beekey- Black Hat Briefings ‘01
Countermeasures
![Page 32: ARP Hazards](https://reader034.vdocument.in/reader034/viewer/2022042504/547f34845906b5b5718b47de/html5/thumbnails/32.jpg)
32Mike Beekey- Black Hat Briefings ‘01
Firewalls
• Most “personal” firewalls are not capable of defending against or correctly identifying attacks below IP level
• UNIX– ipfw– ipf (IP Filter)
• Windows environments– Network Ice/Black Ice©
![Page 33: ARP Hazards](https://reader034.vdocument.in/reader034/viewer/2022042504/547f34845906b5b5718b47de/html5/thumbnails/33.jpg)
33Mike Beekey- Black Hat Briefings ‘01
Session Encryption
• Examples– Establishing VPNs between networks or
systems– Using application-level encryption
• Effects– Prevents against disclosure attacks– Will not prevent against DoS attacks
![Page 34: ARP Hazards](https://reader034.vdocument.in/reader034/viewer/2022042504/547f34845906b5b5718b47de/html5/thumbnails/34.jpg)
34Mike Beekey- Black Hat Briefings ‘01
Strong Authentication
• Examples– One-time passwords– Certificates
• Effects– None on disclosure attacks– None on DoS attacks
![Page 35: ARP Hazards](https://reader034.vdocument.in/reader034/viewer/2022042504/547f34845906b5b5718b47de/html5/thumbnails/35.jpg)
35Mike Beekey- Black Hat Briefings ‘01
Port Security
• Cisco switches– set port security ?/? enable <MAC address>
– Restricts source MAC addresses• Hard coded ones• “Learned” ones
– Ability to set timeouts– Ability to generate traps– Ability to “shutdown” violating port
![Page 36: ARP Hazards](https://reader034.vdocument.in/reader034/viewer/2022042504/547f34845906b5b5718b47de/html5/thumbnails/36.jpg)
36Mike Beekey- Black Hat Briefings ‘01
Port Security (Cont.)
• Issues– Only restricts source MAC addresses– Will not prevent against ARP relay attacks– Will only prevent against ARP source
spoofing attacks
![Page 37: ARP Hazards](https://reader034.vdocument.in/reader034/viewer/2022042504/547f34845906b5b5718b47de/html5/thumbnails/37.jpg)
37Mike Beekey- Black Hat Briefings ‘01
Hard Coding Addresses
• Example– Individual systems can hard code the
corresponding MAC address of another system/address
• Issues– Management nightmare– Not scalable– Not supported by some OS vendors
![Page 38: ARP Hazards](https://reader034.vdocument.in/reader034/viewer/2022042504/547f34845906b5b5718b47de/html5/thumbnails/38.jpg)
38Mike Beekey- Black Hat Briefings ‘01
Hard Coding Results
Operating System ResultsWindows 95 FAIL
Windows 98 FAIL
Windows NT FAIL
Windows 2000 FAIL
Linux RedHat 7.0 YES
FreeBSD 4.2 YES
Solaris 2.8 YES
![Page 39: ARP Hazards](https://reader034.vdocument.in/reader034/viewer/2022042504/547f34845906b5b5718b47de/html5/thumbnails/39.jpg)
39Mike Beekey- Black Hat Briefings ‘01
Countermeasure Summary
SniffingSession Hijacking
Denial of Service
Firewalls
Session Encryption
Strong Authentication
Port Security
Hard Coding
![Page 40: ARP Hazards](https://reader034.vdocument.in/reader034/viewer/2022042504/547f34845906b5b5718b47de/html5/thumbnails/40.jpg)
40Mike Beekey- Black Hat Briefings ‘01
Detection
![Page 41: ARP Hazards](https://reader034.vdocument.in/reader034/viewer/2022042504/547f34845906b5b5718b47de/html5/thumbnails/41.jpg)
41Mike Beekey- Black Hat Briefings ‘01
HostileSystem
ManagementConsole
NetworkMonitor
Monitored Network
CriticalServer
IDS Architecture Issues
HostileSystem
ManagementConsole
NetworkMonitor
Monitored Network
CriticalServer
![Page 42: ARP Hazards](https://reader034.vdocument.in/reader034/viewer/2022042504/547f34845906b5b5718b47de/html5/thumbnails/42.jpg)
42Mike Beekey- Black Hat Briefings ‘01
OS Level Detection
Operating System
Detection
Windows 95 NO
Windows 98 NO
Windows NT NO
Windows 2000 NO
Linux RedHat 7.0 NO
FreeBSD 4.2 YES
![Page 43: ARP Hazards](https://reader034.vdocument.in/reader034/viewer/2022042504/547f34845906b5b5718b47de/html5/thumbnails/43.jpg)
43Mike Beekey- Black Hat Briefings ‘01
Hypothetical Detection Application
• Purpose– Track and maintain ARP/IP pairings– Identify non-standard ARP-replies versus
acceptable ones• Timeout issues
– OS must withstand corruption itself– Fix broken ARP entries of systems
• Transmission of correct ARP replies
![Page 44: ARP Hazards](https://reader034.vdocument.in/reader034/viewer/2022042504/547f34845906b5b5718b47de/html5/thumbnails/44.jpg)
44Mike Beekey- Black Hat Briefings ‘01
Tools and Utilities
![Page 45: ARP Hazards](https://reader034.vdocument.in/reader034/viewer/2022042504/547f34845906b5b5718b47de/html5/thumbnails/45.jpg)
45Mike Beekey- Black Hat Briefings ‘01
Public Domain Tools
• Manipulation– Dsniff 2.3– Hunt 1.5– Growing number of others
• Local monitoring– Arpwatch 1.11
![Page 46: ARP Hazards](https://reader034.vdocument.in/reader034/viewer/2022042504/547f34845906b5b5718b47de/html5/thumbnails/46.jpg)
46Mike Beekey- Black Hat Briefings ‘01
Bibliography
• Finlayson, Mann, Mogul, Theimer, RFC 903 “A Reverse Address Resolution Protocol,” June 1984
• Kra, Hunt 1.5, http://www.gncz.cz/kra/index.html, Copyright 2000
• Lawrence Berkeley National Laboratory, Network Research Group, Arpwatch 1.11, ftp://ftp.ee.lbl.gov/arpwatch.tar.Z, Copyright 1996
• Plummer, David C., RFC 826 “An Ethernet Address Resolution Protocol,” November 1982
• Russel, Ryan and Cunningham, Stace, “Hack Proofing Your Network,”, Syngress Publishing Inc, Copyright 2000
• Song, Dug, Dsniff 2.3, http://www.monkey.org/~dugsong/, Copyright 2000
![Page 47: ARP Hazards](https://reader034.vdocument.in/reader034/viewer/2022042504/547f34845906b5b5718b47de/html5/thumbnails/47.jpg)
47Mike Beekey- Black Hat Briefings ‘01
Demonstrations
![Page 48: ARP Hazards](https://reader034.vdocument.in/reader034/viewer/2022042504/547f34845906b5b5718b47de/html5/thumbnails/48.jpg)
48Mike Beekey- Black Hat Briefings ‘01
Demo Environment
CISCOSYSTEMS
802.11b
172.16.10.133Win2k
172.16.10.25FreeBSD 4.2
172.16.10.30Linux Redhat
172.16.10.40FreeBSD/ Win2k
![Page 49: ARP Hazards](https://reader034.vdocument.in/reader034/viewer/2022042504/547f34845906b5b5718b47de/html5/thumbnails/49.jpg)
49Mike Beekey- Black Hat Briefings ‘01
Demonstration Tools
• rfarp 1.1– Provides ARP relay capability and packet dump
for two selected stations– Corrects MAC entries upon exiting
• farp 1.1b– Passive and active collection of ARP messages– DoS Attacks on single hosts– DoS Attacks on entire collection– Arbitrary and manual input of spoofed MAC
addresses
![Page 50: ARP Hazards](https://reader034.vdocument.in/reader034/viewer/2022042504/547f34845906b5b5718b47de/html5/thumbnails/50.jpg)
50Mike Beekey- Black Hat Briefings ‘01
ARP Attacks
• Disclosure attacks– ARP relaying for a single target– Sniffing attacks
• DoS related– Port scan defense– DoS attacks on a single host, group, or
subnet