2008-01-30 05:04:54
Article by Brian Carpio
Introduction
Until now, all the mainstream information about sniffing a switched network has told you that if you are host C trying to watch traffic between host A and host B, it is impossible because they are in different collision domains.
This document will show you that it is possible, due to flaws and security problems within TCP/IP.
We will be utilizing two programs: one is called arpspoof and the other fragrouter.
TCP/IP Overview
As most of you know, TCP/IP utilizes ARP (Address Resolution Protocol) to convert IP addresses into hardware addresses. This hardware address is referred to as a MAC (Media Access Control) address. Once the destination's MAC address is determined, the encapsulated IP packet can be transmitted to the host. Every host on the network must have a unique MAC address in order to communicate on an Ethernet LAN.
Within Ethernet ARP there are four types of messages:
ARP request - A request for a destination host's MAC address; this is usually sent to all hosts in a broadcast domain.
ARP reply - This is a response to the ARP request and tells the hardware address of the destination host.
RARP request - This is a Reverse ARP request. It requests the IP address of a known MAC address.
RARP reply - This is a response to the RARP request and tells the IP address of the requested MAC address.
All Ethernet hosts and switches keep a list of known MAC addresses and their corresponding IP addresses. The only time an ARP request is sent to the network is when an IP address NOT in the host's table is requested, which happens when a new host is contacted or when the MAC entry in the table times out.
Sniffing traffic on a network utilizing a hub is easy because all traffic is transmitted to each host on the network. Sniffing a switched network presents a problem because the switch knows which MACs are plugged into which ports; the only time a broadcast is sent to the entire network is when an ARP or RARP request is sent out.
Since there is no way built into TCP/IP to verify which MACs are associated with which IP addresses, other than to ask or to look in its ARP table, this opens TCP/IP up for exploitation.
So the goal of a malicious hacker would be to trick your system into updating its ARP table so that data goes to the attacker instead.
There are many ways to do this, but for the purpose of this document we will cover arpspoof from dsniff.
Network Setup
We have a pretty basic network setup here: 3 hosts connected by a switch.
HostA: 192.168.0.2 MAC: 00:08:74:95:65:11
HostB: 192.168.0.3 MAC: 00:08:74:46:EB:08
HostC: 192.168.0.4 MAC: 00:02:B3:A4:7F:8B
For the purpose of this document we are HostC, a Linux box. HostA and HostB are something else; it doesn't really matter. HostA could be a Sun box and HostB could be its default router, HostA could be a PC and HostB a Sun box, etc.
On HostC we will download and install dsniff
Src: /
Pkg:
On HostC we will also download and install fragrouter
>> tar zxvf fragrouter-1.6.tar.gz
>> ./configure
>> make
>> make install
Running Fragrouter
This app is very simple. We just want to do normal IP forwarding: we want the traffic to make it to its destination, we just want to see it first.
>> fragrouter -B1
Running ARPSPOOF
The man page gives a complete explanation of how to use arpspoof. For this document we will run arpspoof like this (again, we want to watch traffic from HostA to HostB):
>> arpspoof -t HostA HostB
The man page for arpspoof says that -t takes a target. Target is the box that you want to spoof the ARP tables on, meaning we want to update HostA's ARP table, telling it that the MAC address of HostB is 00:02:B3:A4:7F:8B (which, if you look above, is the MAC address of HostC).
Fragrouter will just route the packets on to HostB.
Preventing Against This Type of Attack
Well, there are a few ways to go about this.
1) You can gather all the MAC information for every host on your network and feed that into a startup script using arp -p. The problem with this is that every host will need to be updated if/when a network card gets replaced. -- BAD IDEA
2) Solaris - Change the default arp_cleanup_interval. The default is 5 min., which means Solaris keeps ARP values in its ARP cache for 5 minutes.
ndd -set /dev/arp arp_cleanup_interval 6000
3) Arpwatch - This is one of the greatest tools for protecting yourself against this type of attack.
You can download it for Linux from rpmfind.net and for Solaris from sunfreware.com.
Example of logs:
Jun 23 10:22:02 hostA arpwatch: new station 192.168.0.5 00:02:B3:A4:7F:8B
Jun 23 10:22:02 hostA arpwatch: changed ethernet address 192.168.0.3 00:02:B3:A4:7F:8B (00:08:74:46:EB:08)
The log on hostA, which is running arpwatch, shows that hostB's (192.168.0.3) MAC address has changed to what we know is hostC's. You can easily set up scripts which monitor for this type of activity.
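The monitoring script the previous sentence suggests, as an added example rather than code from the article: it parses arpwatch's syslog lines and checks each event against a known-good IP-to-MAC table built from the network setup above, flagging an IP that moves to a MAC already owned by another host. The lines in SAMPLE_LOG are constructed (the two quoted above plus one benign extra); the table and the alert layout are assumptions for illustration.

```python
import re
# Known-good IP -> MAC table for the lab network on this page (HostA, HostB, HostC).
KNOWN_HOSTS = {"192.168.0.2": "00:08:74:95:65:11",
               "192.168.0.3": "00:08:74:46:EB:08",
               "192.168.0.4": "00:02:B3:A4:7F:8B"}

# arpwatch syslog format: "<date> <host> arpwatch: <event> <ip> <mac> [(<old mac>)]"
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ arpwatch: "
    r"(?P<event>new station|changed ethernet address|flip flop) "
    r"(?P<ip>\d+\.\d+\.\d+\.\d+) (?P<mac>[0-9A-Fa-f:]{17})(?: \((?P<old>[0-9A-Fa-f:]{17})\))?")

def parse_line(line):
    # Returns a dict with lower-cased MACs, or None if the line is not an ARP event we track.
    m = LOG_RE.match(line.strip())
    if not m: return None
    ev = m.groupdict()
    ev["mac"] = ev["mac"].lower()
    ev["old"] = ev["old"].lower() if ev["old"] else None
    return ev

def analyze(lines, known=KNOWN_HOSTS):
    # Returns alert dicts for events that contradict the known-good table.
    expected = {ip: mac.lower() for ip, mac in known.items()}
    owner = {mac: ip for ip, mac in expected.items()}   # MAC -> IP it should belong to
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        ip, mac = ev["ip"], ev["mac"]
        if ev["event"] in ("changed ethernet address", "flip flop"):
            # An IP suddenly answering from another MAC is exactly what arpspoof produces.
            reason = "%s moved from %s to %s" % (ip, ev["old"], mac)
            if ip in expected and mac != expected[ip]:
                reason += "; expected %s" % expected[ip]
            if mac in owner and owner[mac] != ip:
                reason += "; MAC belongs to %s (possible ARP spoof)" % owner[mac]
            alerts.append({"ts": ev["ts"], "ip": ip, "mac": mac, "severity": "high", "reason": reason})
        elif ev["event"] == "new station" and mac in owner:
            # A new IP reusing a MAC we already know: an alias, or the spoofing box showing up.
            alerts.append({"ts": ev["ts"], "ip": ip, "mac": mac, "severity": "medium",
                           "reason": "new IP %s uses MAC of known host %s" % (ip, owner[mac])})
    return alerts

# Constructed sample: the two lines quoted above plus one benign new station.
SAMPLE_LOG = [
    "Jun 23 10:22:02 hostA arpwatch: new station 192.168.0.5 00:02:B3:A4:7F:8B",
    "Jun 23 10:22:02 hostA arpwatch: changed ethernet address 192.168.0.3 00:02:B3:A4:7F:8B (00:08:74:46:EB:08)",
    "Jun 23 10:22:03 hostA arpwatch: new station 192.168.0.9 00:11:22:33:44:55",
]
```

Running analyze(SAMPLE_LOG) yields a medium alert for the new 192.168.0.5 station reusing HostC's MAC and a high alert for 192.168.0.3 (HostB) moving to that same MAC; feed it the live arpwatch log to page on the high-severity case.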
In Summary
As you can tell, this document provides a basis for ARP spoofing; however, this basic idea paves the way for SSH and SSL man-in-the-middle attacks. Once a box is compromised and used as a gateway in a network, the entire network's security becomes open for exploitation.
About The Author
Brian Carpio is a senior Solaris/Linux system architect and has worked for some of the largest companies in the world. Currently he is a freelance Linux/Solaris consultant for his own company, The Tek, LLC.
© 2003-2008 ABC Directory. All Rights Reserved