Categories
Tags Cloud
RSS Feed
2008
Did you ever realize that someone on your network could steal your private data such as your username and password email? It is possible to do with a method called ARP redirect or sometimes called by ARP poisoning. This method is also often used by worms or spyware to hijack your private information gathered by those worms or spyware and sending 'silently' through internet to it's owner without you to be noticed. This is can be avoided by installing antivirus or anti-spyware that monitor and scan your network packet data activity on your network connections.In computer networking, the Address Resolution Protocol (ARP) is the method for finding a host's hardware address when only its Network Layer address is known (wikipedia). It means after your computer is finding a host's IP address, it can resolve that host hardware address (MAC Address) using ARP. For example, my computer connected to the internet through gateway 192.168.1.1. After pinging an IP 192.168.1.1, my computer will resolve it's MAC address 00-19-21-67-f5-b7. In Windows the ARP table that my computer use can be shown by using the arp command in command prompt:
C:\Documents and Settings\Aryo>arp -a Interface: 192.168.1.2 --- 0x2 Internet Address Physical Address Type 192.168.1.1 00-19-21-67-f5-b7 dynamic
From the above example, 00-19-21-67-f5-b7 is MAC Address of 192.168.1.1 host. It was dynamically generated after we ping the host. So any data send through 192.168.1.1 will be sent to host which MAC Address is 00-19-21-67-f5-b7. If someone or something or your network is sniffing or ARP poisoning your packet data, it will inject an ARP data to your computer ARP table.
ARP Poisoning Example
For instance, the hijacking computer have an IP address 192.168.1.9 . After my computer is being 'poisoned' by 192.168.1.9 host (the sniffer), my computer ARP table will be look like this:
C:\Documents and Settings\Aryo>arp -a Interface: 192.168.1.2 --- 0x2 Internet Address Physical Address Type 192.168.1.1 00-14-38-13-2a-f0 dynamic 192.168.1.9 00-14-38-13-2a-f0 dynamic
From the above example, all of my packet data sent to IP address 192.168.1.1 will (also) be sent to 192.168.1.9 because in my ARP table, the host of IP 192.168.1.1 has hardware address 00-14-38-13-2a-f0 which is the hardware address of IP 192.168.1.9. It means, if I send data to 192.168.1.1 the real sending is to 192.168.1.9 host. If the 192.168.1.9 host is also forwarding my sent data to and from the real gateway 192.168.1.1, I may not realize that my network connection is being redirected to 192.168.1.9 without seeing my ARP table. Connection before poisoning:
My computer <------------------> Gateway IP 192.168.1.2 IP 192.168.1.1 Netmask 255.255.255.0 Netmask 255.255.255.0 MAC 00-19-D2-5C-C7-6A MAC 00-19-21-67-f5-b7
If it is only my computer is poisoned and not the gateway, it become:
My computer ----------> Sniffer ---------------> Gateway
<--------------------------------------------------------
IP 192.168.1.2 IP 192.168.1.2 IP 192.168.1.1
Netmask 255.255.255.0 Netmask 255.255.255.0 Netmask 255.255.255.0
MAC 00-19-D2-5C-C7-6A MAC 00-14-38-13-2a-f0 MAC 00-19-21-67-f5-b7
It is called half-routing ARP poisoning. The sniffer only can read data sent from my computer to gateway and not the reverse way. If the gateway is also ARP poisoned, it become:
My computer <---------> Sniffer <--------------> Gateway IP 192.168.1.2 IP 192.168.1.2 IP 192.168.1.1 Netmask 255.255.255.0 Netmask 255.255.255.0 Netmask 255.255.255.0 MAC 00-19-D2-5C-C7-6A MAC 00-14-38-13-2a-f0 MAC 00-19-21-67-f5-b7
It is called full-routing ARP poisoning. The sniffer can also read the data sent from gateway to my computer and vice versa. What if the data sent to gateway is your private and unencrypted data? That's could be a disaster! :-D
How to Prevent an ARP Poisoning?
If you suspect this or if you see duplicated MAC Address with different IP address in ARP table, AND MAKE SURE that the host have only one IP address, you can set a static ARP table for the gateway by using the same arp command. The following is an example to create a static ARP table on your computer.
-
First, clear all ARP data entry by using the command:
C:\Documents and Settings\Aryo>arp -d -
Create a static ARP entry to the gateway by using the following command:
C:\Documents and Settings\Aryo>arp -s 192.168.1.1 00-19-21-67-f5-b7
Now the ARP entry for the gateway will become a static entry and it can not be cleared until you delete it manually or restarting your computer. Here's the differences between static and dynamic arp looks like.
C:\Documents and Settings\Aryo>arp -a Interface: 192.168.1.2 --- 0x2 Internet Address Physical Address Type 192.168.1.1 00-19-21-67-f5-b7 static 192.168.1.111 00-11-22-33-44-55 dynamic
Well, hope this article helps. Any comments, questions or corrections are welcome.
Posted under Tutorial categories.
Tagged: Scripting, Networking
Write Your Comments
* Your email is required to submit this form, and it will not be published or shared without your consent. We use your email address to show your avatar picture profile from Gravatar. Don't have one? Then sign up to gravatar and create your own here.
We also filters your comment against SPAM because we hate SPAM as much as you do. If your comment is recognized as SPAM then it will be moderated, otherwise it will shows up immediately.
147 Hits