
4.3 Dealing with Static ARP Tables - Security

If you're trying to keep your LAN secure, sometimes it helps to think like a cracker. This article shows you how to scout out a LAN, and how malicious hackers get around security. It is excerpted from chapter four of Security Power Tools, written by Bryan Burns et al. (O'Reilly, 2007; ISBN: 0596009631). Copyright © 2007 O'Reilly Media, Inc. All rights reserved. Used with permission from the publisher. Available from booksellers or direct from O'Reilly Media.

TABLE OF CONTENTS:
  1. LAN Reconnaissance
  2. 4.1 Mapping the LAN
  3. 4.2 Using ettercap and arpspoof on a Switched Network
  4. 4.3 Dealing with Static ARP Tables
  5. 4.4 Getting Information from the LAN
  6. 4.5 Manipulating Packet Data
By: O'Reilly Media
Rating: starstarstarstarstar / 5
November 13, 2008


If the LAN you are sniffing uses static ARP mapping, or retains ARP information for a very long time, normal ARP poisoning will not work because each host ignores any ARP Reply messages you send.

Even though it is not stealthy in the least, my favorite way is to use ettercap’s port mode and basically blast the existing hosts out of the switch’s internal MAC table. It is going to take some explaining to truly appreciate how this works.

When you use ettercap’s port mode, it floods the network with crafted ARP packets. Each packet has the source MAC set to a valid network host and the destination MAC set to your sniffer’s interface. This accomplishes two tasks. First, you fool the switch into creating a connection for every host on the network and your network interface. Secondly, you stand a very good chance of knocking every other entry in the switch’s MAC table out. For a moment, the switch sends packets originally destined for another host to your network port, and from there the packets go to your interface. Under normal circumstances, your interface would recognize that these packets are destined for a different MAC and ignore them, but in this case, ettercap accepts the packets and records the valid destination MAC. Then, ettercap sends an ARP Request packet to the valid MAC and waits for an ARP Reply to come from that machine. When the ARP Reply is received, ettercap knows that the switch has sorted everything out again, and so it repeats the process of flooding the LAN with crafted ARP packets.

Amazingly, this works well enough to capture most, if not all, of the traffic between any two hosts:

  [lou@duodenum] ettercap -Tq -M port:remote

ettercap can also circumvent static ARP tables using crafted ICMP Redirect packets. Basically, ettercap is telling the other hosts on the LAN that it is a better gateway than the default router. Unfortunately, this technique results in a half-duplex sniffing session; you can see traffic that the internal hosts are sending out, but the replies from systems beyond the gateway are not intercepted:

  [lou@duodenum] ettercap -Tq -M icmp:00:0A:5E:02:3B:B3/192.168.2.1

ettercap’s dhcp MITM mode takes a long time because you have to wait for a host to renew their DHCP lease; however, if you are interested in how it works, the ettercap manpage covers it in detail.

Using macof to Stupefy a Switch

dsniff handles the problem of static ARP tables in a different way. The MAC OverFlow (macof) program floods the switch and the rest of the network with bogus MAC addresses with the intention of overloading the switch’s processor and memory limitations and forcing the switch to revert to hub mode. A surprising number of switches actually do this; rather than drop packets when overloaded, the switch willingly turns off the switching features designed to provide speed and drops to a hub mode, spamming every Ethernet frame it sees to every port. If this happens, you will suddenly start receiving frames intended for some other port, and you can begin sniffing as if you were connected to a hub. Once the network quiets down, the switch regains its composure. To prevent this from happening, stick macof into a simple while loop to have it run periodically:

  [lou@duodenum] while [ 1 ] ; do macof -n 300000 ; sleep 59 ; done

The -n option sets the number of packets to send.
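Both switch-table attacks described above leave footprints a defender can alert on: port stealing moves known host MACs onto a port they were never learned on (and back again once the switch recovers), and macof introduces a burst of never-before-seen source MACs on a single port. The following added example (not from the book, ettercap or dsniff) runs both checks over constructed (timestamp, switch port, source MAC) records of the kind a switch's MAC-move notifications or a SPAN-port capture would provide; the port names, the threshold value and the second host MAC are assumptions.

```python
# Added example (not from the book): detect MAC-table overflow (macof) and
# MAC flapping (port stealing) from (timestamp, switch_port, source_mac) records.
from collections import defaultdict

FLOOD_THRESHOLD = 100  # new source MACs per port per second; assumed tuning value

def analyze(records, flood_threshold=FLOOD_THRESHOLD):
    """Return a list of (kind, detail) alerts.

    kind is "flood" when one port introduces more than flood_threshold
    previously unseen MACs within a one-second bucket (macof behaviour), or
    "flap" when a MAC already learned on one port shows up on another
    (port stealing drags every victim MAC onto the sniffer's port).
    """
    learned = {}                       # mac -> port it was first learned on
    new_per_bucket = defaultdict(int)  # (port, whole second) -> new MACs seen
    flood_reported = set()             # buckets already alerted on
    alerts = []
    for ts, port, mac in records:
        mac = mac.lower()              # normalise case before comparing
        if mac not in learned:
            learned[mac] = port
            key = (port, int(ts))
            new_per_bucket[key] += 1
            if new_per_bucket[key] > flood_threshold and key not in flood_reported:
                flood_reported.add(key)
                alerts.append(("flood", f"port {port}: >{flood_threshold} new MACs at t={int(ts)}"))
        elif learned[mac] != port:
            alerts.append(("flap", f"{mac} moved {learned[mac]} -> {port} at t={ts}"))
            learned[mac] = port        # track the move so the return trip also alerts
    return alerts

def sample_records():
    """Constructed sample: two hosts learned normally, then Gi0/5 floods 150
    bogus MACs within one second, then both host MACs appear on Gi0/5."""
    recs = [(0.0, "Gi0/1", "00:0A:5E:02:3B:B3"), (0.5, "Gi0/2", "00:1B:44:11:3A:B7")]
    recs += [(10.0 + i / 1000, "Gi0/5", f"02:00:00:00:{i >> 8:02x}:{i & 0xff:02x}")
             for i in range(150)]
    recs += [(20.0, "Gi0/5", "00:0a:5e:02:3b:b3"), (20.1, "Gi0/5", "00:1b:44:11:3a:b7")]
    return recs

if __name__ == "__main__":
    for kind, detail in analyze(sample_records()):
        print(kind, detail)
```

On the sample data this yields one flood alert followed by two flap alerts; the same two signals are what per-port MAC limits on a managed switch are meant to shut down automatically.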

Super-Stealthy Sniffing

The bridge mode in ettercap requires two interfaces and proper positioning on the network segment. If you set up your machine inline with the network bridge or a router and enable bridged mode, you are very difficult to detect. Also, you are in a good position to play around with the data inside packets traversing your sniffer:

  [lou@duodenum] ettercap -Tq -i eth0 -B eth1

The -i option sets the primary interface (here it's eth0), and the -B option sets the second bridging interface.

Since bridged mode requires two interfaces, casual sniffing on the LAN with a laptop is more difficult. The reason you may be interested in using bridged mode is that it is stealthy. You do not have to spray the LAN with ARP packets, nor do you have to win any DHCP races with some random server. You can sit quietly and intercept packets without putting any of your interfaces into promiscuous mode.

If you like to run ettercap using the curses or GTK+ user interface, you can enable bridged mode when ettercap first starts by selecting the menu item "Sniff -> Bridged sniffing..." as shown in Figure 4-3.

Once you have established yourself in bridge mode, sniffing and other functions are mostly the same as using Unified Sniffing mode, aside from some incompatibilities with a few MITM modes. The manpage contains a good explanation of what is going on.

Figure 4-3.  Enabling bridge mode sniffing