CCIE NETWORK UNDER ATTACK Ep.1 ArP_Sp00f1ng
ARP SPOOFING ATTACK AND DEFENSE
Study and understand protocols, attack and defense techniques to protect yourself, your family and the company you work for.
ARP — Address resolution Protocol
ARP is a well-known protocol used on switched (Ethernet) local networks. Its purpose is to map IPv4 addresses to MAC addresses. ARP, as defined in RFC 826, involves two transactions between nodes, namely:
- ARP REQUEST: a broadcast frame used to discover the MAC address of a specific IP address
- ARP REPLY: a unicast frame that answers the request.
ARP ATTACK
Because ARP does not authenticate the host that sends an ARP Reply, a simple ARP spoof can be used for DoS or man-in-the-middle (MITM).
ARP SPOOFING — Protocol dissection
The following image shows a screenshot of the packet capture during an ARP transaction.
The Experiment
In this lab we use EVE-NG, a network simulation tool, a Cisco router and switch, and Debian Linux for both the attacker and the standard user.
Network Topology
ATTACK
Let’s check the DHCP bindings:
!GATEWAY — Router Cisco IOS
IP 10.0.0.1
MAC:aabb.cc00.5010
!STANDARD USER
10.0.0.101 (DHCP)
MAC:0050.0000.0300
!ATTACKER
10.0.0.100 (DHCP)
MAC:0050.0000.0400
Standard user connectivity and ARP cache before starting ARP spoofing:
$ ping 10.0.0.1 -c 2 ; ping 8.8.8.8 -c 2
# arp
Run the arpspoof binary to start:
!install dsniff
sudo apt install dsniff -y
!arp poison
sudo arpspoof -t 10.0.0.101 10.0.0.1
Observation
On the standard user’s terminal, run arp and observe that the attacker’s MAC now appears for both IPv4 addresses: 10.0.0.1 (the gateway) and 10.0.0.100 (the attacker’s own burned-in address).
Why?
Observe the running packet capture.
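The symptom observed above, one MAC address answering for more than one IPv4 address in the victim's ARP cache, can be checked on the host itself. The following Python script is an added example (not part of the original post): it parses text in the format of `arp -n` on Debian, reports every MAC that appears under more than one IP, and flags a gateway entry whose MAC differs from the one learned before the lab started. The `arp -n` output embedded below is constructed from the lab's addresses, not a real capture.

```python
"""Host-side check for the ARP spoofing symptom: one MAC address mapped to
several IPv4 addresses in the local ARP cache (added example)."""
import re
from collections import defaultdict

# Matches data lines of `arp -n` on Debian, e.g.
# "10.0.0.1    ether   aa:bb:cc:00:50:10   C    eth0"
ARP_LINE = re.compile(
    r"^(?P<ip>\d+\.\d+\.\d+\.\d+)\s+ether\s+(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})",
    re.IGNORECASE,
)


def parse_arp_table(output):
    """Return {ip: mac} from `arp -n` text; MACs are normalised to lower case."""
    table = {}
    for line in output.splitlines():
        m = ARP_LINE.match(line.strip())
        if m:
            table[m.group("ip")] = m.group("mac").lower()
    return table


def macs_with_multiple_ips(table):
    """Return {mac: sorted list of ips} for every MAC present under more than one IP."""
    by_mac = defaultdict(set)
    for ip, mac in table.items():
        by_mac[mac].add(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


def gateway_mac_changed(table, gateway_ip, known_mac):
    """True if the gateway entry exists and no longer matches the MAC learned earlier."""
    current = table.get(gateway_ip)
    return current is not None and current != known_mac.lower()


# Constructed sample: the cache before the attack (gateway aabb.cc00.5010 written
# in Linux colon notation, attacker 0050.0000.0400).
BEFORE = """\
Address                  HWtype  HWaddress           Flags Mask            Iface
10.0.0.1                 ether   aa:bb:cc:00:50:10   C                     eth0
10.0.0.100               ether   00:50:00:00:04:00   C                     eth0
"""
# Constructed sample: the same cache while arpspoof is running.
DURING = """\
Address                  HWtype  HWaddress           Flags Mask            Iface
10.0.0.1                 ether   00:50:00:00:04:00   C                     eth0
10.0.0.100               ether   00:50:00:00:04:00   C                     eth0
"""

if __name__ == "__main__":
    baseline = parse_arp_table(BEFORE)
    poisoned = parse_arp_table(DURING)
    print("duplicates before:", macs_with_multiple_ips(baseline))
    print("duplicates during:", macs_with_multiple_ips(poisoned))
    print("gateway MAC changed:",
          gateway_mac_changed(poisoned, "10.0.0.1", baseline["10.0.0.1"]))
```

To run it against a live machine, feed the output of `arp -n` to `parse_arp_table` and keep the baseline gateway MAC from a known-good moment (for example the DHCP binding listed earlier). A duplicate MAC is a strong hint but not proof of an attack; a legitimate multi-homed host can also answer for several addresses.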
DEFENSE
With the Dynamic ARP Inspection (DAI) and DHCP Snooping security features, a network administrator can intercept, log and discard ARP packets whose MAC-address-to-IP-address bindings are invalid. DHCP Snooping builds the binding table from observed DHCP leases; DAI checks each ARP packet arriving on an untrusted port against that table.
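To make the DAI decision concrete, the following Python model is an added example (not vendor code and not part of the original post). It parses raw Ethernet+ARP frames, skips inspection on trusted ports (the uplink to the router), and on untrusted ports drops any ARP packet whose sender IP/MAC pair does not match the binding table. The binding table uses the lab's DHCP bindings plus a static entry for the gateway (on a real switch that static entry would come from an ARP ACL, which is an assumption here); the two frames are constructed test fixtures.

```python
"""Model of Dynamic ARP Inspection against a DHCP snooping binding table
(added example, not a vendor implementation)."""
import struct

ETH_HDR = struct.Struct("!6s6sH")           # dst MAC, src MAC, EtherType
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")   # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b):
    return ".".join(str(x) for x in b)


def parse_frame(frame):
    """Return the fields DAI looks at, or None if the frame is not ARP."""
    _dst, src, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_ARP:
        return None
    _, _, _, _, op, sha, spa, _tha, _tpa = ARP_HDR.unpack_from(frame, ETH_HDR.size)
    return {"eth_src": mac_str(src), "op": op, "sha": mac_str(sha), "spa": ip_str(spa)}


def inspect(frame, ingress_port, trusted_ports, bindings):
    """Decide forward/drop the way DAI does: trusted ports are not checked,
    untrusted ports must present a sender IP/MAC pair found in the bindings."""
    if ingress_port in trusted_ports:
        return "forward", "trusted port"
    f = parse_frame(frame)
    if f is None:
        return "forward", "not ARP"
    if f["eth_src"] != f["sha"]:          # equivalent of 'validate src-mac'
        return "drop", "ethernet source differs from ARP sender MAC"
    bound_mac = bindings.get(f["spa"])
    if bound_mac is None:
        return "drop", f"no binding for {f['spa']}"
    if bound_mac != f["sha"]:
        return "drop", f"{f['spa']} is bound to {bound_mac}, not {f['sha']}"
    return "forward", "binding matches"


# Constructed binding table for the lab; the 10.0.0.1 entry stands in for a
# static (ARP ACL) binding, the others for DHCP snooping entries.
BINDINGS = {
    "10.0.0.1":   "aa:bb:cc:00:50:10",
    "10.0.0.101": "00:50:00:00:03:00",
    "10.0.0.100": "00:50:00:00:04:00",
}
TRUSTED = {"Gi0/0"}   # assumed uplink to the router; access ports are untrusted

# Constructed frames sent by 10.0.0.100 to 10.0.0.101. Layout:
# dst MAC | src MAC | 0806 | htype 0001 | ptype 0800 | 06 04 | op 0002 |
# sender MAC | sender IP | target MAC | target IP
# SPOOFED claims sender IP 10.0.0.1 (the gateway) with the attacker's MAC.
SPOOFED = bytes.fromhex(
    "005000000300" "005000000400" "0806" "0001" "0800" "06" "04" "0002"
    "005000000400" "0a000001" "005000000300" "0a000065"
)
# LEGIT announces the attacker's own address 10.0.0.100 with its own MAC.
LEGIT = bytes.fromhex(
    "005000000300" "005000000400" "0806" "0001" "0800" "06" "04" "0002"
    "005000000400" "0a000064" "005000000300" "0a000065"
)

if __name__ == "__main__":
    print("spoofed on access port:", inspect(SPOOFED, "Gi0/2", TRUSTED, BINDINGS))
    print("legit on access port:  ", inspect(LEGIT, "Gi0/2", TRUSTED, BINDINGS))
```

The model shows why the trusted/untrusted split matters: the same spoofed frame is forwarded without a check if it arrives on a port marked trusted, so trust should be limited to uplinks and the DHCP server path.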
Unfortunately, I had some trouble during switch virtualization. Some features, including port mirroring, DHCP Snooping and ARP Inspection, don’t work well. A physical switch will be necessary to apply the defense techniques.