This entry continues where Sniffing Networks Part 1 left off. If you didn’t read it, as long as you understand how switches work and why we have MAC addresses, you’ll be able to understand this entry.

The physical wire may talk in MAC addresses, but when’s the last time you typed a MAC address into a browser location bar? (You haven’t, except by accident, and certainly not expecting to get anywhere with it.) Applications talk in IP addresses, not MAC addresses, and a switch only forwards on MAC addresses, so something has to turn a destination IP address into the MAC address the frame should carry. That something is the Address Resolution Protocol, or ARP. Each IP-speaking machine keeps an ARP table (also called the ARP cache or neighbor cache) that maps IP addresses to MAC addresses for the machines on its directly attached networks; routers keep one for every network they sit on, and an ordinary computer with several interfaces keeps entries for each of them. The switch itself doesn’t need ARP to forward: once the sender has put the right destination MAC address in the frame, the switch’s MAC table from Part 1 takes it from there. You can look at your ARP table by typing arp -a on Windows, OS X and most Unix systems (ip neigh on newer Linux). Below, I’ve included screenshots of arp -a in OS X (on a fairly large network), and Windows (on a “private” VMware network).

OS X ARP table
Windows ARP table

As you can see, the information is presented differently on each system, but the fundamental information is the same: IP address to MAC address mapping. The OS X screenshot has a lot of “ghost” entries because the network is more dynamic: the network is the wireless interface (en2), and I had used the machine to provide “Internet sharing” over both of the Ethernet ports to a system that hadn’t yet had wireless configured on it. The “ghost” entries, the ones marked (incomplete), are addresses the machine tried to resolve but got no answer for; here they are laptops that come and go on the network (and just happen to be off at the moment). Once I reboot this machine, that table will be fairly empty. It will very quickly fill up with the gateway and the DNS server, since those are accessed almost immediately, and on a Windows network the machines start talking to each other and it fills up pretty quickly. Entries also age out: a cache entry that isn’t refreshed is dropped after a timeout, so a host periodically re-resolves the addresses it is still using. What does this mean for sniffing? Every one of these entries was learned from an ARP packet that nobody authenticated, and that is exactly what ARP spoofing abuses.

In order for all of these tables to be built, ARP packets are being sent over the network. (RARP, Reverse ARP, is its mostly obsolete cousin that let a diskless machine ask for its own IP address given its MAC; it plays no part in building these tables.) When a machine needs to talk to another IP address, it has to find out what the MAC address is, so it broadcasts an ARP request saying “who has <IP address>? tell <my IP address>”. Someone (hopefully the legitimate machine) answers with an ARP reply, “<IP address> is at <MAC address>”, and the asking machine dutifully stores that answer for future use, so it can be polite and not shout to the network again. The request was a broadcast, so everyone who heard it also learned the asker’s own IP-to-MAC mapping for free. If the destination is on another network, the machine doesn’t ARP for it at all: its routing table says to hand the packet to the gateway, so it ARPs for the gateway’s IP address instead, and the router’s MAC address ends up in the frame. (A router configured for proxy ARP will answer for hosts behind it as if it were them, but that is an exception, not the usual case.) Some machines also send what’s called a gratuitous ARP when they boot or when an interface comes up, an unsolicited announcement of their own IP-to-MAC mapping, so that any stale MAC address for that IP is flushed out of the caches of the other machines on the network.

It’s this unauthenticated update that sniffers take advantage of, most simply with a forged gratuitous ARP or an unsolicited ARP reply. The attacker sends out a message that says, “Look! Here I am! This is my MAC address, and my IP address is the gateway’s (or the victim’s).” Machines that hear it dutifully update their ARP tables and start sending packets destined for that IP address to the attacker’s MAC address instead, and the switch, which only knows MAC addresses, delivers them there. Poison the victim’s entry for the gateway and the gateway’s entry for the victim and the attacker sits in the middle of both directions: forward the traffic on and the victims see nothing but a slightly longer path; drop it and you have a denial of service. Because cache entries time out and the real owner keeps answering requests, the attacker has to keep re-sending the forged packets to stay in the middle. You can see where this leads.
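To make the request, reply and gratuitous-ARP exchange from the previous two paragraphs concrete, here is an added example (mine, not code from the original post) that builds and parses ARP frames in their RFC 826 on-the-wire layout and runs them through a toy ARP cache. The addresses (192.168.1.x, the 00:11:22:… and de:ad:be:ef:… MACs) and the cache behaviour are constructed for illustration; the cache deliberately trusts every sender mapping it sees, which is the weakness the text describes. Real stacks differ in detail (Linux, for instance, only updates an existing entry from an unsolicited reply unless arp_accept is set), but none of them authenticate the update.

```python
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def ip_bytes(ip):
    return bytes(int(o) for o in ip.split("."))


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip, eth_dst):
    """Ethernet II frame carrying an ARP packet laid out as in RFC 826."""
    eth = mac_bytes(eth_dst) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    # hardware type 1 (Ethernet), protocol type 0x0800 (IPv4), address lengths 6 and 4, opcode
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)
    arp += mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp


def parse_arp(frame):
    """Decode the ARP fields of a 42-byte Ethernet/ARP frame."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        raise ValueError("not an ARP frame")
    return {
        "op": struct.unpack("!H", frame[20:22])[0],
        "sender_mac": mac_str(frame[22:28]), "sender_ip": ip_str(frame[28:32]),
        "target_mac": mac_str(frame[32:38]), "target_ip": ip_str(frame[38:42]),
    }


def arp_request(sender_mac, sender_ip, target_ip):
    """'Who has target_ip? Tell sender_ip': broadcast, target MAC still unknown."""
    return build_arp(ARP_REQUEST, sender_mac, sender_ip, ZERO_MAC, target_ip, BROADCAST)


def arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """'sender_ip is at sender_mac': unicast back to whoever asked."""
    return build_arp(ARP_REPLY, sender_mac, sender_ip, target_mac, target_ip, target_mac)


def gratuitous_arp(mac, ip):
    """Unsolicited broadcast announcing 'ip is at mac' (sender IP == target IP)."""
    return build_arp(ARP_REPLY, mac, ip, BROADCAST, ip, BROADCAST)


class ArpCache:
    """Toy host ARP cache (constructed model, not any real stack): it records the
    sender mapping of every ARP packet it sees without checking who sent it."""

    def __init__(self):
        self.table = {}

    def observe(self, frame):
        p = parse_arp(frame)
        self.table[p["sender_ip"]] = p["sender_mac"]
        return p

    def lookup(self, ip):
        return self.table.get(ip)


# Constructed addresses for the walk-through; not taken from the original post.
VICTIM_MAC, VICTIM_IP = "00:11:22:33:44:10", "192.168.1.10"
GATEWAY_MAC, GATEWAY_IP = "00:11:22:33:44:01", "192.168.1.1"
ATTACKER_MAC = "de:ad:be:ef:00:01"


def walk_through():
    """Normal resolution, then a forged gratuitous ARP; returns the victim's
    gateway entry before and after the poisoning."""
    victim, gateway = ArpCache(), ArpCache()
    # 1. "who has 192.168.1.1?" is broadcast, so the gateway learns the victim's mapping too
    gateway.observe(arp_request(VICTIM_MAC, VICTIM_IP, GATEWAY_IP))
    # 2. the real gateway answers and the victim caches the mapping
    victim.observe(arp_reply(GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP))
    before = victim.lookup(GATEWAY_IP)
    # 3. an attacker broadcasts a gratuitous ARP claiming the gateway's IP
    victim.observe(gratuitous_arp(ATTACKER_MAC, GATEWAY_IP))
    after = victim.lookup(GATEWAY_IP)
    return before, after


if __name__ == "__main__":
    print("gateway entry before/after:", walk_through())
```

Run it and the victim’s entry for 192.168.1.1 moves from the gateway’s MAC to the attacker’s; from that point every frame the victim addresses to its gateway carries the attacker’s MAC, and the switch forwards it accordingly.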

How do you detect ARP spoofing? Watching the ARP table for changes is a start. arpwatch on Unix and XArp on Windows will notify you when the MAC address for an IP changes, or flip-flops between two MACs, which is what a poisoning attack looks like from the outside. On managed switches, Dynamic ARP Inspection (which checks ARP packets against the switch’s DHCP snooping bindings) can drop the forged packets at the port they arrive on, and a static ARP entry for the gateway is a cheap, if unscalable, defense on an individual host. However, there are legitimate uses for ARP spoofing, so a watcher will also fire on things you meant to happen. You know when you go to a hotel and you’re redirected to a login/payment page? Some captive-portal systems do that with ARP spoofing. ARP spoofing (specifically, a gratuitous ARP for a shared virtual IP) is also used in high availability computing so that one machine can “take over” for another when needed. Both would show up as a changed address, and you’d want to whitelist those IP-to-MAC pairs rather than chase the false alarm.
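As an added example of the detection logic described above (my code, not arpwatch or XArp, and not part of the original post), here is an arpwatch-style watcher run over a handful of constructed ARP reply lines in the format tcpdump -n prints them. The IPs, MACs and timestamps are made up for the demonstration, as is the list of expected failover pairs that models the high-availability case; real deployments would feed it live capture output and a whitelist built from their own inventory.

```python
import re
from collections import defaultdict

# tcpdump -n prints ARP replies as "ARP, Reply <ip> is-at <mac>, length 28"
ARP_REPLY_RE = re.compile(
    r"ARP, Reply (\d{1,3}(?:\.\d{1,3}){3}) is-at ([0-9a-fA-F]{2}(?::[0-9a-fA-F]{2}){5})")


def parse_reply(line):
    """Return (ip, mac) for an ARP reply line, or None for anything else."""
    m = ARP_REPLY_RE.search(line)
    if not m:
        return None
    return m.group(1), m.group(2).lower()


class ArpWatcher:
    """Remembers which MAC last answered for each IP and reports changes,
    the way arpwatch does, plus one extra signal: a single MAC taking over
    several IPs that belonged to other machines."""

    def __init__(self, expected=None):
        # expected: {ip: {mac, ...}} MACs allowed to share an IP (HA/VRRP pairs);
        # constructed whitelist, you would build yours from inventory
        self.expected = {ip: set(macs) for ip, macs in (expected or {}).items()}
        self.ip_to_mac = {}
        self.seen = defaultdict(set)       # ip -> every MAC that ever claimed it
        self.takeovers = defaultdict(set)  # mac -> IPs it took from another MAC

    def feed(self, line):
        """Process one capture line; return a list of (kind, ip, mac) alerts."""
        parsed = parse_reply(line)
        if parsed is None:
            return []
        ip, mac = parsed
        alerts = []
        old = self.ip_to_mac.get(ip)
        if old is None:
            alerts.append(("new station", ip, mac))
        elif old != mac:
            if mac in self.expected.get(ip, set()):
                alerts.append(("expected failover", ip, mac))
            else:
                kind = "flip flop" if mac in self.seen[ip] else "changed ethernet address"
                alerts.append((kind, ip, mac))
                self.takeovers[mac].add(ip)
                if len(self.takeovers[mac]) > 1:
                    alerts.append(("one MAC took over multiple IPs", ip, mac))
        self.ip_to_mac[ip] = mac
        self.seen[ip].add(mac)
        return alerts


def watch(lines, expected=None):
    """Run every line through one watcher and collect all alerts."""
    watcher = ArpWatcher(expected)
    alerts = []
    for line in lines:
        alerts.extend(watcher.feed(line))
    return alerts


# Constructed sample capture: a gateway and a host, an attacker claiming both,
# the real gateway re-asserting itself, and a legitimate HA failover.
SAMPLE_LINES = [
    "13:05:01.100 ARP, Reply 192.168.1.1 is-at 00:11:22:33:44:01, length 28",
    "13:05:01.200 ARP, Reply 192.168.1.10 is-at 00:11:22:33:44:10, length 28",
    "13:05:02.000 ARP, Request who-has 192.168.1.20 tell 192.168.1.10, length 28",
    "13:06:00.000 ARP, Reply 192.168.1.1 is-at de:ad:be:ef:00:01, length 28",
    "13:06:00.050 ARP, Reply 192.168.1.10 is-at de:ad:be:ef:00:01, length 28",
    "13:06:30.000 ARP, Reply 192.168.1.1 is-at 00:11:22:33:44:01, length 28",
    "13:07:00.000 ARP, Reply 10.0.0.100 is-at 00:aa:bb:cc:dd:01, length 28",
    "13:07:05.000 ARP, Reply 10.0.0.100 is-at 00:aa:bb:cc:dd:02, length 28",
]
EXPECTED_PAIRS = {"10.0.0.100": {"00:aa:bb:cc:dd:01", "00:aa:bb:cc:dd:02"}}

if __name__ == "__main__":
    for alert in watch(SAMPLE_LINES, EXPECTED_PAIRS):
        print(alert)
```

The “changed ethernet address” and “flip flop” alerts are the same ones arpwatch raises; the “one MAC took over multiple IPs” line is the extra heuristic that separates an attacker poisoning both ends of a conversation from a single machine that was legitimately re-addressed. The whitelist turns the 10.0.0.100 failover into an informational “expected failover” rather than a page to the on-call engineer.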

Each Thursday, Security Musings features a security-related technology or tool. Featured items do not imply a recommendation by Gemini Security Solutions. For more information about how Gemini Security Solutions can help you solve your security issues, contact us!

3 thoughts on “Sniffing Networks Part 2 – MAC addresses, IP addresses, and ARP”

  1. Great write-up, but that won’t really help me make use of my router IP address. Any advice?
