Just a share: paper "Real World ARP Spoofing"
#1
Table of Contents
PART 1 – THE EXPLOIT 8
Name 8
Operating Systems 8
Protocols/Services/Applications 10
Brief Description 10
Variants 12
References 13
Terminology and conventions 13
PART 2 – THE ATTACK 14
Description and diagram of network 14
Protocol description 15
What is the purpose of the ARP protocol? 15
MAC addresses: the lowest level network name 16
MAC addresses types: Unicast & Broadcast & Multicast 17
ARP packet format 18
How does the ARP protocol work? 20
RFCs security analysis 26
RFC 826: the ARP protocol 26
RFC 1122: ARP requirements for Internet hosts 31
RFC 1812: ARP requirements for Internet routers 33
RFC 1027: Transparent Subnet Gateways – Proxy ARP 34
RFC 1868: ARP extension – UNARP 35
ARP packet types 37
How the exploit works 38
Description and diagram of the attack 40
How can the attacker verify if the attack was successful? 42
ARP spoofing persistence 43
Network citizens 45
ARP spoofing tools 46
Arpplet 46
Other tools available 47
Advanced attacks based on ARP Spoofing 49
Sniffing 49
Denial of Service 49
Transparent proxy 49
Smart IP spoofing 50
ARP protocol security research 51
ARP packet taxonomy: analyzing all ARP packet variations 51
ARP packet taxonomy tests 54
ARP big anomalies tests 63
ARP timeouts: analyzing the ARP cache table 63
ARP timeouts tests 65
OS fingerprinting based on ARP packets 68
Bootstrap and shutdown times research 69
Activating/Deactivating network interfaces 73
ARP parameters by operating system 74
© SANS Institute 2003, Author retains full rights.
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
© SANS Institute 2003, As part of GIAC practical repository. Author retains full rights.
“Real World ARP Spoofing” - Raúl Siles Page 5
HA solutions 86
DHCP systems 87
Signature of the attack 88
Using real or fake MAC addresses: pros and cons 89
Signatures based on MAC address selection 91
How to protect against it 93
Physical security 93
Static ARP entries 94
Encryption 95
Filtering devices 95
Switches: advanced network devices 96
“Duplicate IP address” message 102
NIDS 105
HIDS 106
TTL signature 108
Authentication: 802.1x 108
Private VLANS 110
VACLs 112
PART 3 – THE INCIDENT HANDLING PROCESS 113
Preparation 113
Identification 114
Containment 116
Eradication 118
Recovery 119
Lessons Learned 119
Extras 120
LIST OF REFERENCES 122
APPENDIX I: OPERATING SYSTEMS RESEARCHED 130
APPENDIX II: RESEARCH LAB DESCRIPTION 131
APPENDIX III: ARP TIMEOUTS RESEARCH 133
Local tests: [TestTLn] 133
Remote tests: [TestTRn] 134
APPENDIX IV: ARP SPOOFING RESEARCH SCRIPTS 137
ARP spoofing preparation script 137
ARP table status scripts 138
Cisco IOS 138
Unix: HP-UX and Linux 138
Windows 139
Solaris 140
ARP timeouts scripts 140
ARP packet taxonomy scripts 141
Tests BH 143
Test SK 143
Results 144
APPENDIX V: THE “ARP” COMMAND 145
General arguments comparison 145
Cisco IOS 145
Cisco CatOS 147
HP-UX 11 148
Linux: kernel 2.4 148
Windows 2000 SP3 149
Solaris 8 149
Execution privileges 149
Output format per Operating System 150
APPENDIX VI: FIRST TRAFFIC SEEN IN THE NETWORK 152
APPENDIX VII: ARP FLUX 153
APPENDIX VIII: ARP TABLE SNAPSHOTS 154
ARP static entries for its IP address 154
ARP static entries for another IP network 155
Cisco IOS router or switch 155
HP-UX 10.20 155
HP-UX 11 and 11i 155
Linux kernel 2.4 155
Windows 2000 SP3 155
Solaris 8 155
ARP entries without response 156
Cisco IOS 156
HP-UX 10.20 156
Linux kernel 2.4 156
Windows 2000 156
Solaris 8 156
APPENDIX IX: “ARPPLET” SOURCE CODE 157
APPENDIX XI: GOOGLE STATE OF THE ART 16

giac.org

edited by @junior
I Hear I Forget
I See I Remember
I Do I Understand

#2
(11-04-2012, 03:40 AM)mitunz Wrote: Table of Contents

Thanks, Mr. xsan-lahci, for correcting my language.
OK, thanks for sharing, but I don't understand it. Please explain it to us :)

#3
In English, Mr. junior :)

For the thread starter: I don't understand your share... is that just text, or a tutorial?

#4
I'm very sorry for my mistake. This paper explains how the ARP module inside TCP/IP works and how ARP is exploited to take over network traffic, such as spoofing and poisoning.

I'd be glad if a moderator could edit my thread subject to correct "asp" to "ARP".


I Hear I Forget
I See I Remember
I Do I Understand

#5
(11-04-2012, 08:49 PM)mitunz Wrote: I'm very sorry for my mistake. This paper explains how the ARP module inside TCP/IP works and how ARP is exploited to take over network traffic, such as spoofing and poisoning.

I'd be glad if a moderator could edit my thread subject to correct "asp" to "ARP".

OK, I'll edit your thread :) ^_^
