Showing posts with label Networking. Show all posts

Wednesday, 24 February 2016

ARP Cache Poisoning of Switched Network

In my previous article, Sniffing a switched network, I gave an introduction to how a switched network can be sniffed and what the popular techniques are. In this article I explain one of the techniques I discussed in that article.



The ARP Process

The two main types of packet addressing are at layers 2 and 3 of the OSI model. These layer 2 addresses, or MAC addresses, are used in conjunction with whichever layer 3 addressing system you are using. In this book, in accordance with industry-standard terminology, I refer to the layer 3 addressing system as the IP addressing system. All devices on a network communicate with each other on layer 3 using IP addresses. Because switches operate on layer 2 of the OSI model, they are cognizant of only layer 2 MAC addresses, so devices must be able to include this information in packets they construct. When a MAC address is not known, it must be obtained using the known layer 3 IP addresses to be able to forward traffic to the appropriate device. This translation process is done through the layer 2 protocol ARP.

The ARP process, for computers connected to Ethernet networks, begins when one computer wishes to communicate with another. The transmitting computer first checks its ARP cache to see if it already has the MAC address associated with the IP address of the destination computer. If it does not, it sends an ARP request to the data link layer broadcast address FF:FF:FF:FF:FF:FF, as discussed in Chapter 1. As a broadcast packet, this packet is received by every computer on that particular Ethernet segment. The packet basically asks, “Which IP address owns the XX:XX:XX:XX:XX:XX MAC address?”


Devices without the destination computer’s IP address simply discard this ARP request. The destination machine replies to the packet with its MAC address via an ARP reply. At this point, the original transmitting computer now has the data link layer addressing information it needs to communicate with the remote computer, and it stores that information in its ARP cache for fast retrieval.

How ARP Cache Poisoning Works

ARP cache poisoning, sometimes called ARP spoofing, is the process of sending ARP messages to an Ethernet switch or router with fake MAC (layer 2) addresses in order to intercept the traffic of another computer. Figure illustrates this setup.

ARP cache poisoning is an advanced form of tapping into the wire on a switched network. It is commonly used by attackers to send falsely addressed packets to client systems in order to intercept certain traffic or cause denial-of-service (DoS) attacks on a target. However, it can also be a legitimate way to capture the packets of a target machine on a switched network.
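From the monitoring side, the request/reply exchange and the poisoning described above can be told apart in a capture. The following is an added example, not code from the original article: it parses raw ARP frames and flags replies that answer no request and IP-to-MAC bindings that change. All addresses and the sample frames are constructed for illustration.

```python
import struct

def mac(b): return ":".join(f"{x:02x}" for x in b)
def ip(b): return ".".join(str(x) for x in b)

def build_arp(op, sha, spa, tha, tpa, dst):
    """Build an Ethernet+ARP frame as bytes (sample data only, nothing is sent)."""
    eth = dst + sha + struct.pack("!H", 0x0806)
    return eth + struct.pack("!HHBBH", 1, 0x0800, 6, 4, op) + sha + spa + tha + tpa

def parse_arp(frame):
    """Return the ARP fields of an IPv4-over-Ethernet ARP frame, else None."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"op": op, "sha": mac(frame[22:28]), "spa": ip(frame[28:32]),
            "tpa": ip(frame[38:42])}

def detect_poisoning(frames):
    """Flag replies nobody asked for and IP-to-MAC bindings that change."""
    bindings, asked, alerts = {}, set(), []
    for n, frame in enumerate(frames):
        p = parse_arp(frame)
        if p is None:
            continue
        if p["op"] == 1:                      # request: remember which IP was asked for
            asked.add(p["tpa"])
        elif p["op"] == 2:                    # reply: was it solicited?
            if p["spa"] not in asked:
                alerts.append((n, "unsolicited-reply", p["spa"], p["sha"]))
            asked.discard(p["spa"])
        old = bindings.get(p["spa"])          # requests and replies both carry a sender binding
        if old is not None and old != p["sha"]:
            alerts.append((n, "binding-changed", p["spa"], p["sha"]))
        bindings[p["spa"]] = p["sha"]
    return alerts

# Constructed sample capture: host .10 resolves its gateway .1, then a third
# MAC claims the gateway's IP without any request having been made.
HOST, GW, ODD = (bytes.fromhex(h) for h in ("02000000000a", "020000000001", "020000000066"))
H_IP, G_IP = bytes([192, 168, 1, 10]), bytes([192, 168, 1, 1])
SAMPLE = [
    build_arp(1, HOST, H_IP, b"\x00" * 6, G_IP, b"\xff" * 6),  # broadcast request for .1
    build_arp(2, GW, G_IP, HOST, H_IP, HOST),                   # solicited reply from GW
    build_arp(2, ODD, G_IP, HOST, H_IP, HOST),                  # conflicting, unsolicited claim
]

if __name__ == "__main__":
    for alert in detect_poisoning(SAMPLE):
        print(alert)
```

A binding change alone also occurs legitimately, for example after a NIC replacement or a failover, so alerts of this kind need to be checked against known changes.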






Tuesday, 23 February 2016

Tapping out a Switched Network

In my previous article, Sniffing a switched network, I gave an introduction to how a switched network can be sniffed and what the popular techniques are. In this article I explain one of the techniques I discussed in that article.

A network tap is a hardware device that you can place between two points on your cabling system in order to capture the packets between those two points. As with hubbing out, you place a piece of hardware on the network that allows you to capture the packets you need. The difference is that rather than using a hub, you use a specialized piece of hardware designed for network analysis. There are two primary types of network taps: aggregated and nonaggregated. Both types of taps sit in between two devices in order to sniff the communications. The primary difference between an aggregated tap and a nonaggregated tap is that the nonaggregated tap has four ports and the aggregated tap only has three ports. Taps also typically require a power connection, although some include batteries for brief stints of packet sniffing without the need to plug into a power receptacle.

Aggregated Taps

The aggregated tap is the simplest to use. It has only one physical monitor port for sniffing bidirectional traffic. To capture all traffic to and from a single computer plugged into a switch using an aggregated tap, follow these steps:

  1. Unplug the computer from the switch.
  2. Plug one end of a network cable into the computer, and plug the other end into the tap’s “in” port.
  3. Plug one end of another network cable into the tap’s “out” port, and plug the other end into the network switch.
  4. Plug one end of a final cable into the tap’s “monitor” port, and plug the other end into the computer that is acting as your sniffer.

The aggregated tap should be connected as shown in Figure. At this point, your sniffer should be capturing all traffic in and out of the computer you’ve plugged into the tap.



Nonaggregated Taps

The nonaggregated tap is slightly more complex than the aggregated type, but it allows a bit more flexibility when capturing traffic. Instead of a single monitor port that can be used to listen to bidirectional communication, the nonaggregated type has two monitor ports. One monitor port is used for sniffing traffic in one direction (from the computer connected to the tap), and the other monitor port is used for sniffing traffic in the other direction (to the computer connected to the tap).

To capture all traffic to and from a single computer plugged into a switch, follow these steps:

  1. Unplug the computer from the switch.
  2. Plug one end of a network cable into the computer, and plug the other end into the tap’s “in” port.
  3. Plug one end of another network cable into the tap’s “out” port, and plug the other end into the network switch.
  4. Plug one end of a third network cable into the tap’s “monitor A” port, and plug the other end into one NIC on the computer that is acting as your sniffer.
  5. Plug one end of a final cable into the tap’s “monitor B” port, and plug the other end into a second NIC on the computer that is acting as your sniffer.

The nonaggregated tap should be connected as shown in Figure.


Choosing a Network Tap

Given the difference between these two types of taps, which one is better? In most situations, aggregated taps are preferred, because they require less cabling and don’t need two NICs on your sniffer computer. However, in situations where you are capturing a high volume of traffic or care about traffic going in only one direction, nonaggregated taps are beneficial.


Hubbing a Switched Network

In my previous article, Sniffing a switched network, I gave an introduction to how a switched network can be sniffed and what the popular techniques are. In this article I explain one of the techniques I discussed in that article.



Another way to capture the traffic through a target device on a switched network is by hubbing out. This is a technique by which you segment the target device and your analyzer system on the same network segment by plugging them directly into a hub. Many people think of hubbing out as cheating, but it’s really a perfect solution in situations where you can’t perform port mirroring but still have physical access to the switch the target device is plugged into.

To hub out, all you need is a hub and a few network cables. Once you have your hardware, connect it as follows:

  1. Go to the switch the target device resides on and unplug the target from the network.
  2. Plug the target’s network cable into your hub.
  3. Plug in another cable that connects your analyzer to the hub.
  4. Plug in a network cable from your hub to the network switch to connect the hub to the network.



Now you have basically put the target device and your analyzer in the same broadcast domain, and all traffic from your target device will be broadcast so that the analyzer can capture those packets, as illustrated in Figure.


In most situations, hubbing out will reduce the duplex of the target device from full to half. While this method isn’t the cleanest way to tap into the wire, it’s sometimes your only option when a switch does not support port mirroring. But keep in mind that your hub will also require a power connection, which can be difficult to find in some instances.

Finding True Hub

When hubbing out, be sure that you’re using a true hub and not a falsely labeled switch. Several networking hardware vendors have a bad habit of marketing and selling a device as a hub when it actually functions as a low-level switch. If you aren’t working with a proven, tested hub, you will see only your own traffic, not that of the target device. When you find a hub, test it to make sure it really is a hub. If it is, it’s a keeper! The best way to determine whether or not a device is a true hub is to hook up a pair of computers to it and see if one computer can sniff traffic between the other computer and various other devices on the network, such as another computer or a printer. If so, that’s a true hub. Since hubs are so antiquated, they are not really mass-produced anymore. It’s almost impossible to buy a true hub off the shelf, so you’ll need to be creative in order to find one. eBay can be a good source of hubs, but be wary, as you may run into the same issue with switches mislabeled as hubs.

Sunday, 21 February 2016

Port Mirroring a Switched Network

In my previous article, Sniffing a switched network, I gave an introduction to how a switched network can be sniffed and what the popular techniques are. In this article I explain one of the techniques I discussed in that article.

Port mirroring, or port spanning, is perhaps the easiest way to capture the traffic from a target device on a switched network. In this type of setup, you must have access to the command-line or web-management interface of the switch on which the target computer is located. Also, the switch must support port mirroring and have an empty port into which you can plug your sniffer. To enable port mirroring, you issue a command that forces the switch to copy all traffic on one port to another port. For instance, to capture the traffic from a device on port 3 of a switch, you could simply plug your analyzer into port 4 and mirror port 3 to port 4, allowing you to see all traffic transmitted and received by your target device. Figure illustrates port mirroring.

The way that you set up port mirroring depends on the manufacturer of your switch. For most switches, you’ll need to log in to a command-line interface and enter the port mirroring command. 

When port mirroring, be aware of the throughput of the ports you are mirroring. Some switch manufacturers allow you to mirror multiple ports to one individual port, which may be very useful when analyzing the communication between two or more devices on a single switch. However, let’s consider what will happen using some basic math. If you have a 24-port switch and you mirror 23 full-duplex 100Mbps ports to one port, you could potentially have 4,600Mbps flowing to that port. This is well beyond the physical threshold of a single port, so it could cause packet loss or network slowdowns if the traffic reached a certain level. In these situations, switches have been known to completely drop excess packets or even “pause” their internal circuitry, preventing communication altogether. Be sure that this type of situation doesn’t occur when you are trying to perform your capture.

Wednesday, 10 February 2016

Difference Between Hub and Switch

There is a common misunderstanding about these two pieces of hardware, which do the dirty work of networking in almost every network. In this article I will describe the difference between the two.


Hubs

A hub is generally a box with multiple ports. They range from very small to large depending on the requirement. Because hubs can generate a lot of unnecessary network traffic and are capable of operating only in half-duplex mode (they cannot send and receive data at the same time), you won’t typically see them used in most modern or high-density networks (switches are used instead).

A hub is no more than a repeating device that operates on the physical layer of the OSI model. It takes packets sent from one port and transmits (repeats) them to every other port on the device. For example, if a computer on port 1 of a 4-port hub needs to send data to a computer on port 2, the hub sends those packets to ports 1, 2, 3, and 4. The clients connected to ports 3 and 4 examine the destination Media Access Control (MAC) address field in the Ethernet header of the packet, and they see that the packet is not for them, so they drop (discard) the packet. Figure 1-5 illustrates an example in which computer A is transmitting data to computer B. When computer A sends this data, all computers connected to the hub receive it. Only computer B actually accepts the data; the other computers discard it.

The best alternatives to hubs in production and high-density networks
are switches, which are full-duplex devices that can send and receive data
synchronously.


Switches

Like a hub, a switch is designed to repeat packets. However, unlike a hub,
rather than broadcasting data to every port, a switch sends data to only the
computer for which the data is intended.

Switches also offer advanced functionality when it comes to handling transmitted packets. In order to be able to communicate directly with specific devices, switches must be able to uniquely identify devices based on their MAC addresses, which means that they must operate on the data link layer of the OSI model.

Switches store the layer 2 address of every connected device in a CAM table, which acts as a kind of traffic cop. When a packet is transmitted, the switch reads the layer 2 header information in the packet and, using the CAM table as reference, determines to which port(s) to send the packet. Switches send packets only to specific ports, thus greatly reducing network traffic. Figure 1-7 illustrates traffic flow through a switch. In this figure, computer A is sending data to only the intended recipient: computer B. Multiple conversations can happen on the network at the same time, but information is communicated directly between the switch and intended recipient, not between the switch and all connected computers.
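The difference in what a passive listener receives can be modeled in a few lines. The following is an added example, not code from the original article: it simulates a repeating hub and a CAM-learning switch and reports which frames reach a sniffer on an otherwise idle port. The port numbers, MAC addresses and traffic are constructed for illustration.

```python
BROADCAST = "ff:ff:ff:ff:ff:ff"

class Hub:
    """Physical-layer repeater: each frame is repeated out of every other port."""
    def __init__(self, ports):
        self.ports = ports

    def forward(self, in_port, src, dst):
        return [p for p in range(1, self.ports + 1) if p != in_port]

class Switch:
    """Layer 2 device: learns source MACs into a CAM table, forwards by destination."""
    def __init__(self, ports):
        self.ports = ports
        self.cam = {}                         # MAC address -> port

    def forward(self, in_port, src, dst):
        self.cam[src] = in_port               # learn where the sender lives
        if dst != BROADCAST and dst in self.cam:
            out = self.cam[dst]
            return [] if out == in_port else [out]
        # Broadcast or unknown destination: flood to every other port.
        return [p for p in range(1, self.ports + 1) if p != in_port]

def frames_seen(device, traffic, sniffer_port):
    """Return the (src, dst) pairs that are delivered to the sniffer's port."""
    return [(src, dst) for in_port, src, dst in traffic
            if sniffer_port in device.forward(in_port, src, dst)]

def is_true_hub(device, traffic, sniffer_port):
    """The hub test from the text: can the sniffer see other hosts' unicast frames?"""
    return any(dst != BROADCAST for _, dst in frames_seen(device, traffic, sniffer_port))

# Constructed traffic: computer A (port 1) resolves and then talks to computer B (port 2).
A, B = "02:00:00:00:00:0a", "02:00:00:00:00:0b"
TRAFFIC = [
    (1, A, BROADCAST),   # ARP request from A
    (2, B, A),           # ARP reply from B
    (1, A, B),           # data A -> B
    (2, B, A),           # data B -> A
]

if __name__ == "__main__":
    print("hub   :", frames_seen(Hub(4), TRAFFIC, sniffer_port=4))
    print("switch:", frames_seen(Switch(4), TRAFFIC, sniffer_port=4))
```

On the switch the sniffer still receives the broadcast ARP request, so seeing broadcasts alone does not show that a device is a hub; only other hosts' unicast frames do.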