ARP Poisoning Attack and Mitigation Techniques ARP欺骗 中间人攻击 Man-In-The-Middle (MITM) attack 嗅探 防范 Can one MAC address have two different IP addresses within the network?

小结：

1、

ARP缓存投毒，窃听中毒者之间的通信；

2、

ARP Poisoning Attack and Mitigation Techniques - Cisco
https://www.cisco.com/c/en/us/products/collateral/switches/catalyst-6500-series-switches/white_paper_c11_603839.html

 

Updated:January 22, 2016

Document ID:1476983603003952

ARP Poisoning (Man-in-the-Middle) Attack and Mitigation Techniques

A CSSTG SE Residency Program White Paper

Jeff King, CCIE 11873, CCSP, CISSP 80875

Kevin Lauerman, CCSP, CISSP 80877

Abstract

Security is at the forefront of most networks, and many companies implement a comprehensive security policy encompassing many of the OSI layers, from application layer all the way down to IP security. However, one area that is often left untouched is hardening Layer 2 and this can open the network to a variety of attacks and compromises.

This document will have a focus on understanding and preventing the ARP Poisoning (also known as the Man-In-The-Middle [MITM]) Layer 2 attack on the Cisco® Catalyst® 6500 switching series switch running Cisco IOS® Software. The Ettercap attack tool will be used to initiate Layer 2 attacks that you might encounter. Mitigation techniques to stop this attack are also covered.

A MacBook Pro and a Lenovo T61P (laptops) was used for these test and acted as the attacker in some cases and the victim in others. Both computers also ran VMware.

Note that the attacks performed in this white paper were done in a controlled lab environment. We do not recommend that you perform this attack on your enterprise network.

ARP (Address Resolution Protocol) Poisoning (MITM) Attack

A Man-In-The-Middle (MITM) attack is achieved when an attacker poisons the ARP cache of two devices with the (48-bit) MAC address of their Ethernet NIC (Network Interface Card). Once the ARP cache has been successfully poisoned, each of the victim devices send all their packets to the attacker when communicating to the other device. This puts the attacker in the middle of the communications path between the two victim devices; hence the name Man-In-The-Middle (MITM) attack. It allows an attacker to easily monitor all communication between victim devices.

The objective of this MITM attack is to take over a session. The intent is to intercept and view the information being passed between the two victim devices.

Three (3) scenarios were used for the MITM attack. They were as follows:

Scenario	Description
1	Static IP Address on Attacker machine
2	DHCP from 881 Router (DHCP Server) on Attacker machine
3	DHCP from Cisco Catalyst 6509E DHCP Server on Attacker machine

These (3) scenarios were chosen because they were all valid configurations that one might see in a customer's network; although scenario 2 and 3 are more likely in an enterprise network.

攻击步骤

Figure 1.      ARP Poisoning (MITM) Attack—Scenario 1

Steps for the MITM (ARP Poisoning) Attack:

1.     View initial ARP cache on the Victim PC (Windows XP)

2.     View initial ARP cache on the Attacker PC (Ubuntu 9.04)

3.     View initial MAC Address-Table on the Cisco Catalyst 6509E (Sup 720-3B)

4.     Start Ettercap attack application on the Attacker PC (Ubuntu 9.04)

5.     Configure Ettercap for “Unified Sniffing”

6.     Select Interface (eth2) to sniff on Ubuntu 9.04 Attacker PC

7.     Scan for host on wire

8.     List hosts discovered and select targets for attack

9.     Start sniffing

10.   Start the MITM (ARP Poisoning) attack

11.   Activate the “repoison_arp” plugin in Ettercap

12.   Activate the “remote_browser” plugin in Ettercap

13.   Open a Telnet session from the Victim to 10.1.0.1 (Int Vlan 7 on 6509E)

14.   View “connections” in Ettercap for “active” connections (telnet session)

15.   Select “active” session and then “view details”

16.   View login and password between Victims (Windows XP and 6509E)

17.   Perform “character injection” from Ettercap toward the 6509E (CLI)

18.   Perform “character injection” from Ettercap toward Windows XP (Victim)

19.   Open up web browser to from Windows XP Victim to CVDM on 6509E

20.   Spawn browser on Attacker PC to view Victim's web pages being viewed

21.   Scenario 2: DHCP from 881 Router (DHCP Server) on Attacker machine

22.   Scenario 3: DHCP from Cisco Catalyst 6509E DHCP Server on Attacker machine

23.   Mitigation of the MITM (ARP Poisoning) Attack

24.   Summary

Figure 59.    ARP Poisoning (MITM) Attack—Scenario 2

Figure 60.    ARP Poisoning (MITM) Attack—Scenario 3

 

 

https://en.wikipedia.org/wiki/ARP_spoofing