[CyberSecurityLearning 14] ARP protocol analysis and attack protection + routing principle (2)

Table of Contents

I. Analyze ARP attacks and spoofing
  1.1 ARP protocol
    1.1.1 Overview of Broadcast and Broadcast Domain
    1.1.2 Overview of ARP protocol
    1.1.3 Principles of ARP Protocol
    1.1.4 ARP related commands
  2. The principle and application of ARP attack and ARP spoofing
    2.1 Principles of ARP spoofing and attack
II. Routing principle (2)
  Describe the complete process of communication
  How the router works (★)
III. ARP experiment demonstration
IV. ARP attack defense
  1. Static ARP binding
  2. ARP firewall
  3. Hardware-level ARP defense (the ultimate method)


I. Analyze ARP attacks and spoofing

1.1 ARP protocol

1.1.1 Overview of Broadcast and Broadcast Domain

Broadcast and broadcast domain
Broadcast: a data frame whose destination address is the broadcast address.
Broadcast domain: the set of all nodes that can receive the same broadcast (that is, the range a broadcast reaches). The smaller the broadcast domain, the better.
A switch cannot isolate broadcast domains: every port of a switch belongs to one broadcast domain, so when one host broadcasts, every other host in that domain receives it. A switch cannot control broadcasts.
A router isolates broadcast domains and can control broadcasts.

MAC-address broadcast: the broadcast MAC address is FF-FF-FF-FF-FF-FF.

IP-address broadcast:
1) 255.255.255.255 (the limited broadcast address)
2) The directed broadcast address of the IP network segment, for example 192.168.1.255 for the segment 192.168.1.0/24


1.1.2 Overview of ARP protocol

What is the ARP protocol? ARP (Address Resolution Protocol) resolves a known IP address into a MAC address.

ARP works only within the local network (it is an intranet protocol), so an ARP attack is also only an intranet attack.
Because ARP relies on broadcasts, it stops as soon as it reaches a router: the router controls broadcasts and isolates the broadcast domain.

View the local ARP cache command: arp -a

1.1.3 Principles of ARP Protocol

1) Send an ARP broadcast request.
   Message content: "I am 10.1.1.1, my MAC is AA. Who is 10.1.1.3? What is your MAC?"
2) Receive the ARP unicast reply.


1.1.4 ARP related commands

ARP commands on Windows:
arp -a: view the ARP cache table (the cache is learned after boot and is lost at shutdown)
arp -d: clear the ARP cache
arp -s: add a static ARP binding

ARP commands on Cisco IOS:
View the ARP cache table: Router#show arp
Clear the ARP cache: Router#clear arp-cache
ARP binding: Router(config)#arp ip-address mac-address arpa

2. The principle and application of ARP attack and ARP spoofing

2.1 Principles of ARP spoofing and attack

  Attack or deceive by sending fake ARP messages (broadcast or unicast)!
  For example, if the MAC in the fake message is forged and does not exist, the result is an ARP attack: communication is interrupted (disconnection)!
  If the MAC in the fake message is the attacker's own MAC address, the result is ARP spoofing: the traffic can be monitored, stolen, tampered with and controlled, but communication is not interrupted!

When the target IP is not in your network segment, you still send an ARP broadcast, but it does not ask for the MAC of that external segment; it asks for the gateway: "I am 10.1.1.1 and my MAC is AA, who is the gateway (10.1.1.254)? Please tell me your MAC address." The gateway answers: "I am 10.1.1.254, my MAC address is BB."
After learning this, I write BB into the header of the frame carrying my data for Baidu and send it to the switch, and the switch forwards the frame to the gateway.


Scenario description:
Assume our room is the 10.1.1.0 network segment: Xiaotian is 10.1.1.3, I am 10.1.1.1, and the gateway of this house is 10.1.1.254. Everyone points to the gateway in order to reach the Internet.
I say: "Who is 10.1.1.3? Please tell me your MAC address." Originally only Xiaotian should answer. But Xiao Zheng also receives this broadcast and, being unkind, finds a tool and forges a reply: "I am 10.1.1.3 and my MAC is EE" (fabricated out of thin air). In the ARP cache, whoever comes last wins: the latest message overwrites what I learned before. For example, if Xiao Zheng's reply arrives after Xiaotian's, I believe 10.1.1.3 is EE. Xiaotian replies only once, while Xiao Zheng can keep sending fabricated replies, so under this attack I cannot receive anything from Xiaotian all day. Now Xiaotian also wants to send me a message and asks "Who is 10.1.1.1? Please tell me your MAC address." I reply "I am 10.1.1.1, my MAC address is AA", and Xiao Zheng replies again with "I am 10.1.1.1, my MAC address is EE", so Xiaotian now takes Xiao Zheng for me. [This is called an ARP attack.]

The purpose of the attack: to interrupt the communication between me and Xiaotian.

The tricky part of the ARP protocol:
Just now I was on the same network segment as Xiaotian, so when Xiaotian told me "I am 10.1.1.3" at the beginning, that was the direct case (the first thing a PC does when it talks to the outside is decide whether the target IP is in its own network segment), because Xiaotian and I are on the same LAN.
Now I want to visit Baidu, whose address we assume is 200.1.1.1. The first judgement my computer makes is: is the target IP in my network segment? No. So I go to the gateway. Is my first task to send the data to the gateway or directly to Baidu? To the gateway.
I do not broadcast "Who is 200.1.1.1, please tell me your MAC address", because Baidu is not on my segment: the broadcast cannot leave the segment, and even the gateway will not let it out. I want to reach 200.1.1.1 on the external network, so all I need to do is hand my frame to the gateway: the layer-3 header still says the destination is 200.1.1.1, but the frame is given to the switch, and the switch forwards by MAC address, not IP, so the frame must be addressed to the gateway's MAC.
When you determine that the target IP is in the same segment as your own IP, you send an ARP broadcast directly to ask for its MAC address.
When you determine that the target IP is not in your segment, you still send an ARP broadcast, but what it asks for is not the MAC of the external segment; it asks for the gateway: "I am 10.1.1.1 and my MAC is AA, who is the gateway 10.1.1.254? Please tell me your MAC address." Only the gateway responds: "I am 10.1.1.254, my MAC is BB."

At this point I write BB into the header of the frame I send towards Baidu and hand it to the switch, and the switch forwards the frame to the gateway.

Now, when I ask who the gateway is, Xiao Zheng makes trouble again and says "I am the gateway, my MAC is EE". From then on the gateway is EE in my cache, and he has cut me off.
So an ARP attack terminates communication; in the severe case it takes you off the network entirely (technique: a fake ARP message carrying a fake, non-existent MAC address to deceive you).

In fact the attack works not only through ARP reply messages but also through ARP broadcast requests.
Xiao Zheng sends a broadcast saying "Who is 10.1.1.10? Please tell me your MAC address. I am 10.1.1.254 and my MAC address is EE" (he is neither 10.1.1.254, nor is his MAC EE). That he is looking for 10.1.1.10 does not concern me, but he claims to be 10.1.1.254, so I write that into my cache. When I next go online and look up the gateway, the cache tells me the gateway is EE, and I am attacked in an instant.

What was just described is the ARP attack: disconnecting you from the network by sending false broadcasts or reply messages. Now let's look at ARP spoofing:

Background: I am 10.1.1.1, MAC AA; Xiaotian is 10.1.1.3, MAC CC; Xiao Zheng is 10.1.1.4, MAC DD; the gateway is 10.1.1.254, MAC BB.

Situation:
I say: "Who is 10.1.1.3? Please tell me your MAC address." Xiaotian says: "I am 10.1.1.3, my MAC is CC." Xiao Zheng interferes and says: "I am 10.1.1.3, my MAC is DD" [this is Xiao Zheng's real MAC]. My cache now believes "Xiaotian's IP is 10.1.1.3, MAC DD". From now on everything I send to Xiaotian goes to Xiao Zheng; Xiao Zheng reads it and forwards it to Xiaotian unchanged. My message still reaches Xiaotian, just after passing through Xiao Zheng's hands. Xiao Zheng has become the "man in the middle". The purpose of ARP spoofing is not to disconnect the network; the purpose is to intercept, steal, tamper with and control your data.

Next, if I want to access the Internet, I talk to the gateway. Xiao Zheng interferes again and says "I am 10.1.1.254, my MAC is DD". Now the data between me and the gateway also passes through Xiao Zheng; he fully controls my Internet traffic and can steal your passwords and so on.

ARP can be attacked or deceived because the ARP protocol has no verification mechanism (authenticity cannot be checked). Whatever ARP message a host receives, reply or request, it learns from it; what it learns may be true or fake, and if it is fake the host has been deceived or attacked. The fake things it learned sit in its cache.

The ARP attacker poisons the victim's ARP cache by sending fake, forged ARP messages (in other words, what the victim's cache has learned is fake).
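The learning rule and the two outcomes described above (forged non-existent MAC = attack, attacker's real MAC = spoofing), modelled in Python as an added example that is not from the original post. It also shows the defender-side check the post motivates: a monitor holding the real bindings that raises an alert when a guarded IP is claimed with a different MAC. The message stream is constructed from the post's scenario (addresses 10.1.1.x, MACs AA/BB/CC/DD/EE).

```python
from dataclasses import dataclass, field
from typing import Dict, List

@dataclass
class ArpMessage:
    op: str          # "request" or "reply": both are learned, as the text notes
    sender_ip: str
    sender_mac: str
    target_ip: str

@dataclass
class Host:
    ip: str
    mac: str
    cache: Dict[str, str] = field(default_factory=dict)   # ip -> mac, never verified

    def learn(self, msg: ArpMessage) -> None:
        # No authentication: the latest message heard for a sender IP wins.
        self.cache[msg.sender_ip] = msg.sender_mac

    def next_hop_mac(self, dst_ip: str, gateway_ip: str, prefix: str):
        # First decision the PC makes: same segment -> ask for the host itself,
        # otherwise the frame goes to the gateway, whatever the layer-3 header says.
        key = dst_ip if dst_ip.startswith(prefix) else gateway_ip
        return self.cache.get(key)

class ArpMonitor:
    """Defender-side check: alert when a guarded IP is claimed with another MAC."""
    def __init__(self, bindings: Dict[str, str]):
        self.bindings = bindings                    # ip -> real MAC (static binding)
        self.alerts: List[str] = []

    def observe(self, msg: ArpMessage) -> None:
        real = self.bindings.get(msg.sender_ip)
        if real is not None and msg.sender_mac != real:
            self.alerts.append(f"{msg.op}: {msg.sender_ip} claimed as {msg.sender_mac}, bound to {real}")

def run_scenario():
    me = Host("10.1.1.1", "AA")
    monitor = ArpMonitor({"10.1.1.3": "CC", "10.1.1.254": "BB"})
    traffic = [                                                   # constructed, in the post's order
        ArpMessage("reply", "10.1.1.3", "CC", "10.1.1.1"),        # Xiaotian answers honestly
        ArpMessage("reply", "10.1.1.3", "EE", "10.1.1.1"),        # forged, MAC does not exist: attack
        ArpMessage("reply", "10.1.1.254", "BB", "10.1.1.1"),      # gateway answers honestly
        ArpMessage("request", "10.1.1.254", "DD", "10.1.1.10"),   # forged request with Xiao Zheng's real MAC: spoofing
    ]
    for msg in traffic:
        me.learn(msg)
        monitor.observe(msg)
    return me, monitor
```

After the four messages, the host's cache points 10.1.1.3 at a MAC nobody owns and the gateway at Xiao Zheng, while the monitor has flagged both forged messages.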

II. Routing principle (2)

Only an interface that can be configured with an IP address has a MAC address; an interface that cannot carry an IP address has no MAC address.
Only the switch has a MAC address table.

Describe the complete process of communication


How the router works (★)

1) When a frame arrives at the router, the router first checks whether the destination MAC address in the frame header is its own. If not, it discards the frame; if so, it decapsulates the frame and passes the IP packet (layers 3, 4 and 5) into the router.

2) The router reads the destination IP in the IP header and looks it up in the routing table. If no route matches, it discards the packet and returns an error message to the source IP. If a route matches, it routes the IP packet to the outgoing interface.

3) It then encapsulates a new frame: first it uses the MAC address of the outgoing interface as the source MAC, then it checks its ARP cache for the MAC address of the next-hop IP. If the entry exists, it is extracted and used as the destination MAC of the frame. If not, the router sends an ARP broadcast to request the next hop's MAC, obtains it, records it in the cache, encapsulates the frame, and finally sends the frame.
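The three stages above as a small Python model, added here as an example and not taken from the post. The interface MACs, routing table and ARP cache contents are constructed; f0/0 plays the post's gateway (10.1.1.254, MAC BB). It shows why a frame that a poisoned host addresses to a wrong MAC is dropped at step 1, longest-prefix matching at step 2, and the ARP-cache hit or miss at step 3.

```python
import ipaddress
from typing import Dict, List

class Router:
    def __init__(self):
        # Interface MACs are constructed; f0/0 is the gateway interface of the post.
        self.if_mac = {"f0/0": "BB", "f0/1": "B2"}
        # (destination network, next-hop IP or None if directly connected, out interface)
        self.routes = [
            (ipaddress.ip_network("10.1.1.0/24"), None, "f0/0"),
            (ipaddress.ip_network("200.1.1.0/24"), None, "f0/1"),
            (ipaddress.ip_network("200.1.1.0/25"), "200.1.1.2", "f0/1"),  # more specific, via a neighbour
        ]
        self.arp_cache: Dict[str, str] = {"200.1.1.2": "CAFE"}  # ip -> mac, constructed
        self.arp_requests: List[str] = []                         # ARP broadcasts we had to send

    def forward(self, in_if: str, dst_mac: str, src_ip: str, dst_ip: str):
        # Step 1: the frame must carry this interface's MAC, otherwise discard it.
        if dst_mac != self.if_mac[in_if]:
            return ("drop", "destination MAC is not mine")
        # Step 2: routing-table lookup on the destination IP (longest prefix wins).
        target = ipaddress.ip_address(dst_ip)
        matches = [r for r in self.routes if target in r[0]]
        if not matches:
            return ("drop", f"no route; error reported to {src_ip}")
        _net, next_hop, out_if = max(matches, key=lambda r: r[0].prefixlen)
        # Step 3: re-encapsulate: source MAC = outgoing interface, destination MAC
        # = next hop (the final host itself when the network is directly connected).
        hop_ip = next_hop or dst_ip
        hop_mac = self.arp_cache.get(hop_ip)
        if hop_mac is None:
            self.arp_requests.append(hop_ip)        # broadcast a request on out_if; the frame waits
            return ("pending-arp", hop_ip)
        return ("send", {"out_if": out_if, "src_mac": self.if_mac[out_if], "dst_mac": hop_mac})
```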

III. ARP experiment demonstration

Experimental environment: virtual machines winxp-1 (Victim No. 1), win2003-1 (the little bad guy) and win2003-2 (Victim No. 2), all bridged to VMnet2.

Tip: Win2003 always locks the screen automatically after a while. To remove this: right-click a blank area of the desktop, open Screen Saver, and set it to "None".

Victim No. 1 MAC: 00-0C-29-7F-53-E6
Little bad guy MAC: 00-0C-29-F6-26-4C
Victim No. 2 MAC: 00-0C-29-79-47-F5

Dynamic entries in the cache table are deleted by themselves after a while.

ARP attack experiment:

The little bad guy uses the tool Network Marshal v3.56 (this software is meant for network management).

Open the software.

The so-called scanning is actually pinging hosts one by one; it automatically sends ARP requests and thereby learns the MAC addresses as well.

Purpose of the experiment: make Victim No. 1 and Victim No. 2 unable to communicate.

Right-click the IP address of Victim No. 1 and choose manual management.

After "Prohibit TCP/IP connection with all hosts" is checked, go to the victim's computer and ping 10.1.1.3:
the MAC address of 10.1.1.3 has become the fabricated MAC address.


ARP spoofing experiment:

Find another tool, cain.exe.

Click the network-card icon; below it there is a "Sniffer" tab, which captures packets. Click Sniff (at this point we do not yet know which hosts the company has, so scan them first),
then right-click and choose Scan MAC Addresses.

At this point the traffic between Victim No. 1 and Victim No. 2 does not pass through the little villain, so ARP spoofing is required.

Now Victim No. 1 thinks the little villain is Victim No. 2, and Victim No. 2 thinks the little villain is Victim No. 1.

Victims 1 and 2 can still communicate directly, but they do not notice that there is an intermediary. This is being deceived.

View the cache table:

 00-0C-29-F6-26-4C is the MAC of the little bad guy

If the chats between Victim No. 1 and Victim No. 2 carry passwords, this is extremely insecure (Telnet sends passwords in plaintext).
Victim No. 2 turns on Telnet on his computer, and Victim No. 1 then remotely controls Victim No. 2 through it;
the villain turns on sniffing (cain.exe comes with its own packet capture).


If SSH can be used in the company, use SSH instead.

Likewise, do not allow anonymous access on FTP.


IV. ARP attack defense

Do experiments only in a virtual machine, never in a real environment.

1. Static ARP binding

Manually write the gateway's IP and the gateway's real MAC address into my computer, which creates a static entry in my ARP cache table.
From then on I no longer learn that binding dynamically (a static entry has higher priority than a dynamic one), and I no longer need to ask who the gateway is.
Binding the gateway on my computer protects only my side. To completely prevent the bad guy from attacking the traffic between me and the gateway, I must also write my IP and my real MAC into the router.

Static binding is therefore manual, two-way binding. Because the cache is not kept across reboots, put the commands in a batch file.

On the Windows client:
arp -s 10.1.1.254 00-01-2c-a0-e1-09 (-s means a static binding)
arp -a (view the ARP cache table)

Static binding on the router:
Router(config)#arp 10.0.0.95 0013.240a.b219 arpa f0/0
Advantages: simple configuration
Disadvantages: heavy workload and maintenance
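A check that fits the static-binding approach, written as an added example (not code from the post): parse a Windows `arp -a` listing, verify that the gateway entry matches the bound MAC and is static, and flag one MAC answering for several IPs, which is the signature seen in the spoofing experiment above. The listing is constructed sample output reusing the post's MAC addresses; the expected-binding table is an assumption the administrator supplies.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of "arp -a" output (not captured from the post).
SAMPLE_ARP_A = """\
Interface: 10.1.1.1 --- 0x2
  Internet Address      Physical Address      Type
  10.1.1.3              00-0c-29-f6-26-4c     dynamic
  10.1.1.4              00-0c-29-f6-26-4c     dynamic
  10.1.1.254            00-01-2c-a0-e1-09     static
  10.1.1.255            ff-ff-ff-ff-ff-ff     static
"""

ENTRY = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+)\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(\w+)", re.I)

def parse_arp_a(text: str) -> List[Tuple[str, str, str]]:
    """Return (ip, mac, type) for each cache entry; MACs normalised to lower case."""
    return [(m[1], m[2].lower(), m[3].lower())
            for m in (ENTRY.match(line) for line in text.splitlines()) if m]

def check_bindings(entries: List[Tuple[str, str, str]], expected: Dict[str, str]) -> List[str]:
    """expected: ip -> MAC the administrator bound with arp -s (assumed input)."""
    findings = []
    for ip, mac, typ in entries:
        want = expected.get(ip)
        if want and mac != want.lower():
            findings.append(f"{ip} expected {want.lower()} but cache has {mac}")
        elif want and typ != "static":
            findings.append(f"{ip} should be a static entry, found {typ}")
    # One MAC answering for several unicast IPs is the man-in-the-middle signature.
    by_mac: Dict[str, List[str]] = {}
    for ip, mac, _ in entries:
        if mac != "ff-ff-ff-ff-ff-ff":
            by_mac.setdefault(mac, []).append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            findings.append(f"{mac} answers for {', '.join(ips)}")
    return findings
```

On the sample, the gateway binding passes but the little bad guy's MAC is reported for both 10.1.1.3 and 10.1.1.4.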

2. ARP firewall

Automatically binds static ARP entries (active defense).
Advantages: simple and easy to use
Disadvantages: when many hosts enable it, it increases the load on the network

Generally not allowed in large companies.

3. Hardware-level ARP defense (the ultimate method)

The switch supports dynamic ARP binding on each "port" (dynamic binding must work together with a DHCP server)
or static ARP binding.

For example:
conf t
ip dhcp snooping (tells the switch to enable the DHCP snooping function) [provided that this switch supports it]
int range f0/1-48 (enter a group of interfaces)
switch(config-if-range)#


Origin blog.csdn.net/Waffle666/article/details/113483478