ARP Spoofing (ARP Poisoning):
- 概述:A Man in the Middle attack that allows attackers to intercept communication between network devices
- 原理:
- Attacker determine the IP addresses of at least two devices (let’s say a workstation and a router)
- Attacker uses a spoofing tool (such as Arpspoof or Driftnet) to send out forged ARP responses, which advertise that the MAC address for the workstation and the router is the attacker’s MAC address
- Then the router and workstation update their ARP cache entries, and future will communicate to the attacker’s machine, instead of to each other
- Detect an ARP Cache Poisoning Attack
C:\Users\0701> arp -a
Internet Address Physical Address
192.168.5.1 00-14-22-01-23-45
192.168.5.201 40-d4-48-cr-55-b8
192.168.5.202 00-14-22-01-23-45
如上述所示,若两个不同的IP地址有相同的MAC地址,就说明一个ARP attack发生了。
对于大型网络来说,要get到一些attack正在carry out的通信信息,可以使用Wireshark
- ARP Spoofing Prevention
- 使用VPN:makes all communication encrypted, and worthless for an ARP spoofing attacker
- 使用static ARP:define a static ARP entry for an IP address, and prevent devices from listening ARP responses for that address
- 使用packet filtering:identify poisoned ARP packets by seeing that they contain conflicting source information, and stop them before they reach devices on your network
- Run a spoofing attack:通过自己搞一个spoofing attack,来查看现有的defenses是否working