
Laura Chappell presents


Analyzing and Troubleshooting Address Resolution Protocol (ARP)


A detailed look at ARP operations including gratuitous ARPs, ARP faults, proxy ARP and ARP storms.

Course Contents
- Why ARP?
- Typical ARP functionality
- Reading ARP tables
- ARP packet structures
- Gratuitous ARPs
- Proxy ARP
- ARP scans
- ARP analysis exercise

Why ARP?

Figure: a client issues "ftp CORPFS1". Every field of the outgoing frame is already known except the destination MAC (MAC: Media Access Control):

  Eth: Source MAC: A, Destination MAC: ? (destination MAC of the server), EtherType: 0x0800
  IP:  Protocol: 6 (TCP), Source IP: 10.1.0.1, Destination IP: 10.2.99.99
  TCP: Source Port: 1024, Destination Port: 21

MAC address resolution supplies that missing field. When CORPFS1 sits behind a router, the frame is addressed to the router instead, so the client needs the destination MAC of the router rather than of the server; the IP and TCP fields are unchanged.

Why ARP?

Figure: the steps a client performs for "ftp CORPFS1":

  Step 1: Translate ftp to port number 21
  Step 2: Get host IP address (resolver process)
  Step 3: Local or remote destination?

  Local destination:
    Step L1: Get MAC address of CORPFS1 (ARP), then transmit

  Remote destination:
    Step R1: Lookup route information
    Step R2: Get MAC address of the router (ARP), then transmit

ARP Requests and Responses

Figure: Client A (Hardware: A, Network: 10.1.0.1) and Server 1 (Hardware: D, Network: 10.1.0.99) on the same network.

  1. ARP Request (Broadcast)
     Source hardware address: A
     Source network address: 10.1.0.1
     Target hardware address: 0x000000000000
     Target network address: 10.1.0.99

  2. ARP Reply (Unicast)
     Source hardware address: D
     Source network address: 10.1.0.99
     Target hardware address: A
     Target network address: 10.1.0.1

ARP Frame Format

Figure: ARP packet layout per RFC 826, following the data link header. Each row is 32 bits; the slide marks bit positions 0, 15/16 and 31.

  Bits 0-15                                  Bits 16-31
  Hardware Type                              Protocol Type
  Hardware Address Length | Protocol Address Length | Operation
  Sender Hardware Address
  Sender Hardware Address (continued)        Sender Protocol Address
  Sender Protocol Address (continued)        Target Hardware Address
  Target Hardware Address (continued)
  Target Protocol Address

ARP Request Packet Format and ARP Response Packet Format use the same layout; the Operation field tells them apart.

Ref: arp trace file
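An added example, not part of the course material: building and decoding the request and reply shown above with Python's struct module, using constructed locally administered MAC values in place of the slides' symbolic A and D.

```python
import struct

# RFC 826 layout for the Ethernet/IPv4 case, 28 bytes after the data-link header:
# hardware type, protocol type, hw addr len, proto addr len, operation,
# sender hw addr (6), sender proto addr (4), target hw addr (6), target proto addr (4).
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")
HTYPE_ETHERNET, PTYPE_IPV4 = 1, 0x0800
OP_REQUEST, OP_REPLY = 1, 2
ZERO_MAC = "00-00-00-00-00-00"   # target hardware address in a request (slide 1)

# Constructed MAC values standing in for the slides' symbolic "A" (client) and "D" (server).
MAC_A, MAC_D = "02-00-00-00-00-0a", "02-00-00-00-00-0d"

def mac_bytes(text):
    return bytes.fromhex(text.replace("-", "").replace(":", ""))

def ip_bytes(text):
    return bytes(int(octet) for octet in text.split("."))

def build_arp(oper, sha, spa, tha, tpa):
    """Serialize one ARP packet body (no Ethernet header)."""
    return ARP_HDR.pack(HTYPE_ETHERNET, PTYPE_IPV4, 6, 4, oper,
                        mac_bytes(sha), ip_bytes(spa), mac_bytes(tha), ip_bytes(tpa))

def parse_arp(data):
    """Decode an ARP body; reject lengths and types this Ethernet/IPv4 decoder does not cover."""
    if len(data) < ARP_HDR.size:
        raise ValueError("truncated ARP packet")
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = ARP_HDR.unpack_from(data)
    if (htype, ptype, hlen, plen) != (HTYPE_ETHERNET, PTYPE_IPV4, 6, 4):
        raise ValueError("only Ethernet/IPv4 ARP is decoded here")
    mac = lambda b: "-".join(f"{x:02x}" for x in b)
    ip = lambda b: ".".join(str(x) for x in b)
    return {"op": {OP_REQUEST: "request", OP_REPLY: "reply"}.get(oper, oper),
            "sender_mac": mac(sha), "sender_ip": ip(spa),
            "target_mac": mac(tha), "target_ip": ip(tpa)}

def slide_exchange():
    """Packet 1 (broadcast request from A) and packet 2 (unicast reply from D) from the slides."""
    request = build_arp(OP_REQUEST, MAC_A, "10.1.0.1", ZERO_MAC, "10.1.0.99")
    reply = build_arp(OP_REPLY, MAC_D, "10.1.0.99", MAC_A, "10.1.0.1")
    return parse_arp(request), parse_arp(reply)

if __name__ == "__main__":
    for pkt in slide_exchange():
        print(pkt)
```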

Reading the ARP Tables

Figure: arp -a output on a Windows host:

  Microsoft(R) Windows DOS
  (C)Copyright Microsoft Corp 1990-1999.

  C:\>arp -a

  Interface: 10.234.12.108 on Interface 0x1000003
    Internet Address      Physical Address      Type
    10.234.12.1           00-01-96-3c-3f-54     dynamic
    10.234.13.1           00-01-96-33-35-15     dynamic
    10.234.16.1           00-01-96-bc-af-54     dynamic
    10.234.24.1           00-01-96-ac-ff-24     dynamic
    10.234.12.1           00-01-96-73-7f-1a     dynamic
    10.234.16.1           00-01-96-34-cf-b4     dynamic
    10.234.112.1          00-01-96-36-3d-5c     dynamic
    10.234.90.1           00-01-96-38-ef-d4     dynamic

Adding Static Entries

Figure: a static entry added with arp -s, then the table listed again:

  Microsoft(R) Windows DOS
  (C)Copyright Microsoft Corp 1990-1999.

  C:\>arp -s 10.44.22.1 00-00-1b-ac-44-a1

  C:\>arp -a

  Interface: 10.234.12.108 on Interface 0x1000003
    Internet Address      Physical Address      Type
    10.234.12.1           00-01-96-3c-3f-54     dynamic
    10.234.13.1           00-01-96-33-35-15     dynamic
    10.34.2.1             00-aa-00-62-c6-09     static
    10.44.2.1             00-00-1b-ac-44-a1     static

Gratuitous ARPs

Ref: g-arp trace file

Proxy ARP

Figure: Client A (IP Address: 10.1.0.1, Mask: 255.0.0.0, Hardware Address: A) and Server 1 (IP Address: 10.2.77.33, Mask: 255.0.0.0, Hardware Address: D) are separated by a router with Interface 1 (IP Address: 10.1.0.33, Mask: 255.255.0.0, Hardware Address: B) and Interface 2 (IP Address: 10.2.0.33, Mask: 255.255.0.0, Hardware Address: C). With its 255.0.0.0 mask, Client A treats 10.2.77.33 as local and ARPs for it directly; the router answers on the server's behalf with Interface 1's hardware address.

  1. ARP Request (Broadcast)
     Source hardware address: A
     Source network address: 10.1.0.1
     Target hardware address: 0x000000000000
     Target network address: 10.2.77.33

  2. ARP Reply (Unicast, sent by the router)
     Source hardware address: B
     Source network address: 10.2.77.33
     Target hardware address: A
     Target network address: 10.1.0.1

Proxy ARP Tables

Figure: arp -a output on a host behind a proxying router. Every remote address resolves to the same physical address, the router's:

  Microsoft(R) Windows DOS
  (C)Copyright Microsoft Corp 1990-1999.

  C:\>arp -a

  Interface: 10.234.12.108 on Interface 0x1000003
    Internet Address      Physical Address      Type
    10.234.12.1           00-01-96-3c-3f-54     dynamic
    10.193.13.1           00-01-96-3c-3f-54     dynamic
    10.34.16.1            00-01-96-3c-3f-54     dynamic
    10.23.24.1            00-01-96-3c-3f-54     dynamic
    10.55.12.1            00-01-96-3c-3f-54     dynamic
    10.31.16.1            00-01-96-3c-3f-54     dynamic
    10.31.112.1           00-01-96-3c-3f-54     dynamic
    10.31.90.1            00-01-96-3c-3f-54     dynamic

ARP Fault

Figure: Client A (Network address: 10.1.22.4, Network mask: 255.0.0.0, Hardware address: A) and Server 1 (Network address: 10.2.12.4, Network mask: 255.255.0.0, Hardware address: D) are separated by a router. The client's mask makes it treat the server as local, so it broadcasts an ARP request for the server's own address rather than for the router's; with no proxy ARP on the router, that request goes unanswered.

  ARP Request (Broadcast)
  Source hardware address: A
  Source network address: 10.1.22.4
  Target hardware address: 0x000000000000
  Target network address: 10.2.12.4

Cyber Crime: ARP Scans

ARP Analysis

Open the trace file arp-x.cap/pkt/dmp. Examine the ICMP echo request/reply process between two devices that sit on the same network. Based on the packets in this trace:

  - What are the possible ARP table entries for 10.234.10.77 and 10.234.12.108?
  - What might cause this strange type of communication?


Packet #1: ICMP Echo

Packet 1 implies:
  Client A: Network address: 10.234.10.77, Network mask: 255.255.0.0, Hardware address: 0x00-20-78-e1-59-6e
  Server: Network address: 10.234.12.108, Network mask: 255.255.0.0, Hardware address: 0x00-00-00-00-00-00 (not yet seen in the trace)

Packet #2: ICMP Echo

Packet 2 implies an intermediary device:
  Intermediary Device: Network address: unknown, Network mask: unknown, Hardware address: 0x00-01-96-3c-3f-a8
  Client A: Network address: 10.234.10.77, Network mask: 255.255.0.0, Hardware address: 0x00-20-78-e1-59-6e
  Server: Network address: 10.234.12.108, Network mask: 255.255.0.0, Hardware address: 0x00-00-00-00-00-00 (still not seen)

Packet #3: ICMP Echo Reply, to the intermediary

Packet #4: ICMP Echo Reply, from the intermediary

What we're seeing:
  ICMP Echo: Client A -> Intermediary Device -> Server
  ICMP Echo Reply: Server -> Intermediary Device -> Client A

  Client A: Network address: 10.234.10.77, Network mask: 255.255.0.0, Hardware address: 0x00-20-78-e1-59-6e
  Intermediary Device: Network address: unknown, Network mask: unknown, Hardware address: 0x00-01-96-3c-3f-a8
  Server: Network address: 10.234.12.108, Network mask: 255.255.0.0, Hardware address: 0x00-d0-59-aa-af-80

ARP Tables

  Intermediary Device
    Internet Address      Physical Address
    10.234.10.77          0x00-20-78-e1-59-6e
    10.234.12.108         0x00-01-96-3c-3f-a8

  Client A (Network address: 10.234.10.77)
    Internet Address      Physical Address
    10.234.12.108         0x00-01-96-3c-3f-a8

  Server (Network address: 10.234.12.108)
    Internet Address      Physical Address
    10.234.10.77          0x00-01-96-3c-3f-a8

What Could Cause This?

Two explanations fit the tables above, in which both Client A and the server resolve each other to the intermediary's hardware address 0x00-01-96-3c-3f-a8:

  - A Man-in-the-Middle (MiM) attack: the intermediary device has inserted itself into the ARP tables of both hosts.
  - Subnet masks that are too long (255.255.255.0): with that mask, 10.234.10.77 and 10.234.12.108 appear to be on different subnets, so each host sends through its router, which is then the intermediary.

  Intermediary Device
    Internet Address      Physical Address
    10.234.10.77          0x00-20-78-e1-59-6e
    10.234.12.108         0x00-01-96-3c-3f-a8

  Client A (Network address: 10.234.10.77)
    Internet Address      Physical Address
    10.234.12.108         0x00-01-96-3c-3f-a8

  Server (Network address: 10.234.12.108)
    Internet Address      Physical Address
    10.234.10.77          0x00-01-96-3c-3f-a8
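Added example, not from the course: a checker that parses arp -a style entries and applies the two readings above, flagging one MAC that answers for several on-subnet IPs or contradicts a known mapping (the intermediary case) while reporting one MAC behind many off-subnet IPs as proxy ARP (the Proxy ARP Tables slide). The merged table and the known-good mapping are constructed from the exercise's figures; the 10.234.0.0/16 and 10.234.12.0/24 subnets are assumptions.

```python
import ipaddress
from collections import defaultdict

def parse_arp_table(text):
    """Parse lines of arp -a output (Internet Address  Physical Address  Type) into (ip, mac)."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0].count(".") == 3 and "-" in parts[1]:
            mac = parts[1].lower()
            rows.append((parts[0], mac[2:] if mac.startswith("0x") else mac))
    return rows

def find_anomalies(rows, local_net, known=None):
    """Return {"suspicious": [...], "proxy_like": [...]}.
    One MAC answering for several IPs INSIDE local_net is a local host speaking for others
    (the intermediary in the exercise); the same MAC behind off-subnet IPs is what a
    proxy-ARP router legitimately produces. Entries contradicting a known IP->MAC map
    (from a baseline capture or inventory, an assumption here) are also flagged."""
    net = ipaddress.IPv4Network(local_net)
    by_mac = defaultdict(list)
    for ip, mac in rows:
        by_mac[mac].append(ip)
    result = {"suspicious": [], "proxy_like": []}
    for mac, ips in by_mac.items():
        inside = [ip for ip in ips if ipaddress.IPv4Address(ip) in net]
        outside = [ip for ip in ips if ip not in inside]
        if len(inside) > 1:
            result["suspicious"].append(f"{mac} answers for {len(inside)} local IPs: {inside}")
        if outside:
            result["proxy_like"].append(f"{mac} answers for off-subnet IPs: {outside}")
    for ip, mac in rows:
        if known and ip in known and known[ip] != mac:
            result["suspicious"].append(f"{ip} expected {known[ip]} but table has {mac}")
    return result

# Constructed from the exercise: Client A's and the server's entries merged into one table,
# plus the real hardware addresses seen in the trace as the known-good mapping.
EXERCISE_TABLE = """\
Internet Address      Physical Address      Type
10.234.12.108         0x00-01-96-3c-3f-a8   dynamic
10.234.10.77          0x00-01-96-3c-3f-a8   dynamic
"""
KNOWN = {"10.234.10.77": "00-20-78-e1-59-6e", "10.234.12.108": "00-d0-59-aa-af-80"}

if __name__ == "__main__":
    for kind, items in find_anomalies(parse_arp_table(EXERCISE_TABLE), "10.234.0.0/16", KNOWN).items():
        print(kind, items)
```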

Conclusion

- ARP is fundamental for communicating with local devices
- ARP structures are interesting, with no IP header in the packets
- Proxy ARP allows devices to cross routers even though they believe they are talking to local devices
- Gratuitous ARP helps resolve duplicate IP address problems
- ARP scans may precede an attack
- ARP tables can be altered manually

Conclusion

This is Laura Chappell. This has been Analyzing and Troubleshooting ARP (Address Resolution Protocol).