Archive for October, 2011
ARP, MAC, Poisoning, & WiFi
In this paper we will cover the basics of the Address Resolution Protocol (ARP), Media Access Control (MAC) addresses, wireless networking (WiFi), and layer 2 communications. The goal is to explain how a “man in the middle” attack works at this layer. The common names for it are ARP poisoning, ARP cache poisoning, MAC spoofing, or simply spoofing. Before we can get into how the poisoning works we need to learn how the OSI model works and what happens at layer 2 of the OSI model. To keep this basic we will only scratch the surface of the OSI model, enough to see how the protocols at different layers fit together and talk to each other.
The OSI (Open Systems Interconnection) model was published by the International Organization for Standardization (ISO) in 1984 in an attempt to standardize the way networking should work. It is a theoretical layered model in which networking is divided into several layers, each of which defines specific functions and features. The model is only a general guideline for developing usable network interfaces and protocols, and in practice it can be difficult to draw a clean line between layers because many vendors and protocol suites (TCP/IP among them) do not follow the model exactly. Despite this, the OSI model has earned the honor of being “the model” against which network protocols are described.
The OSI Model
The OSI model has 7 layers (Application, Presentation, Session, Transport, Network, Data Link, and Physical). For our purposes we will review layer 2, the data link layer, which defines the format of data on the local network segment. The layer 2 unit of data is called a frame; the layer 3 unit it carries inside is the packet. An Ethernet frame consists of a header with the source and destination MAC addresses, the payload, and a trailing checksum (the frame check sequence) that the receiver uses to discard corrupted frames. The data link layer handles the physical and logical connections to the frame’s destination through a network interface. A host connected to an Ethernet network has an Ethernet interface (NIC) to handle connections to the outside world, and a loopback interface to send packets to itself.
Ethernet addressing
Ethernet addressing uses a 48-bit address called the Ethernet address or Media Access Control (MAC) address. MAC addresses are usually written as six colon-separated pairs of hex digits, e.g., 8A:0B:20:11:AC:85. The address is assigned to a particular Ethernet device by its manufacturer and is meant to be globally unique, but nearly every operating system lets the driver override it in software, which is exactly what makes the spoofing described later possible. The data link layer’s protocol-specific header specifies the MAC address of the frame’s source and destination. When a frame is sent to all hosts on the segment (broadcast), the special destination MAC address ff:ff:ff:ff:ff:ff is used. With this concept covered we need to explain what ARP is and how it corresponds to the MAC address.
The Address Resolution Protocol is used to dynamically discover the mapping between a layer 3 (protocol) address and a layer 2 (hardware) address. A host that wants to send to an IP address on its own subnet broadcasts an ARP request (“who has 192.168.1.1?”) and the owner of that address answers with an ARP reply carrying its MAC address. Each host keeps the answers it has learned in a mapping database between link-local layer 2 addresses and layer 3 addresses; in the common case this table maps IP addresses to Ethernet addresses. This database is called the ARP table or ARP cache, and it lives on every host and router, not on the switch. A switch (layer 2 device) keeps a separate MAC address table that records which port each MAC address was last seen on, and it forwards frames by destination MAC alone without ever looking at IP addresses. The attack below works because hosts trust whatever is in their ARP cache, and many ARP implementations will update an existing entry on the strength of any reply they receive, whether or not they asked the question.
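To make the request/reply exchange concrete, here is an added example (not code from the original post) that builds and decodes Ethernet/IPv4 ARP messages with the real wire layout: a 14-byte Ethernet header followed by the 28-byte ARP body. The addresses are constructed for the example; a request goes to the broadcast MAC, and the reply is unicast back to the asker.

```python
import struct

# Constructed example constants; the addresses used below are not from the original post.
ETH_P_ARP = 0x0806            # EtherType that marks an ARP payload
BROADCAST = "ff:ff:ff:ff:ff:ff"
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_to_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def bytes_to_mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_to_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def bytes_to_ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip, dst_mac=None) -> bytes:
    """Return an Ethernet frame (without the trailing FCS) carrying one ARP message.

    The ARP header fields are fixed for Ethernet/IPv4: hardware type 1,
    protocol type 0x0800, 6-byte hardware addresses, 4-byte protocol addresses.
    Requests are broadcast; replies go straight to the target's MAC.
    """
    if dst_mac is None:
        dst_mac = BROADCAST if op == ARP_REQUEST else target_mac
    eth = mac_to_bytes(dst_mac) + mac_to_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    arp += mac_to_bytes(sender_mac) + ip_to_bytes(sender_ip)
    arp += mac_to_bytes(target_mac) + ip_to_bytes(target_ip)
    return eth + arp


def parse_arp(frame: bytes) -> dict:
    """Decode an Ethernet frame carrying ARP; raise ValueError for anything else."""
    if len(frame) < 14 + 28:
        raise ValueError("frame too short for Ethernet + ARP")
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETH_P_ARP:
        raise ValueError(f"not ARP: ethertype 0x{ethertype:04x}")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    body = frame[22:42]
    return {
        "eth_dst": bytes_to_mac(dst),
        "eth_src": bytes_to_mac(src),
        "op": {ARP_REQUEST: "request", ARP_REPLY: "reply"}.get(op, op),
        "sender_mac": bytes_to_mac(body[0:6]),
        "sender_ip": bytes_to_ip(body[6:10]),
        "target_mac": bytes_to_mac(body[10:16]),
        "target_ip": bytes_to_ip(body[16:20]),
    }


def resolve_exchange():
    """Model one normal exchange: a host asks who has the gateway IP, the gateway answers."""
    host_mac, host_ip = "8a:0b:20:11:ac:85", "192.168.1.10"
    gw_mac, gw_ip = "00:11:22:33:44:01", "192.168.1.1"
    # Target MAC in a request is unknown, so it is sent as all zeros.
    request = build_arp(ARP_REQUEST, host_mac, host_ip, "00:00:00:00:00:00", gw_ip)
    reply = build_arp(ARP_REPLY, gw_mac, gw_ip, host_mac, host_ip)
    return parse_arp(request), parse_arp(reply)


if __name__ == "__main__":
    for message in resolve_exchange():
        print(message)
```

Putting a frame like this on the wire needs a raw link-layer socket (AF_PACKET on Linux, or a capture library such as libpcap) and root privileges; the example stops at the byte layout so it runs anywhere. Note that nothing in the reply ties it to the request: there is no nonce, no signature, nothing but the claim itself, which is the whole story of the attack in the next section.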
ARP Table
Now that we have explored MAC addresses and ARP tables we need to talk about poisoning. ARP poisoning is also referred to as ARP poison routing (APR), ARP cache poisoning, and ARP spoofing. It is a method of attacking an Ethernet LAN by updating the target computer’s ARP cache with forged ARP request and reply packets, so that the target associates an IP address (typically the gateway’s) with a layer 2 MAC address the attacker controls, i.e., the address of the attacker’s own network card.
The Attack
Because the ARP replies have been forged, the target computer sends frames that were meant for the original destination to the attacker’s computer first, where they can be read before being passed on. A successful ARP poisoning attempt is invisible to the user: the end user never sees it and keeps surfing as normal while the attacker collects data from the session. The data collected can include passwords for e-mail, banking accounts, or other websites, at least where the session is not protected by TLS (and even then the attacker sees which hosts the victim talks to and is in a position to present a forged certificate). This kind of attack is known as a “man in the middle” attack. It basically works like this: the attacker’s PC sends forged ARP replies to the gateway device (router) claiming that each victim IP on the subnet lives at the attacker’s MAC, so the gateway now delivers frames for any of those PCs to the attacker’s PC. At the same time the attacker sends forged replies to the hosts on the subnet claiming that the gateway’s IP lives at the attacker’s MAC, so every host sends its outbound traffic to the attacker. The attacker’s PC forwards the data on to the real gateway, and the gateway’s replies back to the real hosts, so what you end up with is one PC (the attacker) that sees all traffic on the network. If the attack is aimed at one user, the attacker poisons only that victim’s cache entry for the gateway and the gateway’s entry for that victim, and only that host on the subnet is affected. Keep in mind that the gateway (router) is designed to hold large forwarding tables and many sessions at once. Most PCs cannot handle that many sessions, so the attacker’s PC has to be fast enough (depending on the volume of traffic on the subnet) to keep up with the flow of data. In some cases a network can crash or freeze if the attacker’s PC is unable to forward the data effectively, because packets are dropped whenever the attacker’s PC cannot keep up. The most common version of this is an attacker who poisons the caches but forgets to enable IP forwarding on his own machine, which turns the interception into a denial of service for the whole subnet.
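The sequence above, as an added example that is not part of the original post: a small model of three machines, each with its own ARP cache, in which the attacker injects the two forged replies and we then trace where a packet actually goes. The model deliberately accepts unsolicited replies, because that is the behaviour the attack depends on; the names and addresses are constructed, and the `forward` flag stands in for IP forwarding on the attacker’s machine so the dropped-traffic failure mode can be shown too.

```python
from dataclasses import dataclass, field


@dataclass
class Host:
    """One machine on the subnet. The addresses used below are constructed for the example."""
    name: str
    ip: str
    mac: str
    arp_cache: dict = field(default_factory=dict)   # ip -> mac, as this host believes it
    forward: bool = True   # does this machine pass on frames that are not addressed to its IP?

    def on_arp_reply(self, sender_ip: str, sender_mac: str) -> None:
        """Update the cache from any reply, solicited or not.
        This unconditional trust is the weakness ARP poisoning exploits."""
        self.arp_cache[sender_ip] = sender_mac


def poison(attacker: Host, victim: Host, gateway: Host) -> None:
    """The two forged replies at the heart of the attack: the victim is told the
    gateway's IP lives at the attacker's MAC, and the gateway is told the victim's
    IP lives at the attacker's MAC. Neither side asked a question."""
    victim.on_arp_reply(gateway.ip, attacker.mac)
    gateway.on_arp_reply(victim.ip, attacker.mac)


def path(src: Host, dst_ip: str, by_mac: dict, max_hops: int = 4) -> list:
    """Follow one packet from src toward dst_ip, returning the names of the
    machines it visits. Each sender picks its next hop from its own ARP cache,
    which is exactly what a real stack does."""
    route = [src.name]
    cur = src
    for _ in range(max_hops):
        nxt = by_mac[cur.arp_cache[dst_ip]]
        route.append(nxt.name)
        if nxt.ip == dst_ip:            # delivered to the real owner of the address
            return route
        if not nxt.forward:             # intercepted but never passed on
            route.append("DROPPED")
            return route
        cur = nxt                       # the interceptor re-sends using its own (truthful) cache
    route.append("LOOP")
    return route


def simulate(attacker_forwards: bool = True):
    """Return the victim->gateway path before poisoning, then the victim->gateway
    and gateway->victim paths after it."""
    gw = Host("gateway", "192.168.1.1", "00:11:22:33:44:01")
    victim = Host("victim", "192.168.1.10", "8a:0b:20:11:ac:85")
    attacker = Host("attacker", "192.168.1.66", "de:ad:be:ef:00:01", forward=attacker_forwards)
    hosts = (gw, victim, attacker)
    by_mac = {h.mac: h for h in hosts}
    # Start from a healthy state: every cache holds the truthful mappings,
    # as if each host had done a normal request/reply with the others.
    for h in hosts:
        for other in hosts:
            h.on_arp_reply(other.ip, other.mac)
    before = path(victim, gw.ip, by_mac)
    poison(attacker, victim, gw)
    outbound = path(victim, gw.ip, by_mac)   # victim -> internet
    inbound = path(gw, victim.ip, by_mac)    # internet -> victim
    return before, outbound, inbound


if __name__ == "__main__":
    for label, route in zip(("before", "victim->gw", "gw->victim"), simulate()):
        print(f"{label:12s} {' -> '.join(route)}")
    print("no forwarding:", " -> ".join(simulate(attacker_forwards=False)[1]))
```

In real life the forged replies have to be re-sent every few seconds, because cache entries expire and the true owner’s next legitimate reply would otherwise heal the victim; poisoning tools do this in a loop. The `DROPPED` path is the “network freezes” case from the paragraph above: the caches are poisoned but the attacker never forwards, so every host on the subnet loses its gateway.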
Wardriving Anyone?
A lot of people think they are safe because their home network is inside their house. This is not true. You should always have a firewall on any internet connection, but a firewall at the border does nothing against someone who is already on your LAN: an attacker on your subnet can just as easily spoof the ISP’s device (cable modem or DSL router) to get all your outbound data. If you are using wireless, remember to set up encryption, or you have just invited attackers into your home with no firewall to block them. I have driven through many cities with my wireless card on and seen over 60% of all APs open with no security. There is a sport called wardriving which involves driving around in your car with a wireless network card to find wireless networks. Most wardrivers do not get onto the networks they find, but they do document them (normally with GPS). The idea behind wardriving is just to see how many APs you can find, and the sport has caught on big in the US. It would be very easy to get an IP on an open wireless network and then ARP poison the subnet; this can be done in less than 2 minutes on an open access point. Once the attacker is on your subnet they can start receiving all your data, so anything you send without encryption, such as a card number on a checkout page that is not using HTTPS, now belongs to the attacker. There are ways to prevent this kind of attack, but most unmanaged switches are vulnerable to it. To prevent ARP poisoning on the wire you need a managed switch that supports DHCP snooping and Dynamic ARP Inspection, which drops ARP replies that do not match the switch’s record of who holds which IP; most vendors’ equipment can do this, but these switches normally cost more money. On a network without such a switch, a static ARP entry for the gateway on each host stops the most common form of the attack. Keep in mind that there are many free tools on the internet that perform ARP poisoning and spoofing. They are not hard to use, and with more and more home users going wireless the risk of an attacker getting your data keeps rising. The best thing you can do for protection is to understand the basics of your network, and if you want wireless make sure you have WPA2 enabled: WEP, the original Wi-Fi encryption, can be cracked in minutes with free tools and should be treated as an open network.
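Short of a switch with Dynamic ARP Inspection, the practical defence is to watch the ARP replies on the segment and alert on the three things a poisoning attack cannot avoid doing. The added example below (not from the original post) runs that logic over a constructed list of observed replies, the same checks the arpwatch tool performs: the pinned gateway IP claimed by a different MAC, an IP flipping from one MAC to another, and one MAC claiming more IPs than it should. The sample replies and addresses are constructed; in practice the tuples would come from a packet capture.

```python
from collections import defaultdict

# Constructed sample for this example: (seconds, sender IP, sender MAC) taken
# from the ARP replies seen on the segment. The attacker at de:ad:be:ef:00:01
# starts claiming the gateway's and the victim's IPs at t=5.
SAMPLE_REPLIES = [
    (0.0, "192.168.1.1",  "00:11:22:33:44:01"),
    (1.0, "192.168.1.10", "8a:0b:20:11:ac:85"),
    (2.0, "192.168.1.20", "00:aa:bb:cc:dd:20"),
    (5.0, "192.168.1.1",  "de:ad:be:ef:00:01"),   # forged reply aimed at the victim
    (5.1, "192.168.1.10", "de:ad:be:ef:00:01"),   # forged reply aimed at the gateway
    (7.0, "192.168.1.1",  "de:ad:be:ef:00:01"),   # re-sent before the entry expires
]

# Mappings you pin by hand, e.g. the gateway's MAC read off the router's label
# (constructed value for the example).
TRUSTED = {"192.168.1.1": "00:11:22:33:44:01"}


def detect(replies, trusted=TRUSTED, max_ips_per_mac=1):
    """Return a list of (time, kind, subject, detail) alerts.

    kind is one of:
      untrusted-gateway  a pinned IP was claimed by a MAC other than the pinned one
      flip               an IP that was mapped to one MAC is now claimed by another
      multi-ip           one MAC has claimed more IPs than max_ips_per_mac allows
    """
    last_mac = {}                   # ip -> MAC most recently claimed for it
    claimed = defaultdict(set)      # mac -> set of IPs it has claimed
    alerts = []
    for t, ip, mac in replies:
        if ip in trusted and mac != trusted[ip]:
            alerts.append((t, "untrusted-gateway", ip, mac))
        prev = last_mac.get(ip)
        if prev is not None and prev != mac:
            alerts.append((t, "flip", ip, f"{prev} -> {mac}"))
        last_mac[ip] = mac
        if ip not in claimed[mac]:          # only alert when the set of claims grows
            claimed[mac].add(ip)
            if len(claimed[mac]) > max_ips_per_mac:
                alerts.append((t, "multi-ip", mac, sorted(claimed[mac])))
    return alerts


if __name__ == "__main__":
    for t, kind, subject, detail in detect(SAMPLE_REPLIES):
        print(f"t={t:4.1f} {kind:18s} {subject} {detail}")
```

Two tuning notes before you run something like this against a real segment: an IP legitimately flips MACs when a NIC is replaced or a DHCP lease moves to another machine, and a router with several addresses on one interface, or a virtualization host, will legitimately claim more than one IP for a single MAC, so `max_ips_per_mac` and the trusted table need to reflect your own network or the alerts will be noise. The `untrusted-gateway` check is the one with almost no false positives, because the gateway’s MAC should never change without you knowing about it.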
The Good Guys
So far we have covered how attackers use ARP poisoning to intercept users’ data, but there are also legitimate reasons to ARP poison a network. Network engineers often need to sniff the protocols on a network to make sure data is flowing correctly. The problem with sniffing on a switched network is that you only see traffic addressed to your own interface plus broadcast and multicast traffic, because the switch forwards unicast frames only to the port where it learned the destination MAC. On a managed switch the right tool is a mirror (SPAN) port; on an unmanageable switch there is no such option and no other way to see all host traffic. With ARP poisoning you can divert all traffic on the segment through the sniffer’s interface, see all the data, and analyze it for possible issues. Admins and engineers may be troubleshooting speed issues on a subnet and need to see all the traffic. Once you have poisoned the subnet to sniff the traffic you will be able to see if a virus or a bad NIC is causing a broadcast storm on the subnet (the broadcasts themselves you would have seen anyway; what poisoning adds is the unicast conversations that tell you which host is misbehaving). With any tool there are always good and bad uses, and the thing to remember is to be careful what you do online, because anyone could be monitoring you. If you have any questions about poisoning feel free to send me an e-mail at slimjim100@gmail.com.
Windows Or Mac For Web Page Design Software?
Whether you use a Mac or a Windows computer, you are probably interested in doing business online. Most people with a company need a professional website, and even the average citizen might want a personal web page to share photos with family and friends or to publish a blog. Luckily, web page design software makes this easy to do. Here are a few good choices for both Mac and Windows users.
It’s no secret that fewer programs are compatible with Mac computers, but when it comes to web page design software there are several good choices to get you started.
For blog publishing, take a look at Infinite Sushi ecto 2.3.4. It is inexpensive, at only around $18, and lets you do all the writing offline. This program works best in conjunction with a hosted blogging service such as Blogger or WordPress; if you want to host your own blog, it is not as easily compatible with that.
For Mac users who need a more full-featured program, you can build websites in Realmac RapidWeaver 4.1.3. At around $80,
Improvements to Website Building Software
As an investment in the online presence of a business, website builder software is either universally beloved or bemoaned.
Some programs are so fickle that they require endless hours of tinkering just to get the site formatted at least somewhat like the webmaster hoped. In others the styles and features are so basic that, while they are easy to set up, every site built with them looks the same. You have most likely seen examples of both kinds of sites; they over-populate the world wide web.
The release of new versions of the best site-building software has, however, upset this status quo.
A review of these packages shows that the better ones offer near-unlimited customizability along with an ease of use that can be taken as a given.
The option to design your own template is the feature most commonly cited by those comparing website building software, who find that a good setup allows for the integration of a variety of Web 2.0 features without the need to know any HTML whatsoever.
If you have not built a website before, you will probably be unaware of why a site builder’s template design feature is such hot news. But consider that this is a dramatic change in the way website building has been handled over the past few years, and no other feature in a website builder package determines the look and feel of a site quite as much.
The developers of the new versions of site building software invite webmasters and online entrepreneurs to review their upgraded packages; to encourage even more people to see the features and benefits for themselves, the most reputable manufacturers offer at least a 30-day trial period.
This has resulted in record numbers of webmasters, new and experienced, signing up for the new versions, and since skill levels are as varied as the uses the newly built sites fulfill, it is worth seeking out reviews from a variety of sources.
Ranking at the top of the positive press is the fact that the better software lets you design your own template; this is closely followed by greatly enhanced CSS and RSS features, WYSIWYG editing, the versatility and interactivity of a forms wizard, and the overall number of wizards that make website creation headache-free.
Some people like to try before they buy, to make sure software will do what it promises, so look out for those trial period offers.