ARP

De Guifi.net - Wiki Català

Revisió de 03:39, 4 des 2013; Al (Discussió | contribucions)

(dif) ←Versió més antiga | Versió actual (dif) | Versió més nova→ (dif)
25px Aquesta wiki forma part dels materials d'un curs
Curs:
Fitxers: XarxesEthernetProtocolARP.pdf
Repositori SVN: https://svn.projectes.lafarga.cat/svn/iceupc/LinuxAdministracioAvan%c3%a7ada/moodle/sessio2/transparencies/
Usuari: anonymous
Paraula de pas: sense paraula de pas
Autors: Sergi Tur Badenas

ARP

Consulteu arp de l'article Xarxes Linux.

Comanda arp

Permet gestionar la cache ARP

Per consultar la cache:

$ arp -n
Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.1.1              ether   00:15:E9:CA:34:A5   C                     eth0
192.168.1.3              ether   00:18:F3:FB:FC:4A   C                     eth0
192.168.1.6              ether   00:0E:35:29:2A:48   C                     eth0

Eliminar entrades de la cache:

$ sudo arp -d 192.168.1.1
$ sudo arp -d 192.168.1.3
$ sudo arp -d 192.168.1.6

Consulteu la cache amb:

$ arp -n

I veurem que la hem buidat...

Si fem un ping a les m

$ ping 192.168.1.1
$ ping 192.168.1.3
$ ping 192.168.1.6

Afegir una entrada estàtica a la taula ARP

Es poden afegir entrades estàtiques amb:

$ sudo arp -s IP MAC

Per exemple:

$ sudo arp -s 87.111.152.1 00:14:1c:32:af:1a

Podeu consultar la entrada amb:

Abans:

$ arp -n
Address                  HWtype  HWaddress           Flags Mask            Iface
87.111.152.1             ether   00:14:1c:32:af:1a   CM                    eth0

Després:

$ arp -n
Address                  HWtype  HWaddress           Flags Mask            Iface
87.111.152.1             ether   00:14:1c:32:af:1a   CM                    eth0

Observeu que la M indica entrada estàtica.

La entrada es pot afegir de forma temporal amb:

$ sudo arp -s 87.111.152.1 00:14:1c:32:af:1a temp

Podeu eliminar la entrada amb:

$ sudo arp -d 87.111.152.1

Es pot automatitzar l'acció d'afegir el vostre gateway com a entrada estàtica amb:

$ arp -s $(route -n | awk '/^0.0.0.0/ {print $2}')  $(arp -n | grep `route -n | awk '/^0.0.0.0/ {print $2}'`| awk '{print $3}')

Es una bona forma d'intentar evitar els atacs de ARP Poisoning d'eines com dsniff o Ettercap.

Connectar a un dispositiu utilitzant la seva MAC

Independentment de que sapigueu o no la IP d'un dispositiu, si sabeu la seva MAC podeu connectar-vos-hi afegint una entrada estàtica a la taula ARP. Busqueu una IP lliure del vostre rang de xarxa i li "assigneu" al dispositiu amb MAC X (a l'exemple 00:14:1c:32:af:1a)

$ sudo arp -s 192.168.1.123 00:14:1c:32:af:1a

Ara ja podeu fer ping:

$ ping 192.168.1.123

En Windows seria:

ARP -s 10.1.2.3 08-00-09-12-34-56
ping 10.1.2.3

Capturar paquets arp amb tcpdump

Executem:

$ sudo tcpdump arp 
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
09:54:40.061879 arp who-has 192.168.1.1 tell 192.168.1.2
09:54:40.062244 arp reply 192.168.1.1 is-at 00:15:e9:ca:34:a5
09:54:58.802487 arp who-has 192.168.1.3 tell 192.168.1.2
09:54:58.802576 arp reply 192.168.1.3 is-at 00:18:f3:fb:fc:4a
09:55:41.012054 arp who-has 192.168.1.6 tell 192.168.1.2
09:55:41.013671 arp reply 192.168.1.6 is-at 00:0e:35:29:2a:48

Comanda arpping

Consulteu arping de l'article Xarxes Linux.

Provocant arp-replys

Consulteu:

Xarxes_Linux#Provocar_arp-replys

Provocant arp-requests

Consulteu:

Xarxes_Linux#Provocar_arp-requests

RARP

Consulteu rarp de l'article Xarxes Linux.

Comanda ip (iproute2)

Es pot consultar la taula ARP amb:

$ sudo ip neigh show
87.111.152.1 dev eth0 lladdr 00:14:1c:32:af:1a REACHABLE
$ sudo arp -n
Address                  HWtype  HWaddress           Flags Mask            Iface
87.111.152.1             ether   00:14:1c:32:af:1a   C                     eth0 

Recursos:

$ sudo tcpdump -ennqti eth0 \( arp or icmp \)

Vegeu també:

Estats ARP

Taula:

Hi ha un timeout. El podeu observar amb:

$ sudo ip neighbor show 192.168.99.7
192.168.99.7 dev eth0 lladdr 00:80:c8:e8:1e:fc nud reachable     
$ sudo ip neighbor show 192.168.99.7
192.168.99.7 dev eth0 lladdr 00:80:c8:e8:1e:fc nud stale
$ sudo ip neighbor show 192.168.99.7
192.168.99.7 dev eth0 lladdr 00:80:c8:e8:1e:fc nud delay        
$ sudo ip neighbor show 192.168.99.7
192.168.99.7 dev eth0 lladdr 00:80:c8e8:1e:fc nud probe         
$ sudo ip neighbor show 192.168.99.7
192.168.99.7 dev eth0  nud incomplete                       

Recursos:

Monitoritzar els canvis d'estat de la taula ARP

Vegeu:

Xarxes_Linux#ip_monitor

Problema ARP flux

Si una màquina té dues o més targetes connectades al mateix segment de xarxa, pot ocorrer el problema conegut com ARP Flux.

Consulteu:

ARP Proxy

This variable sets Proxy ARP on or off in kernel for specific devices. Proxy ARP is a system of automatically   
answering ARP queries for other hosts, that may for example be located on other network segments that we have 
contact with. This may be necessary under certain circumstances, where other routers do not know how to reach 
specific networks or hosts. The Linux firewall/router may then answer the ARP queries on behalf of the hosts that we 
want to Proxy ARP for.

Proxy ARP is turned on for the network segment that we want to answer ARP queries for. We will then answer all ARP 
queries for that specific network or host, hence receiving the packets destined for the specific host, and we can 
then send them onwards to the real host.

The proxy_arp variables takes a boolean value. Per default, it is turned off, and may be turned on (1) or off (2)  
at will. If you want more information about Proxy ARP,

ARP Flushing

Paràmetres sysctl

arp-filter

ARP-SPOOFING

Consulteu l'article ARP-SPOOFING.

Ettercap

Consulteu Ettercap.

Arp-tools

$ sudo apt-get install build-essential gawk libnet1-dev
$ wget http://www.packetfactory.net/libnet/dist/libnet.tar.gz
$ tar xvzf libnet.tar.gz 
$ cd libnet/
$ ./configure 
$ make
$ make install
$ sudo make install


Tenim les eines:

  • ARP Discover (arpdiscover), an Ethernet scanner based on ARP protocol;
  • ARP Flood (arpflood), an ARP request flooder;
  • ARP Poison (arppoison), for poisoning switches’ MAC address tables.

Un exemple:

$ sudo arpdiscover 192.168.12.1 25
using inteface eth0
our hw address is 00:30:05:EB:A3:8D
our ip address is 192.168.12.20
bpf filter is 'ether dst 00:30:05:EB:A3:8D && arp'
sniffer fork()ed into background with pid = 21448
request for hw address of ip address 192.168.12.1, 42 bytes to send, 42 bytes sent
request for hw address of ip address 192.168.12.2, 42 bytes to send, 42 bytes sent
received arp packet 60 bytes, hw address is 00:0D:88:CC:B4:67, ip address is 192.168.12.1
request for hw address of ip address 192.168.12.3, 42 bytes to send, 42 bytes sent
request for hw address of ip address 192.168.12.4, 42 bytes to send, 42 bytes sent
request for hw address of ip address 192.168.12.5, 42 bytes to send, 42 bytes sent
request for hw address of ip address 192.168.12.6, 42 bytes to send, 42 bytes sent
request for hw address of ip address 192.168.12.7, 42 bytes to send, 42 bytes sent
request for hw address of ip address 192.168.12.8, 42 bytes to send, 42 bytes sent
request for hw address of ip address 192.168.12.9, 42 bytes to send, 42 bytes sent
request for hw address of ip address 192.168.12.10, 42 bytes to send, 42 bytes sent
request for hw address of ip address 192.168.12.11, 42 bytes to send, 42 bytes sent
received arp packet 60 bytes, hw address is 00:30:05:EB:39:9D, ip address is 192.168.12.11
request for hw address of ip address 192.168.12.12, 42 bytes to send, 42 bytes sent
request for hw address of ip address 192.168.12.13, 42 bytes to send, 42 bytes sent
request for hw address of ip address 192.168.12.14, 42 bytes to send, 42 bytes sent
request for hw address of ip address 192.168.12.15, 42 bytes to send, 42 bytes sent
request for hw address of ip address 192.168.12.16, 42 bytes to send, 42 bytes sent
request for hw address of ip address 192.168.12.17, 42 bytes to send, 42 bytes sent
received arp packet 60 bytes, hw address is 00:30:05:EB:3B:52, ip address is 192.168.12.16
request for hw address of ip address 192.168.12.18, 42 bytes to send, 42 bytes sent
request for hw address of ip address 192.168.12.19, 42 bytes to send, 42 bytes sent
request for hw address of ip address 192.168.12.20, 42 bytes to send, 42 bytes sent
request for hw address of ip address 192.168.12.21, 42 bytes to send, 42 bytes sent
request for hw address of ip address 192.168.12.22, 42 bytes to send, 42 bytes sent
request for hw address of ip address 192.168.12.23, 42 bytes to send, 42 bytes sent
request for hw address of ip address 192.168.12.24, 42 bytes to send, 42 bytes sent
request for hw address of ip address 192.168.12.25, 42 bytes to send, 42 bytes sent
waiting for sniffer terminate
received arp packet 60 bytes, hw address is 00:19:06:FF:5B:C0, ip address is 192.168.12.2

Recursos:

arp-scan

$ sudo arp-scan --interface=eth1 --localnet
Interface: eth1, datalink type: EN10MB (Ethernet)
Starting arp-scan 1.6 with 256 hosts (http://www.nta-monitor.com/tools/arp-scan/)
192.168.1.1     00:15:e9:ca:34:a5       D-Link Corporation
192.168.1.2     00:30:1b:5e:09:a9       SHUTTLE, INC.
192.168.1.3     00:08:54:4b:70:98       Netronix, Inc.

3 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.6: 256 hosts scanned in 1.532 seconds (167.10 hosts/sec).  3 responded


$ sudo  arp-scan --interface=eth1 192.168.0.0/16
Interface: eth1, datalink type: EN10MB (Ethernet)
Starting arp-scan 1.6 with 65536 hosts (http://www.nta-monitor.com/tools/arp-scan/)
192.168.1.1     00:15:e9:ca:34:a5       D-Link Corporation
192.168.1.2     00:30:1b:5e:09:a9       SHUTTLE, INC.
192.168.1.3     00:08:54:4b:70:98       Netronix, Inc.
$ sudo arp-scan --interface=eth0 --arpspa=0.0.0.0 0.0.0.0/3


arpscan

nemesis

$ sudo apt-get install nemesis
$ dpkg -L nemesis
/.
/usr
/usr/sbin
/usr/share
/usr/share/man
/usr/share/man/man1
/usr/share/man/man1/nemesis-dns.1.gz
/usr/share/man/man1/nemesis-icmp.1.gz
/usr/share/man/man1/nemesis-igmp.1.gz
/usr/share/man/man1/nemesis-ip.1.gz
/usr/share/man/man1/nemesis-ospf.1.gz
/usr/share/man/man1/nemesis-rip.1.gz
/usr/share/man/man1/nemesis-tcp.1.gz
/usr/share/man/man1/nemesis-udp.1.gz
/usr/share/man/man1/nemesis.1.gz
/usr/share/man/man1/nemesis-arp.1.gz
/usr/share/man/man1/nemesis-ethernet.1.gz
/usr/share/doc
/usr/share/doc/nemesis
/usr/share/doc/nemesis/README
/usr/share/doc/nemesis/copyright
/usr/share/doc/nemesis/changelog.gz
/usr/share/doc/nemesis/changelog.Debian.gz
/usr/bin
/usr/bin/nemesis
$ sudo nemesis arp help

ARP/RARP Packet Injection -=- The NEMESIS Project Version 1.4beta3 (Build 22) 
 
 ARP/RARP Usage:
   arp [-v (verbose)] [options]
 
 ARP/RARP Options: 
   -S <Source IP address>
   -D <Destination IP address>
   -h <Sender MAC address within ARP frame>
   -m <Target MAC address within ARP frame>
   -s <Solaris style ARP requests with target hardware addess set to broadcast>
   -r ({ARP,RARP} REPLY enable)
   -R (RARP enable)
   -P <Payload file> 
 
 Data Link Options: 
   -d <Ethernet device name>
   -H <Source MAC address>
   -M <Destination MAC address>

You must define a Source and Destination IP address.
$ sudo nemesis arp -v -d ne0 -H 0:1:2:3:4:5 -S 10.11.30.5 -D 10.10.15.1
$ sudo tcpdump -i eth0 -e arp and host 192.168.1.50 > pcap &
$ sudo nemesis arp -S 192.168.1.50 -D 192.168.1.1 -M 01:01:01:01:01:01 
$ sudo nemesis arp \
-S 192.168.1.50 \      # Your IP
-D 192.168.1.1 \       # Suspected Promiscuous IP
-M 01:01:01:01:01:01   # Non-existent MAC (on your network at least)
$ sudo cat pcap
00:50:2c:05:6b:a9 > 01:01:01:01:01:01, arp who-has 192.168.1.1 tell 192.168.1.50
00:0c:41:e9:2b:9d > 00:50:2c:05:6b:a9, arp reply 192.168.1.1 is-at 00:0c:41:e9:2b:9d
http://www.google.es/url?sa=t&ct=res&cd=1&url=http%3A%2F%2Fforo.elhacker.net%2Fredes%2Finyector_de_paquetes_nemesis-t33197.0.html&ei=oopVSJ7lJ4200QSOhryEAw&usg=AFQjCNG76zInh463E4qnJU5vRc_oUBFClA&sig2=8SZmqxdZC1nAILxr41nV-g

Recursos:

ARP a Windows

Consulteu:

http://acacha.org/mediawiki/index.php/Nanostation#Problemes_amb_la_cache_ARP_de_Windows_i_la_IP_192.168.1.1

sysctl

TODO:

$ cat /proc/sys/net/ipv4/conf/all/arp_accept 
0
$ cat /proc/sys/net/ipv4/conf/all/arp_announce 
0
$ cat /proc/sys/net/ipv4/conf/all/arp_filter 
0
$ cat /proc/sys/net/ipv4/conf/all/arp_ignore 
0
$ cat /proc/sys/net/ipv4/conf/all/arp_notify
0

Recursos

Eines de l'usuari