Course: DissenyXarxesLinux, LinuxAdministracioAvancada, LPIC1_102
Files: XarxesEthernetProtocolARP.pdf
SVN repository: https://svn.projectes.lafarga.cat/svn/iceupc/LinuxAdministracioAvan%c3%a7ada/moodle/sessio2/transparencies/
User: anonymous
Password: none
Authors: Sergi Tur Badenas
IMPORTANT: IPv6 networks do not use ARP; address resolution there is done by the Neighbor Discovery protocol (ND).

The ARP protocol (Address Resolution Protocol) translates IP addresses into MAC addresses at the link layer of a LAN. ARP works by sending a broadcast request to the whole segment asking which node holds the requested IP; the node that owns it answers with its MAC. Once the MAC is obtained it is stored in the ARP table (ARP cache), so later packets to that IP do not need a new resolution. ARP has no authentication: any host on the segment can answer a request, and the reply is trusted on its face. That is the weakness ARP spoofing/poisoning exploits.
You can inspect this table with the arp command (HWaddress is the MAC; in the Flags column C marks a complete entry and M a permanent, manually added one):

$ arp
Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.1.36             ether   00:0C:29:D3:47:00   C                     eth0
192.168.1.34             ether   00:0E:35:29:2A:48   C                     eth0
192.168.1.1              ether   00:30:DA:89:FC:8A   C                     eth0

To add an entry to the ARP table:

$ sudo arp -s 192.168.1.35 00:50:04:62:F7:23

We can check it with:

$ arp
Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.1.34             ether   00:0E:35:29:2A:48   C                     eth0
192.168.1.36             ether   00:0C:29:D3:47:00   C                     eth0
192.168.1.1              ether   00:30:DA:89:FC:8A   C                     eth0
192.168.1.35             ether   00:50:04:62:F7:23   CM                    eth0

You can obtain the MACs of every host on the network and fill the ARP table with the nmap command. Assuming the class C network 192.168.1.0/24, run:

$ sudo nmap 192.168.1.1-255

When run as root on a directly connected Ethernet segment, nmap discovers hosts with ARP requests, so a host-discovery-only scan (nmap -sn 192.168.1.0/24) is enough to populate the cache and is much quieter than a port scan. Once the command finishes, look at the ARP table again:

$ arp

NOTE: as you can see, this command together with nmap is a very useful way to get the MACs of all the PCs on a network.
If we look at the ARP table of a machine (IP 192.168.0.7) on the class C local network 192.168.0.0/24:

$ arp
Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.0.5              ether   00:30:05:4C:90:1C   C                     eth0
192.168.0.1              ether   00:13:49:87:40:66   C                     eth0

and we run:

$ ping 192.168.0.10
PING 192.168.0.10 (192.168.0.10) 56(84) bytes of data.
64 bytes from 192.168.0.10: icmp_seq=1 ttl=64 time=10.7 ms
64 bytes from 192.168.0.10: icmp_seq=2 ttl=64 time=0.289 ms
64 bytes from 192.168.0.10: icmp_seq=3 ttl=64 time=0.291 ms
64 bytes from 192.168.0.10: icmp_seq=4 ttl=64 time=0.302 ms
.............

Notice that the first ping takes much longer to be answered (10.7 ms, about 37 times longer than the following ones), even though we are pinging a machine on the same network. If we look at the ARP table now:

$ arp
Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.0.5              ether   00:30:05:4C:90:1C   C                     eth0
192.168.0.1              ether   00:13:49:87:40:66   C                     eth0
192.168.0.10             ether   00:48:54:8D:58:47   C                     eth0

there is a new entry in the ARP table. The first packet takes longer because the kernel first has to translate the IP address we gave it (192.168.0.10) into the corresponding MAC address (00:48:54:8D:58:47). To do that it runs the ARP protocol once (a broadcast request and a reply), and once the MAC is resolved it is stored in the local ARP table. From then on the IP-->MAC translation is not needed again, which is why the rest of the packets, and any later pings, are answered much faster:

$ ping 192.168.0.10
PING 192.168.0.10 (192.168.0.10) 56(84) bytes of data.
64 bytes from 192.168.0.10: icmp_seq=1 ttl=64 time=0.234 ms
64 bytes from 192.168.0.10: icmp_seq=2 ttl=64 time=0.291 ms
64 bytes from 192.168.0.10: icmp_seq=3 ttl=64 time=0.258 ms
..........................
The arp command manages the ARP cache.

To view the cache (-n avoids reverse DNS lookups of the addresses):

$ arp -n
Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.1.1              ether   00:15:E9:CA:34:A5   C                     eth0
192.168.1.3              ether   00:18:F3:FB:FC:4A   C                     eth0
192.168.1.6              ether   00:0E:35:29:2A:48   C                     eth0

To delete entries from the cache:

$ sudo arp -d 192.168.1.1
$ sudo arp -d 192.168.1.3
$ sudo arp -d 192.168.1.6

Check the cache with:

$ arp -n

and you will see it has been emptied (on Linux the deleted entries may still be listed as (incomplete) until the kernel garbage-collects them). If you now ping the hosts:

$ ping 192.168.1.1
$ ping 192.168.1.3
$ ping 192.168.1.6

the entries are learned again.
Static entries can be added with:

$ sudo arp -s IP MAC

For example:

$ sudo arp -s 87.111.152.1 00:14:1c:32:af:1a

You can check the entry with:

$ arp -n
Address                  HWtype  HWaddress           Flags Mask            Iface
87.111.152.1             ether   00:14:1c:32:af:1a   CM                    eth0

Note that the M flag marks a static (permanent) entry: it does not time out and it is not overwritten by ARP replies, which is what makes static entries useful against ARP poisoning (see below).

The entry can be added as temporary instead (it then ages out like a learned one) with:

$ sudo arp -s 87.111.152.1 00:14:1c:32:af:1a temp

You can delete the entry with:

$ sudo arp -d 87.111.152.1
You can automate adding your gateway as a static entry with:

$ sudo arp -s $(route -n | awk '/^0.0.0.0/ {print $2}') $(arp -n | grep `route -n | awk '/^0.0.0.0/ {print $2}'` | awk '{print $3}')

This is one way to try to resist the ARP poisoning attacks performed by tools such as dsniff or Ettercap: a permanent entry is not overwritten by spoofed replies. Bear in mind what the one-liner actually does: it copies whatever MAC the cache currently holds for the gateway. If the cache has already been poisoned, you pin the attacker's MAC instead, so compare the MAC against one obtained out of band (the router's label or its admin page) before trusting it. Also note that the unanchored grep matches longer addresses too (192.168.1.1 also matches 192.168.1.10), so check the output of arp -n first. The static entry is lost on reboot and does not follow a legitimate gateway replacement, so it needs re-checking whenever connectivity through the gateway breaks.

You can remove the entry with:

$ sudo arp -d <gateway IP>
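The one-liner above copies the gateway MAC out of the cache blindly. The following Python script is an added example (not code from the page, net-tools or iproute2) that does the same job with the checks a practitioner would want: it parses the output of `ip -4 route` and `ip -4 neigh show` (constructed sample text is embedded; on a live host the `__main__` block feeds it the real command output), refuses to pin when the gateway is not in the cache, is not REACHABLE, or has conflicting MACs, optionally compares against a MAC obtained out of band, and emits the iproute2 equivalent of arp -s, `ip neigh replace ... nud permanent`. Function and sample names are the example's own.

```python
"""Safe gateway ARP pinning helper (added example; not the page's own code).

Builds the `ip neigh replace ... nud permanent` command for the default
gateway only after checking that the cached MAC is trustworthy enough to pin.
"""
import re
import subprocess


def default_gateway(route_text):
    """Return (gateway_ip, device) from `ip -4 route` output, or None."""
    for line in route_text.splitlines():
        m = re.match(r"default via (\S+) dev (\S+)", line.strip())
        if m:
            return m.group(1), m.group(2)
    return None


def neigh_entries(neigh_text, ip, dev):
    """All (mac, state) pairs that `ip -4 neigh show` lists for ip on dev.

    The pattern is anchored on the whole address, so 192.168.1.1 does not
    match 192.168.1.10 the way an unanchored grep does.
    """
    pattern = re.compile(rf"^{re.escape(ip)} dev {re.escape(dev)} lladdr (\S+) (\S+)")
    found = []
    for line in neigh_text.splitlines():
        m = pattern.match(line.strip())
        if m:
            found.append((m.group(1).lower(), m.group(2).upper()))
    return found


def pin_gateway_command(route_text, neigh_text, expected_mac=None):
    """Return the ip command that pins the gateway, or raise with the reason not to."""
    gw = default_gateway(route_text)
    if gw is None:
        raise RuntimeError("no default route found")
    ip, dev = gw
    entries = neigh_entries(neigh_text, ip, dev)
    if not entries:
        raise RuntimeError(f"{ip} is not in the ARP cache; ping it first")
    macs = {mac for mac, _ in entries}
    if len(macs) > 1:
        raise RuntimeError(f"conflicting MACs for {ip}: {sorted(macs)}")
    mac, state = entries[-1]
    if state != "REACHABLE":
        # STALE/FAILED means the MAC was not confirmed recently: do not freeze it.
        raise RuntimeError(f"{ip} is {state}, not REACHABLE; refusing to pin an unverified MAC")
    if expected_mac is not None and mac != expected_mac.lower():
        # The cache may already be poisoned; the out-of-band MAC wins.
        raise RuntimeError(f"cache says {mac} but the expected gateway MAC is {expected_mac}")
    return f"ip neigh replace {ip} lladdr {mac} dev {dev} nud permanent"


def pin_or_error(route_text, neigh_text, expected_mac=None):
    """Same as pin_gateway_command but returns 'ERROR: ...' instead of raising."""
    try:
        return pin_gateway_command(route_text, neigh_text, expected_mac)
    except RuntimeError as e:
        return f"ERROR: {e}"


# Constructed sample output, in the format of `ip -4 route` / `ip -4 neigh show`.
SAMPLE_ROUTE = ("default via 192.168.1.1 dev eth0 proto dhcp metric 100\n"
                "192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.2\n")
SAMPLE_NEIGH_OK = ("192.168.1.1 dev eth0 lladdr 00:15:e9:ca:34:a5 REACHABLE\n"
                   "192.168.1.3 dev eth0 lladdr 00:18:f3:fb:fc:4a STALE\n")
SAMPLE_NEIGH_STALE = "192.168.1.1 dev eth0 lladdr 00:15:e9:ca:34:a5 STALE\n"

if __name__ == "__main__":
    # On a live Linux host: feed the real command output (root is only needed
    # to run the printed command, not to produce it).
    route = subprocess.run(["ip", "-4", "route"], capture_output=True, text=True).stdout
    neigh = subprocess.run(["ip", "-4", "neigh", "show"], capture_output=True, text=True).stdout
    print(pin_or_error(route, neigh))
```

Pipe the printed command through `sudo sh` once you have read it; the script deliberately does not apply the entry itself.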
NOTE: I am not sure this works or is true. We will have the right IP and will be able to get packets to it, but if the remote machine has no ARP table or network configuration, how will it send the packet back to us?

Whether or not you know a device's IP, if you know its MAC you can try to reach it by adding a static entry to the ARP table: pick a free IP in your network range and "assign" it to the device with MAC X (00:14:1c:32:af:1a in the example):

$ sudo arp -s 192.168.1.123 00:14:1c:32:af:1a

Now you can ping it:

$ ping 192.168.1.123

The static entry only makes your host send the frames directly to that MAC; it configures nothing on the remote device. So this works only with devices designed for it, which adopt as their own address the destination IP of the first unicast frame sent to their MAC. HP JetDirect print servers document exactly this arp -s / ping procedure for setting their initial IP, and the Windows example below uses an HP OUI (08-00-09). An ordinary host with no IP configured, or with a different one, silently discards a packet for an address it does not hold and never answers.

On Windows it would be:

ARP -s 10.1.2.3 08-00-09-12-34-56
ping 10.1.2.3
Run:

$ sudo tcpdump arp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
09:54:40.061879 arp who-has 192.168.1.1 tell 192.168.1.2
09:54:40.062244 arp reply 192.168.1.1 is-at 00:15:e9:ca:34:a5
09:54:58.802487 arp who-has 192.168.1.3 tell 192.168.1.2
09:54:58.802576 arp reply 192.168.1.3 is-at 00:18:f3:fb:fc:4a
09:55:41.012054 arp who-has 192.168.1.6 tell 192.168.1.2
09:55:41.013671 arp reply 192.168.1.6 is-at 00:0e:35:29:2a:48

Each resolution is one broadcast request (who-has X tell Y) followed by one unicast reply (X is-at MAC). It is the reply, not the request, that populates the asker's cache.
See arping in the Xarxes Linux article.

See:

Xarxes_Linux#Provocar_arp-replys

See:

Xarxes_Linux#Provocar_arp-requests

See rarp in the Xarxes Linux article.
The iproute2 suite provides the ip command, whose ip neigh subcommand manages the ARP table (the ARP cache, also called the IP neighbour table).

See Ordre_ip#ip_neigh.

The ARP table can be listed with:

$ sudo ip neigh show
87.111.152.1 dev eth0 lladdr 00:14:1c:32:af:1a REACHABLE

which corresponds to:

$ sudo arp -n
Address                  HWtype  HWaddress           Flags Mask            Iface
87.111.152.1             ether   00:14:1c:32:af:1a   C                     eth0

Resources:

To watch ARP and ICMP traffic together on eth0:

$ sudo tcpdump -ennqti eth0 \( arp or icmp \)

The whole ARP cache can be cleared with:

$ sudo ip -s -s neigh flush all
See also:

Table: entries in the neighbour table have a timeout. You can watch an entry move through the NUD (Neighbour Unreachability Detection) states with:

$ sudo ip neighbor show 192.168.99.7
192.168.99.7 dev eth0 lladdr 00:80:c8:e8:1e:fc nud reachable
$ sudo ip neighbor show 192.168.99.7
192.168.99.7 dev eth0 lladdr 00:80:c8:e8:1e:fc nud stale
$ sudo ip neighbor show 192.168.99.7
192.168.99.7 dev eth0 lladdr 00:80:c8:e8:1e:fc nud delay
$ sudo ip neighbor show 192.168.99.7
192.168.99.7 dev eth0 lladdr 00:80:c8:e8:1e:fc nud probe
$ sudo ip neighbor show 192.168.99.7
192.168.99.7 dev eth0 nud incomplete

The states mean: reachable, the MAC was confirmed recently and is used as is; stale, the confirmation has timed out, the MAC is still used but will be re-verified the next time it is needed; delay, the entry was used while stale and the kernel waits a short time for confirmation from upper layers (for example a TCP ACK) before probing; probe, the kernel is sending unicast ARP requests to re-verify the MAC; incomplete, resolution is in progress and no MAC is known yet (it becomes failed if nobody answers). Only permanent entries, the ones added by hand, skip this cycle.
Resources:

See:

Xarxes_Linux#ip_monitor
If a machine has two or more network cards connected to the same network segment, the problem known as ARP flux can occur: by default Linux answers an ARP request for any of its local IP addresses on whichever interface receives it, so a request for the IP of one card may be answered with the MAC of the other, and the neighbours end up with an inconsistent IP-to-MAC mapping. The arp_filter, arp_ignore and arp_announce sysctl parameters described below control this behaviour.

See:
This variable sets Proxy ARP on or off in the kernel for specific devices. Proxy ARP is a system for automatically answering ARP queries on behalf of other hosts, which may for example be located on other network segments we have contact with. This may be necessary under certain circumstances, where other routers do not know how to reach specific networks or hosts. The Linux firewall/router may then answer the ARP queries on behalf of the hosts we want to proxy ARP for.

Proxy ARP is turned on for the network segment we want to answer ARP queries for. We then answer all ARP queries for that specific network or host, hence receive the packets destined for that host, and can send them onwards to the real host.

The proxy_arp variable takes a boolean value. By default it is turned off, and it may be turned on (1) or off (0) at will. If you want more information about Proxy ARP,
So that remote clients that connect to a PPTP server through a VPN can reach the rest of the devices on the LAN, proxy ARP must be enabled on the LAN port of the router acting as the PPTP server. The VPN clients get addresses from the LAN range but are not on the Ethernet segment, so the LAN hosts' ARP requests for them go unanswered unless the router answers on their behalf.

I have tested it with a Windows PPTP client connected to a PPTP server on a MikroTik RB750G, and it was only necessary to enable arp-proxy on the Ethernet port the LAN is connected to.

NOTE: if you do not enable proxy ARP you will be able to ping the PPTP server from the remote computer, but you will not be able to ping the remote device from the rest of the devices on the network.
See also:

You can use the command:

$ sudo ip neigh flush dev eth1

to flush (reset) the ARP cache of an interface.
sysctl parameters

TODO

arp-filter

arp_filter=1 makes the kernel answer an ARP request on an interface only if it would route a reply to the requester's IP out through that same interface, which is the usual fix for ARP flux.
See the ARP-SPOOFING article and tools such as Ettercap or Dsniff. See also the Eines de hacking (hacking tools) article.
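The tools above all work by sending replies nobody asked for, or replies that rebind an IP to a new MAC. Both are visible in a plain `tcpdump arp` capture, so here is an added example (not code from the page, Ettercap or Dsniff) of detection logic run over such lines: a small Python watcher that parses the old-style tcpdump output used on this page (with or without the `-e` link-layer header), remembers which IPs were actually asked for, and raises an alert on an unsolicited reply, on an IP whose MAC changes, on a reply whose Ethernet source differs from the MAC it advertises, and on a contradiction of a pinned IP/MAC pair such as the gateway. The first four sample lines are the capture from earlier on the page; the fifth is constructed to look like a poisoning attempt. Class and function names are the example's own.

```python
"""ARP-spoofing detector over `tcpdump arp` output (added example; not the page's code).

Feed it lines like those captured on this page and it returns alerts for the
patterns ARP poisoning tools produce. Gratuitous ARP is also sent for
legitimate reasons (address changes, HA failover), so treat alerts as leads.
"""
import re

MAC = r"[0-9a-f]{2}(?::[0-9a-f]{2}){5}"
LINE_RE = re.compile(
    r"^(?:\d{2}:\d{2}:\d{2}\.\d+\s+)?"                      # optional timestamp
    rf"(?:(?P<eth_src>{MAC}) > (?P<eth_dst>{MAC}), )?"       # optional -e link header
    r"arp (?:who-has (?P<req_ip>\S+) tell (?P<asker>\S+)"
    rf"|reply (?P<ip>\S+) is-at (?P<mac>{MAC}))",
    re.IGNORECASE,
)


def parse_line(line):
    """Return a dict for an ARP request/reply line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    g = m.groupdict()
    if g["req_ip"]:
        return {"kind": "request", "ip": g["req_ip"], "asker": g["asker"]}
    return {"kind": "reply", "ip": g["ip"], "mac": g["mac"].lower(),
            "eth_src": g["eth_src"].lower() if g["eth_src"] else None}


class ArpWatch:
    def __init__(self, pinned=None):
        # pinned: IP -> MAC pairs known out of band (e.g. the gateway).
        self.pinned = {ip: mac.lower() for ip, mac in (pinned or {}).items()}
        self.learned = {}       # IP -> MAC seen in replies so far
        self.pending = set()    # IPs with an outstanding who-has
        self.alerts = []

    def feed(self, line):
        ev = parse_line(line)
        if ev is None:
            return
        if ev["kind"] == "request":
            self.pending.add(ev["ip"])
            return
        ip, mac = ev["ip"], ev["mac"]
        if ip not in self.pending:
            # Nobody asked: this is what arpspoof/Ettercap send to poison caches.
            self.alerts.append(f"unsolicited reply: {ip} is-at {mac}")
        self.pending.discard(ip)
        if ev["eth_src"] and ev["eth_src"] != mac:
            # Frame sent from one card but advertising another: forged reply.
            self.alerts.append(f"{ip}: frame from {ev['eth_src']} advertises {mac}")
        if ip in self.pinned and self.pinned[ip] != mac:
            self.alerts.append(f"{ip}: pinned to {self.pinned[ip]} but reply says {mac}")
        elif ip in self.learned and self.learned[ip] != mac:
            self.alerts.append(f"{ip}: MAC changed from {self.learned[ip]} to {mac}")
        self.learned[ip] = mac

    def run(self, text):
        for line in text.splitlines():
            self.feed(line)
        return self.alerts


# Constructed sample: the first four lines are the capture shown earlier on the
# page; the last one is an injected reply claiming the gateway IP for another MAC.
SAMPLE = """\
09:54:40.061879 arp who-has 192.168.1.1 tell 192.168.1.2
09:54:40.062244 arp reply 192.168.1.1 is-at 00:15:e9:ca:34:a5
09:54:58.802487 arp who-has 192.168.1.3 tell 192.168.1.2
09:54:58.802576 arp reply 192.168.1.3 is-at 00:18:f3:fb:fc:4a
09:55:12.000000 arp reply 192.168.1.1 is-at 00:0c:29:aa:bb:cc
"""

if __name__ == "__main__":
    # Live use: sudo tcpdump -l -e arp | python3 this_script.py, reading sys.stdin line by line.
    for alert in ArpWatch(pinned={"192.168.1.1": "00:15:e9:ca:34:a5"}).run(SAMPLE):
        print("ALERT", alert)
```

Pinning the gateway in the watcher (as in the `__main__` block) is what turns "the gateway's MAC changed" into "something is impersonating the gateway", which is the case you actually want paged on.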
See Ettercap.

Building libnet from source:

$ sudo apt-get install build-essential gawk libnet1-dev
$ wget http://www.packetfactory.net/libnet/dist/libnet.tar.gz
$ tar xvzf libnet.tar.gz
$ cd libnet/
$ ./configure
$ make
$ sudo make install

We have the tools:

An example:
$ sudo arpdiscover 192.168.12.1 25
using inteface eth0
our hw address is 00:30:05:EB:A3:8D
our ip address is 192.168.12.20
bpf filter is 'ether dst 00:30:05:EB:A3:8D && arp'
sniffer fork()ed into background with pid = 21448
request for hw address of ip address 192.168.12.1, 42 bytes to send, 42 bytes sent
request for hw address of ip address 192.168.12.2, 42 bytes to send, 42 bytes sent
received arp packet 60 bytes, hw address is 00:0D:88:CC:B4:67, ip address is 192.168.12.1
request for hw address of ip address 192.168.12.3, 42 bytes to send, 42 bytes sent
request for hw address of ip address 192.168.12.4, 42 bytes to send, 42 bytes sent
request for hw address of ip address 192.168.12.5, 42 bytes to send, 42 bytes sent
request for hw address of ip address 192.168.12.6, 42 bytes to send, 42 bytes sent
request for hw address of ip address 192.168.12.7, 42 bytes to send, 42 bytes sent
request for hw address of ip address 192.168.12.8, 42 bytes to send, 42 bytes sent
request for hw address of ip address 192.168.12.9, 42 bytes to send, 42 bytes sent
request for hw address of ip address 192.168.12.10, 42 bytes to send, 42 bytes sent
request for hw address of ip address 192.168.12.11, 42 bytes to send, 42 bytes sent
received arp packet 60 bytes, hw address is 00:30:05:EB:39:9D, ip address is 192.168.12.11
request for hw address of ip address 192.168.12.12, 42 bytes to send, 42 bytes sent
request for hw address of ip address 192.168.12.13, 42 bytes to send, 42 bytes sent
request for hw address of ip address 192.168.12.14, 42 bytes to send, 42 bytes sent
request for hw address of ip address 192.168.12.15, 42 bytes to send, 42 bytes sent
request for hw address of ip address 192.168.12.16, 42 bytes to send, 42 bytes sent
request for hw address of ip address 192.168.12.17, 42 bytes to send, 42 bytes sent
received arp packet 60 bytes, hw address is 00:30:05:EB:3B:52, ip address is 192.168.12.16
request for hw address of ip address 192.168.12.18, 42 bytes to send, 42 bytes sent
request for hw address of ip address 192.168.12.19, 42 bytes to send, 42 bytes sent
request for hw address of ip address 192.168.12.20, 42 bytes to send, 42 bytes sent
request for hw address of ip address 192.168.12.21, 42 bytes to send, 42 bytes sent
request for hw address of ip address 192.168.12.22, 42 bytes to send, 42 bytes sent
request for hw address of ip address 192.168.12.23, 42 bytes to send, 42 bytes sent
request for hw address of ip address 192.168.12.24, 42 bytes to send, 42 bytes sent
request for hw address of ip address 192.168.12.25, 42 bytes to send, 42 bytes sent
waiting for sniffer terminate
received arp packet 60 bytes, hw address is 00:19:06:FF:5B:C0, ip address is 192.168.12.2

An Ethernet header plus an IPv4 ARP body is 42 bytes, which is why every request is "42 bytes sent"; the replies arrive as 60 bytes because the sending card pads frames up to the Ethernet minimum.
Resources:

$ sudo arp-scan --interface=eth1 --localnet
Interface: eth1, datalink type: EN10MB (Ethernet)
Starting arp-scan 1.6 with 256 hosts (http://www.nta-monitor.com/tools/arp-scan/)
192.168.1.1	00:15:e9:ca:34:a5	D-Link Corporation
192.168.1.2	00:30:1b:5e:09:a9	SHUTTLE, INC.
192.168.1.3	00:08:54:4b:70:98	Netronix, Inc.

3 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.6: 256 hosts scanned in 1.532 seconds (167.10 hosts/sec). 3 responded

$ sudo arp-scan --interface=eth1 192.168.0.0/16
Interface: eth1, datalink type: EN10MB (Ethernet)
Starting arp-scan 1.6 with 65536 hosts (http://www.nta-monitor.com/tools/arp-scan/)
192.168.1.1	00:15:e9:ca:34:a5	D-Link Corporation
192.168.1.2	00:30:1b:5e:09:a9	SHUTTLE, INC.
192.168.1.3	00:08:54:4b:70:98	Netronix, Inc.

The following form sends the requests with sender IP 0.0.0.0, so the interface does not need an address of its own (some hosts do not answer requests with an empty sender address):

$ sudo arp-scan --interface=eth0 --arpspa=0.0.0.0 0.0.0.0/3
Installation

$ sudo apt-get install nemesis

Installed files:

$ dpkg -L nemesis
/.
/usr
/usr/sbin
/usr/share
/usr/share/man
/usr/share/man/man1
/usr/share/man/man1/nemesis-dns.1.gz
/usr/share/man/man1/nemesis-icmp.1.gz
/usr/share/man/man1/nemesis-igmp.1.gz
/usr/share/man/man1/nemesis-ip.1.gz
/usr/share/man/man1/nemesis-ospf.1.gz
/usr/share/man/man1/nemesis-rip.1.gz
/usr/share/man/man1/nemesis-tcp.1.gz
/usr/share/man/man1/nemesis-udp.1.gz
/usr/share/man/man1/nemesis.1.gz
/usr/share/man/man1/nemesis-arp.1.gz
/usr/share/man/man1/nemesis-ethernet.1.gz
/usr/share/doc
/usr/share/doc/nemesis
/usr/share/doc/nemesis/README
/usr/share/doc/nemesis/copyright
/usr/share/doc/nemesis/changelog.gz
/usr/share/doc/nemesis/changelog.Debian.gz
/usr/bin
/usr/bin/nemesis

$ sudo nemesis arp help
ARP/RARP Packet Injection -=- The NEMESIS Project Version 1.4beta3 (Build 22)

ARP/RARP Usage:
  arp [-v (verbose)] [options]

ARP/RARP Options:
  -S <Source IP address>
  -D <Destination IP address>
  -h <Sender MAC address within ARP frame>
  -m <Target MAC address within ARP frame>
  -s <Solaris style ARP requests with target hardware addess set to broadcast>
  -r ({ARP,RARP} REPLY enable)
  -R (RARP enable)
  -P <Payload file>

Data Link Options:
  -d <Ethernet device name>
  -H <Source MAC address>
  -M <Destination MAC address>

You must define a Source and Destination IP address.

An ARP request for 10.10.15.1 sent from 10.11.30.5 with a forged source MAC (ne0 is a BSD-style interface name):

$ sudo nemesis arp -v -d ne0 -H 0:1:2:3:4:5 -S 10.11.30.5 -D 10.10.15.1
Detecting a host in promiscuous mode (a sniffer). Start a capture of the ARP traffic involving your own IP in the background:

$ sudo tcpdump -i eth0 -e arp and host 192.168.1.50 > pcap &

Then send an ARP request for the suspect's IP to a MAC that does not exist on the network:

$ sudo nemesis arp -S 192.168.1.50 -D 192.168.1.1 -M 01:01:01:01:01:01

where -S is your IP, -D is the IP of the suspected promiscuous host and -M is a non-existent MAC (on your network at least). The idea: a card in normal mode filters in hardware and only passes frames addressed to its own MAC, to broadcast or to multicast groups it has joined, so it never sees this request. 01:01:01:01:01:01 has the group bit set but belongs to no joined group, so a normal card drops it, while a card in promiscuous mode passes every frame up and the kernel, treating it as a multicast ARP request for its own IP, answers it. In the capture below the suspect (00:0c:41:e9:2b:9d) replied, which indicates it is in promiscuous mode:

$ sudo cat pcap
00:50:2c:05:6b:a9 > 01:01:01:01:01:01, arp who-has 192.168.1.1 tell 192.168.1.50
00:0c:41:e9:2b:9d > 00:50:2c:05:6b:a9, arp reply 192.168.1.1 is-at 00:0c:41:e9:2b:9d

A missing reply does not prove the opposite: hardware filtering differs between cards, drivers, operating systems and virtual switches, so the test gives false negatives.

http://foro.elhacker.net/redes/inyector_de_paquetes_nemesis-t33197.0.html
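The frames nemesis injects here, and the exchange captured earlier with tcpdump arp, are simple enough to build and decode by hand. The following Python script is an added example (not code from the page, nemesis or tcpdump): it encodes ARP requests and replies as raw Ethernet frames, decodes them back, prints them in the old tcpdump -e format used on this page, and builds the promiscuous-mode probe (a request addressed to 01:01:01:01:01:01, a group address no card has joined, so a non-sniffing card drops it and a sniffing one passes it to the kernel, which answers). The MACs and IPs are the ones from the capture above; function names are the example's own. Actually sending the frame needs a raw AF_PACKET socket and root on Linux, which is left as a comment so the script runs offline.

```python
"""ARP frame encoder/decoder (added example; not code from the page, nemesis or tcpdump).

Builds the 42-byte Ethernet+ARP frames that arping/nemesis send, decodes the
replies, and prints them the way `tcpdump -e arp` did on this page. Includes
the promiscuous-mode probe: a request whose Ethernet destination is a MAC no
card on the segment is configured for.
"""
import socket
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"
# Group-bit address nobody has joined: a card in normal mode drops it in
# hardware; a card in promiscuous mode passes it up and the kernel answers.
PROBE_MAC = "01:01:01:01:01:01"


def mac_bytes(mac):
    """'00:15:e9:ca:34:a5' (or Windows-style with dashes) -> 6 bytes."""
    parts = mac.replace("-", ":").split(":")
    if len(parts) != 6:
        raise ValueError(f"bad MAC: {mac}")
    return bytes(int(p, 16) for p in parts)


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_arp(op, src_mac, src_ip, dst_mac, target_ip, target_mac=ZERO_MAC):
    """Ethernet header + 28-byte ARP body for IPv4 over Ethernet (42 bytes total)."""
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)           # htype, ptype, hlen, plen, op
    arp += mac_bytes(src_mac) + socket.inet_aton(src_ip)        # sender hw/proto address
    arp += mac_bytes(target_mac) + socket.inet_aton(target_ip)  # target hw/proto address
    return eth + arp


def arp_request(src_mac, src_ip, target_ip, dst_mac=BROADCAST):
    return build_arp(ARP_REQUEST, src_mac, src_ip, dst_mac, target_ip)


def arp_reply(src_mac, src_ip, dst_mac, dst_ip):
    return build_arp(ARP_REPLY, src_mac, src_ip, dst_mac, dst_ip, target_mac=dst_mac)


def promisc_probe(my_mac, my_ip, suspect_ip):
    """The nemesis -M 01:01:01:01:01:01 probe: only a sniffing host answers it."""
    return arp_request(my_mac, my_ip, suspect_ip, dst_mac=PROBE_MAC)


def parse_arp(frame):
    """Decode an Ethernet+ARP frame into its fields; raises ValueError for anything else."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet+ARP")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETH_P_ARP:
        raise ValueError(f"not ARP: ethertype 0x{ethertype:04x}")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not IPv4-over-Ethernet ARP")
    return {
        "eth_dst": mac_str(frame[0:6]), "eth_src": mac_str(frame[6:12]), "op": op,
        "sender_mac": mac_str(frame[22:28]), "sender_ip": socket.inet_ntoa(frame[28:32]),
        "target_mac": mac_str(frame[32:38]), "target_ip": socket.inet_ntoa(frame[38:42]),
    }


def tcpdump_line(frame):
    """Render a frame as the old-style `tcpdump -e arp` output on this page."""
    p = parse_arp(frame)
    if p["op"] == ARP_REQUEST:
        body = f"arp who-has {p['target_ip']} tell {p['sender_ip']}"
    elif p["op"] == ARP_REPLY:
        body = f"arp reply {p['sender_ip']} is-at {p['sender_mac']}"
    else:
        body = f"arp op {p['op']}"
    return f"{p['eth_src']} > {p['eth_dst']}, {body}"


def answers_probe(reply, probe):
    """True if `reply` is the suspect answering our probe, i.e. it saw a frame it should not have."""
    q, r = parse_arp(probe), parse_arp(reply)
    return (r["op"] == ARP_REPLY and r["sender_ip"] == q["target_ip"]
            and r["eth_dst"] == q["eth_src"])


if __name__ == "__main__":
    probe = promisc_probe("00:50:2c:05:6b:a9", "192.168.1.50", "192.168.1.1")
    print(len(probe), "bytes:", tcpdump_line(probe))
    # To send on Linux as root: s = socket.socket(socket.AF_PACKET, socket.SOCK_RAW)
    # s.bind(("eth0", 0)); s.send(probe); then s.recv(65535) and answers_probe() on it.
```

The same `build_arp` with op=ARP_REPLY and a sender IP you do not own is exactly the poisoned reply that arpspoof or Ettercap send, which is why the receive side (parse_arp feeding a detector) matters as much as the transmit side.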
Resources:

Current values of the kernel ARP parameters (all zero is the default):

$ cat /proc/sys/net/ipv4/conf/all/arp_accept
0
$ cat /proc/sys/net/ipv4/conf/all/arp_announce
0
$ cat /proc/sys/net/ipv4/conf/all/arp_filter
0
$ cat /proc/sys/net/ipv4/conf/all/arp_ignore
0
$ cat /proc/sys/net/ipv4/conf/all/arp_notify
0

The same parameters are reachable with sysctl as net.ipv4.conf.all.* or per interface as net.ipv4.conf.<iface>.*. arp_accept decides whether a gratuitous ARP for an IP not yet in the table creates a new entry (0 no, 1 yes); note that even with 0 an existing entry is still updated by an unsolicited reply, which is why ARP poisoning works against a default Linux host. arp_announce chooses the sender IP put in outgoing requests (0 any local address, 1 prefer one in the target's subnet, 2 always the best local address). arp_filter=1 answers a request on an interface only if the kernel would route to the requester through that interface (the ARP flux fix). arp_ignore restricts which requests get answered (0 any local IP, 1 only if the target IP is configured on the receiving interface, 2 additionally only if the sender is in that interface's subnet, 8 never). arp_notify=1 sends a gratuitous ARP when the interface comes up or its address changes.

See the sysctl command.

TODO

See:

Nanostation#Problemes_amb_la_cache_ARP_de_Windows_i_la_IP_192.168.1.1