Friday, July 1, 2011

What is ARP? [Information]

 Since I've explained now how to get Backtrack 5, if you're still not on Linux then go install it now before all the fun stuff starts!
As for today's post I'll be explaining an important part about netsec: Address Resolution Protocol.

Understanding ARP, or Address Resolution Protocol, is a key part in understanding how networks communicate.

You can think of ARP as a phonebook for computers on a network.
Say the computer "Bob-PC" wants to send a message to "Meg-Laptop" but only has its local IP address. Computers require the "physical" address or MAC (Media Access Control) address to send messages, so Bob's computer needs to find out Meg's MAC. How would it do this?
Well, what Bob's computer does is checks its own "ARP cache" which is a list of computers it has stored with their IPs (such as 192.168.0.105) and MAC address (such as 00:1C:F2:D2:55), and if it finds the corresponding physical (MAC) address to the IP address it has for Meg's laptop, its all good to go!

But what if Bob's PC's ARP cache doesn't have Meg's laptop listed?
Well, ARP has this sorted out. It sends out a "broadcast ARP message" to the network saying "hey, who is 192.168.0.105 (Megs-Laptop)?" and receives a response from Meg's laptop saying "hey, that's me! My MAC address is 00:1C:F2:D2:55!"
Bob's PC then stores that information in its ARP cache for later use.

How hackers can use this to infiltrate systems is doing something called "ARP poisoning" and can be explained using this image from Wikipedia:
The malicious user, or hacker, listens in on the network and changes the ARP cache of the receiving "LAN user" to send messages to the malicious user FIRST, then back out to the corresponding target (in this case, the LAN Gateway.
This way, the hacker can view all the network traffic between the User and Gateway and change certain inquires, whether it be to an HTTPS (secure connection) site or any site in general.
We will be using this in the near future to sniff passwords from any site (HTTP and HTTPS) and show how dangerous an unwanted user on your network really is.

You can view your computer's ARP cache by typing "arp -a" into the command line on Windows or Linux and view the IP addresses and corresponding MAC addresses of each node your computer has saved.

Many users think that if they have a simple encryption on their network, it can't be broken. Some think that even if someone gains access into their network, it doesn't even matter! But this is FAR from the truth.
You will see how much damage a single user can cause on an unprotected network, whether it be through DNS spoofing (changing sites what certain IP addresses go to), password sniffing (Facebook, Google, Paypal, and Myspace passwords in clear text!), or DoS (denial of service) attacks.

This was a quick writeup and I'll be updating it frequently as I do with all my posts, but I wanted to get a quick post out to explain what ARP and ARP poisoning is, as it is vital in our path to learning network and computer security.