Archive for August, 2008

Endianness

Posted August 19, 2008 at 3:56 pm in Programming

Endianness is the attribute of a system that indicates whether integers are represented from left to right or right to left, just like human languages. This may sound odd but if you’ve ever tried to read a book in English and another book in Japanese, you’ll notice that one flows from left to right and another from right to left. If you tried to read the book in Japanese from left to right, you would spend a lot of time attempting to decipher what that book was about.

There are two types of endianness, big and little. Big endian representation is in the left-to-right fashion and has the leftmost byte set as the most significant byte (MSB) in a multibyte integer. A simple example is the number 200. The 2 on the left side indicates that this number is much larger than the number 100. We often learn the binary number system in big endian representation. Little endian representation is in the right-to-left fashion and has the rightmost byte set as the most significant byte in a multibyte integer.

Big endian means that the most significant byte of any multibyte data field is stored at the lowest memory address. Little endian means that the least significant byte of any multibyte data field is stored at the lowest memory address.

An easy way to remember these is to think about input to a device. A big endian implementation would require the “big end” (MSB) first while a little endian implementation would require the “little end” first.

Endianness is important to processors as they attempt to read binary data from memory. Intel’s 80x86 is a common little endian processor. Sun’s Java Virtual Machine uses a big endian representation. Endianness is also important to network stacks and the communication field in general. Communicating devices must use the same endian implementation or they will not be able to communicate.

All of the protocols in the TCP/IP suite are big endian and, as such, big endian is also known as Network Byte Order, which requires the MSB first. Specifically, the sin_port and sin_addr members of the sockaddr_in structure must use the big endian implementation when creating network sockets.
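As an added example (not code from the original post), the C program below fills a sockaddr_in with htons() and inet_pton() and copies out the bytes actually stored in sin_port and sin_addr; it also shows which port a peer would see if the htons() call were left out. The helper names, the address 192.0.2.10 and the port 8080 are constructed for illustration.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The port a peer would read if htons() were forgotten: the raw
 * host-order bytes interpreted MSB first, as the network does. */
uint16_t port_without_htons(uint16_t port)
{
    uint8_t raw[2];
    memcpy(raw, &port, 2);
    return (uint16_t)((raw[0] << 8) | raw[1]);
}

/* Returns 1 when this host stores the least significant byte first. */
int host_is_little_endian(void) { return port_without_htons(0x0102) == 0x0201; }

/* Fill sa for ip:port with sin_port and sin_addr in network byte order.
 * Returns 0 on success, -1 if ip is not a valid dotted-quad string. */
int make_endpoint(struct sockaddr_in *sa, const char *ip, uint16_t port)
{
    memset(sa, 0, sizeof *sa);
    sa->sin_family = AF_INET;
    sa->sin_port = htons(port);               /* host order -> network order */
    return inet_pton(AF_INET, ip, &sa->sin_addr) == 1 ? 0 : -1;
}

/* Copy the in-memory bytes of sin_port (2) then sin_addr (4) into out. */
void endpoint_bytes(const struct sockaddr_in *sa, uint8_t out[6])
{
    memcpy(out, &sa->sin_port, 2);
    memcpy(out + 2, &sa->sin_addr, 4);
}

int main(void)
{
    struct sockaddr_in sa;
    uint8_t b[6];
    if (make_endpoint(&sa, "192.0.2.10", 8080) != 0) return 1;
    endpoint_bytes(&sa, b);
    printf("%s-endian host\n", host_is_little_endian() ? "little" : "big");
    printf("sin_port %02x %02x, sin_addr %d.%d.%d.%d\n", b[0], b[1], b[2], b[3], b[4], b[5]);
    printf("8080 without htons() is seen as %d\n", port_without_htons(8080));
    return 0;
}
```

On a little endian host the last line reports a different port, which is why a missing htons() typically shows up as a service bound to, or a client connecting to, an unexpected port.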

ARP Cache Poisoning

Posted August 18, 2008 at 10:51 am in Vulnerabilities

ARP is vulnerable because ARP trusts everyone. There is no authentication so when a device sends out an ARP Request, the device that responds to this request is trusted to be the correct device. ARP is so trusting that even if no ARP Request was sent but the device receives an ARP Reply, it still accepts this ARP Reply and adds it to or modifies its ARP table!

This is an astounding statement when you truly think about it. An attacker can broadcast forged ARP Replies to any device on the network and that device will believe the Reply and add it to its ARP table. All of a sudden we have a few devices on the network that believe someone is somebody else, and network chaos ensues.

ARP poisoning typically leads to three types of attack vectors: Denial of Service, Man in the Middle, and MAC Flooding.

ARP poisoning is done from within the network perimeter, which means it is local. An attacker has to be on the same physical segment or has to gain access to a device that resides within the network. If an ARP attack is noticed, immediately suspect an in-house attacker.

You may use the following Windows command:

arp /?

and the following Linux/Unix command:

man arp

for more information about local ARP command use.

I would suggest observing a few ARP packets with Wireshark if you’re interested in actually seeing the make-up of these packets.

Address Resolution Protocol (ARP)

Posted August 17, 2008 at 10:48 pm in Networking

The Address Resolution Protocol is fairly straightforward. Each device on a network contains two types of addresses: an IP address and a MAC address. This protocol was developed to help resolve an IP address to a unique MAC address.

Each device on the network has an IP address that is capable of changing depending on DHCP settings or IP configuration. Each device also has a unique Media Access Control address that is ‘burned’ into each network interface card. ARP matches IP addresses to MAC addresses and vice versa using four message types: ARP Request, ARP Reply, Reverse ARP (RARP) Request, and RARP Reply.

An ARP Request is used when a device wants to know who is using a specific IP address.

An ARP Reply is just what it says. It is a reply to the ARP Request that informs the requesting device that it has the requested IP address and also includes its MAC address. Most of the time, devices that do not possess the IP address named in the ARP Request will ignore the request, and only the device holding the requested IP address will issue an ARP Reply.

A RARP Request is just the opposite of an ARP Request. The requesting device wants to know who is using a specific MAC address.

A RARP Reply informs the device issuing a RARP Request that it is using this MAC address and includes its IP address as well. Again, a RARP Reply works in much the same manner as an ARP Reply.

Each device contains an ARP table. This table has a short life span and contains a list of matched IP and MAC addresses. This allows networking devices to avoid broadcasting ARP and RARP Requests across the network, which reduces network overhead and increases network throughput.

References: RFC 826 and RFC 903
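The Request/Reply exchange described here, and the unrequested Replies that the ARP Cache Poisoning post says are accepted without question, can be watched for from the defender's side. The C program below is an added example, not code from the original posts: it parses the 28-byte Ethernet/IPv4 ARP payload laid out in RFC 826 and flags a Reply that answers no Request or that contradicts the first MAC seen for an IP address. The names arp_observe, struct monitor and lookup, and the SAMPLE payloads (documentation addresses, made-up MACs), are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { ARP_BAD = -1, ARP_OK = 0, ARP_UNSOLICITED = 1, ARP_CHANGED = 2 };
struct entry { uint8_t ip[4], mac[6]; int known, asked; };
struct monitor { struct entry e[16]; int n; };  /* zero-initialise before use */
static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Constructed payloads: htype ptype hlen plen oper | sender MAC, IP | target MAC, IP.
 * A Request for 192.0.2.1, the real Reply, then an unrequested Reply with a new MAC. */
static const uint8_t SAMPLE[3][28] = {
    {0,1, 8,0, 6,4, 0,1,  2,0,0,0,0,0x50, 192,0,2,50,  0,0,0,0,0,0,    192,0,2,1},
    {0,1, 8,0, 6,4, 0,2,  2,0,0,0,0,0x01, 192,0,2,1,   2,0,0,0,0,0x50, 192,0,2,50},
    {0,1, 8,0, 6,4, 0,2,  2,0,0,0,0,0x66, 192,0,2,1,   2,0,0,0,0,0x50, 192,0,2,50},
};

static struct entry *lookup(struct monitor *m, const uint8_t *ip)  /* find or add */
{
    for (int i = 0; i < m->n; i++)
        if (!memcmp(m->e[i].ip, ip, 4)) return &m->e[i];
    if (m->n == 16) return NULL;
    memcpy(m->e[m->n].ip, ip, 4);
    return &m->e[m->n++];
}

/* Feed one ARP payload; returns ARP_BAD or a mask of ARP_* flags. */
int arp_observe(struct monitor *m, const uint8_t *p, size_t len)
{
    if (len < 28 || be16(p) != 1 || be16(p + 2) != 0x0800 || p[4] != 6 || p[5] != 4)
        return ARP_BAD;                      /* not Ethernet/IPv4 ARP */
    uint16_t op = be16(p + 6);               /* 1 = Request, 2 = Reply */
    if (op != 1 && op != 2) return ARP_BAD;
    struct entry *e = lookup(m, op == 1 ? p + 24 : p + 14);
    if (!e) return ARP_BAD;                  /* table full */
    if (op == 1) { e->asked = 1; return ARP_OK; }
    int flags = e->asked ? ARP_OK : ARP_UNSOLICITED;
    e->asked = 0;                            /* one Reply answers one Request */
    if (!e->known) { e->known = 1; memcpy(e->mac, p + 8, 6); }  /* baseline */
    else if (memcmp(e->mac, p + 8, 6)) flags |= ARP_CHANGED;
    return flags;
}

int main(void)
{
    struct monitor m = {0};
    for (int i = 0; i < 3; i++)
        printf("packet %d -> flags %d\n", i, arp_observe(&m, SAMPLE[i], 28));
    return 0;
}
```

A changed binding can also be legitimate, for example a replaced network card or a DHCP lease moving to another host, so the flag is a prompt to investigate rather than proof of poisoning.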
