ARP is vulnerable because ARP trusts everyone. There is no authentication so when a device sends out an ARP Request, the device that responds to this request is trusted to be the correct device. ARP is so trusting that even if no ARP Request was sent but the device receives an ARP Reply, it still accepts this ARP Reply and adds it to or modifies its ARP table!
This is an astounding statement when you truly think about it. An attacker can broadcast forged ARP Replies to any device on the network and that device will believe the Reply and add it to its ARP table. All of a sudden we have a few devices on the network who believe someone is somebody else and network chaos ensues.
ARP poisoning typically leads to three types of attack vectors: Denial of Service, Man in the Middle, and MAC Flooding.
ARP poisoning is done from within the network perimeter, which means it is local. An attacker has to be on the same physical segment or has to gain access to a device that resides within the network. If an ARP attack is noticed, immediately suspect an in-house attacker.
You may use the following Windows command:
arp /?
and the following Linux/Unix command:
man arp
for more information about local ARP command use.
I would suggest observing a few ARP packets with Wireshark if you’re interested in actually seeing the make-up of these packets.
The Address Resolution Protocol is fairly straightforward. Each device on a network contains two types of addresses: an IP address and a MAC address. This protocol was developed to help resolve an IP address to a unique MAC address.
Each device on the network has an IP address that is capable of changing depending on DHCP settings or IP configuration. Each device also has a unique Media Access Control address that is ‘burned’ into each network interface card. ARP matches IP addresses to MAC addresses and vice versa using four message types: ARP Request, ARP Reply, Reverse ARP (RARP) Request, and RARP Reply.
An ARP Request is used when a device wants to know who is using a specific IP address.
An ARP Reply is just what it says. It is a reply to the ARP Request that informs the requesting device that it has the requested IP address, and it includes its MAC address. Most of the time, devices that do not possess the IP address named in the ARP Request will ignore the request, and only the device holding that IP address will issue an ARP Reply.
A RARP Request is just the opposite of an ARP Request. The requesting device wants to know who is using a specific MAC address.
A RARP Reply informs the device issuing a RARP Request that it is using this MAC address and includes its IP address as well. Again, a RARP Reply works in much the same manner as an ARP Reply.
Each device contains an ARP table. This table has a short life span and contains a list of matched IP and MAC addresses. This allows networking devices to avoid broadcasting ARP and RARP Requests across the network which reduces network overhead and increases network throughput.
References: RFC 826 and RFC 903
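As an added example that is not part of either post above, the following Python parses the four message types laid out in RFC 826 and RFC 903 (ARP Request/Reply, RARP Request/Reply) and keeps a passive ARP table that, unlike the trusting behaviour described in the ARP poisoning post, flags replies that answer no observed request and replies that rebind an IP to a different MAC. All frames, MAC and IP addresses are constructed sample data, not captured traffic.

```python
import struct
from collections import namedtuple

# Opcodes from RFC 826 (ARP) and RFC 903 (RARP)
OPCODES = {1: "ARP Request", 2: "ARP Reply", 3: "RARP Request", 4: "RARP Reply"}
ArpPacket = namedtuple("ArpPacket", "opcode sender_mac sender_ip target_mac target_ip")

def _mac(b): return ":".join(f"{x:02x}" for x in b)
def _ip(b): return ".".join(str(x) for x in b)

def parse_arp(frame):
    """Parse an Ethernet frame (EtherType 0x0806) carrying IPv4-over-Ethernet ARP."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0806:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported hardware/protocol type")
    b = frame[22:42]  # sender MAC(6) sender IP(4) target MAC(6) target IP(4)
    return ArpPacket(OPCODES.get(op, op), _mac(b[0:6]), _ip(b[6:10]), _mac(b[10:16]), _ip(b[16:20]))

def build_arp(op, sha, spa, tha, tpa):
    """Constructed sample frame (not captured traffic): Ethernet header + ARP body."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    ip = lambda s: bytes(int(x) for x in s.split("."))
    eth = (b"\xff" * 6 if op == 1 else mac(tha)) + mac(sha) + b"\x08\x06"
    return eth + struct.pack("!HHBBH", 1, 0x0800, 6, 4, op) + mac(sha) + ip(spa) + mac(tha) + ip(tpa)

class ArpMonitor:
    """Passive ARP table that does not trust everyone: records which IPs were asked for, then flags replies nobody requested or that rebind an IP."""
    def __init__(self):
        self.table, self.pending, self.alerts = {}, set(), []
    def observe(self, pkt):
        if pkt.opcode == "ARP Request":
            self.pending.add(pkt.target_ip)
        elif pkt.opcode == "ARP Reply":
            if pkt.sender_ip not in self.pending:
                self.alerts.append(f"unsolicited reply: {pkt.sender_ip} is-at {pkt.sender_mac}")
            self.pending.discard(pkt.sender_ip)
            old = self.table.get(pkt.sender_ip)
            if old and old != pkt.sender_mac:
                self.alerts.append(f"rebind: {pkt.sender_ip} moved {old} -> {pkt.sender_mac}")
            self.table[pkt.sender_ip] = pkt.sender_mac  # still cached, as a real host would

def run_sample():
    # Constructed traffic: a legitimate request/reply for 10.0.0.1, then a forged reply rebinding it
    mon = ArpMonitor()
    for f in (build_arp(1, "aa:aa:aa:aa:aa:01", "10.0.0.5", "00:00:00:00:00:00", "10.0.0.1"),
              build_arp(2, "aa:aa:aa:aa:aa:02", "10.0.0.1", "aa:aa:aa:aa:aa:01", "10.0.0.5"),
              build_arp(2, "de:ad:be:ef:00:01", "10.0.0.1", "aa:aa:aa:aa:aa:01", "10.0.0.5")):
        mon.observe(parse_arp(f))
    return mon
```

The monitor mirrors the behaviour the post describes (the forged reply is still cached) but surfaces the two signs a defender can act on: a reply with no matching request and an IP whose MAC changed.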
Network models define a set of network layers (also known as a stack) and how those layers (protocols) interact with one another. There are two commonly used network models in use today, TCP/IP (Transmission Control Protocol/Internet Protocol) and OSI (Open Systems Interconnection). By using network models we enable devices using the same network model to communicate with one another more effectively and we’re better equipped to understand how the network works.
TCP/IP Model
The TCP/IP model is by far the most widely used model in existence today. Just about every modern networking device supports the TCP/IP model including computers, mobile devices, and even a few appliances. This model is also known as the DoD model and the Internet model. It was created by the efforts of the U.S. Department of Defense and various universities in the 1970s.
The TCP/IP model defines an enormous collection of protocols that are governed by their respective Request For Comments (RFC). It is human nature to categorize anything and everything to help us understand and remember. The TCP/IP model is no exception. It separates these protocols into four layers (or categories) to make it easier to understand how these layers (protocols) interact with one another. The four layers of the TCP/IP model are the Application, Transport, Internet, and Network Access layers with each layer providing a service to the layer above it.
The Application layer is the layer most of us will interact with on a daily basis whether we realize it or not. The protocols used in the Application layer provide services to the software running on a computer, such as retrieving the web page of your favorite website. The Application layer doesn’t care what the application looks like, what new features it has, what language it’s written in, or what you think of it. The Application layer defines what services the software might need, such as HTTP (web browsing) or POP3 and SMTP (e-mail). There are many protocols supported within the Application layer, such as HTTP, SMTP, POP3, FTP, Telnet, IRC, IMAP, SSL, PPP, etc.