PPAP
Perfectly Poison ARP Poisoning
Team19
b05902127 劉俊緯
b05902117 陳柏文
b05902031 謝議霆
What is ARP?
Task: 87 -> 88
140.112.31.87
140.112.31.88
Switch cannot look ip.
So we needs 88's MAC to let switch forward.
src: 140.112.31.87
dst: 140.112.31.88
dst MAC: ???
87:87:87:87:87:87
88:88:88:88:88:88
ARP Request & Reply
140.112.31.87
140.112.31.88
ARP Request
who has 140.112.31.88 ?
87:87:87:87:87:87
88:88:88:88:88:88
ARP Reply
88:88:88:88:88:88 has 140.112.31.88 ?
src ip: 140.112.31.87 src MAC: 87:87:87:87:87:87
dst ip: 140.112.31.88 dst MAC: 88:88:88:88:88:88
What is ARP Poisoning?
ARP Poisoning
140.112.31.87
140.112.31.88
I know 140.112.31.88 => 88:88:88:88:88:88
87:87:87:87:87:87
88:88:88:88:88:88
ARP Reply
89:89:89:89:89:89
has 140.112.31.88
140.112.31.89
89:89:89:89:89:89
89:89:89:89:89:89
How to mitigate ARP Poisoning?
Dynamic ARP Inspection(DAI)
Why not?
- DAI needs information in Layer 3
- Must be Layer3 Switch
- Not flexible
ARP poisoning + MitM
Attack Flow Chart
Environment
- Layer2 switch
- Port security
- Attacker can't fake mac address
1. Everything is fine
2. Attacker send arp reply
3. user update arp table
4. package redirect
5. package redirect
Demo arp poisoning
Monitoring + Patch on L2 switch!
Monitor with Cisco switch
- Monitor in Cisco
- Copy all packages from port to destination port
switch
monitor
PC
Monitor with other L2 switch
- Monitor -> Gateway
- Firewall
switch
monitor
PC
IP -> multiple MAC?
- user update arp table
- Possible reason:
- change device
- DHCP
- attack
1 MAC -> multiple IP?
- Possible reason:
- change IP
- attack
Detect
- if MAC2 -> IP2 and previous IP1 && IP2 has its MAC1
- ping IP2 with the MAC1
- if received
- ban MAC2
Problem: Broken ARP at normal users
Re-Poisoning!
DEMO PPAP
Q&A
PPAP
By Arvin Liu
PPAP
ARP poisoning attack & MitM + detect&re-poisoning on L2 switch
