ARP/DHCP Specific Questions – Detailed Answers


In my Network are:

Router

Client 1: Victim

Client 2: Attacker (Raspberry Pi)

Client 3: My Computer (SSH to Raspberry)

All Clients are connected wireless to the router.
All Clients are registered at the Router (IP/MAC bind)
Router is set to accept connection only from registered Clients.
Router has DHCP enabled.
Program used: dsniff/arpspoof

I arpspoofed Client 1 and set Client 2 to act as MITM and forwarded the traffic. As soon as the router refreshes its ARP tables it works.
After 5-10 minutes the router assigns a new IP to Client 1 and forgets the old IP address.

I've got 2 questions now:

What is IP/MAC binding for when it's easy to manipulate one client to use multiple IPs and the router accepts it?

How is it possible that the spoofed Client 1, who shouldn't have any communication with the router directly, is given a new IP after some time?

This is for education purposes only!
Thank you!

Best Answer

What you are describing is more about network disruption than information stealing. Also, clients don't register with routers, and DHCP is gratuitous in the situation you describe because the DHCP server plays no part in the situation.

There really isn't any such thing as IP/MAC binding the way you may think. You need to understand the network layers. Layer-2 is the local LAN, and all traffic on the local LAN is delivered directly from one host to another host by the LAN, e.g. MAC, address. Some layer-2 protocols use MAC addresses (either 48-bit or 64-bit MAC addresses), and some do not. Layer-3 is the network, and layer-3 protocols use layer-3, e.g. IP, addresses.

In order for one host on the LAN to send traffic to another host on the LAN, the host needs to resolve the destination layer-3 address into the destination layer-2 address in order to build a frame. That is where ARP (Address Resolution Protocol) comes in.

ARP maintains a table for translating layer-3 to layer-2 addresses. The entries in this table usually time out, but that depends on the OS. To get or update an entry in its ARP table, a host will use ARP requests. A host will also update its ARP table from any traffic it sees on the LAN. That means that when the victim sends out any traffic that the other hosts see, they will update their ARP tables with the new information. This could be the victim sending its own ARP request to discover the layer-2 address of another host, a gratuitous ARP, unknown unicast traffic, or unicast traffic to another host that updates its ARP table.

There is also something else to consider if this is a switched ethernet LAN. Ethernet switches maintain MAC address tables (not to be confused with ARP tables) to resolve the MAC address to an interface where the MAC address was last seen. A switch will update its MAC address table with a frame's source MAC address every time a frame comes into the switch, and it will use the MAC address table to determine to which switch interface it will send the frame with the destination MAC address. If the destination MAC address is not in its MAC address table, the switch will flood the frame to all the switch interfaces, except the one where the frame entered the switch.

Now, put it all together. If a malicious host tries to hijack a MAC address, it will only be temporary because the ARP tables in the other hosts will update, and the switch will constantly change the interface to which it delivers frames with that destination MAC address.

A real man-in-the-middle attack needs to happen on a link through which traffic must pass, but that is not the case on most LANs since traffic on LANs is passed directly from host-to-host, not through a single point.
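The answer's point that hosts relearn IP-to-MAC mappings from whatever ARP traffic they see (which is why the spoofed mapping keeps flipping back) can be observed from the defender's side. The following added example, not code from the question or the answer, parses raw Ethernet/ARP frames and flags every time the MAC behind an IP changes; the frames, MACs and IPs are constructed for the demo.

```python
import struct

ETHERTYPE_ARP = 0x0806  # EtherType for ARP (RFC 826)

def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Build a constructed Ethernet II + ARP frame (demo input only)."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    ip = lambda s: bytes(int(x) for x in s.split("."))
    dst = b"\xff" * 6 if op == 1 else mac(target_mac)  # requests are broadcast
    eth = dst + mac(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)  # Ethernet/IPv4, 6/4 byte addrs
    arp += mac(sender_mac) + ip(sender_ip) + mac(target_mac) + ip(target_ip)
    return eth + arp

def parse_arp(frame):
    """Return (op, sender_mac, sender_ip) for an IPv4-over-Ethernet ARP frame, else None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return op, frame[22:28].hex(":"), ".".join(str(b) for b in frame[28:32])

class ArpWatcher:
    """Mirror the IP->MAC table a host would learn from observed ARP traffic
    (both requests and replies carry a sender mapping) and report changes."""
    def __init__(self):
        self.table = {}
    def observe(self, frame):
        parsed = parse_arp(frame)
        if parsed is None:
            return None
        _op, mac, ip = parsed
        old = self.table.get(ip)
        self.table[ip] = mac
        if old is not None and old != mac:
            return f"ARP change: {ip} moved from {old} to {mac}"
        return None

def run_demo():
    # Constructed traffic: the router (...:01) replies for 192.168.1.1, a second
    # MAC (...:02) then claims the same IP, then the router's own request is seen.
    frames = [
        build_arp(2, "aa:bb:cc:dd:ee:01", "192.168.1.1", "aa:bb:cc:dd:ee:10", "192.168.1.10"),
        build_arp(2, "aa:bb:cc:dd:ee:02", "192.168.1.1", "aa:bb:cc:dd:ee:10", "192.168.1.10"),
        build_arp(1, "aa:bb:cc:dd:ee:01", "192.168.1.1", "00:00:00:00:00:00", "192.168.1.10"),
    ]
    watcher = ArpWatcher()
    return [a for a in (watcher.observe(f) for f in frames) if a]

if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

On a real network the same `ArpWatcher.observe` would be fed frames from a raw socket or a pcap; each flip-flop it reports is the table churn the answer describes.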