In my previous post, I found and used a backdoor to gain access to the Metasploitable instance. This involved querying its FTP service to learn the server software type and version, then launching an exploit specific to that setup. Today, still following the same text, I'll attempt some ARP (Address Resolution Protocol) spoofing. I mentioned ARP briefly in an earlier post, but I didn't describe it at any length.
ARP is part of a network's addressing protocols. Specifically, it maps IP addresses to MAC addresses.
- MAC addresses (Media Access Control) are specific to a device. A smartphone has a MAC address, as does a desktop computer, a tablet, or a laptop. MAC addresses are unique, are generally permanently attached to their device, and provide (limited) information about the device: the leading characters of the address, for instance, identify the device's manufacturer. In that sense they are similar to people's names. MAC addresses take the form of six pairs of hexadecimal digits, each pair separated by a hyphen, e.g. 06-b3-47-fc-1d-28, or by a colon: 06:b3:47:fc:1d:28.
- IP addresses (Internet Protocol) are addresses on a network. To send and receive internet traffic, a device must have an address on a network, much as a person must have a postal address to receive mail. As with a mailing address, a device might move from one address to another through the course of a day; I might receive postal mail at home and at work, for instance. Unlike mailing addresses, IP addresses are transitory: once I disconnect from a network, it's as if I've permanently moved, and I lose the IP address that I had on that network. IP addresses (IPv4, technically; IPv6 addresses are distinct but similar) take the form of four decimal numbers of up to three digits each, separated by periods. Leading zeroes are not shown: 142.250.64.78 rather than 142.250.064.078. Most addresses are public, meaning they are used for location on the internet, but three sets are reserved for use on local networks; these are known as private IP addresses:
- Private IP addresses are restricted to local networks. No private IP address will appear as a location on the internet. Similarly, no public IP address will ever appear on a local network.
- Since private IP addresses are never locations on the internet, they can (and do) repeat from one network to the next. As I sit and write on my computer, my computer has a private IP address on my home network: 192.168.1.32. My home network has a public IP address that all of my devices share via a router: 123.456.789.65. I send data to blogger.com at 142.251.35.169, where a router sends my data to a device on their network, whose private IP address I never know. That device sends data back to my network router at 123.456.789.65. My router then routes the data for my computer to my computer at 192.168.1.32. At the same time, my smartphone is on my home network at 192.168.1.58. It connects to my bank at 23.219.82.203 (not my bank, actually, or maybe it is), where a router sends my data to a device on their network, whose private IP address I again never know. The bank sends data back to my router at 123.456.789.65, and my router routes that data to my smartphone at 192.168.1.58.
- Throughout this, I never know (or need to know) the private IP addresses of the devices at Blogger or Wells Fargo, nor do they ever know (or need to know) the private IP addresses of my devices. To communicate, all we need are each other's public IP addresses; we rely on our routers to route the incoming data to its final destination at our private IP addresses. Thus, our public IP addresses are our publicly shared addresses, while our private IP addresses are not shared and have no use outside our local network: a little secret between our device and our router.
The transitory nature of private IP addresses means that every time I join a network, I have to get a new address, even if it's a network I've been on before. It also means that my router needs to maintain a list of which device (MAC address) is at which location (IP address) on the local network, or LAN (Local Area Network). Building and maintaining this list is done via ARP. Each time a device joins a LAN, it broadcasts a message: "I've joined this network, this is my MAC address, I need a private IP address." The router replies, giving its (the router's) private IP address and assigning an IP address to the device. The router also adds an entry to its ARP table, listing the MAC address as residing at the private IP address the router just assigned. The device stores this information, enabling it to send all future traffic specifically to the router rather than broadcasting it to the entire network. Over time, as devices continue to join the LAN, the router builds a complete table of its LAN. Devices can come and go on a network, so from time to time a router may check whether a device is still connected by asking who is at a particular IP address. If the device is still there, it will reply with its MAC; otherwise the router will drop the entry from its table.
All of this works very well, but it was never designed for security. When a device joins a network, it broadcasts its initial 'I need an address' message to everyone on the network. As designed, the router responds while all other devices ignore the message, but nothing prevents a threat actor from jumping into the mix. Similarly, when a router asks whether a device is at a particular IP address, that request is also broadcast to everyone, creating another opportunity for chaos. Finally, the tables are ephemeral, subject to and requiring frequent revision, and all ARP messages are accepted as truthful, without any check for validity.
All of this makes ARP tables a good target for a man-in-the-middle attack, where a threat actor intercepts all messages between two points that should be directly connected. In this case, the threat actor tells the victim's device that they are the router, and tells the router that they are the victim's device: the victim's device sends all of its traffic to the threat actor, while the router sends all traffic meant for the victim to the threat actor. The threat actor can then read or manipulate the data before passing it along to its intended recipient, or not pass it along at all. This is done via ARP spoofing, which will be the topic of my next post.
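As an added example (my own illustration, not code from the original post or from the text it follows), here is a small Python model of the ARP exchange and of the passive check a defender can run over captured ARP traffic: it encodes and decodes the 28-byte ARP payload, then watches the IP-to-MAC bindings for the two symptoms of the attack described above, a reply that nobody requested and a binding that changes. The host address 192.168.1.32 comes from the post; the gateway at 192.168.1.1 and all MAC addresses are assumptions, and the third frame is a constructed forged reply.

```python
import struct
from ipaddress import IPv4Address
ARP_FMT = "!HHBBH6s4s6s4s"  # RFC 826 ARP over Ethernet/IPv4: 28 bytes, big-endian
REQUEST, REPLY = 1, 2
def mac_to_bytes(mac):
    # Accept both forms shown in the post: 06:b3:47:fc:1d:28 and 06-b3-47-fc-1d-28.
    return bytes.fromhex(mac.replace(":", "").replace("-", ""))
def bytes_to_mac(b):
    return ":".join(f"{x:02x}" for x in b)

def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op, mac_to_bytes(sender_mac),
                       IPv4Address(sender_ip).packed, mac_to_bytes(target_mac),
                       IPv4Address(target_ip).packed)

def parse_arp(pkt):
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(ARP_FMT, pkt[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return {"op": op, "sender_mac": bytes_to_mac(sha), "sender_ip": str(IPv4Address(spa)),
            "target_mac": bytes_to_mac(tha), "target_ip": str(IPv4Address(tpa))}

class ArpMonitor:
    """Passive check: learn IP->MAC bindings from ARP, flag unsolicited replies and changes."""
    def __init__(self):
        self.table, self.pending, self.alerts = {}, set(), []
    def observe(self, pkt):
        a = parse_arp(pkt)
        ip, mac = a["sender_ip"], a["sender_mac"]
        if a["op"] == REQUEST:
            self.pending.add(a["target_ip"])        # someone asked "who has target_ip?"
        elif a["op"] == REPLY:
            if ip not in self.pending:              # "X is-at M" that nobody asked for
                self.alerts.append(f"unsolicited reply: {ip} is-at {mac}")
            self.pending.discard(ip)
        old = self.table.get(ip)
        if old is not None and old != mac:          # the MITM symptom: the gateway "moves"
            self.alerts.append(f"binding change: {ip} was {old}, now {mac}")
        self.table[ip] = mac
        return a

def demo():
    # Constructed sample: the post's host 192.168.1.32 resolves an assumed gateway
    # 192.168.1.1; all MACs are made up; the third frame is a forged reply.
    gw, host, rogue = "aa:bb:cc:00:00:01", "06:b3:47:fc:1d:28", "de:ad:be:ef:00:99"
    m = ArpMonitor()
    m.observe(build_arp(REQUEST, host, "192.168.1.32", "00:00:00:00:00:00", "192.168.1.1"))
    m.observe(build_arp(REPLY, gw, "192.168.1.1", host, "192.168.1.32"))
    m.observe(build_arp(REPLY, rogue, "192.168.1.1", host, "192.168.1.32"))
    return m.alerts
```

A real monitor would feed `observe()` the ARP payload of each frame read from an interface (any capture library will do) and would also expect legitimate changes when a device is replaced, so alerts should be reviewed rather than acted on automatically.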