What digital currency is ARP
Publish: 2021-04-14 18:27:04
1.
RP is actually the abbreviation of the English phrase address resolution protocol, and its Chinese name is address resolution protocol
it mainly refers to the IP protocol on a physical address obtained according to the IP address of the computer. ARP is built on the premise of mutual trust between various hosts in the network. It can also check the corresponding relationship between the IP address and MAC address in the ARP cache of the local computer, so as to add and delete various static corresponding relationships
now our common related protocols are RARP, proxy ARP and so on. If users of NDP can replace ARP in IPv6
solution
according to the routing table content on host a, IP determines that the forwarding IP address used to access host B is 192.168.1.2. Then host a checks the matching MAC address of host B in its local ARP cache
if host a does not find a mapping in the ARP cache, it will ask for the hardware address of 192.168.1.2 to broadcast the ARP request frame to all hosts on the local network
the IP address and MAC address of the source host a are included in the ARP request, and each host on the local network receives the ARP request and checks whether it matches its own IP address. If the host finds that the requested IP address does not match its own IP address, it discards the ARP request
host B determines that the IP address in the ARP request matches its own IP address, and adds the IP address and MAC address mapping of host a to the local ARP cache
host B sends the ARP reply message containing its MAC address directly back to host a
when host a receives the ARP reply message from host B, it will update the ARP cache with the IP and MAC address mapping of host B. The native cache has a lifetime. After the lifetime, the above process will be repeated again. Once the MAC address of host B is determined, host a can send IP communication to host B
extended data
protection principle
it is difficult to prevent ARP attack, and it is impossible to modify the protocol. But there are some jobs that can improve the security of the local network
first of all, you should know that if a wrong record is inserted into the ARP or IP route table, it can be deleted in two ways
A. using ARP – D host_ Entry
arp network breaking attack
B. automatically expired, and deleted by the system
in this way, the following methods can be adopted:
rece the expiration time
? NDD – set / dev / ARP ARP_ cleanup_ interval 60000
#ndd -set /dev/ip ip_ ire_ flush_ Interval 60000
60000 = 60000 milliseconds, the default is 300000
to speed up the expiration time, which can not avoid the attack, but it makes the attack more difficult. The impact is that there will be a large number of ARP requests and replies in the network. Please do not use it on the busy network
reference: network ARP attack
2. Displays and modifies the IP or token ring physical address translation table used by ARP to Ethernet. This command is available only after the TCP / IP protocol is installed< What is ARP Protocol?
arp protocol is the abbreviation of address resolution protocol. In the LAN, the actual transmission in the network is "frame", which has the MAC address of the target host. In Ethernet, if a host wants to communicate directly with another host, it must know the MAC address of the target host. But how is the target MAC address obtained? It is obtained through the address resolution protocol. The so-called "address resolution" is the process that the host converts the target IP address into the target MAC address before sending the frame. The basic function of ARP protocol is to query the MAC address of the target device through the IP address of the target device, so as to ensure the smooth progress of communication
Second, the working principle of ARP protocol
in every computer with TCP / IP protocol installed, there is an ARP cache table, and the IP address in the table corresponds to the MAC address one by one, as shown in the attached table
attached table
let's take host a (192.168.1.5) sending data to host B (192.168.1.1) as an example. When sending data, host a will look for the target IP address in its ARP cache table. If it is found, the target MAC address will be known. Just write the target MAC address into the frame and send it; If the corresponding IP address is not found in the ARP cache table, host a will send a broadcast on the network, and the target MAC address is "FF. FF. FF. FF. FF". This means to send such a query to all hosts in the same network segment: "what is the MAC address of 192.168.1.1?" Other hosts on the network do not respond to the ARP query. Only when host B receives this frame, it makes such a response to host a: "the MAC address of 192.168.1.1 is 00-aa-00-62-c6-09". In this way, host a knows the MAC address of host B, and it can send information to host B. At the same time, it also updates its own ARP cache table. The next time it sends information to host B, it can directly search from the ARP cache table. ARP cache table adopts aging mechanism. If a row in the table is not used in a period of time, it will be deleted. This can greatly rece the length of ARP cache table and speed up the query speed
3. How to view the ARP cache table
the ARP cache table can be viewed, added and modified. At the command prompt, enter "ARP - a" to view the contents of the ARP cache table, as shown in the figure
with the "ARP - D" command, you can delete the contents of a row in the ARP table; "ARP - s" can be used to manually specify the correspondence between IP address and MAC address in ARP table< 4. ARP deception. In fact, ARP deception is the main cause of the sudden drop of line or large-area disconnection. ARP spoofing attack has become the main culprit of Internet cafe operation, and it is a serious problem for Internet cafe owners and network managers
there are two kinds of ARP spoofing in terms of the ways that affect the smooth network connection. One is to cheat the ARP table of router; The other is gateway spoofing to intranet PC
the first principle of ARP spoofing is to intercept gateway data. It informs the router of a series of wrong MAC addresses in the intranet, and carries out it continuously according to a certain frequency, so that the real address information can not be saved in the router through updating. As a result, all the data of the router can only be sent to the wrong MAC address, resulting in the normal PC can not receive the information. The second principle of ARP spoofing is forgery gateway. Its principle is to set up a fake gateway and let the PC cheated by it send data to the fake gateway instead of surfing the Internet through a normal router. In PC's view, it's just that we can't get on the Internet, "the network is offline."
generally speaking, the consequences of ARP spoofing attacks are very serious, which will cause a large area of offline in most cases. Some network managers don't know much about this. When there is a failure, they think that there is no problem with the PC and the switch has no "ability" to drop the line. Telecom also doesn't admit the broadband failure. And if the first ARP Spoofing occurs, as long as the router is restarted, the network can be fully recovered, then the problem must be in the router. To this end, broadband router back a lot of "black pot."
as a manufacturer of Internet bar routers, we have to do a lot of internal and external work to prevent ARP deception. 1、 In the broadband router, the IP-MAC of all PCs is input into a static table, which is called router IP-MAC binding. 2、 Urge the network administrator to set the static ARP information of gateway on all PCs in the intranet, which is called PC IP-MAC binding. Generally, the manufacturer requires two jobs to be done, which is called IP-MAC bidirectional binding.
arp protocol is the abbreviation of address resolution protocol. In the LAN, the actual transmission in the network is "frame", which has the MAC address of the target host. In Ethernet, if a host wants to communicate directly with another host, it must know the MAC address of the target host. But how is the target MAC address obtained? It is obtained through the address resolution protocol. The so-called "address resolution" is the process that the host converts the target IP address into the target MAC address before sending the frame. The basic function of ARP protocol is to query the MAC address of the target device through the IP address of the target device, so as to ensure the smooth progress of communication
Second, the working principle of ARP protocol
in every computer with TCP / IP protocol installed, there is an ARP cache table, and the IP address in the table corresponds to the MAC address one by one, as shown in the attached table
attached table
let's take host a (192.168.1.5) sending data to host B (192.168.1.1) as an example. When sending data, host a will look for the target IP address in its ARP cache table. If it is found, the target MAC address will be known. Just write the target MAC address into the frame and send it; If the corresponding IP address is not found in the ARP cache table, host a will send a broadcast on the network, and the target MAC address is "FF. FF. FF. FF. FF". This means to send such a query to all hosts in the same network segment: "what is the MAC address of 192.168.1.1?" Other hosts on the network do not respond to the ARP query. Only when host B receives this frame, it makes such a response to host a: "the MAC address of 192.168.1.1 is 00-aa-00-62-c6-09". In this way, host a knows the MAC address of host B, and it can send information to host B. At the same time, it also updates its own ARP cache table. The next time it sends information to host B, it can directly search from the ARP cache table. ARP cache table adopts aging mechanism. If a row in the table is not used in a period of time, it will be deleted. This can greatly rece the length of ARP cache table and speed up the query speed
3. How to view the ARP cache table
the ARP cache table can be viewed, added and modified. At the command prompt, enter "ARP - a" to view the contents of the ARP cache table, as shown in the figure
with the "ARP - D" command, you can delete the contents of a row in the ARP table; "ARP - s" can be used to manually specify the correspondence between IP address and MAC address in ARP table< 4. ARP deception. In fact, ARP deception is the main cause of the sudden drop of line or large-area disconnection. ARP spoofing attack has become the main culprit of Internet cafe operation, and it is a serious problem for Internet cafe owners and network managers
there are two kinds of ARP spoofing in terms of the ways that affect the smooth network connection. One is to cheat the ARP table of router; The other is gateway spoofing to intranet PC
the first principle of ARP spoofing is to intercept gateway data. It informs the router of a series of wrong MAC addresses in the intranet, and carries out it continuously according to a certain frequency, so that the real address information can not be saved in the router through updating. As a result, all the data of the router can only be sent to the wrong MAC address, resulting in the normal PC can not receive the information. The second principle of ARP spoofing is forgery gateway. Its principle is to set up a fake gateway and let the PC cheated by it send data to the fake gateway instead of surfing the Internet through a normal router. In PC's view, it's just that we can't get on the Internet, "the network is offline."
generally speaking, the consequences of ARP spoofing attacks are very serious, which will cause a large area of offline in most cases. Some network managers don't know much about this. When there is a failure, they think that there is no problem with the PC and the switch has no "ability" to drop the line. Telecom also doesn't admit the broadband failure. And if the first ARP Spoofing occurs, as long as the router is restarted, the network can be fully recovered, then the problem must be in the router. To this end, broadband router back a lot of "black pot."
as a manufacturer of Internet bar routers, we have to do a lot of internal and external work to prevent ARP deception. 1、 In the broadband router, the IP-MAC of all PCs is input into a static table, which is called router IP-MAC binding. 2、 Urge the network administrator to set the static ARP information of gateway on all PCs in the intranet, which is called PC IP-MAC binding. Generally, the manufacturer requires two jobs to be done, which is called IP-MAC bidirectional binding.
3. Address resolution in protocol, which means address resolution, resolves IP address to MAC address, such as 192.168.1.1 - & gt; 00-1e-37-44-86-5e, when the computer communicates in the LAN, it uses data frame to communicate, and the header of the data frame contains MAC address information.
4. The principle of ARP Spoofing
Objective: to directly mount the horse by ARP Spoofing
advantages: you can mount the horse directly by ARP spoofing.
the usual attack mode of ARP spoofing is to control a host to monitor the password under the same VLAN, or to monitor the password of ssh1 in combination with SSH man in the middle attack.
however, there are limitations:
1, It will take a long time to listen to the password.
2. The target host only has port 80 and a management port, and there are only static pages on the 80, so it is difficult to use it. If the management port is 3389 terminal or SSH2, it is very difficult to listen to the password.
advantages:
1. You can directly hang up on it without obtaining the permission of the target host.
2, It does not change the page or configuration of any target host, and inserts the hanging horse statement directly in the process of network transmission.
3. It can maximize the use of ARP spoofing, so as to maximize the results as long as it obtains the control right of a host under the same VLAN.
principle: ARP man in the middle attack is actually equivalent to acting as an agent
normal time:
A --- & gt; When ARP man in the middle attacks:
A --- & gt; C----> B
B----> C----> A
actually, C acts as a proxy here
when an HTTP request is sent, C determines which client sent the packet and forwards it to B. when B returns the HTTP response, it inserts a piece of code in the HTTP response packet, such as & lt; iframe>... In this process, B doesn't feel anything. It directly attacks the normal customer A. if a is an administrator or a target company, it directly mounts the horse.
what is ARP< Address
resolution
protocol
Chinese definition: (rfc-826) address resolution protocol
in LAN, the actual transmission in the network is "frame", in which there is the MAC address of the target host. The so-called "address resolution" is the process that the host converts the target IP address into the target MAC address before
sending the frame. The basic function of ARP protocol is to query the MAC address of the target device through the IP address of the target device to ensure the smooth communication
note: in short, ARP protocol is mainly responsible for translating 32-bit IP address in LAN into corresponding 48 bit physical address, that is, MAC address of network card, for example, IP address is 192.168.0.1, MAC address of network card is 00-03-0f-fd-1d-2b. The whole conversion process is that a host first sends a broadcast packet containing IP address information to the target host, that is, ARP request, and then the target host sends a packet containing IP address and MAC address to the host, and the data transmission can be realized through the two hosts with MAC address
Application: there is a special ARP cache in the computer installed with Ethernet network adapter, which contains one or more tables to store IP address and resolved MAC address. To view or modify the information in the ARP cache in windows, you can use the ARP command. For example, type "ARP
- a" or "ARP
- G" in the command prompt window of windows
XP to view the content in the ARP cache; Type "ARP
- d
IPAddress" to delete the specified IP address item (IPAddress means IP address). For other uses of the ARP command, type "ARP
/?" You can see it
temporary defense:
http://www.hackerdown.com/soft/25.htm
ARP firewall stand-alone version 4.0.1, released on March 12, formerly known as anti
arp
sniffer, adopts a new system kernel layer interception technology, which can completely solve all the problems caused by ARP attacks and ensure that the network is still normal when it is attacked by ARP, It can completely solve the packet loss phenomenon when attacked. It can automatically intercept and defend all kinds of ARP attack programs, ARP viruses and ARP Trojans, and inhibit all ARP malicious programs from sending false data packets through intelligent analysis. Automatic identification of ARP attack data types: external attack, IP conflict, external attack data, and detailed record of all suspicious packets and trace attackers, the software can automatically count the number of ARP broadcast packets sent and received. The author is authorized to publish
the best solution is to contact the computer room administrator
to request
MAC IP
to do static binding
Objective: to directly mount the horse by ARP Spoofing
advantages: you can mount the horse directly by ARP spoofing.
the usual attack mode of ARP spoofing is to control a host to monitor the password under the same VLAN, or to monitor the password of ssh1 in combination with SSH man in the middle attack.
however, there are limitations:
1, It will take a long time to listen to the password.
2. The target host only has port 80 and a management port, and there are only static pages on the 80, so it is difficult to use it. If the management port is 3389 terminal or SSH2, it is very difficult to listen to the password.
advantages:
1. You can directly hang up on it without obtaining the permission of the target host.
2, It does not change the page or configuration of any target host, and inserts the hanging horse statement directly in the process of network transmission.
3. It can maximize the use of ARP spoofing, so as to maximize the results as long as it obtains the control right of a host under the same VLAN.
principle: ARP man in the middle attack is actually equivalent to acting as an agent
normal time:
A --- & gt; When ARP man in the middle attacks:
A --- & gt; C----> B
B----> C----> A
actually, C acts as a proxy here
when an HTTP request is sent, C determines which client sent the packet and forwards it to B. when B returns the HTTP response, it inserts a piece of code in the HTTP response packet, such as & lt; iframe>... In this process, B doesn't feel anything. It directly attacks the normal customer A. if a is an administrator or a target company, it directly mounts the horse.
what is ARP< Address
resolution
protocol
Chinese definition: (rfc-826) address resolution protocol
in LAN, the actual transmission in the network is "frame", in which there is the MAC address of the target host. The so-called "address resolution" is the process that the host converts the target IP address into the target MAC address before
sending the frame. The basic function of ARP protocol is to query the MAC address of the target device through the IP address of the target device to ensure the smooth communication
note: in short, ARP protocol is mainly responsible for translating 32-bit IP address in LAN into corresponding 48 bit physical address, that is, MAC address of network card, for example, IP address is 192.168.0.1, MAC address of network card is 00-03-0f-fd-1d-2b. The whole conversion process is that a host first sends a broadcast packet containing IP address information to the target host, that is, ARP request, and then the target host sends a packet containing IP address and MAC address to the host, and the data transmission can be realized through the two hosts with MAC address
Application: there is a special ARP cache in the computer installed with Ethernet network adapter, which contains one or more tables to store IP address and resolved MAC address. To view or modify the information in the ARP cache in windows, you can use the ARP command. For example, type "ARP
- a" or "ARP
- G" in the command prompt window of windows
XP to view the content in the ARP cache; Type "ARP
- d
IPAddress" to delete the specified IP address item (IPAddress means IP address). For other uses of the ARP command, type "ARP
/?" You can see it
temporary defense:
http://www.hackerdown.com/soft/25.htm
ARP firewall stand-alone version 4.0.1, released on March 12, formerly known as anti
arp
sniffer, adopts a new system kernel layer interception technology, which can completely solve all the problems caused by ARP attacks and ensure that the network is still normal when it is attacked by ARP, It can completely solve the packet loss phenomenon when attacked. It can automatically intercept and defend all kinds of ARP attack programs, ARP viruses and ARP Trojans, and inhibit all ARP malicious programs from sending false data packets through intelligent analysis. Automatic identification of ARP attack data types: external attack, IP conflict, external attack data, and detailed record of all suspicious packets and trace attackers, the software can automatically count the number of ARP broadcast packets sent and received. The author is authorized to publish
the best solution is to contact the computer room administrator
to request
MAC IP
to do static binding
5.
ARP protocol is in the LAN, the actual transmission in the network is "frame", which has the MAC address of the target host
a host can use it to determine whether another host has set the same IP address. The host bsdi does not want to have an answer to this request, but if it receives an answer, an error message will be generated in the terminal log: & quot; Ethernet address: A: B: C: D: e: F send plicate IP address;, This will alert the system administrator that a system has incorrect settings
if the host receives an ARP request from an IP address, and it is already in the cache of the receiver, it needs to update the corresponding contents in the cache with the hardware address of the sender (such as Ethernet address) in the ARP request
extended data
principle of IP address partition
the first bit (the highest bit) of the first byte in binary form is fixed to 0, so that, The range of class a IP address can be calculated:
0000 0000.0000 0000.0000 0000 ~ 0111 1111.1111 1111.1111 1111.1111 1111.1111 1111 converted to dot decimal is 0.0.0 ~ 126.255.255.255
127 is reserved for the internal loopback function, while 0 indicates that the address is the IP address of the local host. Generally, it is assigned to a large network, with 126 networks, and each network can hold more than 16777214 hosts
6. What is the principle, phenomenon and solution of ARP attack
1. First of all, let's talk about what ARP is
arp (address resolution protocol) is an address resolution protocol, which converts IP address into physical address. There are two ways to map from IP address to physical address: tabular and non tabular. ARP is to resolve the address of the network layer (IP layer, which is equivalent to the third layer of OSI) to the MAC address of the data connection layer (MAC layer, which is equivalent to the second layer of OSI)
arp principle: if a machine a wants to send a message to host B, it will query the local ARP cache table and find the MAC address corresponding to B's IP address before data transmission. If not, broadcast a ARP request message (carrying IP address ia of host a -- physical address PA), and request host B with IP address IB to answer physical address Pb. All hosts including B receive ARP requests, but only host B recognizes its own IP address, so it sends back an ARP response message to host a. It contains the MAC address of B. after a receives the response from B, it will update the local ARP cache. Then, the MAC address is used to send data (the MAC address is attached by the network card). Therefore, the ARP table of local cache is the basis of local network circulation, and the cache is dynamic
arp protocol does not receive ARP response only after sending ARP request. When the computer receives the ARP response packet, it will update the local ARP cache and store the IP and MAC addresses in the ARP cache. Therefore, when a machine B in the LAN sends a forged ARP response to a, and if the response is forged by B impersonating C, that is, the IP address of C is forged, and the MAC address is forged, then when a receives the forged ARP response from B, it will update the local ARP cache, so that in a's opinion, the IP address of C has not changed, and its MAC address is not the original one. Because the LAN network circulation is not based on the IP address, but according to the MAC address for transmission. Therefore, the forged MAC address is changed to a nonexistent MAC address on a, which will cause the network to be blocked and a can't Ping C! This is a simple ARP spoofing
2. Network law enforcement officers use this principle
in the network law enforcement officers, if you want to restrict a machine from accessing the Internet, just click & quot; Network card & quot; & quot; Permissions & quot;, Select the specified network card number or click the line of the network card in the user list and select & quot; Permissions & quot;, In the pop-up dialog box, you can limit the user's permissions. For unregistered network cards, you can limit them to go online in this way: as long as you set up all known users (Registration), you can prevent all unknown network cards from going online by changing the default permissions of network cards to forbid them to go online. Use these two functions to limit users' access to the Internet. Its principle is to send the attacked computer a Mac corresponding to a fake gateway IP address through ARP spoofing, so that it can not find the real MAC address of the gateway, so that it can be banned from surfing the Internet< According to the above analysis, it is not difficult for us to draw a conclusion: as long as we modify the MAC address, we can cheat the network law enforcement officer to scan, so as to achieve the purpose of breaking the blockade. The following is the method to modify the MAC address of network card:
in & quot; Start & quot; Menu & quot; Run & quot; Enter regedit, open the registry editor, and expand the registry to: HKEY_ LOCAL_
machine / system / currentcontrol
set / control / class / {4d36e972-e325-11ce-bfc1-08002be103
18} subkey, search for driverdecs in branches such as 000000010002 under subkey (if you have more than one network card, 00010002... Save the information about your network card here, and the driverdecs content is the information description of the network card, For example, my network card is Intel 210
41 based Ethernet controller). Suppose your network card is in 0000 subkey
add a string under 0000 subkey and name it & quot; NetworkAddress", The key value is the modified MAC address, which requires 12 consecutive hexadecimal numbers. Then in & quot; 0000" Create a new subkey named networkaddress in NDI / params under subkey, and add the subkey named & quot; default" The key value is the modified MAC address
under the subkey of networkaddress, continue to create a network named & quot; ParamDesc" It is used to specify the description of network
address, and its value can be & quot; MAC Address" In this way, the & quot; Properties & quot;, Double click the corresponding network card to find a & quot; Advanced & quot; Setting, there is the MAC address option under it, which is the new key you added in the registry & quot; NetworkAddress", Later, just modify the MAC address here
close the registry and restart. Your network card address has been changed. Open the properties of network neighbor, double-click the corresponding network card item, and you will find an advanced setting item of MAC address, which is used to modify the MAC address directly
MAC address, also known as physical address, hardware address or link address, is written in the hardware when it is proced by the network equipment manufacturer. This address has nothing to do with the network, that is, no matter where the hardware with this address (such as network card, hub, router, etc.) is connected to the network, it has the same MAC address. Generally, the MAC address cannot be changed and cannot be set by the user. MAC address is usually expressed as 12 hexadecimal numbers, and every two hexadecimal numbers are separated by colons. For example, 08:00:20:0a: 8C: 6D is a MAC address, in which the first six hexadecimal numbers, 08:00:20 represents the number of the network hardware manufacturer, which is assigned by IEEE, and the last three hexadecimal numbers, 0A: 8C: 6D, represent the serial number of a network proct (such as network card) manufactured by the manufacturer. Each network manufacturer must ensure that every Ethernet device it manufactures has the same first three bytes and different last three bytes. This ensures that every Ethernet device in the world has a unique MAC address
in addition, the principle of the network law enforcement officer is to send the MAC address corresponding to the fake gateway IP address to a computer through ARP spoofing, so that it can not find the real MAC address of the gateway. Therefore, as long as we modify the mapping from IP to Mac, the ARP spoofing of network law enforcement officers will be invalid, and its limitation will be broken. You can ping the gateway in advance, then use ARP - a command to get the MAC address of the gateway, and finally use ARP - s IP network card MAC address command to map the IP address of the gateway with its MAC address
4. Find the other party that makes you unable to access the Internet
after the network law enforcement officer's blockade is lifted, we can use arpkeller's & quot; Sniffer killer & quot; Scan the entire LAN IP segment, and then look for the & quot; Hybrid & quot; Mode of the computer, you can find each other. The specific method is: run arpkeller (Figure 2), and then click & quot; Sniffer monitoring tool;, In the & quot; Sniffer killer & quot; Enter the start and end IP of the detection in the window (Figure 3), and click & quot; Start detection & quot; That's it
after the detection, if the corresponding IP is a green hat sub icon, it means that the IP is in normal mode; if it is a red hat, it means that the NIC is in mixed mode. It's our goal. This guy is using the Internet. The law enforcement officer is making trouble
when scanning, I am also in mixed mode, so I can't count myself in it
it's up to you to deal with the other party after you find him. For example, you can use the network law enforcement officer to block the other party!: -)
1. First of all, let's talk about what ARP is
arp (address resolution protocol) is an address resolution protocol, which converts IP address into physical address. There are two ways to map from IP address to physical address: tabular and non tabular. ARP is to resolve the address of the network layer (IP layer, which is equivalent to the third layer of OSI) to the MAC address of the data connection layer (MAC layer, which is equivalent to the second layer of OSI)
arp principle: if a machine a wants to send a message to host B, it will query the local ARP cache table and find the MAC address corresponding to B's IP address before data transmission. If not, broadcast a ARP request message (carrying IP address ia of host a -- physical address PA), and request host B with IP address IB to answer physical address Pb. All hosts including B receive ARP requests, but only host B recognizes its own IP address, so it sends back an ARP response message to host a. It contains the MAC address of B. after a receives the response from B, it will update the local ARP cache. Then, the MAC address is used to send data (the MAC address is attached by the network card). Therefore, the ARP table of local cache is the basis of local network circulation, and the cache is dynamic
arp protocol does not receive ARP response only after sending ARP request. When the computer receives the ARP response packet, it will update the local ARP cache and store the IP and MAC addresses in the ARP cache. Therefore, when a machine B in the LAN sends a forged ARP response to a, and if the response is forged by B impersonating C, that is, the IP address of C is forged, and the MAC address is forged, then when a receives the forged ARP response from B, it will update the local ARP cache, so that in a's opinion, the IP address of C has not changed, and its MAC address is not the original one. Because the LAN network circulation is not based on the IP address, but according to the MAC address for transmission. Therefore, the forged MAC address is changed to a nonexistent MAC address on a, which will cause the network to be blocked and a can't Ping C! This is a simple ARP spoofing
2. Network law enforcement officers use this principle
in the network law enforcement officers, if you want to restrict a machine from accessing the Internet, just click & quot; Network card & quot; & quot; Permissions & quot;, Select the specified network card number or click the line of the network card in the user list and select & quot; Permissions & quot;, In the pop-up dialog box, you can limit the user's permissions. For unregistered network cards, you can limit them to go online in this way: as long as you set up all known users (Registration), you can prevent all unknown network cards from going online by changing the default permissions of network cards to forbid them to go online. Use these two functions to limit users' access to the Internet. Its principle is to send the attacked computer a Mac corresponding to a fake gateway IP address through ARP spoofing, so that it can not find the real MAC address of the gateway, so that it can be banned from surfing the Internet< According to the above analysis, it is not difficult for us to draw a conclusion: as long as we modify the MAC address, we can cheat the network law enforcement officer to scan, so as to achieve the purpose of breaking the blockade. The following is the method to modify the MAC address of network card:
in & quot; Start & quot; Menu & quot; Run & quot; Enter regedit, open the registry editor, and expand the registry to: HKEY_ LOCAL_
machine / system / currentcontrol
set / control / class / {4d36e972-e325-11ce-bfc1-08002be103
18} subkey, search for driverdecs in branches such as 000000010002 under subkey (if you have more than one network card, 00010002... Save the information about your network card here, and the driverdecs content is the information description of the network card, For example, my network card is Intel 210
41 based Ethernet controller). Suppose your network card is in 0000 subkey
add a string under 0000 subkey and name it & quot; NetworkAddress", The key value is the modified MAC address, which requires 12 consecutive hexadecimal numbers. Then in & quot; 0000" Create a new subkey named networkaddress in NDI / params under subkey, and add the subkey named & quot; default" The key value is the modified MAC address
under the subkey of networkaddress, continue to create a network named & quot; ParamDesc" It is used to specify the description of network
address, and its value can be & quot; MAC Address" In this way, the & quot; Properties & quot;, Double click the corresponding network card to find a & quot; Advanced & quot; Setting, there is the MAC address option under it, which is the new key you added in the registry & quot; NetworkAddress", Later, just modify the MAC address here
close the registry and restart. Your network card address has been changed. Open the properties of network neighbor, double-click the corresponding network card item, and you will find an advanced setting item of MAC address, which is used to modify the MAC address directly
MAC address, also known as physical address, hardware address or link address, is written in the hardware when it is proced by the network equipment manufacturer. This address has nothing to do with the network, that is, no matter where the hardware with this address (such as network card, hub, router, etc.) is connected to the network, it has the same MAC address. Generally, the MAC address cannot be changed and cannot be set by the user. MAC address is usually expressed as 12 hexadecimal numbers, and every two hexadecimal numbers are separated by colons. For example, 08:00:20:0a: 8C: 6D is a MAC address, in which the first six hexadecimal numbers, 08:00:20 represents the number of the network hardware manufacturer, which is assigned by IEEE, and the last three hexadecimal numbers, 0A: 8C: 6D, represent the serial number of a network proct (such as network card) manufactured by the manufacturer. Each network manufacturer must ensure that every Ethernet device it manufactures has the same first three bytes and different last three bytes. This ensures that every Ethernet device in the world has a unique MAC address
in addition, the principle of the network law enforcement officer is to send the MAC address corresponding to the fake gateway IP address to a computer through ARP spoofing, so that it can not find the real MAC address of the gateway. Therefore, as long as we modify the mapping from IP to Mac, the ARP spoofing of network law enforcement officers will be invalid, and its limitation will be broken. You can ping the gateway in advance, then use ARP - a command to get the MAC address of the gateway, and finally use ARP - s IP network card MAC address command to map the IP address of the gateway with its MAC address
4. Find the other party that makes you unable to access the Internet
after the network law enforcement officer's blockade is lifted, we can use arpkeller's & quot; Sniffer killer & quot; Scan the entire LAN IP segment, and then look for the & quot; Hybrid & quot; Mode of the computer, you can find each other. The specific method is: run arpkeller (Figure 2), and then click & quot; Sniffer monitoring tool;, In the & quot; Sniffer killer & quot; Enter the start and end IP of the detection in the window (Figure 3), and click & quot; Start detection & quot; That's it
after the detection, if the corresponding IP is a green hat sub icon, it means that the IP is in normal mode; if it is a red hat, it means that the NIC is in mixed mode. It's our goal. This guy is using the Internet. The law enforcement officer is making trouble
when scanning, I am also in mixed mode, so I can't count myself in it
it's up to you to deal with the other party after you find him. For example, you can use the network law enforcement officer to block the other party!: -)
7.
ARP (address resolution protocol) is a TCP / IP protocol to obtain physical address according to IP address. When the host sends the information, it broadcasts the ARP request containing the target IP address to all hosts on the LAN, and receives the return message to determine the physical address of the target; After receiving the returned message, the IP address and physical address will be stored in the local ARP cache for a certain period of time, and the ARP cache will be queried directly in the next request to save resources
the address resolution protocol is based on the mutual trust of each host in the network. The host in the local area network can send ARP response message independently, and other hosts will not detect the authenticity of the response message when they receive it, and will record it into the local ARP cache; Thus, the attacker can send a pseudo ARP response message to a host, so that the message can not reach the expected host or the wrong host, which constitutes an ARP spoofing
extended data:
RARP is different from ARP. Address resolution protocol is a protocol to obtain physical address according to IP address, while reverse address translation protocol (RARP) is a protocol to request IP address from ARP table or cache of gateway server according to MAC address, Its function is opposite to address resolution protocol. Compared with ARP, the workflow of RARP is the opposite. First, the query host sends a RARP request broadcast packet to the network, and queries its own IP address from other hosts. At this time, the RARP server on the network will respond the sender's IP address with the RARP reply packet, so that the query host will get its own IP address
8. (rfc-826) address resolution protocol
in LAN, the actual transmission in the network is "frame", in which there is the MAC address of the target host. The so-called "address resolution" is the process that the host converts the target IP address into the target MAC address before sending the frame. The basic function of ARP protocol is to query the MAC address of the target device through the IP address of the target device to ensure the smooth communication
note: in short, ARP protocol is mainly responsible for translating 32-bit IP address in LAN into corresponding 48 bit physical address, that is, MAC address of network card, for example, IP address is 192.168.0.1, MAC address of network card is 00-03-0f-fd-1d-2b. The whole conversion process is that a host first sends a broadcast packet containing IP address information to the target host, that is, ARP request, and then the target host sends a packet containing IP address and MAC address to the host, and the data transmission can be realized through the two hosts with MAC address
Application: there is a special ARP cache in the computer installed with Ethernet network adapter, which contains one or more tables to store IP address and resolved MAC address. To view or modify the information in the ARP cache in windows, you can use the ARP command. For example, you can view the content in the ARP cache by typing "ARP - a" or "ARP - G" in the command prompt window of Windows XP; Type "ARP - D IPAddress" to delete the specified IP address item (IPAddress for IP address). For other uses of the ARP command, type "ARP / When we see
ARP Spoofing Trojan (virus) attacks, a large number of data packets are sent out, which leads to unstable network operation, frequent disconnection, frequent errors in IE browser, and some common software failures.
in LAN, the actual transmission in the network is "frame", in which there is the MAC address of the target host. The so-called "address resolution" is the process that the host converts the target IP address into the target MAC address before sending the frame. The basic function of ARP protocol is to query the MAC address of the target device through the IP address of the target device to ensure the smooth communication
note: in short, ARP protocol is mainly responsible for translating 32-bit IP address in LAN into corresponding 48 bit physical address, that is, MAC address of network card, for example, IP address is 192.168.0.1, MAC address of network card is 00-03-0f-fd-1d-2b. The whole conversion process is that a host first sends a broadcast packet containing IP address information to the target host, that is, ARP request, and then the target host sends a packet containing IP address and MAC address to the host, and the data transmission can be realized through the two hosts with MAC address
Application: there is a special ARP cache in the computer installed with Ethernet network adapter, which contains one or more tables to store IP address and resolved MAC address. To view or modify the information in the ARP cache in windows, you can use the ARP command. For example, you can view the content in the ARP cache by typing "ARP - a" or "ARP - G" in the command prompt window of Windows XP; Type "ARP - D IPAddress" to delete the specified IP address item (IPAddress for IP address). For other uses of the ARP command, type "ARP / When we see
ARP Spoofing Trojan (virus) attacks, a large number of data packets are sent out, which leads to unstable network operation, frequent disconnection, frequent errors in IE browser, and some common software failures.
9. 1、 What is ARP protocol
arp protocol is the abbreviation of address resolution protocol. In the LAN, the actual transmission in the network is "frame", which has the MAC address of the target host. In Ethernet, if a host wants to communicate directly with another host, it must know the MAC address of the target host. But how is the target MAC address obtained? It is obtained through the address resolution protocol. The so-called "address resolution" is the process that the host converts the target IP address into the target MAC address before sending the frame. The basic function of ARP protocol is to query the MAC address of the target device through the IP address of the target device, so as to ensure the smooth progress of communication
Second, the working principle of ARP protocol
in every computer with TCP / IP protocol installed, there is an ARP cache table, and the IP address in the table corresponds to the MAC address one by one, as shown in the attached table
attached table
let's take host a (192.168.1.5) sending data to host B (192.168.1.1) as an example. When sending data, host a will look for the target IP address in its ARP cache table. If it is found, the target MAC address will be known. Just write the target MAC address into the frame and send it; If the corresponding IP address is not found in the ARP cache table, host a will send a broadcast on the network, and the target MAC address is "FF. FF. FF. FF. FF". This means to send such a query to all hosts in the same network segment: "what is the MAC address of 192.168.1.1?" Other hosts on the network do not respond to the ARP query. Only when host B receives this frame, it makes such a response to host a: "the MAC address of 192.168.1.1 is 00-aa-00-62-c6-09". In this way, host a knows the MAC address of host B, and it can send information to host B. At the same time, it also updates its own ARP cache table. The next time it sends information to host B, it can directly search from the ARP cache table. ARP cache table adopts aging mechanism. If a row in the table is not used in a period of time, it will be deleted. This can greatly rece the length of ARP cache table and speed up the query speed
3. How to view the ARP cache table
the ARP cache table can be viewed, added and modified. At the command prompt, enter "ARP - a" to view the contents of the ARP cache table, as shown in the figure
with the "ARP - D" command, you can delete the contents of a row in the ARP table; "ARP - s" can be used to manually specify the correspondence between IP address and MAC address in ARP table< 4. ARP deception. In fact, ARP deception is the main cause of the sudden drop of line or large-area disconnection. ARP spoofing attack has become the main culprit of Internet cafe operation, and it is a serious problem for Internet cafe owners and network managers
there are two kinds of ARP spoofing in terms of the ways that affect the smooth network connection. One is to cheat the ARP table of router; The other is gateway spoofing to intranet PC
the first principle of ARP spoofing is to intercept gateway data. It informs the router of a series of wrong MAC addresses in the intranet, and carries out it continuously according to a certain frequency, so that the real address information can not be saved in the router through updating. As a result, all the data of the router can only be sent to the wrong MAC address, resulting in the normal PC can not receive the information. The second principle of ARP spoofing is forgery gateway. Its principle is to set up a fake gateway and let the PC cheated by it send data to the fake gateway instead of surfing the Internet through a normal router. In PC's view, it's just that we can't get on the Internet, "the network is offline."
generally speaking, the consequences of ARP spoofing attacks are very serious, which will cause a large area of offline in most cases. Some network managers don't know much about this. When there is a failure, they think that there is no problem with the PC and the switch has no "ability" to drop the line. Telecom also doesn't admit the broadband failure. And if the first ARP Spoofing occurs, as long as the router is restarted, the network can be fully recovered, then the problem must be in the router. To this end, broadband router back a lot of "black pot."
as a manufacturer of Internet bar routers, we have to do a lot of internal and external work to prevent ARP deception. 1、 In the broadband router, the IP-MAC of all PCs is input into a static table, which is called router IP-MAC binding. 2、 Urge the network administrator to set the static ARP information of gateway on all PCs in the intranet, which is called PC IP-MAC binding. Generally, the manufacturer requires two jobs to be done, which is called IP-MAC bidirectional binding
display and modify the IP or token ring physical address translation table used by ARP to Ethernet. This command is available only after the TCP / IP protocol is installed< br />
arp -a [inet_ addr] [-N [if_ addr]
arp -d inet_ addr [if_ addr]
arp -s inet_ addr ether_ addr [if_ Addr]
parameters
- a
display the current ARP item by asking TCP / IP. If INET is specified_ Addr, only the IP and physical address of the specified computer will be displayed
- G
is the same as - A< br />
inet_ Addr
specifies the IP address in dotted decimal notation
- N
display by if_ The ARP item of the network interface specified by addr< br />
if_ Addr
specifies the IP address (if any) whose address translation table interface needs to be modified. If not, the first applicable interface is used
- d
delete by INET_ Addr
- s
add an item to the ARP cache and change the IP address to INET_ Addr and physical address ether_ Addr Association. The physical address is given by six hexadecimal bytes separated by a hyphen. Use dotted decimal notation to specify the IP address. Items are permanent, that is, they are automatically removed from the cache after the timeout expires< br />
ether_ Addr
specifies the physical address< The basic function of ARP protocol is to query the MAC address of the target device through the IP address of the target device, so as to ensure the communication
based on the working characteristics of ARP protocol, hackers constantly send fraulent ARP packets to the other computer. The packets contain the MAC address that is repeated with the current device, which makes the other computer unable to carry out normal network communication e to simple address repetition errors when responding to messages. Generally, there are two phenomena in ARP attacked computers:
1. Pop up the dialog box of "the hardware address of XXX segment of the local computer conflicts with the address of XXX segment of the network"
2. The computer can't access to the Internet normally, resulting in the symptoms of network interruption
because this attack uses ARP request packets to "cheat", the firewall will mistakenly think that it is a normal request packet and will not intercept it. Therefore, the ordinary firewall is difficult to resist this attack.
arp protocol is the abbreviation of address resolution protocol. In the LAN, the actual transmission in the network is "frame", which has the MAC address of the target host. In Ethernet, if a host wants to communicate directly with another host, it must know the MAC address of the target host. But how is the target MAC address obtained? It is obtained through the address resolution protocol. The so-called "address resolution" is the process that the host converts the target IP address into the target MAC address before sending the frame. The basic function of ARP protocol is to query the MAC address of the target device through the IP address of the target device, so as to ensure the smooth progress of communication
Second, the working principle of ARP protocol
in every computer with TCP / IP protocol installed, there is an ARP cache table, and the IP address in the table corresponds to the MAC address one by one, as shown in the attached table
attached table
let's take host a (192.168.1.5) sending data to host B (192.168.1.1) as an example. When sending data, host a will look for the target IP address in its ARP cache table. If it is found, the target MAC address will be known. Just write the target MAC address into the frame and send it; If the corresponding IP address is not found in the ARP cache table, host a will send a broadcast on the network, and the target MAC address is "FF. FF. FF. FF. FF". This means to send such a query to all hosts in the same network segment: "what is the MAC address of 192.168.1.1?" Other hosts on the network do not respond to the ARP query. Only when host B receives this frame, it makes such a response to host a: "the MAC address of 192.168.1.1 is 00-aa-00-62-c6-09". In this way, host a knows the MAC address of host B, and it can send information to host B. At the same time, it also updates its own ARP cache table. The next time it sends information to host B, it can directly search from the ARP cache table. ARP cache table adopts aging mechanism. If a row in the table is not used in a period of time, it will be deleted. This can greatly rece the length of ARP cache table and speed up the query speed
3. How to view the ARP cache table
the ARP cache table can be viewed, added and modified. At the command prompt, enter "ARP - a" to view the contents of the ARP cache table, as shown in the figure
with the "ARP - D" command, you can delete the contents of a row in the ARP table; "ARP - s" can be used to manually specify the correspondence between IP address and MAC address in ARP table< 4. ARP deception. In fact, ARP deception is the main cause of the sudden drop of line or large-area disconnection. ARP spoofing attack has become the main culprit of Internet cafe operation, and it is a serious problem for Internet cafe owners and network managers
there are two kinds of ARP spoofing in terms of the ways that affect the smooth network connection. One is to cheat the ARP table of router; The other is gateway spoofing to intranet PC
the first principle of ARP spoofing is to intercept gateway data. It informs the router of a series of wrong MAC addresses in the intranet, and carries out it continuously according to a certain frequency, so that the real address information can not be saved in the router through updating. As a result, all the data of the router can only be sent to the wrong MAC address, resulting in the normal PC can not receive the information. The second principle of ARP spoofing is forgery gateway. Its principle is to set up a fake gateway and let the PC cheated by it send data to the fake gateway instead of surfing the Internet through a normal router. In PC's view, it's just that we can't get on the Internet, "the network is offline."
generally speaking, the consequences of ARP spoofing attacks are very serious, which will cause a large area of offline in most cases. Some network managers don't know much about this. When there is a failure, they think that there is no problem with the PC and the switch has no "ability" to drop the line. Telecom also doesn't admit the broadband failure. And if the first ARP Spoofing occurs, as long as the router is restarted, the network can be fully recovered, then the problem must be in the router. To this end, broadband router back a lot of "black pot."
as a manufacturer of Internet bar routers, we have to do a lot of internal and external work to prevent ARP deception. 1、 In the broadband router, the IP-MAC of all PCs is input into a static table, which is called router IP-MAC binding. 2、 Urge the network administrator to set the static ARP information of gateway on all PCs in the intranet, which is called PC IP-MAC binding. Generally, the manufacturer requires two jobs to be done, which is called IP-MAC bidirectional binding
display and modify the IP or token ring physical address translation table used by ARP to Ethernet. This command is available only after the TCP / IP protocol is installed< br />
arp -a [inet_ addr] [-N [if_ addr]
arp -d inet_ addr [if_ addr]
arp -s inet_ addr ether_ addr [if_ Addr]
parameters
- a
display the current ARP item by asking TCP / IP. If INET is specified_ Addr, only the IP and physical address of the specified computer will be displayed
- G
is the same as - A< br />
inet_ Addr
specifies the IP address in dotted decimal notation
- N
display by if_ The ARP item of the network interface specified by addr< br />
if_ Addr
specifies the IP address (if any) whose address translation table interface needs to be modified. If not, the first applicable interface is used
- d
delete by INET_ Addr
- s
add an item to the ARP cache and change the IP address to INET_ Addr and physical address ether_ Addr Association. The physical address is given by six hexadecimal bytes separated by a hyphen. Use dotted decimal notation to specify the IP address. Items are permanent, that is, they are automatically removed from the cache after the timeout expires< br />
ether_ Addr
specifies the physical address< The basic function of ARP protocol is to query the MAC address of the target device through the IP address of the target device, so as to ensure the communication
based on the working characteristics of ARP protocol, hackers constantly send fraulent ARP packets to the other computer. The packets contain the MAC address that is repeated with the current device, which makes the other computer unable to carry out normal network communication e to simple address repetition errors when responding to messages. Generally, there are two phenomena in ARP attacked computers:
1. Pop up the dialog box of "the hardware address of XXX segment of the local computer conflicts with the address of XXX segment of the network"
2. The computer can't access to the Internet normally, resulting in the symptoms of network interruption
because this attack uses ARP request packets to "cheat", the firewall will mistakenly think that it is a normal request packet and will not intercept it. Therefore, the ordinary firewall is difficult to resist this attack.
10. ARP, address resolution protocol, by following the protocol, as long as we know the IP address of a machine, we can know its physical address. In the TCP / IP network environment, each host is assigned a 32-bit IP address, which is a logical address to identify the host in the Internet. In order for the message to be transmitted on the physical network, the physical address of the destination host must be known. In this way, there is the problem of address translation from IP address to physical address. Taking the Ethernet environment as an example, in order to correctly transmit messages to the destination host, the 32-bit IP address of the destination host must be converted into the 48 bit Ethernet address. This requires a set of services in the interconnection layer to translate IP addresses into corresponding physical addresses. This set of protocols is ARP protocol
in every computer with TCP / IP protocol, there is an ARP cache table. The IP address in the table corresponds to the MAC address one by one, as shown in the attached table
attached table
take host a (192.168.1.5) sending data to host B (192.168.1.1) as an example. When sending data, host a will look for the target IP address in its ARP cache table. If it is found, the target MAC address will be known. Just write the target MAC address into the frame and send it; If the target IP address is not found in the ARP cache table, host a will send a broadcast on the network, and the target MAC address is "FF. FF. FF. FF. FF". This means to send such a query to all hosts in the same network segment: "I am 192.168.1.5, and my hardware address is & quot; FF.FF.FF.FF.FF.FE". What is the MAC address with IP address 192.168.1.1? " Other hosts on the network do not respond to the ARP query. Only when host B receives this frame, it makes such a response to host a: "the MAC address of 192.168.1.1 is 00-aa-00-62-c6-09". In this way, host a knows the MAC address of host B, and it can send information to host B. At the same time, a and B also update their ARP cache tables (because a tells B their IP and MAC addresses together when asking). Next time a sends information to host B or B to a, it is OK to directly search from their respective ARP cache tables. ARP cache table adopts aging mechanism (that is, TTL is set). In a period of time (generally 15-20 minutes), if a row in the table is not used, it will be deleted. This can greatly rece the length of ARP cache table and speed up the query speed
arp attack is to achieve ARP spoofing by forging IP address and MAC address, which can generate a large amount of ARP traffic in the network and block the network. As long as the attacker continuously sends forged ARP response packets, the IP-MAC entry in ARP cache of the target host can be changed, resulting in network interruption or man in the middle attack
arp attack mainly exists in LAN network. If a person in LAN infects ARP Trojan horse, the system that infects the ARP Trojan horse will try to intercept the communication information of other computers in the network through ARP spoofing, which will cause the communication failure of other computers in the network< The working principle of RARP is as follows:
1. The sending host sends a local RARP broadcast. In this broadcast packet, it states its own MAC address and requests any RARP server that receives the request to assign an IP address
2. After receiving the request, the RARP server on the local network segment checks its RARP list to find the IP address corresponding to the MAC address
3. If it exists, the RARP server will send a response packet to the source host and provide the IP address to the other host for use
4. If it does not exist, the RARP server will not respond to it
5. The source host receives the response information from the RARP server and uses the IP address to communicate; If the response information of RARP server has not been received, it indicates that initialization failed
6. If ARP virus attacks in 1-3, the response made by the server will be occupied, and the source host can not get the response information of the RARP server. At this time, it is not that the server does not respond, but the IP of the source host returned by the server is occupied.
in every computer with TCP / IP protocol, there is an ARP cache table. The IP address in the table corresponds to the MAC address one by one, as shown in the attached table
attached table
take host a (192.168.1.5) sending data to host B (192.168.1.1) as an example. When sending data, host a will look for the target IP address in its ARP cache table. If it is found, the target MAC address will be known. Just write the target MAC address into the frame and send it; If the target IP address is not found in the ARP cache table, host a will send a broadcast on the network, and the target MAC address is "FF. FF. FF. FF. FF". This means to send such a query to all hosts in the same network segment: "I am 192.168.1.5, and my hardware address is & quot; FF.FF.FF.FF.FF.FE". What is the MAC address with IP address 192.168.1.1? " Other hosts on the network do not respond to the ARP query. Only when host B receives this frame, it makes such a response to host a: "the MAC address of 192.168.1.1 is 00-aa-00-62-c6-09". In this way, host a knows the MAC address of host B, and it can send information to host B. At the same time, a and B also update their ARP cache tables (because a tells B their IP and MAC addresses together when asking). Next time a sends information to host B or B to a, it is OK to directly search from their respective ARP cache tables. ARP cache table adopts aging mechanism (that is, TTL is set). In a period of time (generally 15-20 minutes), if a row in the table is not used, it will be deleted. This can greatly rece the length of ARP cache table and speed up the query speed
arp attack is to achieve ARP spoofing by forging IP address and MAC address, which can generate a large amount of ARP traffic in the network and block the network. As long as the attacker continuously sends forged ARP response packets, the IP-MAC entry in ARP cache of the target host can be changed, resulting in network interruption or man in the middle attack
arp attack mainly exists in LAN network. If a person in LAN infects ARP Trojan horse, the system that infects the ARP Trojan horse will try to intercept the communication information of other computers in the network through ARP spoofing, which will cause the communication failure of other computers in the network< The working principle of RARP is as follows:
1. The sending host sends a local RARP broadcast. In this broadcast packet, it states its own MAC address and requests any RARP server that receives the request to assign an IP address
2. After receiving the request, the RARP server on the local network segment checks its RARP list to find the IP address corresponding to the MAC address
3. If it exists, the RARP server will send a response packet to the source host and provide the IP address to the other host for use
4. If it does not exist, the RARP server will not respond to it
5. The source host receives the response information from the RARP server and uses the IP address to communicate; If the response information of RARP server has not been received, it indicates that initialization failed
6. If ARP virus attacks in 1-3, the response made by the server will be occupied, and the source host can not get the response information of the RARP server. At this time, it is not that the server does not respond, but the IP of the source host returned by the server is occupied.
Hot content