Friday, August 3, 2012

NETCUT ARP exploitation, how it works, how to avoid



Well, let's see, who doesn't know about NetCut? NetCut has been around for some time as a handy little tool for wreaking havoc on local networks and cutting a victim off from the internet. But how exactly does this thing work? What does it have to do with ARP? What is ARP anyway? I'll give a brief explanation of the topic, so keep reading.

Okay, what is ARP?

The Address Resolution Protocol (ARP) is a computer networking protocol for determining a network host's Link Layer or hardware address when only its Internet Layer (IP) or Network Layer address is known. That's what Wikipedia says. In simpler terms, it is the method machines on a local network use to find another machine's hardware address when all they know is its IP.

How does ARP work? And how the hell is it exploitable?

Okay, networking 101. When a PC, let's say PC-A (192.168.1.1), wants to send a packet to PC-B, which has IP 192.168.1.2, it can't do so until it knows PC-B's hardware address (MAC address). So the first thing it does is ask the whole network who has IP 192.168.1.2, and eventually PC-B answers with something like “Hey, I am 192.168.1.2, my MAC is 1f:00:24:12:22”. After that, the packet is sent to PC-B.

A PC can also, without being asked at all, send a packet announcing who it is, something like “Hey, I am PC-C, my IP is 192.168.1.3 and my MAC address is 1f:00:24:12:23”. Every other PC on the network keeps that record in a cache called the ARP table. The problem is that they never authenticate these announcements. They simply accept the broadcast and update their ARP table.

That being said, now here comes the dirty thing.

What happens if PC-D with IP 192.168.1.4 suddenly sends an ARP packet claiming to be PC-B? Well, PC-A simply believes it and sends the packet to PC-D instead. IT IS EXPLOITABLE!

So, how does NetCut work then?

I'll explain with a simple analogy based on the PCs above, with an additional PC-Z as the gateway at IP 192.168.1.254:
PC-Z (192.168.1.254) knows in its ARP table that PC-B has MAC 1f:00:24:12:22
PC-B (192.168.1.2) knows that PC-Z has MAC 1f:00:24:12:99
PC-C (192.168.1.3) is the attacker. It sends an ARP packet to PC-Z saying that it is 192.168.1.2 with MAC 1f:00:24:12:23
PC-Z believes it, and records that PC-B has MAC 1f:00:24:12:23
PC-C sends another ARP packet to PC-B, saying that it is 192.168.1.254 with MAC 1f:00:24:12:23
PC-B believes it, and records that PC-Z has MAC 1f:00:24:12:23
From then on, all traffic B -> Z and Z -> B passes through C, so C can do whatever it wants with the packets, whether that is blocking them completely (Packet Poisoning) or altering them (Packet Injection).

So what NetCut does is simply lie to both PC-B and PC-Z, which leaves PC-B completely unable to reach the internet.

How do we avoid NetCut's ARP exploitation then?

So far, what we can do against this kind of attack is make our ARP table static and read-only, so that when an ARP packet or ARP broadcast arrives, our machine simply ignores it.
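To make the mechanics above concrete, here is an added Python illustration (not code from the original post, and not how NetCut itself is written): a simulated ARP cache for PC-B, PC-C and PC-Z using the post's addresses, run once with ordinary dynamic entries and once with the gateway and victim entries pinned the way a static ARP entry does. The Host class and its cache behaviour are assumptions of the example, chosen to mirror what a default host does: accept any reply, authenticate nothing.

```python
"""Simulated ARP caches showing how NetCut-style poisoning redirects traffic,
and how a static (pinned) entry stops it.

Added illustration, not code from the original post. The Host class, its
behaviour and the replayed sequence are constructed to mirror the post's
PC-B / PC-C / PC-Z scenario.
"""
from dataclasses import dataclass, field


@dataclass
class Host:
    name: str
    ip: str
    mac: str
    # Dynamic entries: overwritten by any ARP reply, as hosts do by default.
    arp_table: dict = field(default_factory=dict)
    # Static entries: pinned ip -> mac pairs that gratuitous replies cannot change.
    static: dict = field(default_factory=dict)

    def receive_arp_reply(self, claimed_ip: str, sender_mac: str) -> bool:
        """Process an unauthenticated ARP reply. Returns True if the cache changed."""
        if claimed_ip in self.static:
            # Static entry wins: the reply is ignored (the 'arp -s' mitigation).
            return False
        changed = self.arp_table.get(claimed_ip) != sender_mac
        self.arp_table[claimed_ip] = sender_mac
        return changed

    def resolve(self, ip: str) -> str:
        """MAC this host would put on a frame destined for `ip`."""
        return self.static.get(ip) or self.arp_table[ip]


def run_scenario(pin_static: bool) -> dict:
    """Replay the post's B <-> Z poisoning and report where each side's frames go."""
    pc_b = Host("PC-B", "192.168.1.2", "1f:00:24:12:22")     # victim
    pc_c = Host("PC-C", "192.168.1.3", "1f:00:24:12:23")     # attacker (NetCut)
    pc_z = Host("PC-Z", "192.168.1.254", "1f:00:24:12:99")   # gateway

    # Legitimate state before the attack.
    pc_z.receive_arp_reply(pc_b.ip, pc_b.mac)
    pc_b.receive_arp_reply(pc_z.ip, pc_z.mac)
    if pin_static:
        pc_b.static[pc_z.ip] = pc_z.mac   # victim pins its gateway
        pc_z.static[pc_b.ip] = pc_b.mac   # gateway pins the victim

    # The two forged replies the post describes.
    pc_z.receive_arp_reply(pc_b.ip, pc_c.mac)   # "I am 192.168.1.2"
    pc_b.receive_arp_reply(pc_z.ip, pc_c.mac)   # "I am 192.168.1.254"

    return {
        "B_to_Z_frames_go_to": pc_b.resolve(pc_z.ip),
        "Z_to_B_frames_go_to": pc_z.resolve(pc_b.ip),
        "attacker_in_path": pc_b.resolve(pc_z.ip) == pc_c.mac
                            or pc_z.resolve(pc_b.ip) == pc_c.mac,
    }


if __name__ == "__main__":
    print("dynamic cache: ", run_scenario(pin_static=False))
    print("static entries:", run_scenario(pin_static=True))
```

With dynamic entries both directions end up at PC-C's MAC; with the two entries pinned, the forged replies change nothing, which is exactly what the static-table advice buys you. Note that the protection only covers the pinned pairs, so every host you care about has to be pinned on both ends.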

There are plenty of small tools out there for this, such as Anti-ARP for Windows and ArpON for Linux.

Manually on Linux, add a static ARP entry with the arp command, so the machine no longer has to ask around for the right address for each packet:

arp -v [-t hardwaretype] -s hostname hardwareaddress


We can also use arptables, a package that maintains ARP packet filter rules. Run it as root or via sudo, and make sure the arptables package is installed first:

arptables -P INPUT DROP
arptables -P OUTPUT DROP
arptables -A INPUT -s ip.of.gateway.machines --source-mac macaddress:of:gateway:machines -j ACCEPT
arptables -A OUTPUT -d ip.of.gateway.machines --destination-mac macaddress:of:gateway:machines -j ACCEPT

Note that with both chains set to DROP, the only ARP exchange left is with the gateway; the machine will no longer resolve other hosts on the LAN, so add matching ACCEPT rules for any local machine you still need to reach.


On Windows, we can use either netsh or arp:

netsh -c "interface ipv4" set neighbors "Connection_name" "A.B.C.D" "XX-XX-XX-XX-XX-XX"

arp -s 10.0.0.200 00-10-54-CA-E1-40


Conclusion

ARP is still exploitable even with a static ARP table; there are plenty of other ways to exploit it, which I'll explain in another article. The paranoid way to avoid NetCut is to fire up Wireshark or Ettercap and let them sniff the network, so that if a spoofer or attacker ever comes on duty you can take the necessary action, whether that is calling the network administrator, slapping the attacker in the face, or spilling hot coffee on their laptop; that would be nice. Anyway, objections, corrections and comments are always welcome.
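As an added example of the sniffing approach (not code from the original post, nor from Wireshark or Ettercap), here is a Python detector for the tell-tale sign of ARP spoofing that Wireshark's "duplicate IP address detected" warning keys on: the same IP claimed by more than one MAC. It parses raw Ethernet/ARP frames with the standard library only; the frames it analyses are constructed inline using the post's IPs and made-up 6-octet MACs, since there is no live capture here. In real use you would feed it frames from a raw socket or a pcap file.

```python
"""Detect ARP spoofing from captured frames: an IP claimed by more than one MAC.

Added example, not code from the original post. Frames and MAC addresses below
are constructed test data (the post's IPs, made-up 6-octet MACs); a real
deployment would read frames from a raw socket or a pcap file instead.
"""
import struct
from collections import defaultdict

ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, EtherType
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")  # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def mac_bytes(s: str) -> bytes:
    return bytes(int(x, 16) for x in s.split(":"))


def ip_bytes(s: str) -> bytes:
    return bytes(int(x) for x in s.split("."))


def parse_arp(frame: bytes):
    """Return (opcode, sender_mac, sender_ip, target_ip), or None if the frame
    is not an Ethernet/IPv4 ARP packet."""
    if len(frame) < ETH_HDR.size + ARP_HDR.size:
        return None
    _dst, _src, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, _tha, tpa = ARP_HDR.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None   # only Ethernet/IPv4 ARP is handled
    return op, mac_str(sha), ip_str(spa), ip_str(tpa)


def find_conflicts(frames):
    """Collect the MACs that claim each IP; an IP claimed by more than one MAC is
    the signature of a forged reply such as NetCut sends."""
    claims = defaultdict(set)
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None:
            continue
        _op, sender_mac, sender_ip, _target_ip = parsed
        if sender_ip == "0.0.0.0":    # ARP probe: carries no address claim, skip it
            continue
        claims[sender_ip].add(sender_mac)   # requests and replies both carry a claim
    return {ip: sorted(macs) for ip, macs in claims.items() if len(macs) > 1}


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """Assemble an Ethernet/ARP frame; used here only to construct sample input."""
    dst = "ff:ff:ff:ff:ff:ff" if op == ARP_REQUEST else target_mac
    eth = ETH_HDR.pack(mac_bytes(dst), mac_bytes(sender_mac), ETHERTYPE_ARP)
    arp = ARP_HDR.pack(1, 0x0800, 6, 4, op, mac_bytes(sender_mac), ip_bytes(sender_ip),
                       mac_bytes(target_mac), ip_bytes(target_ip))
    return eth + arp


# Constructed capture: gateway PC-Z, victim PC-B, attacker PC-C (post's IPs, made-up MACs).
GATEWAY_MAC, VICTIM_MAC, ATTACKER_MAC = "02:00:00:00:00:99", "02:00:00:00:00:22", "02:00:00:00:00:23"
SAMPLE_FRAMES = [
    build_arp(ARP_REQUEST, VICTIM_MAC, "192.168.1.2", "00:00:00:00:00:00", "192.168.1.254"),
    build_arp(ARP_REPLY, GATEWAY_MAC, "192.168.1.254", VICTIM_MAC, "192.168.1.2"),
    b"\x00" * 60,                                                                      # non-ARP noise
    build_arp(ARP_REPLY, ATTACKER_MAC, "192.168.1.254", VICTIM_MAC, "192.168.1.2"),   # forged
    build_arp(ARP_REPLY, ATTACKER_MAC, "192.168.1.2", GATEWAY_MAC, "192.168.1.254"),  # forged
]

if __name__ == "__main__":
    for ip, macs in find_conflicts(SAMPLE_FRAMES).items():
        print(f"ALERT {ip} claimed by {macs}")
```

On the sample capture both the gateway's and the victim's IP show up with two MACs, which is the two-sided lie the post describes. A conflict alone does not say which MAC is the liar; a known-good baseline of the gateway's MAC (the same information the static entries above rely on) is what turns the alert into an identification.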