Netcut ARP exploitation, how it works, how to avoid by apronouva

NETCUT ARP exploitation, how it works, how to avoid
by fath on May 23, 2011 • 12:57 am

Well, let's see, who doesn't know about netcut? Netcut has been around for some time as a handy little tool for wreaking havoc on local networks by cutting a
victim off from the internet. But how exactly does it work? What does it have to do with ARP, and what is ARP anyway? I'll give a brief explanation of the topic,
so keep reading.

Okay, what is ARP?

The Address Resolution Protocol (ARP) is a computer networking protocol for determining a network host's Link Layer or hardware address when only its Internet
Layer (IP) or Network Layer address is known. That's what Wikipedia says. In simpler terms, it is how machines on a local network find each other's hardware (MAC)
address when all they know is the IP address.

How does ARP work? And how the hell is it exploitable?

Okay, networking 101. When a PC, let's say PC-A, wants to send a packet to PC-B and knows only PC-B's IP address, it cannot do so until it knows PC-B's hardware
address (MAC address). So the first thing it does is broadcast a request to the whole network asking who has PC-B's IP, and eventually PC-B answers along the lines
of "Hey, that's me, my MAC is 1f:00:24:12:22". After that, the packet is sent to PC-B's MAC.

A PC can also send an ARP packet without being asked, announcing who it is (a so-called gratuitous ARP): "Hey, I am PC-C, this is my IP and my MAC address is
1f:00:24:12:23". Every PC on the network keeps these IP-to-MAC mappings in a cache called the ARP table, and most operating systems update it from requests as well
as from replies. The problem is that they do not authenticate the announcements in any way: they simply accept the packet and update their ARP table.

That being said, here comes the dirty part.

What happens if PC-D suddenly sends an ARP packet claiming that it has PC-B's IP? PC-A will simply believe it and deliver the packets to PC-D instead. IT IS
EXPLOITABLE!

So, how does netcut work then?

I will explain with a simple analogy based on the PCs above, adding PC-Z as the gateway (the router that leads to the internet).

   1. PC-Z knows from its ARP table that PC-B has MAC 1f:00:24:12:22
   2. PC-B knows that PC-Z has MAC 1f:00:24:12:99
   3. PC-C is the attacker. It sends an ARP packet to PC-Z claiming to be PC-B's IP with MAC 1f:00:24:12:23
   4. PC-Z believes it and records that PC-B has MAC 1f:00:24:12:23
   5. PC-C sends another ARP packet to PC-B, claiming to be PC-Z's IP with MAC 1f:00:24:12:23
   6. PC-B believes it and records that PC-Z has MAC 1f:00:24:12:23
   7. From then on, all traffic from B to Z and from Z to B is delivered to C, so C can do whatever it wants with the packets: drop them completely (a denial of
      service, which is what netcut does), read them, or alter them and forward them on (a man-in-the-middle position, which is what packet injection builds on).
      Steps 3 to 6 are what is usually called ARP poisoning or ARP spoofing.

So what netcut does is simply lie to both PC-B and PC-Z and then discard the traffic it receives, which leaves PC-B completely unable to reach the internet.

How do we avoid netcut's ARP exploitation then?

So far, the main thing we can do against this kind of attack is to make our ARP table static and read-only, so that when an ARP reply or broadcast arrives for an
address we have pinned, our machine ignores it. Note that a static entry only protects the machine it is set on: if the gateway still learns ARP dynamically, the
attacker can poison the gateway's entry for us (steps 3 and 4 above) and still black-hole the traffic coming back from the internet.
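Here is the walkthrough above (steps 1 to 7), together with the static-entry defence from this section, as a small Python simulation. This is an added example, not code from the original article or from netcut itself: the hosts, IPs and MACs are constructed placeholders, and the ARP packets are encoded in the real 28-byte Ethernet/IPv4 ARP wire format (RFC 826) so you can see exactly which sender fields an unauthenticated cache trusts.

```python
"""Simulate netcut-style ARP poisoning (steps 1-7) and the static-ARP defence.

Added example; not from the original article.  All hosts and addresses
below are constructed placeholders.
"""
import socket
import struct

# ARP header: hw type, proto type, hw addr len, proto addr len, opcode
ARP_HDR = struct.Struct("!HHBBH")
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(mac: str) -> bytes:
    return bytes(int(x, 16) for x in mac.split(":"))


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def build_arp(op: int, sender_mac: str, sender_ip: str,
              target_mac: str, target_ip: str) -> bytes:
    """Encode a 28-byte Ethernet/IPv4 ARP payload exactly as sent on the wire."""
    return (ARP_HDR.pack(1, 0x0800, 6, 4, op)
            + mac_bytes(sender_mac) + socket.inet_aton(sender_ip)
            + mac_bytes(target_mac) + socket.inet_aton(target_ip))


def parse_arp(pkt: bytes) -> dict:
    """Decode the payload produced by build_arp (or sniffed off the wire)."""
    hw, proto, hlen, plen, op = ARP_HDR.unpack_from(pkt)
    if (hw, proto, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    off = ARP_HDR.size
    return {
        "op": op,
        "sender_mac": mac_str(pkt[off:off + 6]),
        "sender_ip": socket.inet_ntoa(pkt[off + 6:off + 10]),
        "target_mac": mac_str(pkt[off + 10:off + 16]),
        "target_ip": socket.inet_ntoa(pkt[off + 16:off + 20]),
    }


class Host:
    """A host with an ARP cache that behaves as the article describes:
    the sender ip/mac of ANY ARP packet is written to the cache without
    authentication.  Entries marked static are never overwritten."""

    def __init__(self, name: str, ip: str, mac: str):
        self.name, self.ip, self.mac = name, ip, mac
        self.arp_table = {}   # ip -> mac
        self.static = set()   # ips whose entry is pinned (read-only)

    def add_static(self, ip: str, mac: str) -> None:
        self.arp_table[ip] = mac
        self.static.add(ip)

    def receive_arp(self, pkt: bytes) -> None:
        arp = parse_arp(pkt)
        if arp["sender_ip"] in self.static:
            return                                   # defence: pinned entry wins
        self.arp_table[arp["sender_ip"]] = arp["sender_mac"]   # blind update

    def next_hop_mac(self, ip: str):
        return self.arp_table.get(ip)


# Constructed addresses: PC-B (victim), PC-C (attacker), PC-Z (gateway)
B_IP, B_MAC = "192.168.1.20", "1f:00:24:12:22:0b"
C_IP, C_MAC = "192.168.1.30", "1f:00:24:12:23:0c"
Z_IP, Z_MAC = "192.168.1.1", "1f:00:24:12:99:0f"


def run_attack(static_defence: bool) -> tuple:
    """Return (MAC that Z now uses for B, MAC that B now uses for Z)."""
    b = Host("PC-B", B_IP, B_MAC)
    z = Host("PC-Z", Z_IP, Z_MAC)
    # steps 1-2: legitimate state, learned from a normal reply each way
    z.receive_arp(build_arp(ARP_REPLY, B_MAC, B_IP, Z_MAC, Z_IP))
    b.receive_arp(build_arp(ARP_REPLY, Z_MAC, Z_IP, B_MAC, B_IP))
    if static_defence:
        b.add_static(Z_IP, Z_MAC)   # victim pins the gateway
        z.add_static(B_IP, B_MAC)   # gateway pins the victim
    # steps 3-6: C answers Z as if it were B, and answers B as if it were Z
    z.receive_arp(build_arp(ARP_REPLY, C_MAC, B_IP, Z_MAC, Z_IP))
    b.receive_arp(build_arp(ARP_REPLY, C_MAC, Z_IP, B_MAC, B_IP))
    return z.next_hop_mac(B_IP), b.next_hop_mac(Z_IP)


if __name__ == "__main__":
    print("no defence :", run_attack(False))   # both sides now point at C
    print("static ARP :", run_attack(True))    # B_MAC and Z_MAC survive
```

Without the defence both caches end up pointing at the attacker's MAC and the B-Z traffic flows through C (step 7); with the entries pinned on both ends the spoofed replies are ignored. Pinning only on PC-B would leave Z's entry poisoned, which is why the caveat above matters.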

There are plenty of small tools for this, such as Anti-ARP on Windows and ArpON on Linux.

On Linux, you can add a static ARP record manually with the arp command, so the machine never has to ask around for that address (entries added this way do not
survive a reboot, so put the command in a startup script; iproute2's ip neigh command can do the same):

    # pin hostname (or IP) to its MAC; -t is optional and defaults to ether
    arp -v [-t hardwaretype] -s hostname hardwareaddress

We can also use arptables, a tool for maintaining ARP packet filter rules. Run it as root (or with sudo) and make sure the arptables package is installed. The rules
below drop every ARP packet except those exchanged with the gateway, matching on both its IP and its MAC, so a spoofed reply carrying the gateway's IP but another
MAC is dropped before it reaches the cache:

    # default policy: drop all ARP traffic in and out
    arptables -P INPUT DROP
    arptables -P OUTPUT DROP
    # accept ARP from the gateway only if both its IP and its MAC match
    arptables -A INPUT -s ip.of.gateway.machines --source-mac macaddress:of:gateway:machines -j ACCEPT
    # only talk ARP to the gateway
    arptables -A OUTPUT -d ip.of.gateway.machines --destination-mac macaddress:of:gateway:machines -j ACCEPT

One caveat: our own ARP requests carry an empty (or broadcast) target MAC, so they do not match the OUTPUT rule and are dropped too. Combine these rules with a
static entry for the gateway, otherwise the machine cannot resolve it at all. Other hosts on the LAN also lose the ability to resolve our address, which on a hostile
network is usually what we want.

On Windows, we can use either netsh (the preferred way on Vista and later) or arp:

    netsh -c "interface ipv4" set neighbors "Connection_name" "A.B.C.D" "XX-XX-XX-XX-XX-XX"

    arp -s A.B.C.D 00-10-54-CA-E1-40


ARP is still exploitable even with a static ARP table; there are plenty of other ways to abuse it, which I will cover in another article. The paranoid way to
catch netcut is to fire up Wireshark or Ettercap and let them sniff the network: a legitimate host does not suddenly change its MAC, so an IP that starts answering
from a new MAC, or one MAC claiming several IPs, means a spoofer is on duty and you can take the necessary action, whether that is calling the network
administrator, slapping the attacker in the face, or spilling hot coffee on their laptop, which would be nice. Anyway, objections, corrections and comments are
always welcome.
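As an added example (not part of the original post), here is the check a sniffer can run over the ARP packets it sees to spot the spoofing described above. It works on the decoded sender fields of each packet, the kind of data tshark prints with -T fields -e arp.opcode -e arp.src.proto_ipv4 -e arp.src.hw_mac; the capture embedded below is constructed to replay the netcut walkthrough, and the addresses are placeholders.

```python
"""Detect ARP spoofing in a stream of observed ARP packets.

Added example, not code from the original article.  The capture below is
constructed; in practice feed the function the sender fields a sniffer
decodes (e.g. Wireshark's arp.opcode, arp.src.proto_ipv4, arp.src.hw_mac).
"""
from collections import defaultdict


def detect_arp_spoofing(observations, known=None):
    """observations: iterable of (opcode, sender_ip, sender_mac) tuples.
    known: optional dict ip -> mac of trusted mappings (e.g. the gateway),
           so even the first spoofed packet can be judged.
    Returns a list of alert strings.  Two signals are checked:
      1. an IP that is suddenly advertised with a different MAC
         (someone is claiming another host's address);
      2. one MAC advertising more than one IP (the attacker posing as
         both the victim and the gateway, as in the netcut walkthrough)."""
    ip_to_mac = {ip: mac.lower() for ip, mac in (known or {}).items()}
    mac_to_ips = defaultdict(set)
    for ip, mac in ip_to_mac.items():
        mac_to_ips[mac].add(ip)
    alerts = []
    for op, ip, mac in observations:
        mac = mac.lower()
        prev = ip_to_mac.get(ip)
        if prev is not None and prev != mac:
            alerts.append(f"{ip} moved from {prev} to {mac} (arp opcode {op})")
        ip_to_mac[ip] = mac
        if ip not in mac_to_ips[mac]:
            mac_to_ips[mac].add(ip)
            if len(mac_to_ips[mac]) > 1:
                alerts.append(f"{mac} now claims {sorted(mac_to_ips[mac])}")
    return alerts


# Constructed capture: a normal request/reply between PC-B and the gateway
# PC-Z, then the attacker PC-C poisons both sides (steps 3 and 5 above).
B_IP, B_MAC = "192.168.1.20", "1f:00:24:12:22:0b"
Z_IP, Z_MAC = "192.168.1.1", "1f:00:24:12:99:0f"
C_MAC = "1f:00:24:12:23:0c"
SAMPLE_CAPTURE = [
    (1, B_IP, B_MAC),   # B asks: who has the gateway?
    (2, Z_IP, Z_MAC),   # Z answers with its real MAC
    (2, B_IP, C_MAC),   # C to Z: "I am B" (B's IP, C's MAC)
    (2, Z_IP, C_MAC),   # C to B: "I am Z" (Z's IP, C's MAC)
]

if __name__ == "__main__":
    for line in detect_arp_spoofing(SAMPLE_CAPTURE):
        print("ALERT:", line)
```

Two things to keep in mind when using this for real. On a switched LAN a passive sniffer only sees broadcasts and frames addressed to its own MAC, so the spoofed reply sent to the gateway (step 3) is usually invisible from the victim; the one sent to you (step 5) is not, and seeding `known` with the gateway's real MAC lets that single packet raise an alert. The second signal has legitimate false positives: a router answering for several addresses (secondary IPs, proxy ARP, VRRP failover) or a DHCP lease moving an IP to a new device will both look like spoofing, so tune it with what you know about your own network.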
