Hello friends . I am posting this article just to make my readers familiar with some of the most basic yet misunderstood terms of Computer networks. I recently came across one of my blog followers who was having trouble with these terms . Not only he , in fact many of us face these problems . The issue is that we straight away jump into using tools and learn quickly from the various technical papers available over the net but we tend to forget the basics of networks and these three terms are used most frequently . I am starting with this basic article as I am trying to build a solid ground to explain my readers what exactly is ment my ARP flooding/ARP spoofing . This is the most deadly wiresless LAN hack currently in practice. There are plenty of tools available to launch the attack but we should understand the basics of networks so that we can understand the attack well and then apply relevant security measures. Later on I will post a tutorial on ARP spoofing using Cain and Abel.
The Basics :
You must be familiar with the term IP address( if you are not then you are on the wrong site buddy) . Just like your home has a mailing address in the same way computers or devices connected over the internet have a mailing address called the IP address . It can either be static or dynamic. In case its static then it will remain unchanged everytime you connect to a network and if its dynamic then a local DHCP server grants you a new IP address everytime you connect to internet.
So with machines coming and going on networks, and IP addresses ever changing, how do other computers on your network find Redbeard? The secret (well, not really a secret; just a fact that veteran administrators know so well, they forgot to tell you) is this: every networked device actually has two addresses. One is the IP address, which might or might not change. The other is the MAC address, which typically does not change.
When you connect a computer to your Ethernet LAN, do you know what you're plugging the Ethernet cable into? From the outside, it looks like you're plugging it into a metal case, but you're not. Inside the case is a Network Interface Card (NIC). A NIC is a special hardware card within any networked device (computer, printer, router, etc.) that handles all the technical aspects of sending and receiving data packets over a computer network.
Like your mailing address at home, your computer's NIC has a unique address. This address must be unique in all the world. Otherwise, network traffic couldn't find its way to the right computer.
The distinctive address that identifies a NIC is called the Media Access Control (MAC) address. A MAC address is a unique character string, and since it identifies a specific physical device -- one individual NIC -- the MAC address, by convention, never changes for the life of the NIC. Two NICs never have the same MAC address (unless some manufacturer screws up royally [which has happened]). Because your NIC's MAC address is permanent, it's often referred to as the "real," or physical, address of a computer.
A MAC address is formatted as a six-byte, hexadecimal number, like this:
So why do we need IP when we have MAC?
Good question (by me) . Actually MAC address are fixed so they cant be changed hence they are not as scalable compared to IP address. IP address have several other features like subnetting and supernetting which gives a logical understanding of the presence of a machine in a network. These facilities are not with the MACaddress.
Also MAC address are not routable . The Internet Protocols will not treat them as an address of a source or destination . Hence IP address in many ways simplifies our task.
The malleable IP address gives your network some flexible manageability. The never-changing MAC provides a specific, reliable address for a physical device.
Or you could say, we have the long and the short of it. IP addresses route a packet across the whole global Internet, while MAC addresses help the packet make the small, local hop between hardware devices. Sophisticated networking is possible because each of your networked devices has both a MAC and an IP address.
So what next good question comes to our mind? How MAC and IP co-ordinate?
Lets bring ARP(address resolution protocol)
The lamest definition that we study in local networking books is - network layer protocol that is used to convert IP address into MAC address.(absolutely true)
Lets talk cool now -
We began by wondering, "How do devices on a local network become aware of one another?" NICs and MACs are important pieces of the answer, but your network must learn to pair a MAC address with the IP address for the same machine. It does so using a technique called Address Resolution Protocol.
Think of ARP as network roll call. Remember the first day of your college/school? At the beginning of class, the teacher called from a list of names, expecting you to reply when she called yours. She did this to associate your name with your face. Every student heard every name, but answered only to his or her own name. ARP uses a similar technique to associate an IP address to the MAC address.
Let's assign Abhinav the IP address, 192.168.39.101, and suppose his NIC has the MAC address, 00:A0:24:30:2E:13. And suppose he need to send a file to Jaya or more literally, to her computer. When Abhinav attempts to send jaya a file, Abhinav first obtains Jaya's IP address. Upon seeing that the IP address is local (on the same subnetwork), Abhinav knows he is capable of sending the file to her destination, if he learns the "real" (MAC) address associated with that IP address. To learn the MAC address, Abhinav does what your teacher did on the first day of school/college. He calls out to the entire local network asking that the computer with the IP in question reply "Here!" with a MAC address.
Let's say that Jaya has the IP, 192.168.39.148. To find the MAC address for Jaya, Abhinav would send the following (simplified) ARP request:
(Abhinav's MAC address)
|00:A0:24:30:2E:13||FF:FF:FF:FF:FF:FF||Who has 192.168.39.148?|
Notice the special address in the "To" field above. That special address (all Fs) is the MAC broadcast address. Anything sent to that address goes to every computer on LAN segment. All those computers receive the message, but ignore it, because it doesn't pertain to them -- with the exception of Jaya. Because Jaya is 192.168.39.148, she replies with her MAC address, like this:
(Jaya's MAC address)
(Abhinav's MAC address)
|00:A0:24:30:4C:23||00:A0:24:30:2E:13||I have 192.168.39.148|
This is how Abhinav will finally succeed in finally sending his file (not a love letter) to Jaya after identifying her MAC or physical address.
In short Abhinav ARPed Jaya.
Here is a picture to demonstrate this process.
Having successfully ARPed, Abhinav stashes the newly-learned MAC/IP pair in an ARP cache. The ARP cache is a small segment of memory your computer reserves to temporarily store a table of MAC addresses and their associated IP addresses. Your computer keeps this table for efficiency so that it doesn't have to keep broadcasting ARP requests to computers it has already queried. If Abhinav needs to send something else to Jaya soon(maybe a loveletter this time), Abhinav will obtain Jaya's MAC address from his own ARP cache.
Hope this will clear most of your doubts relating to networks basics . This is an important tutorial for those who are trying their hands on wireless LAN hacking . A small basic knowledge can help you fix big problems . The focus of my next article will be to deal with ARP poisoning.
You can add your doubts and suggestions below.