I want to send a packet to another machine but with a different MAC address in the ethernet header. For this I am using raw sockets in C and creating my own ethernet header so that I can set the source MAC as desired. The trouble is that I am not sure what destination MAC address to fill in the header. I know the IP of the destination machine but not the MAC. Even if I knew, I don't want to hardcode this MAC.
One option I see is that my machine would know the MAC in its ARP table and I could read it and get the MAC address and fill it in. But doing this before sending each packet is overhead. I could read it once and keep using but what if some day the destination machine gets replaced. The admin would assign the same IP address to the new machine but the MAC address would be different. Probably when the new machine boots up, it would send a Gratuitous ARP and my machine would update its ARP table. But my program wouldn't know this. My program would keep sending packets with old MAC.
I feel I am missing something very basic. Thoughts?
What you are seeing here is the same problem that everyone faces, who tries to implement a network stack.
You have several options:
If the packet is a reply packet, then just use the MAC address of the from address
You can maintain an own arp-table and send a arp request if the entry in your table is missing or outdated. Parse arp replies and update your table accordingly. Packets to be sent without a valid arp table entry have to be queued. This is the most elegant, but also a very demanding option.
You can simply send the packet to the MAC of your local router. It will forward the packet to the correct host specified in the IP header. If your local router employs protocols like vrrp, hsrp or gblp, then the MAC address is always the same and doesn't change, even if your router is replaced.
You can read the MAC address from /proc/net/arp or with ioctl(SIOCGARP, ...);, but the entry for the IP you are looking for might not be present, if your host hasn't tried to communicate with it recently. You could, of course, send a dummy packet with sendto(); to that host before reading the arp table.
If you describe in more detail what you are planning to do, the suggestions might get better.
You can set the MAC address for the device with SIOCSIFHWADDR ioctl request. The manual for netdevice is a good starting point for this.
Related
This is a follow-up to my previous question: ARP reply packet does not update ARP cache on Ubuntu. It turned out that my problem was that I was using an arbitrary MAC address as my source MAC (ie. one that doesn't exist on my network, say aa:bb:cc:dd:ee:ff). I could send ARP replies to poison my cache with no problem as long as my source MAC matches with the MAC of my NIC. I tried to manually set my NIC to have an arbitrary MAC address, then send ARP replies using that as my ARP packet's source MAC - also worked.
I am wondering if anybody knows the inner workings of this. Was there some kind of check that prevents packets with mismatched source MAC from being sent? Was it a check between the source MAC of the Ethernet frame vs. the source MAC of the ARP packet? And for the purpose of an experiment that I'm running, is there a way to bypass this restriction?
JY
Various optimizations are possible to make ARP work more efficiently.
To start with, once a machine has run ARP, it caches the result in
case it needs to contact the same machine shortly. Next time it will
find the mapping it its own cache, thus eliminating the need for a
second broadcast. In many cases, host 2(receiver) will need to send
back a reply, forcing it, too, to run ARP to determine the sender's
Ethernet address. This ARP broadcast can be avoided by having sender
include its IP-to-Ethernet mapping in the ARP packet.
Quoted from Tanenbaum's Computer Networks, fifth Edition p486-487
So it looks like your receiver fails to resolve MAC of the sender. And Tanenbaum presented a solution to you to avoid this failure.
Was there some kind of check that prevents packets with mismatched
source MAC from being sent? Was it a check between the source MAC of
the Ethernet frame vs. the source MAC of the ARP packet?
You mention Ubuntu. In Linux, you can send any Ethernet frame (see examples), so internally there is no any kind of such check. But you did not tell how do you attempt to send the spoofed ARP messages; maybe the way you are doing it is limiting your options for the source MAC address.
So after I have played with the Network Spoofer developed by Digitalsquid (http://digitalsquid.co.uk/netspoof/), I have been trying to get a better understanding of its internal working by writing a c program that does something similar.
My program currently takes in 4 parameters - source ip, source mac, victim ip, and victim mac - and send an ARP reply packet with them. When testing the program on my home network, I would do something like setting the source ip to be the router's ip, source mac to be something bogus, victim ip to be my laptop's ip, and victim mac to be my laptop's wireless card mac.
The problem is, although I can see the packet being sent/received from monitoring the wireless card using tcpdump (ie. I would see something like "01:43:23.656745 ARP, Ethernet (len 6), IPv4 (len 4), Reply rouer-ip is-at bogus-mac-address, length 28", which is just what I expected), the ARP cache entry for the router stays the same (ie. still has the correct mac address).
I am not quite sure what the problem here is, and why I couldn't poison my ARP cache. I read somewhere that it could be my OS, Ubuntu 12.04, dropping the unsolicited ARP packets, so I tried to set /proc/sys/net/ipv4/conf/wlan0/arp_accept to 1 - no luck. I also tried to turn IP forwarding on (setting /proc/sys/net/ipv4/ip_forward to 1) as suggested by another article, and still had no luck.
I would really appreciate if somebody can give me some pointers/hints as to what the problem might be. Also, please correct me if I had a mistake in my understanding - I am quite new in the realm of c programming and ARP spoofing.
Thanks!
JY
Its good to take these arguments(source ip,source mac,target ip and target mac),but you are not giving correct values to it.
suppose A=the victim
and B=Gateway/Router/Switch in your network
ARP spoofing is actually convincing both A and B
You need to be more active in sending ARP request/reply to both A and B by giving your MAC address to be desired node.
So that whatever A/B sends will come to you first.
IP and MAC address fields are basically updated in CAT(content Addressable Memory) table of switch which keeps on updating time to time.
So when you are sending ARP Reuest to A(i.e Router/Gateway/Switch):-
Source IP=Victim's IP i.e A
Source MAc=your MAC(hackers MAC) so that data may come to your system
Destination IP=Rouer's IP
Detination MAC will be blank in case of ARP request
I am trying to find out mac address of a machine in a switched environment after sending it a raw packet. I am trying to implement traceroute command . I want to know when i receive a ICMP time exceeded message how can I extract the mac address of that machine . I am a new to network programming so am confused what socket call will help me to extract the mac address.
Thanks .
No, you can not extract MAC address from ICMP reply.
You can only determine MAC addresses of linked machines next to you. In ICMP(tracert) you can just find out the IP address of target or middle machine.
If you want to detect MAC addresses, you should use ARP protcols where it's applicable in local networks not Internet.
ICMP protocol starts after IPv4 header[1] and MAC addresses is related to physical/link layer. In low level layers the MAC addresses will transparent from top level layers such as network(IP) or Transmission,...
To determining MAC addresses, you should use Raw sockets or PCAP SDKs to access lower layers of network programming. (I say again, these are not useful over Internet)
Like Masoud M said, you can only get the MAC address of machines that are on your local network. That said, you can parse the output the arp command to find the MAC address given the IP address of a machine one your local network.
In general, on internet, you don't even know the media a host is using for transmitting packets. Let's suppose a remote host is conected over a serial rs-232-C link with PPP protocol. It doesn't have a mac address. This also happens for example if the host uses a token ring interface or frame relay link. This makes determining the remote mac addresses of hosts a local issue completely. Normally, when you get a packet from a remote site over ethernet, the source mac addres you get in the packet is the one of the last router that links you to the internet, not the one of the original host that sent the IP packet. In the RFC on IP over avian carriers (rfc1149, rfc2549 and rfc6214) the media used for transmission doesn't allow to use mac addresses (the link address, if somewhat feasible on a pidgeon could be, would be its name)
If you want to read about traceroute on ethernet network of switches, perhaps you had to have a look at the IEEE802.1ag, that has an specification to do tracerouting over switches (tracelink service) but I think is far over the scope of this answer.
Please don't criticise the solution. It's not my design and yes, it sucks.
On a computer running Linux, and using C, we need to verify that a TCP connection made to a process is from the same machine. Doing it by IP address is problematic since the OS is generating two IP addresses and the process only knows one. Anyway, verifying by IP address is a bit poor.
We want to do the verification by comparing the "remote" MAC address to the local MAC address. We already get the local MAC address. All I need to know is how to get the "remote" MAC address. It's in the packet that gets sent when forming the connection (and in all subsequent ones too). How do we drag it out of the ethernet layer?
Before anyone says this again, I KNOW you cannot get the MAC address of the remote host if it's not on the same subnet/LAN. That's fine. Presumably we'll get something like 00:00:00:00:00:00 and since that is different to the local MAC address it will be different - just what we want.
--
So, to summarise, we have a TCP connection socket fd, we've received a data packet, how do we then find the MAC address of the remote host, the MAC address that was in the packet's header?
If I understand correctly, you are not trying to tell remote machines apart, but to use the idea that the source and destination MAC would match on traffic sent from a machine to itself in order to allow only local traffic.
This seems rather roundabout, and has been pointed out, insecure.
A somewhat better idea might be to have the TCP client listen only on the loopback interface (127.0.0.1) and not on INADDR_ANY. Or go a step further and use a unix-domain socket instead of a TCP one (a common method used by X servers today to prevent the possibility of remote connections)
The MAC address of a live same-subnet TCP connection will almost certainly be in the ARP cache.
On Linux, you could examine the ARP cache by looking in /proc/net/arp. Here is what it looks like on my Ubuntu box:
aix#aix:~$ cat /proc/net/arp
IP address HW type Flags HW address Mask Device
10.0.0.32 0x1 0x2 00:1e:4f:f5:be:dc * eth0
10.10.10.1 0x1 0x2 00:1f:6c:3e:02:e3 * eth0
There's probably some callable API that you could use to get to the same data if you're averse to parsing the pseudo-file.
How about configuring a firewall (internal or external) to block or MAC-filter external traffic on the port in question?
A loopback connection (whether it's over the loopback interface or some other interface) it not routed over any ethernet device and therefore does not have a MAC address associated with it.
I suggest you just use getsockname and getpeername to get the local and remote IP address and compare that they are equal. That will work without any a priori knowledge of the configured IP addresses of your system.
Further, if you want to be IPv4/v6 agnostic, you could use getnameinfo with the NI_NUMERIC flag to convert both addresses to numeric string representations and strcmp them.
I have started coding a packet injector and read up a bit on what one has to do. One thing I'm wondering though is when I create the IP header the h_source and h_dest fields should contain the mac address of the sender and receiver. Do I have to do this and is there a quick way to find out the mac address of the destination? Let's say I craft a ICMP ping packet or some arbitrary TCP packet. Would be nice to just be able to say "send it to 192.168.0.10 from 192.168.0.1" and not having to care about the mac addresses. I guess the kernel normaly fills this in but letting it interfere here would not allow me complete control over the packet.
I'm afraid you've got that wrong, IP has no knowledge of the MAC adress, only the ethernet layer knows that. That's why you need the ARP protocol to determine which mac adress to send an IP packet to. Normally, you know which subnet you belong to, if your destination IP is local, you ARP for the MAC and send it diretly (this is usually done at a much lower level though). If it's not on your local subnet, you ARP for the gateway IP and send it there instead, which will forward it somehow.
The only source and destination present in the IP header are the source and destination IP addresses.
HTH.
EDIT:
For clarification. When sending via the gateway, the IP packet is normally not touched (except TTL, and, because of that, the checksum). There are situations where the IP packet must be fragmented, but that's a different issue. The point is the source and destination addresses remain the same, it's only on the layer below where we're actually saying it should be sent via some gateway or router.
Yes, you will need to fill this in. You can use ARP to determine the MAC address of a given IP address: http://en.wikipedia.org/wiki/Address_Resolution_Protocol