
Computer Network Security

UE20CS326
Prof. Prasad H B,
Prof. Preet Kanwal
Unit 2
Lecture 1


A Note on Security

☞ In this course, you will be exposed to information about security problems
and vulnerabilities with computing systems and networks.
☞ To be clear, you are not to use this or any other similar information to test
the security of, break into, compromise, or otherwise attack, any system or
network without the express consent of the owner.
☞ In particular, you will comply with all my instructions when doing the labs.
• My instructions are in consonance with applicable laws of India and PES
University policies.
• If in any doubt, please consult your professor!
☞ Any violation is at YOUR RISK!
And may result in severe consequences.
Data Link Layer (MAC Layer) & Attacks

Outline
☞ Introduction
☞ Ethernet Frame and MAC Header
☞ Tracking based on MAC address and Threat to Privacy
☞ Packet’s Hop-by-Hop Transmission
☞ ARP Protocol
☞ ARP Cache Poisoning Attack
☞ MITM Attacks using ARP Cache Poisoning



Ethernet Frame & MAC Header

The Type field of the MAC header specifies what is inside the payload:

08 00 -> IP type
08 06 -> ARP type

The payload has a size limit (due to hardware limitations):

Lower bound : 46 bytes. This limit is imposed by CSMA/CD, so that collisions
can be detected and the receiver can tell whether a frame is corrupted or not.

Upper bound : 1500 bytes


MAC Address

● Each network interface has a unique MAC address (also
known as hardware/physical address).
● Because Ethernet is the most common type of network, a
MAC address is also sometimes called an Ethernet address.
● A MAC address has six groups of two hexadecimal digits,
typically separated by colons.
Tracking based on MAC Address
● To prevent two network interfaces on the same network
from having the same MAC address, MAC addresses are made
unique and burned into the physical network interface
card during manufacturing.
● Security Problem :
■ Mobile devices keep scanning for nearby Wi-Fi
access points.
■ Even though you are not connecting to these
access points, by scanning you give out the unique
MAC address of your device to the Wi-Fi access
points.
Threat to Privacy
● If adversaries have access to data from many Wi-Fi
access points, they can correlate the data and eventually
connect the MAC address to the true identity of the owner;
this has been demonstrated in practice.



Solution : Re-configure the MAC address



ping google.com (outside your network)



ping 10.0.2.13 (unknown/new host on same network)



Packet’s Hop-by-Hop Transmission



Explanation (1)
● Host A needs to send a packet to B.
● It creates an IP header with dst IP as B's IP.
● Since B is on another network, A will have to ask the
router R1 to forward the packet.
● A constructs an Ethernet frame with the IP packet as its
payload, and sets the dest MAC address to router R1's
MAC address.
● This Ethernet frame is then put on the wire, and all
other computers on the network can see this frame.
● The NICs of the other computers will reject the frame, as the
dest MAC is not theirs.
Explanation (2)
● Router R1 will accept the packet and see that the dest IP is
B's IP.
● Since it knows it is a router, it performs routing.
● Some routers have multiple NICs, so R1 must decide
which NIC to forward the packet on.
● This time, R1 creates an Ethernet frame with the dest MAC
address set to R2's MAC address and its own MAC address as src.
● R2 will do exactly the same thing as R1 and forward the
packet to R3; R3 will send it to the next router, and so on.
● Eventually the packet arrives at router Rk, which is directly
connected to Host B.
Explanation (3)
● Rk will create another Ethernet frame where the source MAC
is Rk's and the dest MAC is B's MAC address.
● B's NIC accepts the frame, as the dest MAC is its own MAC.

Summary :
● The same payload keeps changing vehicles, if you
consider the Ethernet frame to be the vehicle.
● Hop by hop, the packet eventually arrives at the receiver
end.
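As an added illustration of the MAC header and the hop-by-hop explanation above (this is not code from the lecture), the following Python builds and parses Ethernet frames and re-frames one IP packet at each hop from A through R1 and R2 to B. A's and B's MAC addresses are the lab values from later slides; the router MACs and the payload are constructed.

```python
import struct

ETHERTYPE_IP = 0x0800   # 08 00 -> IP payload
ETHERTYPE_ARP = 0x0806  # 08 06 -> ARP payload
MIN_PAYLOAD = 46        # CSMA/CD lower bound: 14-byte header + 46 + 4-byte FCS = 64-byte frame
MAX_PAYLOAD = 1500      # upper bound (MTU)

def mac_to_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))

def bytes_to_mac(b):
    return ":".join(f"{x:02x}" for x in b)

def build_frame(dst_mac, src_mac, ethertype, payload):
    """Put payload behind a 14-byte MAC header; short payloads are padded to 46 bytes."""
    if len(payload) > MAX_PAYLOAD:
        raise ValueError("payload exceeds the 1500-byte upper bound")
    payload = payload.ljust(MIN_PAYLOAD, b"\x00")
    return mac_to_bytes(dst_mac) + mac_to_bytes(src_mac) + struct.pack("!H", ethertype) + payload

def parse_frame(frame):
    """Split a raw frame into dst MAC, src MAC, type and payload."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return {"dst": bytes_to_mac(dst), "src": bytes_to_mac(src),
            "type": ethertype, "payload": frame[14:]}

def hop_by_hop(ip_packet, path):
    """path = [(hop name, MAC), ...] from sender to receiver. Returns the parsed
    frame seen on each link: every hop discards the old MAC header and re-frames
    the same IP packet with its own MAC as src and the next hop's MAC as dst."""
    frames = []
    for (_, src_mac), (_, dst_mac) in zip(path, path[1:]):
        frames.append(parse_frame(build_frame(dst_mac, src_mac, ETHERTYPE_IP, ip_packet)))
    return frames

# Constructed sample: a stand-in IP packet and the MACs of A, R1, R2 and B
# (A's and B's MACs are the lab values from the slides; the router MACs are made up).
SAMPLE_IP_PACKET = b"\x45\x00" + b"IP header and data from A to B"
PATH = [("A", "08:00:27:fd:d5:27"), ("R1", "52:54:00:12:35:00"),
        ("R2", "52:54:00:12:35:01"), ("B", "08:00:27:aa:b1:ad")]

if __name__ == "__main__":
    for (hop, _), f in zip(PATH, hop_by_hop(SAMPLE_IP_PACKET, PATH)):
        print(f"{hop} sends: dst {f['dst']} src {f['src']} type 0x{f['type']:04x} "
              f"payload {len(f['payload'])} bytes (IP packet unchanged)")
```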



Note Default Route IP, MAC and Source IP



Observe Dest MAC and Dest IP (ping google.com)

Dest MAC : the default gateway's hardware address
Dest IP : 142.250.193.142 (not the gateway's IP)



The ARP Protocol & Format
☞ Address Resolution Protocol
☞ Layer 2 protocol
☞ Performs IP address to Ethernet (MAC) address mapping.
☞ Designed to map the address of one protocol to the address of another
protocol.



Check ARP Cache (arp -n)

☞ We can see there is no entry for 10.0.2.15

Pinging 10.0.2.15 for the first time; observe the packets in Wireshark



We can see the ARP request and reply packets (ping 10.0.2.15)

☞ Before the ICMP echo request is sent out, an ARP request is sent. Only
after the ARP reply is received does the ping succeed.
ARP Request Packet (ping 10.0.2.15)

It's a broadcast!



ARP Request (Sender broadcasts: who has 10.0.2.15?)
☞ Hardware address length (how many bytes): for a MAC address it is 6 bytes.
☞ Protocol address length: for an IP address it is 4 bytes.
☞ Operation : ARP request or reply
☞ Green fields : Sender information
■ Completely available and filled in by the sender
☞ Blue fields : Receiver information
■ Sender fills in the receiver (target) IP
■ The ARP request is a broadcast (Dest MAC address: FF:FF:FF:FF:FF:FF)
■ Sender fills the Target MAC with 00:00:00:00:00:00



ARP Reply packet (ping 10.0.2.15)



ARP Reply (10.0.2.15 replies only to the sender)
☞ In the ARP reply, the sender and receiver information is swapped, as the
receiver of the request is now the sender.
☞ The receiver puts its own IP address and MAC address in the green
(sender) fields.
☞ It sends a unicast message to the original sender.
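As an added example (not from the lecture), a parser for the 28-byte ARP body shown on the slides, together with two checks a monitoring tool can apply: that a request looks like a request (broadcast, zeroed target MAC) and that a reply is the swapped counterpart of a request. The request and reply bytes are constructed to mirror the ping 10.0.2.15 exchange, using the lab's MAC addresses for 10.0.2.13 and 10.0.2.15.

```python
import struct
import ipaddress

ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"

def _mac(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_arp(body):
    """Fields in wire order: hardware type, protocol type, hardware address length,
    protocol address length, operation, sender MAC, sender IP, target MAC, target IP."""
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", body[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):   # Ethernet (6-byte) / IPv4 (4-byte)
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", body[8:28])
    return {"op": op,
            "sender_mac": _mac(sha), "sender_ip": str(ipaddress.IPv4Address(spa)),
            "target_mac": _mac(tha), "target_ip": str(ipaddress.IPv4Address(tpa))}

def check_request(req, frame_dst_mac):
    """Sanity checks on a request as the slides describe it: opcode 1, broadcast
    at layer 2, target MAC all zeros, sender fields filled in."""
    problems = []
    if req["op"] != ARP_REQUEST:
        problems.append("opcode is not 1")
    if frame_dst_mac != BROADCAST_MAC:
        problems.append("request not broadcast")
    if req["target_mac"] != ZERO_MAC:
        problems.append("target MAC should be zero")
    if req["sender_mac"] == ZERO_MAC:
        problems.append("sender MAC missing")
    return problems

def reply_matches_request(req, rep):
    """A genuine reply swaps the roles: its sender is the request's target and its
    target is the request's sender. ARP itself never performs this check (it is
    stateless); a monitoring tool can."""
    return (rep["op"] == ARP_REPLY
            and rep["sender_ip"] == req["target_ip"]
            and rep["target_ip"] == req["sender_ip"]
            and rep["target_mac"] == req["sender_mac"])

# Constructed ARP bodies for "who has 10.0.2.15?" asked by 10.0.2.13, and the answer.
# MACs are the lab values from the slides (10.0.2.13 = M, 10.0.2.15 = A).
SAMPLE_REQUEST = bytes.fromhex(
    "0001" "0800" "06" "04" "0001"       # Ethernet, IPv4, hlen 6, plen 4, op 1
    "080027bb7745" "0a00020d"            # sender MAC / sender IP (10.0.2.13)
    "000000000000" "0a00020f")           # target MAC zeroed / target IP (10.0.2.15)
SAMPLE_REPLY = bytes.fromhex(
    "0001" "0800" "06" "04" "0002"       # op 2
    "080027fdd527" "0a00020f"            # 10.0.2.15 now fills the sender fields
    "080027bb7745" "0a00020d")           # and addresses the original sender

if __name__ == "__main__":
    req, rep = parse_arp(SAMPLE_REQUEST), parse_arp(SAMPLE_REPLY)
    print(req, "problems:", check_request(req, BROADCAST_MAC))
    print(rep, "matches request:", reply_matches_request(req, rep))
```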



ARP Cache - Useful commands
● For optimization purposes, once the sender gets the MAC address of another
host on the same network, the address is saved in the cache for a while. If
the mapping is already in the cache, it will not ask again.
● The cached entry will time out after some time (the timeout depends on the
system), because the mappings between MAC addresses and IP addresses
aren't fixed. Especially these days, with dynamic IP, computers can
join and leave, and the same IP address could be assigned to a different
computer. So you cannot have a fixed mapping: the entry will time out,
but it stays in the cache for a while.
● Use "arp -n" to see what is in the cache.
● Use "sudo arp -d <ip>" to remove an entry.
● The entry for <ip> will still be listed, but its MAC information
disappears (status : incomplete).
Answer the questions below

What happens when you:

a. ping 1.2.3.4 (non-existing, not on the local network)
b. ping 10.0.2.97 (non-existing, on the local network)

Use your knowledge of ARP and the MAC layer to provide an explanation.



Solution
1. What happens when you ping a host which is on another network?
■ Example : ping 1.2.3.4
■ Check the ARP cache before and after the ping
Solution: Since 1.2.3.4 is on a different network, the frame is sent to the default
gateway's MAC address, which ARP resolves (observe the Ethernet frame's Dest MAC address).
In Wireshark we observe that ICMP echo request packets are sent continuously; however, since
the IP is non-existent there is no ICMP echo reply, and hence the ping is unsuccessful.
2. What happens when you ping a host which does not exist on the local network?
■ Example : ping 10.0.2.97
■ Check the ARP cache before and after the ping
Solution :
Before ping : the ARP cache does not contain any entry for 10.0.2.97.
After ping : an entry for 10.0.2.97 is inserted into the ARP cache but is marked incomplete.
In Wireshark we observe that the sender continuously sends ARP requests for some time;
no ICMP packets are exchanged, because no ARP reply is ever received.



Answer the questions below

Use the icmp_sniff_spoof.py program, which sniffs the ICMP echo-request
packet and spoofs the reply.

Observe the difference between the following two commands, and explain your
observation:
1. ping 1.2.3.4 (non-existing, not on the local network)
2. ping 10.0.2.97 (non-existing, on the local network)



Icmp_sniff_spoof.py (run on 10.0.2.13)

#!/usr/bin/python3
from scapy.all import *

def spoof_pkt(pkt):
    # Only react to ICMP echo requests (type 8)
    if ICMP in pkt and pkt[ICMP].type == 8:
        # Create IP packet with srcIP = destIP and vice-versa
        IPLayer = IP(src=pkt[IP].dst, dst=pkt[IP].src, ihl=pkt[IP].ihl)
        # ICMP type = 0 - echo reply; keep id and seq so ping matches the reply to its request
        ICMPpkt = ICMP(type=0, id=pkt[ICMP].id, seq=pkt[ICMP].seq)
        # Echo back the original payload (empty if the request carried none)
        data = pkt[Raw].load if Raw in pkt else b""
        # Create the new packet
        newpkt = IPLayer/ICMPpkt/data
        print("*******spoofed reply packet*******")
        print("Src IP:", newpkt[IP].src, "Dest IP:", newpkt[IP].dst)
        send(newpkt, verbose=0)

# Sniff ICMP packets from 10.0.2.15 on enp0s3 and hand each one to spoof_pkt
pkt = sniff(iface="enp0s3", filter='icmp and src host 10.0.2.15', prn=spoof_pkt)



(on 10.0.2.15) ping 1.2.3.4



(on 10.0.2.15) ping 10.0.2.97



Observation
ping 1.2.3.4 (non-existing, not on the local network) -> sniff-and-spoof worked well!
ping 10.0.2.97 (non-existing, on the local network) -> sniff-and-spoof didn't work??

Case 1: The sender hands this packet to its router. At L2, it puts the router's MAC
address in the Ethernet header. If it does not know the MAC address of the router, it
sends an ARP request, and the router replies. That is why the ICMP echo request appears
on the wire and can be sniffed.

Case 2: If the sender pings a non-existing host on the same wire, it first broadcasts an ARP
request to the network, asking who has the MAC address of this IP. Because this host doesn't
exist, nobody replies. Without the reply, the sender never learns the MAC address of the
recipient, so it never sends out the actual echo request. The sniff-and-spoof program works
correctly, but if it never sees a request, it has nothing to reply to.



ARP Cache Poisoning Attacks
Purpose:
☞ Poison the ARP cache. Poisoning means injecting fake, forged
information into the cache.
☞ For example, if machine B's MAC address is x, map machine B's IP
address to y instead of the original x.
☞ ARP is a very simple lower-layer protocol, and performance is
essential; hence,
☞ it has no protection mechanism such as encryption or integrity
checking, so it is very simple.
☞ Stateless (doesn't maintain state after sending a request).
ARP Cache Poisoning Attacks
Three Different Ways to Update the Cache:
☞ ARP Request:
The sender sends out an ARP request which carries the sender's IP and MAC; the
receiver updates its cache based on the information provided in the request.
☞ ARP Reply:
When a computer receives an ARP reply, it does not know whether this
reply is the result of a request or not. It blindly accepts it (stateless).
☞ ARP Gratuitous message:
When a computer first joins a network, it broadcasts its own
IP and MAC address to everybody.



Spoofing ARP Messages

In scapy, ARP() by default has operation (op/opcode) 1 - ARP request.
For an ARP reply, the opcode (op) is 2.



DIY TASK 1
Write a program using scapy to create a new fake entry (IP : 10.0.2.99,
with MAC : aa:bb:cc:dd:ee:ff) in the ARP cache of Host A.
Note : 10.0.2.99 is non-existent.

Things to ask yourself before you proceed :

a) How can a fake entry be created?
Will a spoofed ARP request packet do? Or a spoofed ARP reply
packet (as ARP is stateless)?
b) How do you create an ARP packet?
It's another type of Ethernet packet. Hence,
packet = etherlayer/arplayer
Create a new fake entry using spoofed ARP Request

Create a new entry in the Cache : spoof_arp_request.py



Output



Create a new fake entry using spoofed ARP Reply

Create a new entry in the Cache : spoof_arp_reply.py



Output on 10.0.2.15 - we see no change in the ARP cache!
Before sending spoofed reply

After sending spoofed reply



DIY TASK 2
Write a program using scapy to update an existing ARP entry in the
ARP cache of Host A (pick any IP from the ARP cache, e.g. the default
router's IP).

How would you do it?

By sending a spoofed ARP request or a spoofed ARP reply packet?



Update an existing entry using spoofed ARP Request

Update cache by sending spoofed ARP Request



Output on 10.0.2.15
Before sending spoofed ARP request

After sending spoofed ARP request



Update an existing entry using spoofed ARP Reply

Update cache by sending spoofed ARP Reply



Output on 10.0.2.15(for existing ip entry in the cache)
Before sending spoofed reply

After sending spoofed reply



Observation
The spoofed ARP reply attack is successful if an entry for that IP already
exists in the cache. If there is no entry, the target does not accept our
spoofed reply.

That could be because of the particular ARP implementation in this OS.



Observation
So let us ping, from the target machine (10.0.2.15), an IP address which
does not currently exist in the cache (10.0.2.67 in our example). This will
cause the target to send out ARP requests, but it will not receive any
reply, since such a machine doesn't exist.

But this step creates an incomplete entry for 10.0.2.67 in the target's
ARP cache.

Let us spoof the ARP reply where src=10.0.2.67.



On target machine (10.0.2.15) before sending spoofed reply



Output on 10.0.2.15
Before sending spoofed reply

After sending spoofed reply



Conclusion
For a spoofed ARP request, it doesn't matter whether the entry is
in the cache or not; the target will automatically accept the spoofed
request.

But for the reply and the gratuitous messages, either the spoofed
reply must be a response to a legitimate request, or there must already be
an entry in the cache.
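As an added example (not from the lecture), a small model of the cache update rules stated in the conclusion, so that the request/reply difference and the "incomplete" entry from the earlier ping experiment can be reproduced without a network. The timeout value and the state names are assumptions; real behaviour is implementation-specific, as the slides note.

```python
import time

class ArpCache:
    """Neighbour cache following the update rules observed in the lab above."""

    def __init__(self, timeout=60.0):
        self.timeout = timeout      # seconds; assumed value, the real one is system-dependent
        self.entries = {}           # ip -> {"mac": str or None, "state": str, "ts": float}

    def _put(self, ip, mac, state, now):
        self.entries[ip] = {"mac": mac, "state": state, "ts": now}

    def send_to(self, ip, now=None):
        """Outgoing traffic to an unresolved IP leaves an 'incomplete' entry while the
        ARP request is pending (what 'ping 10.0.2.97' leaves behind)."""
        now = time.time() if now is None else now
        if ip not in self.entries:
            self._put(ip, None, "incomplete", now)

    def on_request(self, sender_ip, sender_mac, now=None):
        """Rule 1: a received request creates or updates the sender's entry."""
        now = time.time() if now is None else now
        self._put(sender_ip, sender_mac, "reachable", now)

    def on_reply(self, sender_ip, sender_mac, now=None):
        """Rule 2: a reply (or gratuitous message) only updates an entry that already
        exists, complete or incomplete; otherwise it is ignored. Returns True if applied."""
        now = time.time() if now is None else now
        if sender_ip not in self.entries:
            return False
        self._put(sender_ip, sender_mac, "reachable", now)
        return True

    on_gratuitous = on_reply   # same acceptance rule as a reply

    def expire(self, now=None):
        """Entries are not permanent: drop everything older than the timeout."""
        now = time.time() if now is None else now
        stale = [ip for ip, e in self.entries.items() if now - e["ts"] > self.timeout]
        for ip in stale:
            del self.entries[ip]

    def lookup(self, ip):
        e = self.entries.get(ip)
        return None if e is None else (e["mac"], e["state"])

if __name__ == "__main__":
    c = ArpCache()
    print("reply for unknown IP applied?", c.on_reply("10.0.2.99", "aa:bb:cc:dd:ee:ff"))
    c.on_request("10.0.2.99", "aa:bb:cc:dd:ee:ff")
    print("after a request:", c.lookup("10.0.2.99"))
    c.send_to("10.0.2.67")
    print("after pinging a non-existent host:", c.lookup("10.0.2.67"))
```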

Question : How do we make the attack successful by sending a
spoofed ARP reply, even if an entry in the cache does not exist?



Question

How do we make the spoofed-ARP-reply cache poisoning attack
successful even if an entry in the cache does not exist?



Possible answer
Send an additional spoofed packet : a spoofed ICMP echo request from
the fake IP to the target IP (this will create an entry in the cache for the fake IP).

Next, send the spoofed ARP reply, and the attack will be successful.



Send spoofed icmp echo request



Output on 10.0.2.15
Before sending spoofed icmp request

After sending spoofed icmp request



Now Send spoofed ARP Reply



Output on 10.0.2.15
Before sending spoofed arp reply

After sending spoofed arp reply



Man-in-the-Middle (MITM) Attack
☞ Eavesdropping
☞ Traffic from A to B is redirected to
another computer M, and M modifies it
and then sends the packet on to B.
☞ The traffic is intercepted by redirecting
the communication to the
middleman, the attacker.
☞ M must be in the same local network.
☞ Main goal : redirect the traffic



Different ways to redirect the traffic:
• At Layer 2 – ARP Cache poisoning
• At Layer 3 – ICMP Redirect
• At Application Layer – DNS Cache poisoning



Man-in-the-Middle Attack (via ARP Cache Poisoning Attack)
☞ Let us assume A and B are communicating.
☞ The attacker M will poison A's ARP cache such that the entry
for B will have :
B's IP address -> M's MAC address, instead of B's MAC address.

How can we achieve this??



Man-in-the-Middle Attack (via ARP Cache Poisoning Attack)
☞ Let A send a packet to B.
☞ As the ARP cache of A is poisoned, M will
receive the packet.
☞ There are two different scenarios:
• What if M is a router:
• It will perform routing and forwarding
• (to do this, enable IP forwarding).
• What if M is a host:
• The packet will be dropped, as the dest IP is
B's IP and not M's IP.
☞ How does M get a copy of it while being a host?
• Turn IP forwarding off (= 0) and open a raw socket on M.
Procedure : Man-in-the-Middle Attack (via ARP Cache Poisoning Attack)
☞ Here, we will poison both A's and B's ARP
caches so that any message from A → B or
B → A will reach M.
☞ At M, in our program, we will modify the
messages only from A → B.
☞ Messages from B → A will be forwarded to
A as they are.
☞ Open a raw socket at M.
☞ On M, sniff the packets between A and B.
☞ M modifies the packet where the source is A
and then sends a spoofed packet to B.
Poison A's and B's ARP caches by sending spoofed ARP requests

Client (A) : $ nc 10.0.2.14 9090        Server (B) : $ nc -l 9090
IP_A : 10.0.2.15                         IP_B : 10.0.2.14
MAC_A : 08:00:27:fd:d5:27                MAC_B : 08:00:27:aa:b1:ad

Attacker (M)
IP_M : 10.0.2.13
MAC_M : 08:00:27:bb:77:45



ARP MITM Attack on netcat

Host B (Server - 10.0.2.14) : $ nc -lv 9090

Host A (Client - 10.0.2.15) : $ nc 10.0.2.14 9090

☞ In our program, we replace every occurrence of kevin with AAAAA (note
that the length of the new string is the same as the one replaced).
☞ Why?? (Think!!!)

Note: The entries in the ARP cache may be updated due to other network
activity; hence, poison the cache often for the attack to work.



ARP MITM Attack on netcat

Structure of the program:
• Check whether the packet is from A to B.
• Take the data part from the payload.
• Construct a new packet (IP object) from the original IP portion.
• Remove the IP and TCP checksums and the old payload, so that the data
can be modified (scapy recomputes the checksums on send).
• The size of the new data should be identical -> otherwise the TCP sequence
numbers no longer line up.
• From B to A, don't do anything.



ARP MITM Attack on telnet
☞ Telnet works differently from netcat.
☞ In netcat, whatever you type on the
same line is sent as one TCP packet
when you hit return.
☞ In telnet, every time you type a
character, it is sent out in a single
TCP packet, and the server echoes it back.
☞ In the code, every letter is replaced,
excluding digits and special
characters.
Note: The code is similar to the netcat one. The only difference is how you replace the data
part.
Question: ARP Cache Poisoning
Disclaimer: this is fiction!

In the 2020 State of Union address, President Trump said the following:
“In 2019, Russian hackers launched many ARP cache poisoning attacks from Russia
against the computer networks inside the White House, but, I can proudly tell you,
under my leadership, we have successfully defeated all of these attacks.”

Then he paused, looking at the audience, waiting for applause.

Do you applaud or not?

Solution: Technically you shouldn’t applaud because ARP cache poisoning attack is
not possible remotely (ARP messages don’t travel beyond the local subnet).



Countermeasures
☞ Encryption in communication.
• ARP cache poisoning will still succeed, but the MITM attack will not.
☞ Use tools that monitor for ARP cache poisoning attacks (e.g. Wireshark).
☞ Use packet filters to analyze each packet.
☞ Use static ARP entries :
• This solution involves a lot of administrative overhead and is only
recommended for smaller networks. It involves adding an ARP entry for
every machine on the network into each individual computer.
• Mapping the machines with sets of static IP and MAC addresses helps
to prevent spoofing attacks, because the machines can ignore ARP
replies. Unfortunately, this solution can only protect you from simpler
attacks.
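As an added example (not from the lecture) of the "monitor for ARP cache poisoning" countermeasure, a passive monitor that learns IP-to-MAC pairs from observed ARP packets and alerts when a known IP changes MAC, when one MAC claims several IPs (the pattern the A/B poisoning on the MITM slides produces), or when a reply arrives that nobody asked for. The sample traffic is constructed from the lab's addresses.

```python
from collections import defaultdict

ARP_REQUEST, ARP_REPLY = 1, 2

class ArpMonitor:
    """Passive IP<->MAC bookkeeping over observed ARP traffic."""

    def __init__(self):
        self.ip_to_mac = {}                  # what each IP last claimed
        self.mac_to_ips = defaultdict(set)   # which IPs a MAC has claimed
        self.pending = set()                 # (asker_ip, asked_for_ip) requests in flight
        self.alerts = []

    def observe(self, op, sender_ip, sender_mac, target_ip):
        """Feed one ARP packet; returns the alerts it raised (also kept in self.alerts)."""
        new = []
        known = self.ip_to_mac.get(sender_ip)
        if known is not None and known != sender_mac:
            new.append(f"MAC change for {sender_ip}: {known} -> {sender_mac}")
            self.mac_to_ips[known].discard(sender_ip)
        others = self.mac_to_ips[sender_mac] - {sender_ip}
        if others:
            # One NIC answering for several IPs is the MITM signature from the slides
            new.append(f"{sender_mac} claims {sender_ip} and {', '.join(sorted(others))}")
        if op == ARP_REQUEST:
            self.pending.add((sender_ip, target_ip))
        elif op == ARP_REPLY and sender_ip != target_ip:   # gratuitous replies are self-addressed
            # ARP itself accepts any reply (stateless); the monitor looks for the matching request
            if (target_ip, sender_ip) in self.pending:
                self.pending.discard((target_ip, sender_ip))
            else:
                new.append(f"unsolicited reply from {sender_ip} to {target_ip}")
        self.ip_to_mac[sender_ip] = sender_mac
        self.mac_to_ips[sender_mac].add(sender_ip)
        self.alerts.extend(new)
        return new

# Constructed sample traffic using the lab's addresses (A = .15, B = .14, M = .13).
MAC_A, MAC_B, MAC_M = "08:00:27:fd:d5:27", "08:00:27:aa:b1:ad", "08:00:27:bb:77:45"
SAMPLE_EVENTS = [
    (ARP_REQUEST, "10.0.2.15", MAC_A, "10.0.2.14"),   # A resolves B: legitimate
    (ARP_REPLY,   "10.0.2.14", MAC_B, "10.0.2.15"),   # B answers: legitimate
    (ARP_REPLY,   "10.0.2.14", MAC_M, "10.0.2.15"),   # M claims B's IP in a reply nobody asked for
    (ARP_REQUEST, "10.0.2.15", MAC_M, "10.0.2.14"),   # M claims A's IP in a request to B
]

def run_monitor(events=SAMPLE_EVENTS):
    mon = ArpMonitor()
    for ev in events:
        mon.observe(*ev)
    return mon.alerts

if __name__ == "__main__":
    for a in run_monitor():
        print("ALERT:", a)
```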
Summary
☞ Ethernet Frame & MAC Header
☞ ARP Protocol
☞ ARP Cache Poisoning attack
☞ MITM attack using ARP Cache Poisoning
• ARP MITM Attack on netcat
• ARP MITM Attack on Telnet

☞ Question
☞ Countermeasures



Hands-on Lab Exercise
Objective of the Lab:
To gain the first hands-on experience on the ARP cache poisoning
attack lab and learn what damages can be caused by such an attack.
Expected Outcome:
At the end of this lab, students will use the ARP attack to launch a
man-in-the-middle attack, where the attacker can intercept and modify
the packets between the two victims A and B.



Thank you!
