
ARP-related operations on Linux

Date: 2017/2/28 14:03:28   Editor: Linux Tutorial

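1. Basic principles

The Address Resolution Protocol (ARP) is a TCP/IP protocol that obtains a physical address from an IP address. When a host sends data, it broadcasts an ARP request containing the target IP address to all hosts on the network and receives the reply, which gives it the target's physical address. It then stores the IP address and physical address in its local ARP cache for a limited time, and later requests are answered directly from the ARP cache to save resources. ARP is built on mutual trust between the hosts on a network: any host can send ARP replies on its own initiative, and a host that receives a reply records it in its ARP cache without checking whether it is genuine. An attacker can therefore send forged ARP replies to a host so that the data it sends fails to reach the intended host or reaches the wrong host; this is ARP spoofing. The arp command can be used to query the IP-to-MAC mappings in the local ARP cache and to add or delete static mappings. Related protocols are RARP and proxy ARP. In IPv6, NDP replaces ARP.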

2. The arp command

The arp command manages the ARP cache.

arp -v: verbose mode

$ arp -v
Address HWtype HWaddress Flags Mask Iface
xxxxx ether 00:12:da:46:34:00 C eth0
10.1.1.17 ether 00:16:3e:f2:38:33 C eth1
10.1.1.12 ether 00:16:3e:f2:37:6b C eth1
Entries: 3 Skipped: 0 Found: 3

arp -n: show numeric addresses
$ arp -n
Address HWtype HWaddress Flags Mask Iface
xxxxxxxx ether 00:12:da:46:34:00 C eth0
10.1.1.13 ether 00:16:3e:f2:37:7d C eth1
10.1.1.18 ether 00:16:3e:f2:38:35 C eth1

arp -a: show the IP-to-MAC mapping of the specified host; shows all entries by default
$ arp -a
? (xxxxxxxxx) at 00:12:da:46:34:00 [ether] on eth0
? (10.1.1.13) at 00:16:3e:f2:37:7d [ether] on eth1
? (10.1.1.18) at 00:16:3e:f2:38:35 [ether] on eth1
[gintama@gintama-taiwan-lb1 ~]$ arp -a 10.1.1.18
? (10.1.1.18) at 00:16:3e:f2:38:35 [ether] on eth1

arp -d: delete the IP-to-MAC mapping of the specified host

$ sudo arp -d 10.1.1.18

arp -i: show only the IP-to-MAC mappings on the specified interface
$ arp -i eth0
Address HWtype HWaddress Flags Mask Iface
xxxxxxxxxxxxx ether 00:12:da:46:34:00 C eth0
$ arp -i eth1
Address HWtype HWaddress Flags Mask Iface
10.1.1.13 ether 00:16:3e:f2:37:7d C eth1
10.1.1.18 ether 00:16:3e:f2:38:35 C

arp -s hostname hw_addr, --set hostname: manually set an IP-to-MAC mapping
$ sudo arp -s 10.1.1.18 00:16:3e:f2:38:35

3. The arping command
arping [ -AbDfhqUV] [ -c count] [ -w deadline] [ -s source] -I interface destination
Sends ARP requests to the target host.

-A: use ARP REPLY packets instead of ARP REQUEST packets
$ sudo arping -A -I eth1 -s 10.1.1.12 10.1.1.19
ARPING 10.1.1.19 from 10.1.1.12 eth1
Unicast reply from 10.1.1.19 [00:16:3E:F2:38:3B] 627.781ms
Unicast reply from 10.1.1.19 [00:16:3E:F2:38:3B] 988.125ms
Unicast reply from 10.1.1.19 [00:16:3E:F2:38:3B] 827.356ms
Unicast reply from 10.1.1.19 [00:16:3E:F2:38:3B] 837.510ms
Unicast reply from 10.1.1.19 [00:16:3E:F2:38:3B] 303.940ms

-b: send only MAC-level ARP broadcasts. Normally arping starts by sending ARP broadcasts and switches to unicast once it has received an ARP REPLY.

$ sudo arping -b -I eth1 -s 10.1.1.12 10.1.1.19
ARPING 10.1.1.19 from 10.1.1.12 eth1
Unicast reply from 10.1.1.19 [00:16:3E:F2:38:3B] 0.764ms
Unicast reply from 10.1.1.19 [00:16:3E:F2:38:3B] 0.843ms
Unicast reply from 10.1.1.19 [00:16:3E:F2:38:3B] 0.744ms

-c: number of ARP REQUEST packets to send. If -w is also given, arping keeps waiting for ARP REPLY packets until the deadline expires.

$ sudo arping -c 5 -I eth1 -s 10.1.1.12 10.1.1.19
ARPING 10.1.1.19 from 10.1.1.12 eth1
Unicast reply from 10.1.1.19 [00:16:3E:F2:38:3B] 0.771ms
Unicast reply from 10.1.1.19 [00:16:3E:F2:38:3B] 0.744ms
Unicast reply from 10.1.1.19 [00:16:3E:F2:38:3B] 0.741ms
Unicast reply from 10.1.1.19 [00:16:3E:F2:38:3B] 0.806ms
Unicast reply from 10.1.1.19 [00:16:3E:F2:38:3B] 0.731ms
Sent 5 probes (1 broadcast(s))
Received 5 response(s)

-w deadline
Specifies the timeout in seconds.

-D: duplicate address detection (DAD) mode

$ sudo arping -D 10.1.1.200
ARPING 10.1.1.200 from 0.0.0.0 eth0
Unicast reply from 10.1.1.200 [00:16:3E:F2:37:6B] 0.692ms
Sent 1 probes (1 broadcast(s))
Received 1 response(s)

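-I: the network interface used to send ARP REQUEST packets

-s: source address
In DAD mode, set to 0.0.0.0
In Unsolicited ARP mode, set to the destination address
Otherwise, calculated from the routing table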

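4. Preventing ARP flux
ARP converts IP addresses into physical addresses. By default, a Linux host with multiple NICs responds to an ARP request received on any of its NICs for an IP address bound to any of its NICs.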

Suppose a Linux host has two NICs, A and B, with the following IP and MAC addresses:
NIC A
IP 10.10.41.102
MAC 08:00:27:4B:63:93

NIC B
IP 10.10.41.142
MAC 08:00:27:47:78:55

Now use arping to send an ARP REQUEST to each of the two IPs:
$ sudo arping 10.10.41.142
ARPING 10.10.41.142 from 10.10.41.17 eth0
Unicast reply from 10.10.41.142 [08:00:27:4B:63:93] 1.721ms
Unicast reply from 10.10.41.142 [08:00:27:4B:63:93] 1.774ms
Unicast reply from 10.10.41.142 [08:00:27:4B:63:93] 2.626ms
Unicast reply from 10.10.41.142 [08:00:27:4B:63:93] 1.174ms
Unicast reply from 10.10.41.142 [08:00:27:4B:63:93] 1.164ms
^CSent 5 probes (1 broadcast(s))
Received 5 response(s)
$ sudo arping 10.10.41.102
ARPING 10.10.41.102 from 10.10.41.17 eth0
Unicast reply from 10.10.41.102 [08:00:27:4B:63:93] 1.988ms
Unicast reply from 10.10.41.102 [08:00:27:4B:63:93] 1.266ms
Unicast reply from 10.10.41.102 [08:00:27:4B:63:93] 1.478ms
Unicast reply from 10.10.41.102 [08:00:27:4B:63:93] 1.243ms
^CSent 4 probes (1 broadcast(s))
Received 4 response(s)

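As the output shows, 10.10.41.142 answers with 08:00:27:4B:63:93, the MAC address of NIC A, rather than the MAC address it should have.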
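
The mismatch above can be checked automatically. The following is an added example, not part of the original article: it parses arping reply lines and compares them with an inventory of expected IP-to-MAC mappings, which also catches the forged replies described in section 1. The names parse_replies, audit, EXPECTED and SAMPLE are hypothetical; the inventory is the NIC table above and the sample is abridged from the two arping runs above.

```python
import re
from collections import defaultdict

# Matches iputils arping lines such as:
#   Unicast reply from 10.10.41.142 [08:00:27:4B:63:93] 1.721ms
REPLY_RE = re.compile(r"^(?:Unicast|Broadcast) (?:reply|request) from ([\d.]+) \[([0-9a-f:]{17})\]", re.I)

def parse_replies(text):
    """Return {ip: set of lower-case MACs seen answering for that IP}."""
    seen = defaultdict(set)
    for line in text.splitlines():
        m = REPLY_RE.match(line.strip())
        if m:
            seen[m.group(1)].add(m.group(2).lower())
    return dict(seen)

def audit(text, expected):
    """Compare arping replies with an inventory {ip: mac}; return a list of findings."""
    replies = parse_replies(text)
    expected = {ip: mac.lower() for ip, mac in expected.items()}
    findings, by_mac = [], defaultdict(set)
    for ip, macs in sorted(replies.items()):
        if len(macs) > 1:  # two hardware addresses claim one IP: duplicate or forged reply
            findings.append(("multiple-macs", ip, tuple(sorted(macs))))
        for mac in sorted(macs):
            by_mac[mac].add(ip)
            if ip in expected and mac != expected[ip]:
                findings.append(("unexpected-mac", ip, mac))
    # One MAC answering for several IPs is what ARP flux looks like from the outside.
    # It is also normal for a NIC with several addresses, so treat it as a lead to verify.
    for mac, ips in sorted(by_mac.items()):
        if len(ips) > 1:
            findings.append(("shared-mac", mac, tuple(sorted(ips))))
    return findings

# Inventory taken from the NIC table in section 4 (assumed to be the intended mapping).
EXPECTED = {"10.10.41.102": "08:00:27:4B:63:93", "10.10.41.142": "08:00:27:47:78:55"}

# Replies abridged from the two arping runs in section 4.
SAMPLE = """\
ARPING 10.10.41.142 from 10.10.41.17 eth0
Unicast reply from 10.10.41.142 [08:00:27:4B:63:93] 1.721ms
ARPING 10.10.41.102 from 10.10.41.17 eth0
Unicast reply from 10.10.41.102 [08:00:27:4B:63:93] 1.988ms
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE, EXPECTED):
        print(finding)
```

On the sample it reports 10.10.41.142 as answering with an unexpected MAC and flags 08:00:27:4b:63:93 as shared by both IPs.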
