MAC address and IP address binding policy: hack vulnerability warning - the black bar safety net

ID MYHACK58:62200611563
Type myhack58
Reporter 佚名
Modified 2006-09-09T00:00:00


1 Introduction

Of the solutions to “IP address theft”, the vast majority adopt a MAC and IP address binding policy. This practice is in fact very dangerous, and this article explores the problem. It should be stated here that this article only discusses the security concerns of the MAC and IP address binding policy and has no hacking intent.

1.1 Why bind MAC and IP addresses

Many factors affect network security; IP address theft, or address spoofing, is a common and extremely harmful one. In practice many network applications are IP-based: traffic statistics, account control and so on all use the IP address as an important parameter identifying the user. If someone steals a legitimate address and masquerades as a legitimate user, the data transmitted on the network may be destroyed, eavesdropped on or even stolen, causing irreparable loss.

Stealing an external network IP address is comparatively difficult, because routers and other interconnection devices are normally configured with the IP address range allowed through each port, and packets whose IP addresses fall outside that range will not pass through them. But if the stolen address belongs to a legitimate user inside the Ethernet segment, such interconnection devices are evidently powerless. As the saying goes, every advance in trickery is met by a greater advance in defence: for theft of internal Ethernet IP addresses there are also corresponding solutions, and binding the MAC address to the IP address is a commonly used, simple and effective measure against internal IP theft.

1.2 The principle of MAC and IP address binding

Modifying an IP address is very easy, whereas the MAC address is stored in the NIC's EEPROM and uniquely identifies the card. Therefore, to prevent insiders from illegally stealing IP addresses (a popular target is the address of a member with higher privileges, in order to obtain privileged information), the internal network binds IP addresses to MAC addresses: if a thief modifies the IP address, the MAC address will not match and the theft fails; and because a NIC's MAC address is unique, the MAC address can be used to identify the card in use and thereby track down the illegal user.

Currently many organisations' internal networks, especially school campus networks, use MAC and IP address binding. Many firewalls, hardware and software alike, also have a built-in MAC and IP address binding function to prevent internal IP addresses from being stolen.

On the surface, binding the MAC address to the IP address appears to prevent internal IP address theft. In fact, because of the way the protocol layers and the NIC drivers are implemented, MAC and IP address binding has major defects and cannot really prevent internal IP address theft.

2 Cracking the MAC and IP address binding policy

2.1 IP addresses and MAC addresses

The existing TCP/IP network uses a four-layer protocol structure which, from bottom to top, consists of the link layer, network layer, transport layer and application layer.

Ethernet is a link-layer protocol, and the address it uses is the MAC address. The MAC address is the hardware identifier of an Ethernet card; it is written into the card's EEPROM when the card is manufactured. Every network card has a different MAC address, and a MAC address identifies exactly one card. Each packet transmitted on the Ethernet contains the MAC address of the card that sent it.

Ethernet identifies the sender and receiver of a packet by the source and destination MAC addresses in the Ethernet header. The IP protocol belongs to the network layer and uses IP addresses. Under IP, every IP packet header must contain a source IP address and a destination IP address to identify the sender and receiver of the IP packet. When IP packets are transmitted over Ethernet, the IP packet is carried as the data of the Ethernet packet, and the IP address is transparent to Ethernet switches and other processors. The user may configure one or more IP addresses on a network card as the network requires, so there is no one-to-one relationship between MAC addresses and IP addresses.

The MAC address stored in the NIC's EEPROM is indeed unique, but when the network card driver sends an Ethernet packet it does not read the MAC address from the EEPROM; it reads the source MAC address from a buffer in memory, and the user can modify, through the operating system, the source MAC address actually placed in transmitted Ethernet packets. Since the MAC address can be modified, binding MAC addresses to IP addresses loses its original meaning.

2.2 Cracking procedure

The following figure shows the structure of the cracking test. The internal server and the external server provide Web services, and the firewall implements MAC and IP address binding: packets whose source MAC address and IP address do not match the MAC/IP pair configured in the firewall cannot pass through it. Host 2 and the internal server are legitimate machines on the internal network; host 1 is a newly added machine used for the experiment, running Windows 2000 Enterprise Edition with a 3Com network card. The test requires changing host 1's MAC and IP addresses to those of the device whose address is being stolen. First, in Control Panel, open “Network and dial-up connections”, right-click the relevant adapter and select Properties; on the “General” page of the Properties dialog click the “Configuration” button. In the configuration properties dialog select “Advanced”, then in the “Property” column select “Network Address”, select the input box in the “Value” column and enter the stolen device's MAC address. The MAC address is thereby modified.

Then configure the IP address to the stolen device's IP address. Stealing an internal client's IP address: host 1's MAC and IP addresses are changed to those of host 2. Host 1 can then access the external server and passes through the firewall smoothly, exactly as host 2 does. Moreover, host 2 can still access the external server normally at the same time, completely unaffected by host 1; neither host 2 nor the firewall is aware that host 1 exists. If host 1 accesses the internal server, it does not even need to pass through the firewall and is entirely unimpeded.

Stealing the internal server's IP address: host 1's MAC and IP addresses are changed to those of the internal server, and host 1 also provides a Web service. To make the effect more obvious, the Web content served by host 1 differs from that served by the internal server.

Because in the actual experiment host 1 and host 2 were connected to the same hub, host 2's access requests were always answered first by host 1: host 2 wanted to reach the internal server but always received the content provided by host 1. More generally, when host 2 tries to access the internal server, whether it gets the content provided by host 1 or by the internal server is random and depends on which one responds to the request first; this is analysed further below.

Stealing a server's MAC and IP may do greater harm. If host 1 serves the same Web content as the internal server, host 2 has no way to tell which machine it is actually accessing; and if the Web content asks for an account, password or other information, that information is swept up by host 1.

3 Why the crack succeeds

The above experiments verify that binding MAC addresses to IP addresses has serious defects and cannot effectively prevent internal IP address theft. Next, the defect is analysed in detail from a theoretical standpoint.

The precondition for the defect is the network card's promiscuous receive mode. Promiscuous receive mode means that the NIC can receive all packets transmitted on the network, regardless of whether their destination MAC address is the card's own MAC address. It is because the NIC supports promiscuous mode that driver support for modifying the MAC address becomes possible; otherwise, even if the MAC address were modified, the card could not receive the packets addressed to the new address, the card could only send and not receive, and communication could not proceed normally.

The direct cause of MAC address theft being possible is the mechanism by which the NIC driver sends Ethernet packets. The source MAC address of an Ethernet packet is filled in by the driver, but the driver does not read the MAC from the card's EEPROM; it keeps a MAC address cache in memory, into which the EEPROM content is read when the card is initialised. If the content of that buffer is changed to a user-set MAC address, the Ethernet packets sent thereafter carry the modified MAC as their source address. Modifying the MAC address alone, however, does not guarantee that the address theft will succeed. Ethernet is broadcast-based: a network card can listen to all packets transmitted on the LAN, but it receives only those Ethernet packets whose destination address matches its own MAC address. If two hosts with the same MAC address both issue access requests, the response packets to both requests match both hosts, so each host receives not only the content it needs but also the content addressed to the other host with the same MAC.

It would stand to reason that, because of the redundant packets they receive, the two hosts should not be able to work, so the theft would soon be noticed and could not continue. In the experiment, however, after the address theft none of the devices interfered with each other's work. Why is this? The answer lies in the upper-layer protocols used.

Today the most commonly used protocol is TCP/IP, and network applications generally run on TCP or UDP; for example, the HTTP protocol used by the Web server in the experiment is based on TCP. In TCP and UDP, the two sides of a communication are identified not only by IP address but also by port number. In a typical application the client port number is not preset but generated by the protocol according to certain rules, with a degree of randomness, as when IE is used to access the Web server above. A UDP or TCP port number is a 16-bit binary number, and the probability that two 16-bit random numbers are equal is very small; and even if they happened to be equal, the theft would still not be as straightforward as it seems. Although the two hosts have the same MAC and IP addresses, their application port numbers differ; the excess data received cannot be matched to a port at the TCP/UDP layer and is simply discarded as useless, and the processing at the TCP/UDP layer is transparent to the user layer. The user can therefore use the corresponding service “correctly” and normally, undisturbed by the address theft.

Of course, for some applications the port number may be set by the user or by the application itself rather than randomly generated by the protocol. What happens then? For example, if the same application using the same port is started on two hosts with identical MAC and IP addresses, will the two applications simply fail to work normally? In fact, not necessarily.

If the lower layer uses UDP, the two applications will interfere with each other and fail to work. If TCP is used, the result is different. Because TCP is connection-oriented and implements a retransmission mechanism to ensure data is transmitted correctly, TCP introduces the concepts of a packet sequence number and a receive window. Among packets whose port numbers match, only those whose sequence numbers fall within the receive window are accepted; the rest are considered expired and discarded. A TCP sequence number is 32 bits; the sequence number of the first packet each application sends is generated strictly at random, and each subsequent packet's sequence number is incremented by 1.

The window size is 16 bits, so the window is at most 2^16, while the sequence number range is 2^32. The probability that the TCP sequence number a host expects to receive also happens to fall within the other side's receive window is 1/2^16, which is very small indeed. The TCP sequence number, originally introduced to ensure packets are transmitted correctly, has now become an accomplice to address theft.
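The receive path described in this section, as an added Python example (not the article's own code; the hosts, ports, sequence numbers and payloads are constructed values): port demultiplexing separates the two twin hosts whenever their client ports differ, the TCP window check separates them when the ports are the same, and UDP, having no window, lets both hosts accept everything.

```python
SEQ_SPACE = 2 ** 32   # TCP sequence numbers are 32-bit
MAX_WINDOW = 2 ** 16  # the advertised window field is 16-bit


def in_receive_window(seq, rcv_nxt, rcv_wnd=MAX_WINDOW):
    """Accept only [rcv_nxt, rcv_nxt + rcv_wnd) modulo 2^32; the rest is stale."""
    return (seq - rcv_nxt) % SEQ_SPACE < rcv_wnd


class TwinHost:
    """One of two hosts configured with the same MAC and IP address (constructed)."""

    def __init__(self, port, rcv_nxt=0, proto="tcp"):
        self.port = port          # local port of the application's socket
        self.rcv_nxt = rcv_nxt    # TCP: next sequence number this host expects
        self.proto = proto
        self.accepted, self.dropped = [], 0

    def receive(self, dst_port, seq, payload):
        """Port demultiplexing first; for TCP, the window check as well."""
        if dst_port != self.port:            # no socket on that port: dropped
            self.dropped += 1
            return False
        if self.proto == "tcp" and not in_receive_window(seq, self.rcv_nxt):
            self.dropped += 1                # right port, but out of window
            return False
        self.accepted.append(payload)
        if self.proto == "tcp":
            self.rcv_nxt = (self.rcv_nxt + len(payload)) % SEQ_SPACE
        return True


def deliver_to_twins(a, b):
    """Both hosts see both server replies (same MAC, same IP, shared medium).
    Returns what each host passed up to its application."""
    replies = [(a.port, a.rcv_nxt, b"reply-for-A"),
               (b.port, b.rcv_nxt, b"reply-for-B")]
    for dst_port, seq, payload in replies:
        for host in (a, b):
            host.receive(dst_port, seq, payload)
    return a.accepted, b.accepted


# Browser case: random client ports differ, so port demultiplexing alone separates them.
random_ports = deliver_to_twins(TwinHost(49152, 1000), TwinHost(51211, 7000))
# Application-chosen port on both hosts: TCP still separates them through the window...
fixed_tcp = deliver_to_twins(TwinHost(8080, 1000), TwinHost(8080, 5_000_000))
# ...unless the twin's expected sequence number lands inside our window (chance about 1/2^16)...
fixed_tcp_collide = deliver_to_twins(TwinHost(8080, 1000), TwinHost(8080, 41000))
# ...while UDP has no window at all, so both hosts accept both datagrams.
fixed_udp = deliver_to_twins(TwinHost(8080, proto="udp"), TwinHost(8080, proto="udp"))
```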

4 Ways to solve the cracking of MAC and IP address binding

There are many ways to counter the cracking of MAC and IP address binding; the main ones are the following.

Three-way binding of switch port, MAC address and IP address; combining a proxy service with a firewall; using the PPPoE protocol for user authentication; methods based on Directory Services policies; and combining unified authentication with billing software, among others. The author particularly recommends the last method, which combines the campus network's office automation system with network billing software; in today's campus network information construction it has strong practical value.
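The first countermeasure listed above, three-way binding of switch port, MAC and IP, as an added Python example (not the article's code). The binding table and the observed records are constructed values modelled on the article's test network: host 2 is legitimate, host 1 is a newly attached machine that has copied host 2's MAC and IP.

```python
# Authorised bindings, switch port -> (MAC, IP).  Constructed sample values
# modelled on the article's test network.
BINDINGS = {
    "Fa0/1": ("00:11:22:33:44:55", "192.168.1.20"),   # host 2
    "Fa0/2": ("00:11:22:33:44:66", "192.168.1.10"),   # internal server
}

# What a switch's port-security or DHCP-snooping log might report (constructed):
# (switch port, source MAC, source IP).
OBSERVED = [
    ("Fa0/1", "00:11:22:33:44:55", "192.168.1.20"),   # host 2, as registered
    ("Fa0/2", "00:11:22:33:44:66", "192.168.1.10"),   # server, as registered
    ("Fa0/3", "00:11:22:33:44:55", "192.168.1.20"),   # host 1 copying host 2's MAC and IP
    ("Fa0/1", "00:11:22:33:44:55", "192.168.1.99"),   # host 2 changed its own IP
]


def classify(bindings, port, mac, ip):
    """Return None for a legitimate record, otherwise the reason it fails.
    A plain MAC/IP check would pass the third record above, because that
    MAC/IP pair is valid; only the switch port reveals the duplicate."""
    expected = bindings.get(port)
    if expected == (mac, ip):
        return None
    mac_to_port = {m: p for p, (m, _ip) in bindings.items()}
    if mac in mac_to_port and mac_to_port[mac] != port:
        return "MAC %s is bound to %s" % (mac, mac_to_port[mac])
    if expected is None:
        return "no binding for this port"
    return "expected %s/%s on this port" % expected


def check_bindings(bindings, observed):
    """Run every observation through classify() and keep the violations."""
    violations = []
    for port, mac, ip in observed:
        reason = classify(bindings, port, mac, ip)
        if reason is not None:
            violations.append((port, mac, ip, reason))
    return violations


# Limitation the article's own setup exposes: hosts 1 and 2 hung off one hub,
# so the switch sees both behind Fa0/1 and their records are identical.  The
# port check cannot separate them; one of the other methods listed in section 4,
# such as PPPoE user authentication, is needed for that case.
VIOLATIONS = check_bindings(BINDINGS, OBSERVED)
```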