arphide.txt
(c) 2003 by Benjamin Schweizer
http://www.redsheep.de/

arphide, hiding hosts inside trusted networks
revision 1, Sep/11/2003


Abstract

This document describes a method to hide a host inside a LAN by using a weakness
of most routers/firewalls/gateways. This can be useful to do "strange things on
the internet".


Introduction

As you know, TCP/IP uses the ARP protocol (RFC 826) to abstract the data link
layer and determine the MAC addresses that correspond to IP addresses. This is a
pretty protocol for having fun; there are lots of well-known techniques such as
ARP spoofing, cache poisoning, et al. Most of these techniques have the goal of
spoofing connections and gaining access to data streams between two hosts. The
arphide technique shows that you can also play around with ARP to hide your host
and stay anonymous... you got the point?


How gateways work

A router/firewall/gateway accepts packets on one side, does some filtering and
drops them out on another interface. Most gateways are configured to accept LAN
IPs on one side and non-LAN IPs on the other. The LAN-side NIC accepts every
frame that is sent to its MAC address and passes it up to the IP stack. This is
where the packets are checked and where routing and packet filtering happen.
When the packet is fine, it is passed through to the other interface and
everything is ok.


The weakness

What happens if we initiate a LAN-LAN connection? The normal way is to send the
packets directly from source to target. When we instead frame the packet with
the gateway's MAC address as the Ethernet destination (while the IP destination
stays the real target), it is accepted by the gateway's NIC and passed up to the
IP stack. If there is a firewall rule "from lan to any" and "from any to lan",
we are happy: the stack accepts the packet and routes it back out on the LAN
side. (Many routers also send us an ICMP redirect at this point, because the
next hop lies on the interface the packet arrived on, but they forward the
packet all the same.) This packet is addressed to the real target host at the IP
layer, but at the Ethernet layer it is sent by the gateway. When the target host
receives the packet, it processes it and, if its stack learns neighbour bindings
from incoming frames, updates its ARP cache with a wrong binding: our IP address
is now tied to the gateway's MAC address. (A stack that does not learn this way
sends its own ARP request for our IP instead; with the advice at the end of this
document in force that request goes unanswered, so whether the reply comes back
depends on the target's stack.)
So the reply is sent back to the gateway, and the gateway forwards it back to
our system. Our unique MAC address is hidden from all hosts but the gateway.

traffic:

   +------+              +------+              +------+
   |      | ---- #1 ---> |      | ---- #2 ---> |      |
   | you  |              | gate |              | dest |
   |      | <--- #4 ---- |      | <--- #3 ---- |      |
   +------+              +------+              +------+

packets:

          +------+------+               +------+------+
       #1 | src  | dest |            #2 | src  | dest |
    +-----+------+------+         +-----+------+------+
    | eth | you  | gate |         | eth | gate | dest |
    +-----+------+------+         +-----+------+------+
    | ip  | you  | dest |         | ip  | you  | dest |
    +-----+------+------+         +-----+------+------+

          +------+------+               +------+------+
       #3 | src  | dest |            #4 | src  | dest |
    +-----+------+------+         +-----+------+------+
    | eth | dest | gate |         | eth | gate | you  |
    +-----+------+------+         +-----+------+------+
    | ip  | dest | you  |         | ip  | dest | you  |
    +-----+------+------+         +-----+------+------+

Only the Ethernet addresses change at the gateway. The IP header crosses it
untouched (apart from the TTL), since a plain LAN-to-LAN forward involves no NAT,
so packet #4 still carries dest as its IP source.


What does that mean?

Just imagine that the targeted host is a honeypot or something evil. It detects
that something is going wrong on the LAN. Since it only has your IP address
(which is worth nothing), it (or the admin) will look for the MAC address to
identify the originating machine. Because we used the gateway for hiding, the
target cannot learn our MAC address from its own traffic and cannot track us
that way. All that is found is the MAC address of the gateway. Keep in mind that
the gateway's own ARP cache, and the forwarding table of the switch port we sit
on, still hold our real MAC address: we are hidden from the target, not from an
admin with access to the infrastructure. Of course we have to drop all ARP
requests for our local machine that are not sent by the gateway, to prevent extra
lookups and being detected by reverse trials.


Finding the gateway

Since most gateways trust the LAN side in some way, and every machine that has IP
forwarding enabled is a gateway in this understanding, it is easy to find a
matching host. You could use tools like ettercap to do a passive scan for the
gateway, or try to arphide packets back to yourself through each candidate: when
a host forwards them back to you, you have found a valid gateway.
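The four packets of the diagram, modelled in Python as an added example (this is
not code from the original text). It builds real Ethernet II / IPv4 byte strings
with made-up MAC and IP addresses and applies what a forwarding gateway does to a
frame addressed to its NIC: rewrite the link-layer addresses, decrement the TTL,
recompute the header checksum, and leave the IP addresses alone. Nothing is sent
on the wire; the point is to show what each hop sees.

```python
"""Offline model of the arphide relay (added example, addresses are made up)."""
import socket
import struct

ETH_P_IP = 0x0800

# Constructed lab addresses: (MAC, IP) for the three boxes in the diagram.
YOU = ("00:0c:29:aa:aa:aa", "192.168.1.10")
GATE = ("00:50:56:bb:bb:bb", "192.168.1.1")
DEST = ("00:0c:29:cc:cc:cc", "192.168.1.20")
# What the gateway's own ARP cache holds on the LAN side.
GW_ARP = {YOU[1]: YOU[0], DEST[1]: DEST[0]}


def mac(s):
    """'aa:bb:cc:dd:ee:ff' -> 6 raw bytes."""
    return bytes.fromhex(s.replace(":", ""))


def ip_checksum(header):
    """RFC 791 header checksum; returns 0 for a header whose checksum is valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src, dst, payload, ttl=64, proto=17):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + payload


def build_frame(eth_src, eth_dst, ip_src, ip_dst, payload):
    """Ethernet II frame; eth_dst need not match ip_dst, which is the whole trick."""
    return (mac(eth_dst) + mac(eth_src) + struct.pack("!H", ETH_P_IP)
            + build_ipv4(ip_src, ip_dst, payload))


def parse_frame(frame):
    """The addresses a sniffer (or the target) sees in a frame."""
    eth_dst, eth_src, _ = struct.unpack("!6s6sH", frame[:14])
    ip = frame[14:]
    return {
        "eth_src": eth_src.hex(":"),
        "eth_dst": eth_dst.hex(":"),
        "ip_src": socket.inet_ntoa(ip[12:16]),
        "ip_dst": socket.inet_ntoa(ip[16:20]),
        "ttl": ip[8],
        "checksum_ok": ip_checksum(ip[:20]) == 0,
    }


def gateway_forward(frame, gw_mac, gw_arp_table):
    """What an IP-forwarding host does with a frame sent to its own MAC.

    Returns the rewritten frame, or None when the frame is not for this NIC,
    has a bad header, or has an exhausted TTL. No NAT is applied: the IP
    addresses survive untouched, only the Ethernet addresses and TTL change.
    """
    eth_dst, _, etype = struct.unpack("!6s6sH", frame[:14])
    if eth_dst != mac(gw_mac) or etype != ETH_P_IP:
        return None                      # a real NIC would not even pass it up
    ip = bytearray(frame[14:])
    if ip_checksum(bytes(ip[:20])) != 0 or ip[8] <= 1:
        return None                      # corrupt header or TTL expired
    next_hop = gw_arp_table[socket.inet_ntoa(bytes(ip[16:20]))]
    ip[8] -= 1                           # TTL decremented like on any hop
    ip[10:12] = b"\x00\x00"              # zero, then recompute the checksum
    ip[10:12] = struct.pack("!H", ip_checksum(bytes(ip[:20])))
    return mac(next_hop) + mac(gw_mac) + struct.pack("!H", ETH_P_IP) + bytes(ip)


def relay_round_trip():
    """Packets #1..#4 of the diagram, returned as parsed views."""
    p1 = build_frame(YOU[0], GATE[0], YOU[1], DEST[1], b"hello")
    p2 = gateway_forward(p1, GATE[0], GW_ARP)
    # dest replies; with our IP bound to the gateway MAC in its ARP cache the
    # reply is framed to the gateway, exactly like our request was.
    p3 = build_frame(DEST[0], GATE[0], DEST[1], YOU[1], b"reply")
    p4 = gateway_forward(p3, GATE[0], GW_ARP)
    return [parse_frame(p) for p in (p1, p2, p3, p4)]


if __name__ == "__main__":
    for n, view in enumerate(relay_round_trip(), 1):
        print("#%d %s" % (n, view))
```

Run it and compare the printed views with the packet tables above: your MAC
appears only in #1 and #4, the two frames that travel between you and the
gateway. Sending the real thing needs a raw socket (root) and a tool such as
ettercap; the model here only shows the address bookkeeping.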
Good advice

Drop all ARP requests that are not from the gateway, and remember that the
gateway knows your MAC address anyway (so pick the dumbest one you can find).
Change your IP address at a moderate rate (if they are hunting you).
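The first piece of advice as a filter, written here as an added example (not
code from the original text; the gateway and host addresses are made up). It
parses an Ethernet II + ARP frame (RFC 826, IPv4 over Ethernet), answers a
request for our IP only when both the Ethernet source and the ARP sender
hardware address belong to the trusted gateway, and stays silent for everyone
else, including a prober that forges one of the two fields. Nothing is sent on
the wire.

```python
"""Answer ARP requests only from the gateway (added example, made-up addresses)."""
import socket
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"

# Constructed lab addresses.
MY_MAC, MY_IP = "00:0c:29:aa:aa:aa", "192.168.1.10"
GATEWAY_MAC, GATEWAY_IP = "00:50:56:bb:bb:bb", "192.168.1.1"
HONEYPOT_MAC, HONEYPOT_IP = "00:0c:29:cc:cc:cc", "192.168.1.20"


def mac(s):
    return bytes.fromhex(s.replace(":", ""))


def build_arp(op, sha, spa, tha, tpa):
    """Ethernet II + ARP (hrd=1 Ethernet, pro=0x0800 IPv4, hln=6, pln=4)."""
    eth_dst = mac(tha) if op == ARP_REPLY else mac(BROADCAST)
    body = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op,
                       mac(sha), socket.inet_aton(spa),
                       mac(tha), socket.inet_aton(tpa))
    return eth_dst + mac(sha) + struct.pack("!H", ETH_P_ARP) + body


def parse_arp(frame):
    """Return the ARP fields plus the Ethernet source, or None if not ARP/IPv4."""
    if len(frame) < 42:
        return None
    _, eth_src, etype = struct.unpack("!6s6sH", frame[:14])
    if etype != ETH_P_ARP:
        return None
    hrd, pro, hln, pln, op, sha, spa, tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if (hrd, pro, hln, pln) != (1, 0x0800, 6, 4):
        return None
    return {"eth_src": eth_src.hex(":"), "op": op,
            "sha": sha.hex(":"), "spa": socket.inet_ntoa(spa),
            "tha": tha.hex(":"), "tpa": socket.inet_ntoa(tpa)}


def handle_arp(frame, trusted_mac=GATEWAY_MAC, my_mac=MY_MAC, my_ip=MY_IP):
    """Return the reply frame to send, or None to stay silent.

    Policy from the text: only the gateway gets an answer. The sender is
    checked both in the Ethernet header and in the ARP body, since a prober
    may forge one of them and not the other.
    """
    req = parse_arp(frame)
    if req is None or req["op"] != ARP_REQUEST or req["tpa"] != my_ip:
        return None                                  # not a request for us
    if req["sha"] != trusted_mac or req["eth_src"] != trusted_mac:
        return None                                  # drop: not the gateway asking
    return build_arp(ARP_REPLY, my_mac, my_ip, req["sha"], req["spa"])


def demo():
    """Three requests: a genuine one from the gateway, a honeypot probe, and a
    probe that forges the ARP sender address but not the Ethernet source."""
    gw_req = build_arp(ARP_REQUEST, GATEWAY_MAC, GATEWAY_IP, "00:00:00:00:00:00", MY_IP)
    probe = build_arp(ARP_REQUEST, HONEYPOT_MAC, HONEYPOT_IP, "00:00:00:00:00:00", MY_IP)
    forged = gw_req[:6] + mac(HONEYPOT_MAC) + gw_req[12:]   # eth_src swapped
    return {
        "gateway": handle_arp(gw_req) is not None,
        "honeypot": handle_arp(probe) is not None,
        "forged": handle_arp(forged) is not None,
    }


if __name__ == "__main__":
    for who, answered in demo().items():
        print("%-8s %s" % (who, "replied" if answered else "silent"))
```

On a real Linux host the same policy is usually expressed with an ARP-level
packet filter rather than in user space, but the decision is the one shown
here: compare the requester against the single MAC that already knows yours.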