Just a quick news update for those of you who haven't heard: it seems that VMware's update to ESX 3.5u2 has left all servers running the software inoperable. According to a news article from The Register in the UK, the issues began when clocks rolled over to August 12th this morning. To be clear, this issue is not present in any of VMware's lower-end software (Workstation, Server, Player).
While it may not affect users who run VMware on their home machine, this bug has the potential to damage the trust that larger businesses have placed in VMware's software. In today's larger networks, virtualization plays a large, almost unimaginable role in consolidating hardware resources. If VMware intends to be a major player in virtualization, what kind of damage does this bug do to their reputation? How about long term? A company worried about appearing incompetent at coding is not likely to make the same mistake twice.
On the other hand, the irony is that VMware is not the only software company that has made coding mistakes. When Microsoft made the release candidate of Service Pack 1 for Windows Vista available, a good-sized number of customers were left with an unbootable machine (TechNet). Yet despite the coding mistakes Microsoft has made, it has still managed to keep Windows on the majority of PCs on the market. Why?
The answer: Microsoft lacks a serious threat to its empire, so accidents are easily overlooked. VMware, on the other hand, is in direct competition with Microsoft's Hyper-V and other virtualization products. It'll be interesting to see how much this bug has hurt VMware's position in the coming months.
Tuesday, August 12, 2008
Wednesday, August 6, 2008
Greyhat Zone: ARP poisoning
Today I'm introducing a new part of the blog: The Greyhat Zone!
The Greyhat Zone will feature security- and hacking-focused articles and tutorials, with the purpose of further educating students interested in the security world. As some of you may have guessed, this means covering both sides of the conflict between black hats and white hats. A white hat is an IT professional whose intent is to protect the networks and devices he is in charge of. On the opposite side are the black hats, people who seek to exploit such networks and devices, whether for educational purposes or personal gain. Greyhats are a mix of both sides.
This month on the Greyhat Zone: ARP Poisoning (Part 1)!
What Part 1 covers
1. Purpose of ARP
What is ARP poisoning? For that matter, what is ARP? ARP stands for the Address Resolution Protocol. A standard IPv4 network uses ARP to find the hardware (MAC) address of another host from its IP address. Though ARP can be used for other kinds of Network Layer addresses, IPv4 is by far the most prevalent in use.
Consider this simple scenario: Host A pings Host B.
Host A [IP Address: 172.31.1.1] [MAC Address: 00:00:00:00:00:01]
Host B [IP Address: 172.31.1.2] [MAC Address: 00:00:00:00:00:02]
What happens? Before Host A can even send the ping, it must determine the Layer 2 address (MAC address) of Host B. To do this, Host A broadcasts an ARP message. Paraphrasing the message itself, it essentially asks "Who has 172.31.1.2? Tell 172.31.1.1". It is important to note that this broadcast message carries Host A's MAC address. Since both hosts are on the same local network, Host B will respond with its own broadcast message, "172.31.1.2 is at 00:00:00:00:00:02". Host A then adds the MAC address (temporarily) to its ARP table, mapping it to Host B's IP address. At this point the actual ping is finally sent. When Host B responds, it will not need to use ARP to acquire Host A's MAC address, because that information will be included with the ICMP (ping) packet sent to it. However, even if no ping were sent after the ARP request, Host B would still most likely have an entry in its ARP table, thanks to Host A's broadcast. That's a lot of work for one ping!
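The exchange above, worked through in code as an added example (not part of the original post): it encodes the ARP request and reply as RFC 826 packets inside Ethernet frames using the Host A / Host B addresses from the scenario, and models how each host's ARP table fills. One detail worth seeing on the wire: the request is sent to the broadcast MAC, but Host B's reply is unicast straight back to Host A's MAC, which is why only the request is heard by everyone on the segment.

```python
import struct

HOST_A = ("172.31.1.1", "00:00:00:00:00:01")   # constructed addresses from the scenario above
HOST_B = ("172.31.1.2", "00:00:00:00:00:02")
BROADCAST = "ff:ff:ff:ff:ff:ff"
ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2

def mac_bytes(mac): return bytes(int(x, 16) for x in mac.split(":"))
def ip_bytes(ip): return bytes(int(x) for x in ip.split("."))
def mac_str(b): return ":".join(f"{x:02x}" for x in b)
def ip_str(b): return ".".join(str(x) for x in b)

def build_arp(oper, sender, target_ip, target_mac):
    """Ethernet II frame carrying an RFC 826 ARP packet (IPv4 over Ethernet)."""
    # A request goes to the broadcast MAC; a reply is unicast back to the requester.
    dst = BROADCAST if oper == ARP_REQUEST else target_mac
    eth = mac_bytes(dst) + mac_bytes(sender[1]) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)   # htype, ptype, hlen, plen, oper
    arp += mac_bytes(sender[1]) + ip_bytes(sender[0])    # sender hardware + protocol address
    arp += mac_bytes(target_mac) + ip_bytes(target_ip)   # target hardware + protocol address
    return eth + arp

def parse_arp(frame):
    """Return (oper, sender_ip, sender_mac, target_ip) from a 42-byte ARP frame."""
    if struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        raise ValueError("not an ARP frame")
    oper = struct.unpack("!H", frame[20:22])[0]
    return oper, ip_str(frame[28:32]), mac_str(frame[22:28]), ip_str(frame[38:42])

class Host:
    def __init__(self, ip, mac):
        self.ip, self.mac, self.arp_table = ip, mac, {}

    def receive(self, frame):
        """Update the ARP table; answer when a request names our own IP."""
        oper, spa, sha, tpa = parse_arp(frame)
        if tpa != self.ip:
            return None                   # not addressed to us (other hosts hear the broadcast too)
        self.arp_table[spa] = sha         # the sender's mapping comes free with request or reply
        if oper == ARP_REQUEST:
            return build_arp(ARP_REPLY, (self.ip, self.mac), spa, sha)
        return None

def resolve(asker, owner):
    """asker resolves owner's MAC: broadcast request out, unicast reply back."""
    request = build_arp(ARP_REQUEST, (asker.ip, asker.mac), owner.ip, "00:00:00:00:00:00")
    asker.receive(owner.receive(request))
    return asker.arp_table.get(owner.ip)
```

After `resolve(Host(*HOST_A), Host(*HOST_B))` both hosts hold the other's mapping, while a third host that only overheard the broadcast request learns nothing from it because the request did not name its IP.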
2. Switched Networks
On a switched network (such as one built from a standard Linksys "router" with multiple ports, or a higher-end Cisco device), the switch uses a MAC address table to decide which single port data is sent out of, isolating it from the other ports. If Host A's or B's MAC address isn't yet in this table, the switch takes any data sent to that MAC address and floods it out all connected ports. The switch also learns MAC addresses from the traffic arriving on each port, which fills its table. Because of this, data intended for a specific host on the network is generally not viewable by other hosts (unless they are the ones who sent it). If we want to eavesdrop on someone else's connection and we're behind a switch, we're most likely out of luck. At least, for now.
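A small model of the switch behaviour just described, added here as an illustration and not taken from the original post: the switch learns each source MAC against the port it arrived on, floods unknown or broadcast destinations, and forwards known ones out a single port. Replaying the Host A / Host B exchange on an assumed three-port switch shows that a silent host on the third port only ever sees the broadcast ARP request, never the reply or the pings.

```python
BROADCAST = "ff:ff:ff:ff:ff:ff"

class Switch:
    """Learning switch: remembers which port each source MAC was last seen on."""
    def __init__(self, ports):
        self.ports = list(ports)
        self.mac_table = {}            # MAC address -> port number

    def forward(self, in_port, src_mac, dst_mac):
        """Learn the source, then return the egress port(s) for this frame."""
        self.mac_table[src_mac] = in_port
        out_port = self.mac_table.get(dst_mac)
        if dst_mac == BROADCAST or out_port is None:
            return [p for p in self.ports if p != in_port]   # unknown or broadcast: flood
        if out_port == in_port:
            return []                                          # same port as source: filter
        return [out_port]

def arp_then_ping(eavesdropper_port=3):
    """Replay the Host A / Host B exchange on a 3-port switch. Returns the egress ports
    of each step and the names of the frames a silent host on eavesdropper_port sees."""
    sw = Switch([1, 2, 3])
    a_mac, b_mac = "00:00:00:00:00:01", "00:00:00:00:00:02"   # constructed, from the scenario
    steps = [
        ("ARP request A->broadcast", 1, a_mac, BROADCAST),
        ("ARP reply B->A", 2, b_mac, a_mac),
        ("ICMP echo A->B", 1, a_mac, b_mac),
        ("ICMP reply B->A", 2, b_mac, a_mac),
    ]
    egress = {name: sw.forward(port, src, dst) for name, port, src, dst in steps}
    overheard = [name for name, ports in egress.items() if eavesdropper_port in ports]
    return egress, overheard
```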
3. MAC Address Spoofing
Though the MAC address is generally referred to as a physical or hardware address, many may not know that a MAC address is easily faked, or spoofed. In Windows XP, for example, the MAC address is actually stored as a registry entry. In Linux, the MAC address can be changed simply with the ifconfig command. Using a spoofed MAC address in no way alters the device itself, just how it is identified. Generally, a normal reset of a machine removes any spoofed MAC address information. This is especially true of Windows XP (as the registry entry containing the MAC address is created at boot time and refreshed on each start-up).
While spoofing a MAC address may initially sound devious, the fact is that in some cases it is entirely necessary for proper network communication. In the past, some cable providers used the MAC address of the device connected to the cable modem to identify it and ensure that only that registered device was using their service. If a user had been using a single machine and then switched to a router, the router would be cut off because the ISP did not recognize its MAC address. A similar situation could arise from replacing a cable modem with a new one, where the change would require registration of the new device (a situation experienced by Cable One users). MAC address spoofing is a way around these scenarios.
Preview for Part 2:
Remember when I said we would most likely be unable to eavesdrop on another host's connection if we were behind a switch? Well, guess what ARP poisoning allows us to do! That's right, we can get around the security that the common switch provides to its users through isolation. I'll explain what ARP poisoning is, how it works, and what we can use it for (legit and non-legit). I'll also show how to counter this technique.