地址解析协议,即ARP(Address Resolution Protocol),是根据IP地址获取物理地址的一个TCP/IP协议。主机发送信息时将包含目标IP地址的ARP请求广播到网络上的所有主机,并接收返回消息,以此确定目标的物理地址;收到返回消息后将该IP地址和物理地址存入本机ARP缓存中并保留一定时间,下次请求时直接查询ARP缓存以节约资源。地址解析协议是建立在网络中各个主机互相信任的基础上的,网络上的主机可以自主发送ARP应答消息,其他主机收到应答报文时不会检测该报文的真实性就会将其记入本机ARP缓存;由此攻击者就可以向某一主机发送伪ARP应答报文,使其发送的信息无法到达预期的主机或到达错误的主机,这就构成了一个ARP欺骗。ARP命令可用于查询本机ARP缓存中IP地址和MAC地址的对应关系、添加或删除静态对应关系等。相关协议有RARP、代理ARP。NDP用于在IPv6中代替地址解析协议。
2.arp命令
arp命令用来管理ARP缓存
arp -v 详细模式
$ arp -v
Address HWtype HWaddress Flags Mask Iface
xxxxx ether 00:12:da:46:34:00 C eth0
10.1.1.17 ether 00:16:3e:f2:38:33 C eth1
10.1.1.12 ether 00:16:3e:f2:37:6b C eth1
Entries: 3 Skipped: 0 Found: 3
arp -n 显示数字地址
$ arp -n
Address HWtype HWaddress Flags Mask Iface
xxxxxxxx ether 00:12:da:46:34:00 C eth0
10.1.1.13 ether 00:16:3e:f2:37:7d C eth1
10.1.1.18 ether 00:16:3e:f2:38:35 C eth1
arp -a 查看指定主机的IP和MAC对应关系,默认显示全部
$ arp -a
? (xxxxxxxxx) at 00:12:da:46:34:00 [ether] on eth0
? (10.1.1.13) at 00:16:3e:f2:37:7d [ether] on eth1
? (10.1.1.18) at 00:16:3e:f2:38:35 [ether] on eth1
[gintama@gintama-taiwan-lb1 ~]$ arp -a 10.1.1.18
? (10.1.1.18) at 00:16:3e:f2:38:35 [ether] on eth1
arp -d 删除指定主机的IP和MAC对应关系
$ sudo arp -d 10.1.1.18
arp -i 只显示指定网卡的IP和MAC对应关系
$ arp -i eth0
Address HWtype HWaddress Flags Mask Iface
xxxxxxxxxxxxx ether 00:12:da:46:34:00 C eth0
$ arp -i eth1
Address HWtype HWaddress Flags Mask Iface
10.1.1.13 ether 00:16:3e:f2:37:7d C eth1
10.1.1.18 ether 00:16:3e:f2:38:35 C
arp -s hostname hw_addr, --set hostname 手动设置IP和MAC的对应关系
$ sudo arp -s 10.1.1.18 00:16:3e:f2:38:35
3.arping命令
arping [ -AbDfhqUV] [ -c count] [ -w deadline] [ -s source] -I interface destination
想目标主机发送ARP请求
-A 使用ARP REPLAY替代ARP REQUEST报文
$ sudo arping -A -I eth1 -s 10.1.1.12 10.1.1.19
ARPING 10.1.1.19 from 10.1.1.12 eth1
Unicast reply from 10.1.1.19 [00:16:3E:F2:38:3B] 627.781ms
Unicast reply from 10.1.1.19 [00:16:3E:F2:38:3B] 988.125ms
Unicast reply from 10.1.1.19 [00:16:3E:F2:38:3B] 827.356ms
Unicast reply from 10.1.1.19 [00:16:3E:F2:38:3B] 837.510ms
Unicast reply from 10.1.1.19 [00:16:3E:F2:38:3B] 303.940ms
-b 只发送MAC层面的ARP广播报文,正常情况下,arping先以发送ARP广播报文方式启动,当收到ARP REPLY报文后就转成单播
$ sudo arping -b -I eth1 -s 10.1.1.12 10.1.1.19
ARPING 10.1.1.19 from 10.1.1.12 eth1
Unicast reply from 10.1.1.19 [00:16:3E:F2:38:3B] 0.764ms
Unicast reply from 10.1.1.19 [00:16:3E:F2:38:3B] 0.843ms
Unicast reply from 10.1.1.19 [00:16:3E:F2:38:3B] 0.744ms
-c 指定发送ARP REQUEST报文个数.如果再指定-w参数,arping将一直等待ARP REPLY报文,直到超时时间截止
$ sudo arping -c 5 -I eth1 -s 10.1.1.12 10.1.1.19
ARPING 10.1.1.19 from 10.1.1.12 eth1
Unicast reply from 10.1.1.19 [00:16:3E:F2:38:3B] 0.771ms
Unicast reply from 10.1.1.19 [00:16:3E:F2:38:3B] 0.744ms
Unicast reply from 10.1.1.19 [00:16:3E:F2:38:3B] 0.741ms
Unicast reply from 10.1.1.19 [00:16:3E:F2:38:3B] 0.806ms
Unicast reply from 10.1.1.19 [00:16:3E:F2:38:3B] 0.731ms
Sent 5 probes (1 broadcast(s))
Received 5 response(s)
-w deadline
以秒为单位指定超时时间。
-D 重复地址检查模式
$ sudo arping -D 10.1.1.200
ARPING 10.1.1.200 from 0.0.0.0 eth0
Unicast reply from 10.1.1.200 [00:16:3E:F2:37:6B] 0.692ms
Sent 1 probes (1 broadcast(s))
Received 1 response(s)
-I 指定发送ARP REQUEST的网卡
-s 指定源地址
如果使用DAD模式,设置成为0.0.0.0
如果使用Unsolicited ARP mode,设置成为目的地址
其他情况下,根据路由表计算
4.阻止ARP flux
ARP协议用于将IP地址转换成为物理地址,默认情况下,拥有多块网卡的Linux主机会响应该主机的任意网卡上接收到的任意网卡上绑定的IP地址的ARP请求。
假设一台Linux主机拥有两块网卡A和B,IP地址和MAC地址分别是
主机A
IP 10.10.41.102
MAC 08:00:27:4B:63:93
主机B
IP 10.10.41.142
MAC 08:00:27:47:78:55
现在使用arping命令分别向两个IP发送ARP REQUEST
$ sudo arping 10.10.41.142
ARPING 10.10.41.142 from 10.10.41.17 eth0
Unicast reply from 10.10.41.142 [08:00:27:4B:63:93] 1.721ms
Unicast reply from 10.10.41.142 [08:00:27:4B:63:93] 1.774ms
Unicast reply from 10.10.41.142 [08:00:27:4B:63:93] 2.626ms
Unicast reply from 10.10.41.142 [08:00:27:4B:63:93] 1.174ms
Unicast reply from 10.10.41.142 [08:00:27:4B:63:93] 1.164ms
^CSent 5 probes (1 broadcast(s))
Received 5 response(s)
$ sudo arping 10.10.41.102
ARPING 10.10.41.102 from 10.10.41.17 eth0
Unicast reply from 10.10.41.102 [08:00:27:4B:63:93] 1.988ms
Unicast reply from 10.10.41.102 [08:00:27:4B:63:93] 1.266ms
Unicast reply from 10.10.41.102 [08:00:27:4B:63:93] 1.478ms
Unicast reply from 10.10.41.102 [08:00:27:4B:63:93] 1.243ms
^CSent 4 probes (1 broadcast(s))
Received 4 response(s)
可以看到10.10.41.142这个IP返回的不是它该有的MAC地址
本文永久更新链接地址: