Why can two computers with the same MAC address and the same IP address surf the Internet at the same time without affecting each other?
An article found on the Internet answers the question.

Residential broadband with web authentication: there are two computers, and the account is bound to a MAC address and an IP address. Because the account is bound to the MAC address, so that either computer can get online while the other is turned off, the MAC address and IP address of both machines were set to the same values. Strangely, when both computers are turned on at the same time and connected to the same switch, no IP conflict is reported, and both can surf the Internet at the same time. After careful thought, I think Windows detects IP conflicts by noticing the same IP on network cards with different MAC addresses; because the MAC addresses of the two machines are the same, Windows cannot detect the conflict. As for surfing the Internet at the same time without conflict, one can also recall the network protocols: communication between programs also needs ports, and both network cards receive the same data; one of them has the matching port and accepts it, and the other discards it because the port number is different. But if programs on the two machines use the same port, will there be a problem? Hard work pays off: I finally found an article written by an expert that completely resolved my confusion.

Breaking the binding strategy of MAC address and IP address

The solutions to "IP address theft" introduced in [1] mostly adopt the strategy of binding MAC addresses to IP addresses, which is quite dangerous. This paper discusses that issue. It should be stated here that the paper is motivated by concern about the security of the MAC/IP binding strategy and is in no way a hacking guide.

1.1 Why bind MAC and IP addresses?

Many factors affect network security, and IP address theft (address spoofing) is one of the most common and most harmful. In practice many network applications are IP-based: traffic accounting, account control and the like all use the IP address as an important parameter for identifying a user. If someone steals a legitimate address and impersonates a legitimate user, data transmitted on the network may be destroyed, eavesdropped on or stolen outright, causing irreparable losses.

Stealing an IP address from outside the local network is hard, because routers and other interconnection devices are generally configured with the range of IP addresses allowed on each port, and packets outside that range are not forwarded. When the IP address of a legitimate user inside the Ethernet segment is stolen, however, such devices are powerless. As the saying goes, "the Devil is one foot tall, but the Way is ten feet tall": there are countermeasures for theft of IP addresses inside the Ethernet, and binding MAC addresses to IP addresses is a common, simple and effective one.

1.2 Principle of binding MAC and IP addresses

Changing an IP address is trivial. The MAC address, by contrast, is stored in the network card's EEPROM and is intended to be globally unique. So, to stop insiders from illegally stealing an IP (for example taking the address of someone with higher privileges in order to obtain information beyond their own authority), the intranet IP address can be bound to the MAC address: even if the IP address is changed, the theft fails because the MAC addresses do not match. Moreover, because a network card's MAC address is unique, the card using a given MAC address, and hence the thief, can be traced.

At present many corporate intranets, and campus networks in particular, use MAC/IP address binding. Many firewalls (hardware and software) have a built-in MAC/IP binding function to prevent internal IP addresses from being stolen.

On the surface, binding MAC to IP prevents internal IP addresses from being stolen. In fact, because of how the various protocol layers and network card drivers are implemented, the binding has serious defects and cannot really prevent internal IP theft.

2 Cracking the binding strategy of MAC and IP addresses

2.1 Introduction to IP addresses and MAC addresses

Today's TCP/IP networks use a four-layer protocol stack: from the bottom up, the link layer, the network layer, the transport layer and the application layer.

Ethernet is a link-layer protocol and the address it uses is the MAC address. The MAC address is the hardware identifier of an Ethernet network card and is written into the card's EEPROM when it is manufactured. Different cards have different MAC addresses, so a MAC address uniquely identifies a card. Every frame transmitted on Ethernet carries the MAC address of the card that sent it.

Ethernet identifies the sender and receiver of a frame by the source and destination MAC addresses in the Ethernet header. IP operates at the network layer and the address it uses is the IP address; when communicating with IP, every IP packet header must carry a source and a destination IP address to mark the sender and receiver of the packet. When IP packets are carried over Ethernet, the IP packet is simply the data (payload) of the Ethernet frame. The IP address is transparent to an Ethernet switch or hub. Users can configure one or more IP addresses on a network card according to the actual needs of the network; there is no one-to-one correspondence between MAC addresses and IP addresses.

The MAC address is stored in the card's EEPROM and is fixed there. However, when the network card driver sends an Ethernet frame it does not read the MAC address from the EEPROM; it keeps a buffer in memory and takes the source MAC address of outgoing frames from that buffer. Furthermore, the user can change the source MAC address of the frames actually sent through the operating system. Since the MAC address can be changed, binding MAC to IP loses its original meaning.
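To make the point concrete, here is an added example (not code from the article) in Python that builds an Ethernet frame carrying an IPv4 packet, parses it back, and then overwrites only the six source MAC bytes, which is exactly what a changed driver address buffer amounts to on the wire. It also applies the MAC/IP pair check that the firewall in the next section performs, to show that the re-sourced frame passes. The MAC and IP addresses, the binding table and the HTTP payload are constructed for the example and are not from the article.

```python
import struct

ETHERTYPE_IPV4 = 0x0800


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", "").replace("-", ""))


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_bytes(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement checksum; a valid header (checksum field included) sums to 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(src_mac, dst_mac, src_ip, dst_ip, payload, proto=6):
    """Ethernet II frame: dst MAC, src MAC, EtherType, then a 20-byte IPv4 header and payload."""
    hdr = struct.pack("!BBHHHBBH4s4s",
                      0x45, 0, 20 + len(payload),   # version/IHL, TOS, total length
                      0, 0x4000,                    # identification, flags (DF) / fragment offset
                      64, proto, 0,                 # TTL, protocol, checksum placeholder
                      ip_bytes(src_ip), ip_bytes(dst_ip))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETHERTYPE_IPV4) + hdr + payload


def parse_frame(frame: bytes) -> dict:
    """Extract link-layer and network-layer addresses; the IP packet is just the Ethernet payload."""
    dst, src = frame[0:6], frame[6:12]
    (etype,) = struct.unpack("!H", frame[12:14])
    if etype != ETHERTYPE_IPV4:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ipv4_checksum(ip[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    return {"dst_mac": mac_str(dst), "src_mac": mac_str(src),
            "src_ip": ip_str(ip[12:16]), "dst_ip": ip_str(ip[16:20]),
            "ip_packet": ip}


def rewrite_source_mac(frame: bytes, new_src_mac: str) -> bytes:
    """What a modified driver address buffer produces on the wire: only bytes 6..11 change."""
    return frame[:6] + mac_bytes(new_src_mac) + frame[12:]


def firewall_allows(frame: bytes, bindings: dict) -> bool:
    """MAC/IP binding check as the article's firewall applies it: the source pair must be in the table."""
    f = parse_frame(frame)
    return bindings.get(f["src_mac"]) == f["src_ip"]


# Constructed example values (hypothetical, not from the article)
HOST2_MAC, HOST2_IP = "00:50:04:aa:bb:cc", "192.168.1.20"
HOST1_MAC = "00:50:04:11:22:33"
BINDINGS = {HOST2_MAC: HOST2_IP}          # the firewall's table: only Host 2 is registered


def demo():
    """Host 1 first steals only Host 2's IP (blocked), then its MAC as well (allowed)."""
    honest = build_frame(HOST1_MAC, "00:00:0c:01:02:03", HOST2_IP, "203.0.113.10",
                         b"GET / HTTP/1.0\r\n\r\n")
    spoofed = rewrite_source_mac(honest, HOST2_MAC)
    return firewall_allows(honest, BINDINGS), firewall_allows(spoofed, BINDINGS)


if __name__ == "__main__":
    print(demo())   # (False, True)
```

The IPv4 header and its checksum are untouched by the MAC rewrite: the spoofed frame differs from the honest one in exactly six bytes, and every layer above Ethernet, the binding firewall included, sees an identical packet from what it believes is the registered MAC/IP pair.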

2.2 Cracking scheme

The figure below is the schematic of the cracking test. Its internal server and external server both provide Web services, and MAC/IP binding is enforced in the firewall: if the source MAC address and IP address pair in a packet does not match the pair configured in the firewall, the packet does not pass. Host 2 and the internal server are legitimate machines on the internal network; Host 1 is a machine newly added for the experiment, running W2000 Enterprise Edition with a 3Com network card.

The experiment requires changing the MAC and IP address of Host 1's network card to those of the victim machine. First open "Network and Dial-up Connections" in the Control Panel, right-click the relevant network card and choose Properties, then click "Configure" on the General tab of the property page. On the "Advanced" tab, select "Network Address" in the property list, select the input box in the value column and enter the MAC address of the victim machine; the MAC address is now changed.

Then set the IP address to the victim's IP address. Stealing the IP address of an internal client: change Host 1's MAC and IP address to those of Host 2. Host 1 can now access the external server and passes through the firewall without trouble, with the same access rights as Host 2. At the same time Host 2 can still access the external server normally and is completely unaffected by Host 1. Neither Host 2 nor the firewall knows that Host 1 exists. If Host 1 accesses the internal server it does not need to go through the firewall at all and is unimpeded.

Stealing the IP address of the internal server: change Host 1's MAC and IP address to those of the internal server. Host 1 also runs a Web service; to make the effect obvious, the Web content served by Host 1 differs from that of the internal server.

Because in the actual experiment Host 1 is connected to the same hub as Host 2, Host 2's requests are always answered first by Host 1: Host 2 expects to reach the internal server but always gets Host 1's content. More generally, when Host 2 tries to reach the internal server, whether it receives Host 1's content or the internal server's is a matter of chance, depending on who answers its request first; this is analysed further below. (On a switch rather than a hub the outcome differs: the switch learns the shared MAC address on whichever port most recently sent a frame and forwards a reply to that port only, so the two machines take turns "winning", and many managed switches log the resulting MAC address flapping.)

Stealing the server's MAC and IP may be more harmful. If Host 1 serves the same Web content as the internal server, Host 2 cannot tell which machine it is talking to; if the page asks for an account number and password, that information is visible in the clear to Host 1.

3 Reasons the cracking succeeds

The experiments above verify that MAC/IP binding has serious defects and cannot effectively prevent internal IP theft. The defect is now analysed in theory.

The precondition for the defect is that the network card's receive filtering is programmable. In promiscuous mode a card accepts every frame on the medium regardless of whether the destination MAC address is its own; more importantly, the card's own station (unicast) address filter is a register that the driver writes at initialisation, so the driver can load a user-chosen address into it. Without that, even after changing the MAC address the card could send with the new address but would never receive frames addressed to it, and communication could not proceed.

The direct reason the MAC address can be stolen lies in how the driver builds Ethernet frames. The driver fills in the source MAC address, but it does not read it from the card's EEPROM each time; it keeps a MAC address buffer in memory which is loaded from the EEPROM when the card is initialised. If the contents of that buffer are replaced with a user-set MAC address, every frame sent afterwards carries the modified source address.

Changing the MAC address alone would not necessarily make the theft succeed. Ethernet is a broadcast medium: every card can see all frames on the LAN, but a card normally accepts only those whose destination address matches its own MAC address. If two hosts with the same MAC address each send a request, the responses to both requests match both hosts, so each host receives not only the content it wanted but also the content intended for the other host with the same MAC.

By rights, after receiving these extra packets both hosts should malfunction and the theft should be detected immediately; yet in the experiment all equipment kept working normally after the address was stolen. Why? The answer lies in the upper-layer protocols.

The most widely used protocol suite is TCP/IP, and network applications generally run over TCP or UDP. The HTTP used by the Web servers in the experiment, for instance, runs over TCP. In TCP and UDP a communicating party is identified not only by its IP address but also by a port number. In ordinary applications the client port is not preset but chosen by the stack according to certain rules, effectively at random; accessing a Web server with IE works this way, as mentioned above. A TCP or UDP port number is a 16-bit number, and the probability that two random 16-bit numbers coincide is tiny. So although the two hosts share a MAC and IP address, their application port numbers differ: no matching port is found at the TCP/UDP layer, the extra data is treated as useless and discarded, and that discard is transparent to the application. Users therefore use their services normally without noticing the theft. One caveat belongs here: a standards-conforming stack does not discard such a segment silently. A TCP segment arriving for a port with no socket is answered with a RST (RFC 793), and a UDP datagram for an unbound port with an ICMP port unreachable; if the firewall forwards those to the server, the server resets the other host's connection. The theft is therefore noisier than it first appears, although a short HTTP exchange may complete before the reset takes effect.

Of course, for some applications the port number is set by the user or by the application itself rather than chosen at random. What happens then? If two applications using the same port are started on two hosts with the same MAC and IP address, do both work normally? Not necessarily.

If the transport is UDP, the two applications interfere with each other and cannot work normally. With TCP the result differs. Because TCP is connection-oriented and must support retransmission to guarantee correct delivery, it introduces sequence numbers and a receive window. Among segments whose port numbers match, only those whose sequence number falls within the receive window are accepted; others are regarded as stale and discarded. TCP sequence numbers are 32 bits wide. Each connection's initial sequence number is chosen (pseudo)randomly, and the sequence number then advances by the number of payload bytes sent, not by one per segment.

The window field is 16 bits, so without window scaling the window is at most 2^16 bytes, while the sequence number space is 2^32. The probability that a segment meant for one host also falls within the other host's receive window is therefore about 2^16/2^32 = 1/2^16, which is very small. TCP sequence numbers were designed to deliver data correctly; here they become an accomplice to address theft.
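The demultiplexing argument of this section, as an added Python example that is not part of the article: a toy model of two hosts sharing one MAC and IP address on a hub, where each host's stack decides what to do with a server segment by port, by TCP 4-tuple and by receive window. The IP addresses, ports, window size and initial sequence numbers are constructed for the example. One deliberate difference from the text above: a stack with no socket for an incoming TCP segment answers with a RST (RFC 793), and one with no socket for a UDP datagram answers with an ICMP port unreachable, so the model reports those outcomes rather than a silent drop.

```python
import random
from dataclasses import dataclass, field

SEQ_SPACE = 2 ** 32
SHARED_IP = "10.0.0.2"    # constructed: the IP both hosts use
SERVER_IP = "10.0.0.1"    # constructed: the web server they talk to


@dataclass
class Segment:
    proto: str            # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    seq: int = 0          # TCP: sequence number of the first payload byte
    payload: bytes = b""


@dataclass
class TcpConn:
    rcv_nxt: int          # next sequence number this side expects
    rcv_wnd: int = 65535  # 16-bit window field, no window scaling


@dataclass
class Host:
    name: str
    ip: str
    udp_ports: set = field(default_factory=set)
    # (local_ip, local_port, remote_ip, remote_port) -> TcpConn
    tcp_conns: dict = field(default_factory=dict)

    def receive(self, seg: Segment) -> str:
        """What the stack does with a segment the NIC accepted (both NICs share the MAC)."""
        if seg.dst_ip != self.ip:
            return "drop"                     # IP layer: not addressed to us
        if seg.proto == "udp":
            if seg.dst_port in self.udp_ports:
                return "accept"
            return "icmp-unreachable"         # no socket: stack answers with ICMP port unreachable
        key = (seg.dst_ip, seg.dst_port, seg.src_ip, seg.src_port)
        conn = self.tcp_conns.get(key)
        if conn is None:
            return "rst"                      # RFC 793: a segment for a CLOSED port is answered with RST
        if (seg.seq - conn.rcv_nxt) % SEQ_SPACE < conn.rcv_wnd:
            conn.rcv_nxt = (seg.seq + len(seg.payload)) % SEQ_SPACE
            return "accept"
        return "drop"                         # outside the receive window: treated as stale


def hub_deliver(hosts, seg):
    """A hub repeats every frame to every port; both NICs accept it because they share the MAC."""
    return {h.name: h.receive(seg) for h in hosts}


def scenario_random_ports(seed=1):
    """Each host opens its own HTTP connection from a random ephemeral port (the IE case)."""
    rng = random.Random(seed)
    hosts = [Host("host1", SHARED_IP), Host("host2", SHARED_IP)]
    ports = rng.sample(range(1024, 65536), 2)
    isns = [rng.randrange(SEQ_SPACE) for _ in hosts]
    for h, p, isn in zip(hosts, ports, isns):
        h.tcp_conns[(SHARED_IP, p, SERVER_IP, 80)] = TcpConn(rcv_nxt=isn)
    reply_to_host1 = Segment("tcp", SERVER_IP, 80, SHARED_IP, ports[0],
                             seq=isns[0], payload=b"HTTP/1.0 200 OK")
    return hub_deliver(hosts, reply_to_host1)


def scenario_same_udp_port(port=5000):
    """Both hosts bind the same UDP port: every datagram is delivered to both, so they interfere."""
    hosts = [Host("host1", SHARED_IP, udp_ports={port}),
             Host("host2", SHARED_IP, udp_ports={port})]
    return hub_deliver(hosts, Segment("udp", SERVER_IP, 53, SHARED_IP, port, payload=b"x"))


def scenario_same_tcp_tuple(port=40000, isn1=1_000_000, isn2=3_000_000_000):
    """Both hosts hold a connection with the identical 4-tuple but independent ISNs."""
    hosts = [Host("host1", SHARED_IP), Host("host2", SHARED_IP)]
    for h, isn in zip(hosts, (isn1, isn2)):
        h.tcp_conns[(SHARED_IP, port, SERVER_IP, 80)] = TcpConn(rcv_nxt=isn)
    return hub_deliver(hosts, Segment("tcp", SERVER_IP, 80, SHARED_IP, port,
                                      seq=isn1, payload=b"data"))


def collision_probability(rcv_wnd=65535):
    """Chance that a segment for one connection also lands inside the other host's window."""
    return rcv_wnd / SEQ_SPACE


if __name__ == "__main__":
    print(scenario_random_ports())     # host1 accepts, host2 has no socket and sends RST
    print(scenario_same_udp_port())    # both accept
    print(scenario_same_tcp_tuple())   # host1 accepts, host2 drops as out of window
    print(collision_probability())
```

The model shows why the experiment "worked" and where it is fragile: with random client ports only one host has a matching 4-tuple, and with a shared 4-tuple the second host's window almost never covers the first host's sequence numbers. What the text does not mention is the RST from the host without a socket; in a real capture that reset, reaching the server through a firewall that sees only the legitimate MAC/IP pair, is the most visible trace the thief leaves.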

4 Solving the problem of MAC/IP binding being cracked

There are many ways to address the cracking of MAC/IP binding; the main ones are as follows.

Binding the switch port, MAC address and IP address together; combining a proxy service with a firewall; PPPoE-based user authentication; directory-service policy; and combining unified identity authentication with billing software, among others. (The principles and procedures of these methods are covered in my humble book "Solution to IP Address Theft in Campus Network".) The author particularly recommends the last method, implemented by combining the campus network's office automation system with the network billing software; it is very practical in today's campus network construction.