The current attack on TKIP only works on ARP packets. For that reason we dedicate this section to explaining ARP in greater detail. This section first gives a general description of what ARP is and what it is used for, then explains the structure of an ARP packet. Finally, some attacks on ARP and exploitable properties of the protocol are discussed.
2.10.1 Protocol Overview
The Address Resolution Protocol (ARP) is an important part of computer networks, and is defined in RFC826 [25]. ARP is the protocol that is used to obtain the Link Layer address of a host when only the Network Layer address of that host is known. The most common use of ARP is to acquire the corresponding MAC address of a given IPv4 address.
Another use of ARP is the so-called Gratuitous ARP, or ARP Announcement. These messages are used to update the ARP caches of other machines on the network, and do not require a reply. A Gratuitous ARP contains a valid Link Layer and Network Layer address of the host sending it. It is also possible to use ARP the other way around, to obtain a client's Network Layer address given its Link Layer address. This is called Reverse ARP (RARP). However, RARP has been made obsolete by the introduction of the Dynamic Host Configuration Protocol (DHCP), and is very rarely used today. ARP is not used in IPv6 networks, as these networks use the Neighbor Discovery Protocol (NDP) [24].
When sending an IP packet on a network, the sending host will build an IP packet with the IP address set in the Destination address field. But when the packet is handed to the Ethernet layer, there is no knowledge of which MAC address that IP address corresponds to. The host will then send an ARP request to obtain the MAC address of the destination IP [30].
[Figure 2.22: A wireless network with two stations. AP; Station A (IP: 192.168.1.112, MAC: C1:BE:AA:34:23:12); Station B (IP: 192.168.1.123, MAC: B2:65:11:B1:F1:89)]
Figure 2.22: A wireless network with two stations
As an example, say we have a wireless network with two stations (i.e. clients), A and B, as can be seen in Figure 2.22. Client A, with IP address 192.168.1.112, wants to send an IP packet to client B but does not know the MAC address of that client. Client A will then send an ARP Request to the broadcast MAC address (FF:FF:FF:FF:FF:FF), requesting the MAC address of B. Simply put, the ARP Request will contain this message: Who has 192.168.1.123? Tell 192.168.1.112. The AP will then relay this message to all the clients of the local network. When B receives the message it will reply to Client A with an ARP Reply containing its own MAC address. Client A now has the information needed to send an IP packet to Client B. Client A will cache this address, so that there is no need to send an ARP request for every packet. It is also possible for Client B to cache the request, which contains the IP and MAC address of Client A.
2.10.2 ARP Packet Structure
The packet structure of an ARP packet can be seen in Table 2.2. This is a very small packet, only 28 bytes long without the Link Layer header. The first two fields specify which Link Layer and Network Layer protocol that is used, respectively. For Ethernet the HTYPE field is set to 0x0001, and for IP the PTYPE is set to 0x0800.
The next two fields, HLEN and PLEN, indicate the length of the Link Layer and Network Layer addresses used. For Ethernet this is 6 bytes and for IP 4 bytes. The next field, OPER, specifies the type of ARP operation the message contains: 1 for Request, 2 for Reply, 3 for RARP request and 4 for RARP reply.
Table 2.2: ARP Packet Structure

Offset | Bits 0 - 7                                | Bits 8 - 15               | Bits 16 - 31
0      | Hw type (HTYPE)                                                       | Protocol type (PTYPE)
32     | Hw length (HLEN)                          | Protocol length (PLEN)    | Operation (OPER)
64     | Sender hw addr (SHA) (first 32 bits)
96     | Sender hw addr (SHA) (last 16 bits)                                   | Sender protocol addr (SPA) (first 16 bits)
128    | Sender protocol addr (SPA) (last 16 bits)                             | Target hw addr (THA) (first 16 bits)
160    | Target hw addr (THA) (last 32 bits)
192    | Target protocol addr (TPA)

The next fields contain the Sender Hardware and Protocol Address, SHA and SPA, which, for a typical network, are the Ethernet MAC address and the IP address of the sender. The Target Hardware Address (THA) field contains the target's MAC address. This is left empty in an ARP request. The last field, TPA, will contain the IP address being requested [25].
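The following Python example is added here to make the Table 2.2 layout and the Figure 2.22 exchange concrete; it is not code from the original thesis. It serialises and parses the 28-byte Ethernet/IPv4 ARP body with the field offsets given above, renders packets in the "Who has ...? Tell ..." form used in the text, and walks through the request/reply exchange between stations A and B (addresses taken from Figure 2.22), showing what each side ends up caching. The minimal Ethernet frame model (destination, source, body) is an assumption of this example.

```python
import struct

# Field values from Table 2.2 / RFC 826.
HTYPE_ETHERNET = 0x0001
PTYPE_IPV4 = 0x0800
OPER_REQUEST = 1
OPER_REPLY = 2
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"
# HTYPE(2) PTYPE(2) HLEN(1) PLEN(1) OPER(2) SHA(6) SPA(4) THA(6) TPA(4) = 28 bytes, big-endian.
ARP_FMT = "!HHBBH6s4s6s4s"


def mac_to_bytes(mac):
    return bytes(int(octet, 16) for octet in mac.split(":"))


def bytes_to_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def ip_to_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))


def bytes_to_ip(raw):
    return ".".join(str(b) for b in raw)


def build_arp(oper, sha, spa, tha, tpa):
    """Serialise one Ethernet/IPv4 ARP packet in the Table 2.2 layout."""
    return struct.pack(ARP_FMT, HTYPE_ETHERNET, PTYPE_IPV4, 6, 4, oper,
                       mac_to_bytes(sha), ip_to_bytes(spa),
                       mac_to_bytes(tha), ip_to_bytes(tpa))


def parse_arp(data):
    """Decode the 28-byte ARP body; reject truncated or non-Ethernet/IPv4 packets."""
    size = struct.calcsize(ARP_FMT)
    if len(data) < size:
        raise ValueError("truncated ARP packet")
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(ARP_FMT, data[:size])
    if (htype, ptype, hlen, plen) != (HTYPE_ETHERNET, PTYPE_IPV4, 6, 4):
        raise ValueError("only Ethernet/IPv4 ARP is handled here")
    return {"oper": oper, "sha": bytes_to_mac(sha), "spa": bytes_to_ip(spa),
            "tha": bytes_to_mac(tha), "tpa": bytes_to_ip(tpa)}


def describe(pkt):
    """Summarise a parsed packet the way packet analysers usually print it."""
    if pkt["oper"] == OPER_REQUEST:
        return f"Who has {pkt['tpa']}? Tell {pkt['spa']}"
    if pkt["oper"] == OPER_REPLY:
        return f"{pkt['spa']} is at {pkt['sha']}"
    return f"ARP operation {pkt['oper']}"


def arp_exchange():
    """Replay the Figure 2.22 exchange: A resolves B's MAC and both sides cache a binding."""
    a_ip, a_mac = "192.168.1.112", "c1:be:aa:34:23:12"
    b_ip, b_mac = "192.168.1.123", "b2:65:11:b1:f1:89"
    cache_a, cache_b = {}, {}

    # A does not know B's MAC, so THA is zeroed and the frame goes to the broadcast MAC.
    # Frame model (assumed): (ethernet destination, ethernet source, ARP body).
    frame = (BROADCAST_MAC, a_mac, build_arp(OPER_REQUEST, a_mac, a_ip, ZERO_MAC, b_ip))

    # B receives the broadcast and answers only if it owns the requested IP.
    req = parse_arp(frame[2])
    if req["oper"] == OPER_REQUEST and req["tpa"] == b_ip:
        cache_b[req["spa"]] = req["sha"]  # B may cache the requester's binding
        frame = (req["sha"], b_mac, build_arp(OPER_REPLY, b_mac, b_ip, req["sha"], req["spa"]))

    # A receives the unicast reply and caches B's binding.
    rep = parse_arp(frame[2])
    if rep["oper"] == OPER_REPLY and rep["tpa"] == a_ip and frame[0] == a_mac:
        cache_a[rep["spa"]] = rep["sha"]
    return {"A": cache_a, "B": cache_b, "request": describe(req), "reply": describe(rep)}


if __name__ == "__main__":
    print(arp_exchange())
```

Note that nothing in `parse_arp` authenticates the sender: the reply is accepted purely because its TPA matches the receiver's own address, which is exactly the property the next subsection builds on.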
2.10.3 Attacks on ARP
The most common attack against ARP is so-called ARP Spoofing or ARP Poisoning (as illustrated in Figure 2.23). An ARP poisoning attack is executed by sending fake ARP packets to a host on the network. This is possible because ARP has no inherent protection against such attacks. A fake ARP reply or Gratuitous ARP will cause the victim to update its ARP cache with the faked MAC address. By doing this, an attacker can associate his own MAC address with another IP address, and in that way listen to the traffic intended for that IP. The attacker can simply retransmit the received data to the correct destination, or actually modify the data to perform a Man-in-the-Middle attack. It is also possible to mount a DoS attack by associating the IP address with a non-existing MAC address. The most effective IP address to target for these attacks is the default gateway [34].
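Because ARP itself offers no protection, the practical defence is to watch ARP traffic for the symptoms of poisoning. The following Python detector is an added example (not from the thesis) of the checks a monitoring tool can apply to decoded ARP packets: a reply that no recent request asked for, a sender whose Ethernet source address differs from the SHA it advertises, and an IP address (especially the gateway) suddenly claimed by a different MAC. The events are constructed for this example using the addresses from Figure 2.23; the event format, the reply window and the severity labels are assumptions of this example.

```python
# Constructed ARP events as a decoder would hand them to a monitor: the ARP fields from
# Table 2.2 plus the Ethernet source address and a capture timestamp in seconds.
GATEWAY_IP, GATEWAY_MAC = "192.168.1.1", "00:18:39:c6:4f:94"   # AP in Figure 2.23
BOB_IP, BOB_MAC = "192.168.1.100", "00:23:12:02:e1:f9"
ALICE_MAC = "00:1c:b3:b5:71:43"
ZERO_MAC = "00:00:00:00:00:00"

SAMPLE_EVENTS = [
    # Bob asks for the gateway and the gateway answers within a few milliseconds.
    dict(ts=0.00, eth_src=BOB_MAC, oper=1, sha=BOB_MAC, spa=BOB_IP, tha=ZERO_MAC, tpa=GATEWAY_IP),
    dict(ts=0.01, eth_src=GATEWAY_MAC, oper=2, sha=GATEWAY_MAC, spa=GATEWAY_IP, tha=BOB_MAC, tpa=BOB_IP),
    # Gratuitous ARP from the real gateway: unsolicited by design, same binding as before.
    dict(ts=0.50, eth_src=GATEWAY_MAC, oper=2, sha=GATEWAY_MAC, spa=GATEWAY_IP, tha=GATEWAY_MAC, tpa=GATEWAY_IP),
    # Poisoning attempt: "192.168.1.1 is at 00:1c:b3:b5:71:43" sent to Bob, nobody asked.
    dict(ts=5.00, eth_src=ALICE_MAC, oper=2, sha=ALICE_MAC, spa=GATEWAY_IP, tha=BOB_MAC, tpa=BOB_IP),
]


class ArpPoisonDetector:
    """Stateful checks over a stream of ARP events; returns a list of alerts per event."""

    def __init__(self, gateway_ip, reply_window=1.0):
        self.gateway_ip = gateway_ip
        self.reply_window = reply_window   # seconds a reply may lag its request (assumed)
        self.bindings = {}                 # ip -> first MAC seen advertising it
        self.requests = {}                 # tpa -> timestamp of the latest request for it

    def observe(self, ev):
        alerts = []
        gratuitous = ev["spa"] == ev["tpa"]

        # Spoofing tools often send frames whose Ethernet source and SHA disagree.
        if ev["eth_src"] != ev["sha"]:
            alerts.append(("sha_mismatch", "medium",
                           f"frame from {ev['eth_src']} carries SHA {ev['sha']}"))

        if ev["oper"] == 1 and not gratuitous:
            self.requests[ev["tpa"]] = ev["ts"]
        elif ev["oper"] == 2 and not gratuitous:
            asked = self.requests.get(ev["spa"])
            if asked is None or ev["ts"] - asked > self.reply_window:
                alerts.append(("unsolicited_reply", "low",
                               f"reply for {ev['spa']} without a recent request"))

        # Every ARP packet advertises (SPA, SHA); compare against what was learned first.
        known = self.bindings.get(ev["spa"])
        if known is None:
            self.bindings[ev["spa"]] = ev["sha"]
        elif known != ev["sha"]:
            severity = "high" if ev["spa"] == self.gateway_ip else "medium"
            alerts.append(("binding_change", severity,
                           f"{ev['spa']} was {known}, now claimed by {ev['sha']}"))
        return alerts


def run_sample(events=SAMPLE_EVENTS, gateway_ip=GATEWAY_IP):
    detector = ArpPoisonDetector(gateway_ip)
    return [detector.observe(ev) for ev in events]


if __name__ == "__main__":
    for i, alerts in enumerate(run_sample()):
        for kind, severity, detail in alerts:
            print(f"event {i}: [{severity}] {kind}: {detail}")
```

The "first binding wins" policy means a legitimate NIC replacement also raises a binding_change alert; in practice that is the desired behaviour for a monitor (an operator confirms the change), and it is why the severity, not the mere presence, of the alert is tied to the gateway address the text singles out as the most effective target.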
The use of ARP in networks is also exploited in other ways. One property of ARP is that ARP requests are sent to the broadcast address of the network. This means that every client on that network will receive it. It also means that a given ARP request will most likely produce an ARP reply. This property has been exploited to generate large amounts of traffic on encrypted wireless networks. Because of the characteristic length of ARP packets, they are easily recognized even when encrypted, and can therefore be captured and replayed to generate traffic. This traffic can then be captured and used in cryptographic attacks against WEP, as described in Section 2.5.
[Figure 2.23: ARP poisoning attack. AP (BSSID: 00:18:39:c6:4f:94, IP: 192.168.1.1); Alice (MAC: 00:1c:b3:b5:71:43, IP: 192.168.1.101); Bob (MAC: 00:23:12:02:e1:f9, IP: 192.168.1.100); Mallory (spoofed MAC: 00:18:39:c6:4f:94, IP: N/A). Steps: 1. ARP: 192.168.1.1 is at 00:1c:b3:b5:71:43; 2. Ping 192.168.1.1]
Figure 2.23: ARP poisoning attack - The attacker injects a fake ARP reply to corrupt the STA's ARP cache
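The same length property that lets an attacker pick ARP frames out of encrypted traffic lets a wireless monitor notice when they are being replayed: a normal station sends a handful of ARP-sized frames, a replay attack sends hundreds per second from one transmitter address. The following Python sliding-window detector is an added example, not code from the thesis. The payload lengths it treats as "ARP-sized" (44 bytes for WEP, 56 for TKIP, derived from the 28-byte ARP body plus the LLC/SNAP, IV, MIC and ICV fields) are an assumption of this example and should be adjusted to what the deployment actually observes, as are the window, threshold and the constructed capture metadata.

```python
from collections import defaultdict, deque

# Assumed 802.11 data-frame payload lengths (bytes after the MAC header) carrying a
# 28-byte ARP packet; numbers are an assumption of this example:
#   WEP : 4 (IV/KeyID) + 8 (LLC/SNAP) + 28 (ARP) + 4 (ICV)            = 44
#   TKIP: 8 (IV+ExtIV) + 8 (LLC/SNAP) + 28 (ARP) + 8 (MIC) + 4 (ICV)  = 56
ARP_SIZED_PAYLOADS = frozenset({44, 56})


class ArpReplayDetector:
    """Flag a transmitter that emits too many ARP-sized encrypted frames inside one window."""

    def __init__(self, window=1.0, threshold=50, sizes=ARP_SIZED_PAYLOADS):
        self.window = window          # seconds
        self.threshold = threshold    # ARP-sized frames per window that trigger an alert
        self.sizes = frozenset(sizes)
        self.recent = defaultdict(deque)   # transmitter -> timestamps of ARP-sized frames
        self.alerted = set()               # alert once per transmitter

    def observe(self, ts, transmitter, payload_len):
        """Feed one frame's metadata; return an alert string or None."""
        if payload_len not in self.sizes:
            return None
        q = self.recent[transmitter]
        q.append(ts)
        while q and ts - q[0] > self.window:   # drop timestamps that fell out of the window
            q.popleft()
        if len(q) >= self.threshold and transmitter not in self.alerted:
            self.alerted.add(transmitter)
            return f"{transmitter}: {len(q)} ARP-sized encrypted frames within {self.window}s"
        return None


def sample_capture():
    """Constructed frame metadata (ts, transmitter, payload_len), sorted by time.

    Station B behaves normally: one ARP-sized frame every 2.5 s among larger data frames.
    Frames carrying A's address arrive ARP-sized at 200 per second from t=3.0, the pattern a
    replayed request produces (a replay carries the original transmitter address, so the
    alert names the station being impersonated, not the attacker).
    """
    frames = []
    for i in range(20):
        frames.append((i * 0.5, "b2:65:11:b1:f1:89", 56 if i % 5 == 0 else 300 + i))
    for i in range(120):
        frames.append((3.0 + i * 0.005, "c1:be:aa:34:23:12", 56))
    frames.sort()
    return frames


def scan(frames, **detector_args):
    """Run the detector over a capture and collect the alerts it raises."""
    det = ArpReplayDetector(**detector_args)
    return [alert for alert in (det.observe(*f) for f in frames) if alert]


if __name__ == "__main__":
    for alert in scan(sample_capture()):
        print(alert)
```

Keying the window on the transmitter address is deliberate: a replayed frame carries the original station's address, so a burst attributed to a station that is otherwise quiet is itself the signal, and the alert tells the operator which client's traffic is being reused.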
Another property of encrypted ARP packets is that very little of their plaintext is actually unknown to the attacker. As the Ethernet header is sent in the clear, the only unknown data in an ARP request are the SPA and TPA (Sender and Target Protocol Address) fields, and these fields are quite easily guessed, as most networks use a small set of local IP addresses. Additional encryption-related information, such as integrity checks, may also be encrypted and is therefore unknown to an attacker as well; examples of this are the WEP ICV and the TKIP MIC. This property, together with the characteristic length, is used to perform the attack on TKIP. The details of this attack are described in Chapter 3.