Dec 27, 2011

What the hell is "NetCut" doing and how to prevent it

NetCut is a program that can disconnect other computers in the same subnet of an Ethernet network. You can download the program from this link: NetCut.
In this post I will describe the technical details of NetCut and how to prevent this kind of program/attack.

I. Technical Details About NetCut:
NetCut uses a simple technique called "ARP poisoning", sometimes called "ARP spoofing". It is an attack technique usually used to set up a Man-in-the-Middle attack. Before introducing ARP poisoning, we have to know what ARP is.
ARP is the abbreviation of Address Resolution Protocol. According to the wiki, "ARP is a protocol used for resolution of network layer addresses into link layer addresses." That is, ARP maps the IP address of a machine to its MAC address.
Consider the following LAN from Fig. 1:

<figure 1> Local Area Network Example

Now, if Alice wants to send a packet to Bob, Alice's machine first checks whether a MAC address for Bob's IP already exists in its ARP cache table. If it does not, the machine broadcasts an ARP request asking which MAC address owns that IP. When Bob's machine receives the broadcast, it replies to Alice with its MAC address. Fig. 2 shows the communication process.

<figure 2> ARP communication process

Now that we know ARP, it is time to introduce the "ARP poisoning attack". Consider the following condition: what if Evil replies to Alice's broadcast ARP request before Bob does? In this scenario, Alice's machine will believe that the MAC address of Bob's IP is 00:00:00:00:00:03 (the MAC address of Evil) instead of 00:00:00:00:00:04 (the MAC address of Bob). Therefore, Alice will send the packet to Evil instead of Bob. Fig. 3 shows the process of this attack.

<figure 3> ARP poisoning attack

What if Evil sends an ARP reply that maps the gateway's IP to a MAC address that does not exist on the network? Then every packet Alice sends towards the gateway goes to a MAC address nobody answers, and Alice's machine is effectively in a DoS condition. This is how NetCut disconnects other computers in the same subnet.
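To make the attack above concrete from the defender's side, here is an added example in Python (not part of the original post and not code from NetCut) that parses raw Ethernet/ARP frames and flags the two symptoms a monitor such as arpwatch looks for: an ARP reply whose claimed sender MAC differs from the frame's real source MAC, and an IP whose binding changes away from what was learned or pinned. The LAN 192.168.1.0/24, the gateway MAC 00:00:00:00:00:01 and Alice's MAC 00:00:00:00:00:02 are assumptions; Evil's and Bob's MACs follow the figures in the post, and all the frames are constructed inline.

```python
"""Parse ARP frames and flag the symptoms of ARP poisoning (arpwatch-style).

Added example for this post; not code from NetCut, arpwatch or XArp.
Constructed/assumed values: LAN 192.168.1.0/24, gateway 00:00:00:00:00:01,
Alice 00:00:00:00:00:02, Evil 00:00:00:00:00:03, Bob 00:00:00:00:00:04.
"""
import ipaddress
import struct

ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, EtherType
ARP_PKT = struct.Struct("!HHBBH6s4s6s4s")  # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def mac_bytes(s):
    return bytes(int(x, 16) for x in s.split(":"))


def build_arp(eth_src, eth_dst, op, sha, spa, tha, tpa):
    """Build an Ethernet+ARP frame; used here only to construct sample traffic."""
    eth = ETH_HDR.pack(mac_bytes(eth_dst), mac_bytes(eth_src), ETHERTYPE_ARP)
    arp = ARP_PKT.pack(1, 0x0800, 6, 4, op, mac_bytes(sha),
                       ipaddress.IPv4Address(spa).packed, mac_bytes(tha),
                       ipaddress.IPv4Address(tpa).packed)
    return eth + arp


def parse_arp(frame):
    """Return the ARP fields of a frame as a dict, or None if it is not ARP."""
    if len(frame) < ETH_HDR.size + ARP_PKT.size:
        return None
    _, eth_src, etype = ETH_HDR.unpack_from(frame)
    if etype != ETHERTYPE_ARP:
        return None
    _, _, _, _, op, sha, spa, tha, tpa = ARP_PKT.unpack_from(frame, ETH_HDR.size)
    return {"eth_src": mac_str(eth_src), "op": op,
            "sha": mac_str(sha), "spa": str(ipaddress.IPv4Address(spa)),
            "tha": mac_str(tha), "tpa": str(ipaddress.IPv4Address(tpa))}


class ArpWatcher:
    """Keeps an IP->MAC table and records the poisoning symptoms it sees."""

    def __init__(self, pinned=None):
        self.pinned = dict(pinned or {})   # known-good bindings that must never change
        self.table = dict(self.pinned)     # learned bindings start from the pinned ones
        self.alerts = []

    def observe(self, frame):
        pkt = parse_arp(frame)
        if pkt is None or pkt["op"] != ARP_REPLY:
            return
        ip, claimed = pkt["spa"], pkt["sha"]
        # Symptom 1: the ARP payload claims one MAC but the frame came from another.
        if claimed != pkt["eth_src"]:
            self.alerts.append(f"{ip}: ARP sender MAC {claimed} != frame source {pkt['eth_src']}")
        # Symptom 2: an IP we already know suddenly has a different MAC.
        known = self.table.get(ip)
        if known is None:
            self.table[ip] = claimed
        elif known != claimed:
            self.alerts.append(f"{ip}: binding changed {known} -> {claimed}")
            if ip not in self.pinned:          # pinned entries are never overwritten
                self.table[ip] = claimed


def run_demo():
    """Feed constructed traffic through a watcher that has the gateway pinned."""
    w = ArpWatcher(pinned={"192.168.1.1": "00:00:00:00:00:01"})
    frames = [
        # Bob legitimately answers Alice's request for 192.168.1.4
        build_arp("00:00:00:00:00:04", "00:00:00:00:00:02", ARP_REPLY,
                  "00:00:00:00:00:04", "192.168.1.4", "00:00:00:00:00:02", "192.168.1.2"),
        # Evil also answers, claiming Bob's IP for its own MAC (Fig. 3)
        build_arp("00:00:00:00:00:03", "00:00:00:00:00:02", ARP_REPLY,
                  "00:00:00:00:00:03", "192.168.1.4", "00:00:00:00:00:02", "192.168.1.2"),
        # NetCut-style: the gateway IP mapped to a MAC that exists nowhere on the LAN
        build_arp("00:00:00:00:00:03", "00:00:00:00:00:02", ARP_REPLY,
                  "de:ad:be:ef:00:00", "192.168.1.1", "00:00:00:00:00:02", "192.168.1.2"),
    ]
    for f in frames:
        w.observe(f)
    return w


if __name__ == "__main__":
    for a in run_demo().alerts:
        print("ALERT", a)
```

On a real host the frames would come from a raw socket or a pcap reader instead of build_arp; the parsing and the two checks stay the same. Note that the dynamic entry for Bob's IP is overwritten by Evil's reply (exactly what happens in the victim's cache), while the pinned gateway entry survives, which is the point of the static ARP entries discussed in Section II.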

II. Prevention of ARP poisoning:
The best way to prevent your computer from being poisoned is to use static ARP entries instead of dynamic ones. On both Windows and Linux there is a command called arp which lets you inspect the ARP cache table and, moreover, change dynamic entries into static ones.
You can also install applications such as arpwatch on Unix or XArp v2 on Windows to defend against this kind of attack.
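Section II says to pin entries with the arp command; the following added Python script (not from the post, arpwatch or XArp) shows how to check that this was actually done on a Linux host by parsing the kernel's /proc/net/arp cache dump. It verifies that the gateway entry carries the permanent flag (ATF_PERM, 0x4) and the expected MAC, and it reports any single MAC that claims more than one IP, which is what the cache looks like after a poisoning. The two cache dumps, the gateway 192.168.1.1 and its MAC 00:00:00:00:00:01 are constructed values.

```python
"""Audit a Linux ARP cache dump for a pinned gateway and poisoning symptoms.

Added example for this post; not code from NetCut, arpwatch or XArp.
The dumps below are constructed in the /proc/net/arp format; the gateway
192.168.1.1 / 00:00:00:00:00:01 is an assumed value.
"""
from collections import defaultdict

ATF_COM = 0x02    # entry is complete (resolved)
ATF_PERM = 0x04   # entry is static, i.e. created with `arp -s` or `ip neigh ... nud permanent`

# Constructed: cache of a victim whose gateway entry is dynamic and already poisoned
WEAK_CACHE = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.1.1      0x1         0x2         00:00:00:00:00:03     *        eth0
192.168.1.3      0x1         0x2         00:00:00:00:00:03     *        eth0
192.168.1.4      0x1         0x2         00:00:00:00:00:04     *        eth0
"""

# Constructed: the same host after `arp -s 192.168.1.1 00:00:00:00:00:01`
PINNED_CACHE = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.1.1      0x1         0x6         00:00:00:00:00:01     *        eth0
192.168.1.3      0x1         0x2         00:00:00:00:00:03     *        eth0
192.168.1.4      0x1         0x2         00:00:00:00:00:04     *        eth0
"""


def parse_proc_net_arp(text):
    """Parse /proc/net/arp (header line skipped) into a list of entry dicts."""
    entries = []
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) < 6:
            continue
        ip, _hwtype, flags, mac, _mask, dev = parts[:6]
        entries.append({"ip": ip, "flags": int(flags, 16), "mac": mac.lower(), "dev": dev})
    return entries


def audit_arp_cache(text, gateway_ip, gateway_mac):
    """Return a list of findings; an empty list means the cache looks healthy."""
    findings = []
    entries = parse_proc_net_arp(text)
    gw = next((e for e in entries if e["ip"] == gateway_ip), None)
    if gw is None:
        findings.append(f"gateway {gateway_ip} is not in the cache")
    else:
        if gw["mac"] != gateway_mac.lower():
            findings.append(f"gateway {gateway_ip} resolves to {gw['mac']}, expected {gateway_mac}")
        if not gw["flags"] & ATF_PERM:
            findings.append(f"gateway {gateway_ip} entry is dynamic; pin it with: "
                            f"arp -s {gateway_ip} {gateway_mac}")
    # One MAC answering for several IPs is the classic footprint of ARP poisoning.
    by_mac = defaultdict(list)
    for e in entries:
        if e["flags"] & ATF_COM:
            by_mac[e["mac"]].append(e["ip"])
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            findings.append(f"{mac} claims several IPs: {', '.join(ips)}")
    return findings


def audit_live_cache(gateway_ip, gateway_mac, path="/proc/net/arp"):
    """Run the audit against the real cache of the host the script runs on."""
    with open(path) as f:
        return audit_arp_cache(f.read(), gateway_ip, gateway_mac)


if __name__ == "__main__":
    for name, dump in (("weak", WEAK_CACHE), ("pinned", PINNED_CACHE)):
        print(name, audit_arp_cache(dump, "192.168.1.1", "00:00:00:00:00:01") or ["ok"])
```

The pinning itself is done with `arp -s 192.168.1.1 00:00:00:00:00:01` (Linux and Windows) or `ip neigh add 192.168.1.1 lladdr 00:00:00:00:00:01 dev eth0 nud permanent` on Linux; on current Windows versions `netsh interface ipv4 add neighbors` does the same job. The caveat a practitioner should keep in mind is that a static entry only protects the host that carries it, and that the gateway's own cache still needs protection on the gateway side (or port security / dynamic ARP inspection on the switch) to stop the other half of a man-in-the-middle.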

III. Reference websites:
ARP and ICMP redirection
ARP spoofing wiki
