Skip to main content
Version: 1.0.2

ARP poisoning

ARP​

  • ARP stands for "Address Resolution Protocol"
  • πŸ“ In charge of resolving IP addresses to MAC addresses
  • Can be used for obtaining MAC addresses of devices on the network
  • Packets are ARP_REQUEST and ARP_REPLY
  • Commands
    • arp -a: displays current ARP cache
    • arp -d *: clears ARP cache

ARP table​

  • Used to map MAC addresses to ip addresses
  • Every network interface has its own ARP table
  • πŸ“ If no ARP entry exist:
    1. Computer A broadcasts an APR request in network asking for the MAC address from a specific IP.
    2. Computer B replies its MAC and IP address
    3. Computer A inserts it to its ARP table for future use

ARP poisoning attack​

  • Also known as β€’ ARP spoofing β€’Β ARP spoofing β€’ ARP cache poisoning β€’ ARP poison routing β€’ ARP cache flooding β€’ ARP flooding.
  • Man in the middle attack between the victim and switch.
  • Floods the target machines ARP cache with forged requests and responses.
  • Exploits ARP not verifying the device authenticity
  • If ARP cache becomes full, different behaviors can be observed depending on the manufacturer/implementation:

ARP poisoning attack steps​

  1. Gather information
    1. Get victim IP address, e.g. 192.168.122.183
    2. Get default gateway IP, e.g. 192.168.122.1
      • Usually IP of the machine ending with .1
      • Usually same for everyone on same network
      • Default gateway is the forwarding host (router) to internet when no other specification matches the destination IP address of a packet.
  2. Enable forwarding mode to sniff the traffic
    • echo 1 > /proc/sys/net/ipv4/ip_forward in Linux.
    • ❗Otherwise no traffic is going through and you're just DOSing.
  3. Attack
    • ARP spoofing attack
    • Deceive the victim device through flooding ARP reply packets to it.
      • Change gateways MAC address is to the attackers
    • πŸ“ Use an ARP spoofing tool e.g.
      • arpspoof
        • arpspoof -t <victim-machine-ip> <default-gateway-ip>
        • arpspoof -t <default-gateway-ip> <victim-machine-ip>
      • ettercap
        • Also sniffs passwords automatically
        • ettercap -NaC <default-gateway-ip> <victim-machine-ip>
          • N: make it non-interactive
          • a: arp posion
          • c: parse out passwords and usernames.
      • Cain and Abel (Cain & Abel) on Windows
    • After ARP spoofing attack
  4. Sniff
    • Now you sniff the traffic between two devices.
      • If through HTTPS & SSL you can only see basic data such as User Agent and domain names.
    • Can use e.g. wireshark or dsniff

ARP poisoning attack countermeasures​

  • Configure DHCP snooping
  • Add static IP-MAC entries to the cache.
    • Then it will not process any ARP Replies received unlike a dynamic ARP cache.
  • Use Intrusion Detection Systems (IDS)

ARP poisoning countermeasures​

  • ARP spoofing detection and prevention
    • Relies on some form of certification or cross-checking of ARP responses
    • Can be implemented on individual hosts, hypervisors or switches
    • πŸ“ E.g. DHCP snooping feature on switch OS can activate Dynamic ARP Inspection with an internal database.
    • ❗ Not possible if any host holds a static IP, and static ARP entries must be used.
  • Static ARP entries
    • Manually mapping IP addresses to MAC addresses (maintaining ARP entries)
    • A lot of administrative overhead
    • Provides only basic security
  • OS security
    • Linux ignores unsolicited replies, behavior can often be configured in other OSes