ARP Poisoning is a technique by which an attacker sends (spoofed)
Address Resolution Protocol (ARP) messages onto a local area network.
It is also known as ARP spoofing, ARP cache poisoning, and ARP poison routing.
The aim of the attack is to associate the attacker's MAC address with the IP
address of another host. Once the attacker’s MAC address is linked to an
authentic IP address, the attacker can receive any messages directed to the
legitimate MAC address. As a result, the attacker can intercept, modify, or
block communication to the legitimate MAC address. It only works against
networks that use ARP.
Often the attack is used as an opening for other attacks, such as
denial-of-service, man-in-the-middle, or session hijacking attacks.
What is Address Resolution Protocol (ARP)?
The term address resolution refers to the process of finding the MAC address
that belongs to a given IP address on a network. The mapping between an
IP address and its MAC address is stored in a table known as the
ARP cache.
When the gateway receives a packet destined for a host, it uses ARP to
find the MAC (physical) address that corresponds to the host's
IP address.
Network hosts and gateways automatically cache any ARP replies they
receive, whether or not they requested them.
ARP entries that have not yet expired will be overwritten if a new ARP
reply packet is received. There is no method in the ARP protocol by which
a host can authenticate the peer from which the packet originated. This
behaviour is the vulnerability that allows ARP spoofing to occur.
How Does ARP Spoofing/Poisoning Work?
In practice, making the ARP protocol efficient led to a lack of security in
its design. As discussed above, ARP does not authenticate the peer from
which a packet originated, so the attack is easy for an attacker to carry
out as long as (s)he is on the same network.
During an ARP spoofing attack, the attacker sends forged ARP reply packets
to the gateway and to the host over the local network. This
is generally done with a spoofing tool such as arpspoof, which comes
preinstalled in Kali Linux and makes the job easy.
In simpler words, suppose the table below is the configuration of a
network.
NAME | MAC Address | IP Address |
---|---|---|
Gateway (Router) | E2:01 | 192.168.0.1 |
Host | E2:11 | 192.168.0.11 |
Attacker | E2:21 | 192.168.0.21 |
So, the attacker sends forged ARP reply packets to the router to
associate the MAC address E2:21 with the IP of the host, which is
192.168.0.11. Similarly, the attacker sends forged ARP reply packets
to the host to associate the MAC address E2:21 with the IP
of the Gateway (Router), which is 192.168.0.1.
When a packet for the host arrives at the gateway, the gateway checks
its ARP cache table to resolve the host's IP address to a MAC address.
According to the router, the host IP address (192.168.0.11) is now
associated with the MAC address E2:21, so the packet is sent to E2:21,
which is the attacker.
Similarly, when the host sends a packet/request, it goes via the gateway,
so the host checks its ARP cache table to resolve the gateway's IP address
to a MAC address. According to the host, the gateway IP address
(192.168.0.1) is now associated with the MAC address E2:21, so the packet
is sent to E2:21, which is the attacker.
In this way, the attacker achieves the goal of becoming the
Man-in-the-middle (MitM) using ARP Spoofing/Poisoning and
can now intercept/modify/read the data flowing between the host and the
gateway.
How to detect ARP attacks?
There are many ways to detect ARP Attacks, but the three common and
effective ways to detect ARP Poisoning Attacks are:
- ARP Tables
- XArp Tool
- Wireshark
- ARP Detector v1.0 (tool specially made by us)
How to do an ARP attack?
- Using arpspoof
- Using a simpler tool made by Hack Hunt: Arp Spoofer v1.0
How to protect from MITM attacks?
- Detection is not the same as prevention. The methods mentioned above will help you detect ARP attacks, if any, but it would be better if we could prevent them.
- These methods only work against ARP Spoofing or Poisoning, but what about other Man-in-the-Middle attacks?
We hope this helps. If you have any suggestions or doubts, you can add a
comment and we will reply as soon as possible.