ARP - Poisonning



TL;DR : ARP Spoofing (or so called ARP Poisoning) is the intent of an attacker to corrupt a resolver's ARP cache to impersonate the legitimate IP address of an given ressource.

ARP Table

An ARP table including fields for IP Address, MAC Address, Type (Static/Dynamic), Interface, and Age looks like this:

Copy code
| IP Address   | MAC Address           | Type    | Interface | Age    |
|--------------|------------------------|---------|-----------|--------|
| 192.168.1.1  | CC:CC:CC:CC:CC:CC      | Dynamic | eth0      | 10 min |
| 192.168.1.2  | AA:AA:AA:AA:AA:AA      | Static  | eth0      | -      |
| 192.168.1.3  | BB:BB:BB:BB:BB:BB      | Dynamic | eth0      | 5 min  |
| 192.168.1.4  | DD:DD:DD:DD:DD:DD      | Dynamic | eth0      | 2 min  |

Explanation of fields:

  • IP Address: The IP address of the device.
  • MAC Address: The MAC address associated with the IP address.
  • Type: Indicates whether the entry is static (manually set and does not expire) or dynamic (automatically learned and can expire).
  • Interface: The network interface through which the device can be reached (e.g., eth0).
  • Age: The time since the ARP entry was last updated (only relevant for dynamic entries). Static entries typically have a dash - indicating they do not age.

The Scenario: Impersonnation

Let's suppose a home network router has the IP address 192.168.1.1 and a MAC address of 00-00-00-00-00-01. To connect to the internet, any laptop on the network needs to send data to this router.

Step 1: Hacker Initiates ARP Spoofing

  • Hacker (Eve) uses an ARP spoofing tool like Ettercap to inject numerous fake ARP responses into the network. These fake responses claim that the IP address 192.168.1.1 (router) is associated with Eve's MAC address 00-00-00-00-00-2A.

Step 2: Laptop Updates ARP Cache

  • Your laptop sends an ARP request: "Who has 192.168.1.1?". Due to Eve's spoofing, the laptop receives Eve's fake ARP response: "192.168.1.1 is at 00-00-00-00-00-2A" before the legitimate response from the actual router. The laptop updates its ARP cache to associate 192.168.1.1 with 00-00-00-00-00-2A (Eve's MAC address).

Step 3: Traffic Redirection

  • Your laptop attempts to send data to the router (192.168.1.1). The data packets are redirected to Eve's device instead of the router because of the corrupted ARP cache.

Step 4: Interception and Manipulation

  • Read and log the data.
  • Modify the data before forwarding it to the actual router.
  • Eve then forwards the packets to the real router, ensuring you stay connected to the internet without noticing the interception.
    eg. Eve's device receives the packets intended for the router and can do multiple things:
    • Eve can access all unencrypted data sent between your laptop and the internet. This includes web browsing data, emails, and any other unencrypted communications.
    • Session Hijacking: For example, if you use a plain-text connection to a company service that you use regularly, your browser might send a session cookie with authentication information. Eve can capture these session cookies and use them to hijack your session, gaining unauthorized access to the service.
    • Fake DNS Entries: Eve can provide fake DNS entries, causing your laptop to establish connections to malicious sites even when you enter valid URLs.

A contextual simplified example:

Laptop ARP Table Before Attack:

Copy code
| IP Address   | MAC Address           | Type    | Interface | Age    |
|--------------|------------------------|---------|-----------|--------|
| 192.168.1.1  | 00-00-00-00-00-01      | Dynamic | eth0      | 5 min  |

Eve Injects Fake ARP Responses:

Copy code
| IP Address   | MAC Address           | Type    | Interface | Age    |
|--------------|------------------------|---------|-----------|--------|
| 192.168.1.1  | 00-00-00-00-00-2A      | Dynamic | eth0      | 1 min  |

Laptop ARP Table After Attack:

Copy code
| IP Address   | MAC Address           | Type    | Interface | Age    |
|--------------|------------------------|---------|-----------|--------|
| 192.168.1.1  | 00-00-00-00-00-2A      | Dynamic | eth0      | 1 min  |

Ie. packet flows as follow:

  • Original Packet: Laptop sends a packet to 192.168.1.1.
  • Intercepted by Eve: Packet is intercepted by Eve (MAC: 00-00-00-00-00-2A).
  • Eve Forwards to Router: Eve forwards the packet to the actual router (MAC: 00-00-00-00-00-01).

Practical

First off, use XArp, ArpON, or Arpwatch to scan ARP tables across a given network. eg.

arpwatch -d

any mismatches or inconsistencies may indicate a poisoned entry (eg.unexpected MAC addresses, excessive number of ARP requests, too short ARP cachetimeouts).

 wireshark -i eth0 -Y arp

then .
Over the years, numerous tools have been created for research and to assess network security. Here are some tools that can facilitate ARP Spoofing attacks:

Arpspoof

Part of the Dsniff package, Arpspoof sends forged ARP messages on a LAN to redirect traffic or execute man-in-the-middle attacks. It's included in the Kali Linux distribution and can be installed via the dsniff package.

Ettercap

Ettercap is a free, open-source network security tool initially developed for network sniffing. It has since evolved to support various man-in-the-middle (MitM) attacks, including ARP spoofing. Ettercap offers features like packet filtering, password collection for multiple protocols, SSL/SSH support, and third-party plugin compatibility, enhancing its functionality.

Bettercap

Written in Go, Bettercap is a comprehensive network hacking tool. It offers an extensible feature set for different targets, including WiFi networks, BLE devices, wireless HID devices, and support for IPv4 and IPv6 networks.

Wireshark

Although not necessarily used for performing the ARP spoofing. It is an essential tool for analyzing the network and sniffing the packets through the communication channel. See our Wireshark Cheat Sheet here.

Wireshark is A free and open-source network protocol analyzer that can be used to capture and analyze network traffic, including ARP packets.

It is available for Windows, macOS, and Linux and can be downloaded from the following link.


Done!

ARP spoofing is a critical threat that allows attackers to gain access to network resources and sensitive information without the knowledge or consent of the target. It can also aid in launching other attacks, such as denial of service (DoS) and social engineering attacks.

As such, it is paramount for network and security engineers to be aware of the risks posed by ARP spoofing and to implement measures to counter and mitigate such attacks. This may involve implementing network security measures, such as firewalls and intrusion detection systems, and utilizing secure protocols, such as HTTPS.