ARP Spoofing 1 : Understanding the attack


In this article we will look at the ARP spoofing attack, a type of man-in-the-middle (MITM) attack that has been around for a long time. In the next article we will demonstrate a live ARP spoofing attack with the proper tools. So without wasting time, let’s begin…

Man in The Middle Attack:

Most of you would have already guessed the meaning from the name itself.

According to Wikipedia, a man-in-the-middle attack (MITM) is an attack where the attacker secretly relays and possibly alters the communication between two parties who believe they are directly communicating with each other.

Let’s take an example.

[Image: mitm-steps.gif]

Now you must have got an idea about the attack.

ARP:

ARP stands for Address Resolution Protocol. It is the protocol used by IP, specifically IPv4, to map IP addresses to the MAC addresses used by a data link protocol such as Ethernet.

How it works:

[Image: arp.jpg]

Every system has an ARP table (also called the ARP cache) where it stores which IP address is associated with which MAC address. Before sending a packet to an IP, the system first checks the ARP table to see whether it already has a MAC address for that IP. Let’s say Comp A (192.168.1.4) wants to send an IP packet to Comp B (192.168.1.5), but Comp A has no idea what the MAC address of Comp B is.

So A broadcasts an ARP request on the network asking, in effect, “192.168.1.5 belongs to whom?”. Comp B, on receiving this, stores the IP address and MAC address of A in its own ARP table and replies “192.168.1.5 belongs to me”, including its own MAC address in the reply. A, on receiving the IP and MAC of B, stores them in its own ARP table. Now the IP packet can be transferred successfully, since the source IP and MAC and the destination IP and MAC are all known.

You can also view your own ARP table with the following command in CMD: arp -a

ARP Spoofing/Poisoning:

Comp A can send IP packets to Comp B because the ARP table of A maps the IP of B to the MAC address of B, so communication takes place normally.

Now suppose an attacker C sends an ARP reply for the IP of B but with its own MAC address (i.e. the MAC address of C). As ARP has no authentication mechanism, A’s ARP table is updated so that the IP address of B now maps to the MAC address of attacker C.

So when A sends any packet to B, the packet goes to C instead. C can then set up a forwarding mechanism that passes the same packet on from C to B, completing a man-in-the-middle attack in which C sits in the middle and sees all the requests.

Countermeasures:

  • Dynamic ARP Inspection: It is a security feature that rejects invalid and malicious ARP packets. The feature prevents a class of man-in-the-middle attacks, where an unfriendly station intercepts traffic for other stations by poisoning the ARP caches of its unsuspecting neighbours.
  • DHCP Snooping: DHCP snooping is a layer 2 security technology built into the operating system of a capable network switch that drops DHCP traffic determined to be unacceptable. The binding table it builds (which IP address was leased to which MAC address on which port) is what Dynamic ARP Inspection checks ARP packets against.
  • Static ARP Table: A static Address Resolution Protocol (ARP) entry is a permanent entry in your ARP cache; it is not overwritten by ARP replies received from the network.
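To make the “How it works” and “ARP Spoofing/Poisoning” sections concrete, here is an added Python model (my own illustration, not code from the original article) of the request/reply exchange between Comp A and Comp B, the unauthenticated cache update that an attacker’s reply causes, and two of the countermeasures above: a passive monitor that alerts when an IP’s MAC binding changes (the idea behind arpwatch-style tools and the binding check Dynamic ARP Inspection performs) and a static ARP entry that refuses the update. The hosts, addresses and packets are constructed for the simulation; nothing touches a real network.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

BROADCAST = "ff:ff:ff:ff:ff:ff"

@dataclass
class ArpPacket:
    """op is "request" or "reply"; sender_ip/sender_mac is the binding being announced."""
    op: str
    sender_ip: str
    sender_mac: str
    target_ip: str
    target_mac: str  # BROADCAST for a request

@dataclass
class Host:
    ip: str
    mac: str
    table: Dict[str, str] = field(default_factory=dict)  # ARP table: IP -> MAC
    static: Set[str] = field(default_factory=set)        # IPs pinned by the operator

    def learn(self, ip: str, mac: str) -> bool:
        # ARP has no authentication: any binding carried by a request or reply is
        # accepted, unless the operator pinned that IP with a static entry.
        if ip in self.static:
            return False
        self.table[ip] = mac
        return True

    def handle(self, pkt: ArpPacket) -> Optional[ArpPacket]:
        if pkt.op == "request" and pkt.target_ip == self.ip:
            # "192.168.1.5 belongs to whom?": remember the asker, answer with our MAC.
            self.learn(pkt.sender_ip, pkt.sender_mac)
            return ArpPacket("reply", self.ip, self.mac, pkt.sender_ip, pkt.sender_mac)
        if pkt.op == "reply" and pkt.target_mac == self.mac:
            # "192.168.1.5 belongs to me", addressed to us: cache the binding.
            self.learn(pkt.sender_ip, pkt.sender_mac)
        return None

class ArpMonitor:
    """Passive detector (arpwatch-style): remembers the first MAC seen for each IP in
    ARP replies and alerts when a later reply claims a different MAC for that IP."""

    def __init__(self) -> None:
        self.bindings: Dict[str, str] = {}

    def observe(self, pkt: ArpPacket) -> Optional[str]:
        if pkt.op != "reply":
            return None
        known = self.bindings.setdefault(pkt.sender_ip, pkt.sender_mac)
        if known == pkt.sender_mac:
            return None
        return f"{pkt.sender_ip} changed from {known} to {pkt.sender_mac}"

def deliver(pkt: ArpPacket, network: List[Host],
            monitor: Optional[ArpMonitor] = None) -> Tuple[List[ArpPacket], Optional[str]]:
    """Put pkt on the shared segment: the monitor and every host but the sender see it."""
    alert = monitor.observe(pkt) if monitor else None
    replies = []
    for host in network:
        if host.mac != pkt.sender_mac:
            reply = host.handle(pkt)
            if reply is not None:
                replies.append(reply)
    return replies, alert

def resolve(asker: Host, target_ip: str, network: List[Host],
            monitor: Optional[ArpMonitor] = None) -> Optional[str]:
    """What the asker's IP stack does before sending: use the cache, else ARP for it."""
    if target_ip not in asker.table:
        request = ArpPacket("request", asker.ip, asker.mac, target_ip, BROADCAST)
        replies, _ = deliver(request, network, monitor)
        for reply in replies:
            deliver(reply, network, monitor)
    return asker.table.get(target_ip)

def demo() -> Dict[str, Optional[str]]:
    # Constructed hosts: the article's Comp A and Comp B, plus an attacker C.
    a = Host("192.168.1.4", "aa:aa:aa:aa:aa:04")
    b = Host("192.168.1.5", "bb:bb:bb:bb:bb:05")
    c = Host("192.168.1.6", "cc:cc:cc:cc:cc:06")
    network, monitor = [a, b, c], ArpMonitor()
    # 1. Normal resolution: A learns B's MAC, B learns A's MAC, the monitor records B.
    a_learned_b = resolve(a, b.ip, network, monitor)
    # 2. A reply claiming B's IP with C's MAC, addressed to A: A's entry for B is
    #    silently overwritten, but the monitor flags the changed binding.
    spoof = ArpPacket("reply", b.ip, c.mac, a.ip, a.mac)
    _, alert = deliver(spoof, network, monitor)
    # 3. The same reply is ignored by a host that pinned B with a static entry.
    a_static = Host(a.ip, a.mac, table={b.ip: b.mac}, static={b.ip})
    deliver(spoof, [a_static])
    return {
        "a_learned_b": a_learned_b,
        "b_learned_a": b.table.get(a.ip),
        "a_after_spoof": a.table.get(b.ip),
        "alert": alert,
        "static_after_spoof": a_static.table.get(b.ip),
    }
```

Running demo() shows the three outcomes side by side: after the normal exchange both hosts hold the correct binding, after the forged reply A’s table points 192.168.1.5 at C’s MAC while the monitor reports the change, and the host with the static entry keeps B’s real MAC. A real monitor would read replies from a capture interface instead of an in-memory list, and a switch running Dynamic ARP Inspection would drop the forged reply at the port rather than only alerting on it.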

So that’s it for now. I’ll see you next time with the demo on ARP spoofing. Goodbye.
