ARP Poisoning is a technique by which an attacker sends (spoofed) Address Resolution Protocol (ARP) messages onto a local area network. It is also known as ARP spoofing, ARP cache poisoning, and ARP poison routing.
The aim of the attack is to associate the attacker’s MAC address with the IP address of another host. Once the attacker’s MAC address is linked to an authentic IP address, the attacker can receive any messages directed to the legitimate MAC address. As a result, the attacker can intercept, modify, or block communication to the legitimate MAC address. It only works against networks that use ARP.
Often the attack is used as an opening for other attacks, such as denial of service, man-in-the-middle, or session hijacking attacks.
What is Address Resolution Protocol (ARP)?
The term address resolution refers to the process of finding the MAC address that belongs to a given IP address of a computer in the network. The mapping of each IP address to its MAC address is stored in a table known as the ARP cache.
When the gateway receives a packet that it must forward to a host, it uses ARP to look up the MAC (physical) address that corresponds to the host's IP address.
Network hosts and gateways automatically cache any ARP reply they receive, whether or not they requested it.
ARP entries that have not yet expired are overwritten when a new ARP reply packet is received. The ARP protocol provides no way for a host to authenticate the peer from which a packet originated. This behavior is the weakness that allows ARP spoofing to occur.
How ARP Spoofing/Poisoning Works?
The design decisions that make ARP efficient also left it without any security. As discussed above, ARP does not authenticate the peer from which a packet originated, so an attacker who is on the same network can carry out this attack with little effort.
During an ARP spoofing attack, the attacker sends forged ARP reply packets to the gateway and to the host over the local network. This is generally done with a spoofing tool such as arpspoof, which comes preinstalled in Kali Linux and makes the job easy.
In simpler terms, suppose the table below is the configuration of a network.
| NAME | MAC Address | IP Address |
The attacker sends forged ARP reply packets to the router to associate the E2:21 MAC address with the IP address of the host, 192.168.0.11. Similarly, the attacker sends forged ARP reply packets to the host to associate the E2:21 MAC address with the IP address of the gateway (router), 192.168.0.1.
So, when a packet arrives at the gateway to be forwarded to the host, the gateway checks its ARP cache table to resolve the IP address to a MAC address. According to the router, the host IP address (192.168.0.11) is now associated with the MAC address E2:21, so the packet is sent to E2:21, which is the attacker.
Similarly, when the host sends a packet or request, it goes via the gateway, and the host checks its ARP cache table to resolve the gateway's IP address to a MAC address. According to the host, the gateway IP address (192.168.0.1) is now associated with the MAC address E2:21, so the packet is sent to E2:21, which is the attacker.
In this way, the attacker has achieved the goal of becoming the man-in-the-middle (MitM) using ARP spoofing/poisoning and can now intercept, modify, or read the data flowing between the host and the gateway.
How to detect ARP attacks?
There are many ways to detect ARP attacks, but three common and effective ways to detect ARP poisoning attacks are:
- ARP Tables
- XArp Tool
- ARP Detector v1.0 (tool specially made by us)
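The following script is an added example and is not part of the original article or of the ARP Detector tool mentioned above. It ties together two points from the text: the section on ARP caches (a host accepts and stores any reply, solicited or not, and a later reply overwrites the earlier entry) and the "ARP Tables" detection method (reading the cache and looking for one MAC address that claims several IP addresses, which is what the E2:21 scenario above produces on the host's side). The cache model, the `ip neigh` style dump, the 192.168.0.50 attacker IP, and every MAC address are constructed for the example; only the gateway IP 192.168.0.1, the host IP 192.168.0.11 and the E2:21 fragment come from the article.

```python
"""Added example (not from the original article): a toy model of how an
ARP cache accepts unsolicited replies, plus a detector that inspects a
cache dump for the classic poisoning signature, one MAC address claiming
several IP addresses. All addresses and table lines are constructed."""
import re
from collections import defaultdict


class ArpCache:
    """Minimal model of a host's ARP cache: replies are accepted and
    overwrite existing entries without any authentication of the sender."""

    def __init__(self):
        self.table = {}  # ip -> mac

    def on_reply(self, ip, mac):
        # No check that we asked for this, and no check of who sent it:
        # the behaviour the article names as the root of ARP spoofing.
        self.table[ip] = mac.lower()

    def resolve(self, ip):
        return self.table.get(ip)


# Constructed "ip neigh" style output: "<ip> dev <if> lladdr <mac> <state>"
NEIGH_LINE = re.compile(
    r"^(?P<ip>\d+\.\d+\.\d+\.\d+)\s+dev\s+\S+\s+lladdr\s+(?P<mac>[0-9a-fA-F:]{17})"
)


def parse_neigh(dump):
    """Parse an `ip neigh` style dump into a list of (ip, mac) pairs."""
    pairs = []
    for line in dump.splitlines():
        m = NEIGH_LINE.match(line.strip())
        if m:
            pairs.append((m.group("ip"), m.group("mac").lower()))
    return pairs


def find_duplicate_macs(pairs):
    """Return {mac: [ip, ...]} for every MAC claimed by more than one IP."""
    by_mac = defaultdict(set)
    for ip, mac in pairs:
        by_mac[mac].add(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


def check_baseline(pairs, baseline):
    """Compare known-good (ip -> mac) entries, e.g. the gateway, against the
    current cache; return {ip: (expected_mac, seen_mac)} for mismatches."""
    current = dict(pairs)
    return {
        ip: (mac.lower(), current.get(ip))
        for ip, mac in baseline.items()
        if current.get(ip) not in (None, mac.lower())
    }


def demo():
    """Run the poisoning scenario from the host's point of view."""
    gateway_ip, host_ip = "192.168.0.1", "192.168.0.11"  # from the article
    attacker_ip = "192.168.0.50"                          # constructed
    gateway_mac = "00:11:22:33:44:55"                     # constructed
    attacker_mac = "aa:bb:cc:dd:e2:21"                    # constructed, ends in E2:21

    cache = ArpCache()
    cache.on_reply(gateway_ip, gateway_mac)   # legitimate reply
    before = cache.resolve(gateway_ip)
    cache.on_reply(gateway_ip, attacker_mac)  # unsolicited forged reply overwrites it
    after = cache.resolve(gateway_ip)

    # What `ip neigh` on the host (192.168.0.11) might show once poisoned:
    # the gateway IP and the attacker's own IP both resolve to the attacker.
    dump = f"""
{gateway_ip} dev eth0 lladdr {attacker_mac} REACHABLE
{attacker_ip} dev eth0 lladdr {attacker_mac} STALE
192.168.0.20 dev eth0 lladdr 66:77:88:99:aa:bb STALE
"""
    pairs = parse_neigh(dump)
    return {
        "before": before,
        "after": after,
        "duplicates": find_duplicate_macs(pairs),
        "baseline_mismatch": check_baseline(pairs, {gateway_ip: gateway_mac}),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

On a real host, `parse_neigh` can be fed the output of `ip neigh` (Linux) instead of the constructed dump; the duplicate-MAC check needs no prior knowledge, while the baseline check is stronger but requires recording the gateway's MAC while the network is known to be clean.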
How to do an ARP attack?
- Using arpspoof
- Using a simpler tool made by Hack Hunt, Arp Spoofer v1.0
How to protect from MITM attacks?
- Detection is not the same as prevention. The methods mentioned above will help you detect ARP attacks, if any, but it would be better if we could prevent them.
- These methods only work against ARP spoofing or poisoning; what about other man-in-the-middle attacks?