


Arp - Arp - Arp - Arp
Typology: Study Guides, Projects, Research



Address Resolution Protocol poisoning (ARP poisoning) is a form of attack in which an attacker changes the Media Access Control (MAC) address and attacks an Ethernet LAN by changing the target computer's ARP cache with forged ARP request and reply packets. This changes the Layer 2 Ethernet MAC address in the cache to a MAC address known to the hacker, so that the traffic can be monitored. Because the ARP replies are forged, the target computer unintentionally sends its frames to the hacker's computer first instead of to the original destination. As a result, both the user's data and privacy are compromised. An effective ARP poisoning attempt is undetectable to the user.
ARP poisoning is also known as ARP cache poisoning or ARP poison routing (APR).
ARP poisoning is very effective against both wireless and wired local networks. By triggering an ARP poisoning attack, hackers can steal sensitive data from the targeted computers, eavesdrop by means of man-in-the-middle techniques, and cause a denial of service on the targeted computer. In addition, if the hacker modifies the MAC address of a computer that provides the network's Internet connection, access to the Internet and external networks may be disabled.
For smaller networks, using static ARP tables and static IP addresses is an effective solution against ARP poisoning. Another effective method for all kinds of networks is implementing an ARP monitoring tool.
MAC addresses of all hosts in the subnet are mapped to IP addresses by the ARP protocol, which relies on a decentralized infrastructure in which each network node maintains its own table of MAC and IP addresses. No central server maintains an authoritative list, in contrast to the role DNS servers play in the Domain Name System.
Because each node maintains its own mapping table of MAC and IP addresses, network drivers must be very proactive in requesting and extracting routing information from the network in order to maintain an accurate ARP table. Large volumes of ARP request packets are sent across the wire via broadcast, each requesting that the owner of a particular IP address inform the requester of its existence and MAC hardware address.
When a node sees an ARP request targeted at its IP address, it responds with an ARP reply packet containing its current MAC. The requesting machine will then cache the IP address, and the MAC sent in the reply packet, in its ARP table.
Now we can discuss an inherent weakness in the ARP protocol that allows a malicious attacker to modify the ARP table in any node on the LAN.
Most mainstream operating systems, as revealed by our research, extract and use information received from unsolicited ARP replies.
Unsolicited ARP replies are ARP reply packets that a machine receives without having asked for them; that is, no ARP request was ever sent to the node the ARP reply is coming from.
This allows a hacker to forge an ARP reply in which the IP address and MAC address fields can be set to any values. The victim receiving this forged packet will accept the reply and load the MAC/IP pair contained in the packet into the victim's ARP table.
If a legitimate MAC address entry exists in the ARP table for that IP address, it will be overwritten by the MAC address from the attacker's forged ARP reply.
After the attacker's MAC address is injected into a poisoned ARP table, any traffic sent to that IP address will actually be routed to the attacker's hardware instead of the real owner of the IP.
ARP Table before and after being poisoned.
By modifying the MAC address associated with an IP address in the target computer's ARP table, an attacker can trick the target into sending data that should be routed to the targeted IP address to the MAC address of the hacker's machine.
The attacker can then read, and even modify, the data before seamlessly forwarding it on to the intended destination. Using this method, a transparent Man In The Middle (MITM) attack can be carried out, with no apparent symptoms to the victim.
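An added example (not from the original page) of the kind of ARP monitoring tool recommended above: it parses ARP packets, flags replies that answer no observed request, and flags a sender claiming an IP address already bound to a different MAC. The `ArpMonitor` class, the alert strings and the sample packets are constructed for illustration.

```python
import struct

ARP_REQUEST, ARP_REPLY = 1, 2

def mac(b): return ":".join(f"{x:02x}" for x in b)
def ip(b): return ".".join(str(x) for x in b)

def parse_arp(payload):
    """Parse a 28-byte Ethernet/IPv4 ARP body (RFC 826 field order)."""
    if len(payload) < 28:
        raise ValueError("truncated ARP packet")
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", payload[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    return op, mac(sha), ip(spa), mac(tha), ip(tpa)

class ArpMonitor:  # hypothetical name; keeps state across observed packets
    def __init__(self):
        self.table = {}       # IP -> MAC as first learned (never overwritten)
        self.pending = set()  # (requester IP, requested IP) awaiting a reply

    def observe(self, payload):
        op, sha, spa, tha, tpa = parse_arp(payload)
        alerts = []
        if op == ARP_REQUEST:
            self.pending.add((spa, tpa))
        elif op == ARP_REPLY:
            if (tpa, spa) not in self.pending:   # nobody asked for this
                alerts.append(f"unsolicited reply: {spa} is-at {sha}")
            self.pending.discard((tpa, spa))
        known = self.table.setdefault(spa, sha)
        if known != sha:   # sender claims an IP already bound to another MAC
            alerts.append(f"mapping change: {spa} {known} -> {sha}")
        return alerts

# Constructed sample packets (documentation addresses, made-up MACs).
SAMPLES = [bytes.fromhex(h) for h in (
    "0001 0800 06 04 0001 020000000010 c000020a 000000000000 c0000201",  # request
    "0001 0800 06 04 0002 020000000001 c0000201 020000000010 c000020a",  # real reply
    "0001 0800 06 04 0002 020000000066 c0000201 020000000010 c000020a",  # forged
)]

def run_demo():
    monitor = ArpMonitor()
    return [monitor.observe(p) for p in SAMPLES]

if __name__ == "__main__":
    print(run_demo())
```

The monitor has to see both requests and replies, so it belongs on the host itself or on a mirror port, because ARP replies are unicast. A legitimate address change, such as a replaced network card or a reassigned DHCP lease, also raises the mapping-change alert.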
Address Resolution Protocol (ARP) Attacks
What Does ARP Mean? Address Resolution Protocol (ARP) is a stateless protocol designed to map Internet Protocol (IP) addresses to their associated Media Access Control (MAC) addresses. By mapping a 32-bit IP address to an associated 48-bit MAC address via attached Ethernet devices, communication between local nodes can be established.
attack. This attack, however, is specific. As opposed to MAC address flooding or other attacks against a router or switch, the MITM attack is against a victim, and can also be done outside of a switched environment. This means an attack can be executed against a person on the other side of the count
# Packet Sniffing: Sniffing on a Local Area Network (LAN) is quite easy if the network is segmented via a hub rather than a switch. It is also possible to sniff in a switched environment by performing a MAC flood attack. As a result of the MAC flood, the switch will act as a hub and allow the entire network to be sniffed. Any sniffing software can then be used against the network to gather packets.
# Denial of Service: MAC address flooding can be considered a denial-of-service attack. The main idea of the MAC flood is to send enough packet data toward a switch to make it panic. This causes the switch to drop into broadcast mode and broadcast all packet data. The result, however, is not a crash or a dropped service but an overloaded one.