Arp poisoning attack tutorial, Study Guides, Projects, Research of Wireless Sensor Networks

Arp - Arp - Arp - Arp

Typology: Study Guides, Projects, Research

2014/2015

Uploaded on 09/21/2015

satish06
satish06 🇮🇳

4.5

(2)

3 documents

1 / 4

Toggle sidebar

This page cannot be seen from the preview

Don't miss anything!

bg1
Definition - What does Address Resolution Protocol Poisoning (ARP
Poisoning) mean?
Address Resolution Protocol poisoning (ARP poisoning) is a form of attack in which an attacker changes
the Media Access Control (MAC) address and attacks an Ethernet LAN by changing the target computer's
ARP cache with a forged ARP request and reply packets. This modifies the layer -Ethernet MAC address
into the hacker's known MAC address to monitor it. Because the ARP replies are forged, the target
computer unintentionally sends the frames to the hacker's computer first instead of sending it to the
original destination. As a result, both the user's data and privacy are compromised. An effective ARP
poisoning attempt is undetectable to the user.
ARP poisoning is also known as ARP cache poisoning or ARP poison routing (APR).
ARP poisoning is very effective against both wireless and wired local networks. By triggering an ARP
poisoning attack, hackers can steal sensitive data from the targeted computers, eavesdrop by means of
man-in-the-middle techniques, and cause a denial of service on the targeted computer. In addition, if the
hacker modifies the MAC address of a computer that enables Internet connection to the network, access
to Internet and external networks may be disabled.
For smaller networks, using static ARP tables and static IP addresses is an effective solution against ARP
poisoning. Another effective method for all kinds of networks is implementing an ARP monitoring tool
How Does ARP Poisoning Work?
ARP poisoning is a method used for manipulating the flow of traffic between arbitrary hosts on a
local area network. Exploiting a network with an ARP poisoning attack allows an attacker to
reroute traffic passing between workstations and servers on the LAN through a malicious node,
where the traffic can be monitored, modified, or DoSed by the attacker.At the highest level, ARP
poisoning works by modifying the ARP tables – small databases linking MAC hardware
addresses to IP addresses – in target machines by exploiting fundamental weaknesses in the
way network drivers handle ARP traffic.Because local area networks are the smallest unit of
network infrastructure, the rules for passing data between computers vary from the commonly
known TCP/IP and DNS structure used on the Internet. On the LAN, packets are exchanged
using physical MAC addresses as a base network identifier rather then IP addresses.
MAC addresses of all hosts in the subnet are mapped to IP addresses by the ARP
protocol, which relies on a decentralized infrastructure in which each network node
maintains its own table of MAC and IP addresses. No central server maintains an
authoritative list, a role played by DNS servers in the domain name system.
Because each node maintains its own mapping table of MAC and IP addresses,
network drivers must be very proactive in requesting and extracting routing information
from the network in order to maintain an accurate ARP table.
Large volumes of ARP request packets are sent across the wire via broadcast, each
pf3
pf4

Partial preview of the text

Download Arp poisoning attack tutorial and more Study Guides, Projects, Research Wireless Sensor Networks in PDF only on Docsity!

Definition - What does Address Resolution Protocol Poisoning (ARP

Poisoning) mean?

Address Resolution Protocol poisoning (ARP poisoning) is a form of attack in which an attacker changes the Media Access Control (MAC) address and attacks an Ethernet LAN by changing the target computer's ARP cache with a forged ARP request and reply packets. This modifies the layer -Ethernet MAC address into the hacker's known MAC address to monitor it. Because the ARP replies are forged, the target computer unintentionally sends the frames to the hacker's computer first instead of sending it to the original destination. As a result, both the user's data and privacy are compromised. An effective ARP poisoning attempt is undetectable to the user.

ARP poisoning is also known as ARP cache poisoning or ARP poison routing (APR).

ARP poisoning is very effective against both wireless and wired local networks. By triggering an ARP poisoning attack, hackers can steal sensitive data from the targeted computers, eavesdrop by means of man-in-the-middle techniques, and cause a denial of service on the targeted computer. In addition, if the hacker modifies the MAC address of a computer that enables Internet connection to the network, access to Internet and external networks may be disabled.

For smaller networks, using static ARP tables and static IP addresses is an effective solution against ARP poisoning. Another effective method for all kinds of networks is implementing an ARP monitoring tool

How Does ARP Poisoning Work?

ARP poisoning is a method used for manipulating the flow of traffic between arbitrary hosts on a

local area network. Exploiting a network with an ARP poisoning attack allows an attacker to

reroute traffic passing between workstations and servers on the LAN through a malicious node,

where the traffic can be monitored, modified, or DoSed by the attacker.At the highest level, ARP

poisoning works by modifying the ARP tables – small databases linking MAC hardware

addresses to IP addresses – in target machines by exploiting fundamental weaknesses in the

way network drivers handle ARP traffic.Because local area networks are the smallest unit of

network infrastructure, the rules for passing data between computers vary from the commonly

known TCP/IP and DNS structure used on the Internet. On the LAN, packets are exchanged

using physical MAC addresses as a base network identifier rather then IP addresses.

MAC addresses of all hosts in the subnet are mapped to IP addresses by the ARP protocol, which relies on a decentralized infrastructure in which each network node

maintains its own table of MAC and IP addresses. No central server maintains an authoritative list, a role played by DNS servers in the domain name system.

Because each node maintains its own mapping table of MAC and IP addresses, network drivers must be very proactive in requesting and extracting routing information

from the network in order to maintain an accurate ARP table. Large volumes of ARP request packets are sent across the wire via broadcast, each

requesting that the owner of a particular IP address inform the requester of its existance and MAC hardware address.

When a node sees a MAC request targeted at it’s IP address, it responds with an ARP

reply packet containing its current MAC. The requesting machine will then cache the IP address, and the MAC sent in the reply packet, in its ARP table.



Now, we can discuss an inherent weakness in the ARP protocol that allow a malicious

attacker to modify the ARP table in any node on the LAN.

Most mainstream operating systems, as revealed by our research, extract and use information received from unsolicited ARP replies.

Unsolicited ARP replies are ARP reply packets received by a machine that the machine never asked for – AKA, an ARP request was never sent to the node the ARP reply is

coming from.

This allows a hacker to forge an ARP reply in which the IP address and MAC address

fields can be set to any values. The victim receiving this forged packet will accept the reply, and load the MAC/IP pair contained in the packet into the victim’s ARP table.

If a legitimate MAC address entry exists in the ARP table for that IP address, it will be overwritten by the MAC address from the attacker’s forged ARP reply.

After the attacker’s MAC address is injected into a poisoned ARP table, any traffic sent

to that IP address will actually be routed to the attacker’s hardware instead of the real owner of the IP.

ARP Table before and after being poisoned.

By modifying the MAC address associated with an IP address in the target computer’s

ARP table, an attacker can trick them into sending data that should be routed to the targeted IP address to the MAC address of the hacker’s machine.

The attacker can then read, and even modify, the data before seamlessly forwarding it on to the intended destination. Using this method, a transparent Man In The Middle (MITM) attack can be carried out,

with no apparent symptoms to the victim.

Address Resolution Protocol (ARP) Attacks

What Does ARP Mean? Address Resolution Protocol (ARP) is a stateless protocol, was designed to map Internet Protocol addresses (IP) to their associated Media Access Control (MAC) addresses. This being said, by mapping a 32 bit IP address to an associated 48 bit MAC address via attached Ethernet devices, a communication between local nodes can be made.

attack. This attack however is specific. As opposed to MAC Address Flooding or other attacks against a router/switch, the MITM attack is against a victim, and also can be done outside of a switched environment. Thus meaning, an attack can be executed against a person on the other side of the count

# Packet Sniffing : Sniffing on a Local Area Network (LAN) is quite easy if the network is segmented via a hub, rather than a switch. It is of course possible to sniff on a switched environment by performing a MAC flood attack. As a result of the MAC flood, the switch will act as a hub, and allow the entire network to be sniffed. This gives you a chance to use any sort of sniffing software available to you to use against the network, and gather packets.

# Denial of Service : MAC Address Flooding can be considered a Denial of service attack. The main idea of the MAC flood, is to generate enough packet data to send toward a switch, attempting to make it panic. This will cause the switch to drop into broadcast mode and broadcast all packet data. This however did not result in a crash, or the service to be dropped, but to be overloaded.