Friday, 4 March 2016

ARP protocol

ARP PROTOCOL BASICS

ARP stands for Address Resolution Protocol. It operates at the link layer (Layer 2) of the OSI model, and its purpose is to resolve an IP address to a MAC address. Any piece of hardware that connects to the Internet has a unique MAC address associated with its network interface.

HOW ARP WORKS

[Image: A1.png]
So let’s imagine the scenario shown in the image, where on a switch-based network “Host A”, with the IP 192.168.1.2, would like to communicate with “Host B”, with the IP 192.168.1.3. In order to communicate on the local area network, Host A needs the MAC address of Host B. Host A first looks inside its ARP cache to see whether an entry for Host B’s IP address is present in the ARP table. If it is not present, Host A sends an ARP request as a broadcast to every device on the network, asking “Who has Host B’s IP address?”
Once Host B receives the ARP request, it sends an ARP reply telling Host A “I am Host B and here is my MAC address.” Host A then saves that MAC address in its ARP table. An ARP cache contains a list of the IP and MAC addresses of every host we have communicated with.
[Image: A2.png]

ARP ATTACKS

There are two types of attack vectors that could be utilized with ARP:
1. MAC flooding
2. ARP poisoning or ARP spoofing

MAC FLOODING

We will discuss MAC flooding first, as it is the easier of the two. The idea behind a MAC flooding attack is to send a huge number of ARP replies to a switch, thereby overloading the CAM table of the switch. Once the CAM table overflows, the switch falls back into hub mode, meaning that it forwards the traffic to every single computer on the network. All the attacker needs to do now is run a sniffer to capture all the traffic. This attack does not work on every switch; many newer switches have built-in protection against it.

MACOF

Macof is part of the dsniff suite of tools, which I will demonstrate once we get to ARP spoofing. Macof fills the CAM table in less than a minute or so, since it sends a huge number of MAC entries: 155,000 per minute, to be specific.
Usage
The usage is extremely simple: all we need to do is execute the “macof” command from our terminal.
Take a look at the following screenshot:
[Image: A3.png]
Once the CAM table has been flooded, we can open Wireshark and start capturing the traffic.
By default, Wireshark is set to capture traffic in promiscuous mode; however, you don’t need to sniff in promiscuous mode once the switch has gone into hub mode, since the traffic is already being forwarded to every port.

ARP POISONING

ARP poisoning is a very popular attack and can be used to get in the middle of a communication. This is achieved by sending fake ARP replies. As discussed earlier, ARP always trusts that a reply is coming from the right device; there is no authentication in its design, so a host has no way to verify that an ARP reply was sent by the device that really owns the address.
The way it works is that the attacker sends a spoofed ARP reply to any computer on the network to make it believe that a certain IP is associated with a certain MAC address, thereby poisoning its ARP cache, which keeps track of the IP-to-MAC mappings.

SCENARIO—HOW IT WORKS

[Image: A4.png]
Let’s take a look at the scenario presented in this image. The hacker sniffs all the traffic using the ARP spoofing attack. We have a switch with the IP 192.168.1.2. We have two hosts, namely “bob” with the IP 10.0.0.1 and “alice” with the IP 10.0.0.7. The “hacker” computer is also located on the network, with the IP 10.0.0.3.


In order to launch an ARP spoofing attack, the attacker sends two spoofed ARP replies. The first reply is sent to “bob”, telling it that “alice” is at the MAC address of the “hacker”, that is, “bb.bb.bb.bb”, so all the communication going from “bob” to “alice” will be forwarded to the hacker. Now the hacker sends a spoofed ARP reply to “alice” as well, telling her that “bob” is located at the hacker’s MAC address, since he wants to sniff the traffic going from “alice” to “bob” too. So through ARP spoofing, the hacker is now in the middle, sniffing traffic between the two hosts.
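The two spoofed replies in this scenario are exactly what a host-side ARP monitor can catch: a reply that nobody asked for, and a known IP suddenly answering from a different MAC. The following is an added detection example, not code from the original post; it parses raw Ethernet/ARP frames and feeds them to a small watcher, using constructed frames for the page’s bob, alice and hacker hosts (the frame contents and all MAC addresses are assumed).

```python
import struct
ETH_ARP, REQUEST, REPLY = 0x0806, 1, 2
mac_str = lambda b: ":".join(f"{x:02x}" for x in b)
ip_str = lambda b: ".".join(str(x) for x in b)

def parse_arp(frame):
    """Fields of an IPv4-over-Ethernet ARP frame (14-byte Ethernet II header + 28-byte ARP), else None."""
    if len(frame) < 42 or struct.unpack("!HHHBB", frame[12:20]) != (ETH_ARP, 1, 0x0800, 6, 4):
        return None
    op, a = struct.unpack("!H", frame[20:22])[0], frame[22:42]
    return {"op": op, "sha": mac_str(a[:6]), "spa": ip_str(a[6:10]), "tha": mac_str(a[10:16]), "tpa": ip_str(a[16:20])}

class ArpWatch:
    """Keeps the IP-to-MAC table a host would build and flags two symptoms of poisoning."""
    def __init__(self):
        self.table = {}       # ip -> mac learned from replies
        self.pending = set()  # (requester ip, target ip) of requests seen on the wire

    def process(self, frame):
        p, alerts = parse_arp(frame), []
        if p is None:
            return alerts
        if p["op"] == REQUEST:
            self.pending.add((p["spa"], p["tpa"]))
        elif p["op"] == REPLY:
            # A reply is only expected if its target recently asked for this sender's IP.
            if (p["tpa"], p["spa"]) in self.pending:
                self.pending.discard((p["tpa"], p["spa"]))
            else:
                alerts.append(f"unsolicited reply: {p['spa']} is-at {p['sha']} to {p['tpa']}")
            # A known IP suddenly claiming a different MAC is the classic poisoning signature.
            old = self.table.get(p["spa"])
            if old is not None and old != p["sha"]:
                alerts.append(f"binding changed: {p['spa']} {old} -> {p['sha']}")
            self.table[p["spa"]] = p["sha"]
        return alerts

def build_arp(op, sha, spa, tha, tpa):
    dst = b"\xff" * 6 if op == REQUEST else tha  # requests go to the broadcast address
    return dst + sha + struct.pack("!HHHBBH", ETH_ARP, 1, 0x0800, 6, 4, op) + sha + spa + tha + tpa

# Constructed sample using the page's hosts (bob 10.0.0.1, alice 10.0.0.7, hacker at bb.bb...); MACs are made up.
BOB, ALICE, HACKER = b"\xaa" * 6, b"\xcc" * 6, b"\xbb" * 6
BOB_IP, ALICE_IP = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 7])
SAMPLE = [
    build_arp(REQUEST, BOB, BOB_IP, b"\x00" * 6, ALICE_IP),  # bob: who has 10.0.0.7?
    build_arp(REPLY, ALICE, ALICE_IP, BOB, BOB_IP),          # alice: 10.0.0.7 is-at cc:..
    build_arp(REPLY, HACKER, ALICE_IP, BOB, BOB_IP),         # spoofed: 10.0.0.7 is-at bb:..
]
```

Running the three sample frames through one ArpWatch raises no alert for bob’s request or alice’s genuine answer, and two alerts for the hacker’s reply. Gratuitous ARP (a host announcing its own address) also trips the unsolicited-reply rule, so a production monitor such as arpwatch treats that case separately rather than alerting on it.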
