ARP Poisoning
The term ARP stands for Address Resolution Protocol. It is the protocol IPv4 uses to map an IP address to the hardware (MAC) address of the network interface that the data link protocol, usually Ethernet, delivers frames to. ARP sits below the network layer of the OSI model, as part of the interface between the network layer and the link layer. It is used for IPv4 over Ethernet and over similar broadcast link layers such as Wi-Fi (IPv6 does not use ARP; it uses Neighbor Discovery instead). There is no ARP server: a host that needs a MAC address broadcasts an ARP request ("who has 192.168.5.1?") to every host on the LAN, and the host that owns that IP address answers with an ARP reply carrying its MAC address. Address resolution is complete when the requester receives that reply and stores the IP-to-MAC pair in its ARP cache (ARP table). Nothing in the protocol authenticates the reply: any host on the LAN can send one, and most hosts accept it, which is exactly what ARP poisoning exploits.
What is ARP Poisoning?
ARP Poisoning is also known as ARP spoofing. It is the foundation for other attacks such as Man-in-the-Middle, session hijacking and Denial of Service. The attacker sends forged ARP replies onto the LAN so that the victims' ARP caches associate the attacker's MAC address with the IP address of a legitimate host, typically the default gateway. From then on every frame the victims address to that IP is delivered by the switch to the attacker, who can read, alter or drop the traffic before (optionally) forwarding it to the real destination.
Procedure of ARP Spoofing/Poisoning:
1. The attacker uses a tool such as Ettercap, Cain & Abel, Arpoison or arpspoof (part of dsniff) and runs it on a host that sits in the same IP subnet as the target, because ARP never crosses a router.
2. The attacker scans the target's subnet to learn the IP and MAC addresses of the hosts on it, in particular those of the target and of the default gateway.
3. The attacker picks a target and begins sending forged ARP replies across the LAN. Each reply pairs the attacker's MAC address with the gateway's IP address (sent to the target) and, for a full two-way interception, the attacker's MAC address with the target's IP address (sent to the gateway). Because ARP cache entries expire, the replies are repeated every few seconds.
4. The attacker now sits between the victim and the router: every packet in either direction, the victim's requests and the server's responses alike, passes through the attacker's host, which forwards it on so that the victim notices nothing.
In short, the attacker keeps the victims' ARP caches filled with spoofed entries and can then sniff, modify or drop every packet they exchange.
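The procedure above, as an added example that is not part of the original page: the frames are built and decoded in memory with Python's standard library only (nothing is put on the wire, since sending raw Ethernet frames needs a raw socket and root), and the addresses are constructed for the scenario, not taken from a real capture. The block encodes the ARP request/reply layout from RFC 826, then models a victim host that, like real hosts, overwrites its cache with whatever reply reaches it, so the forged reply of step 3 redirects the gateway's IP to the attacker's MAC.

```python
import struct
from ipaddress import IPv4Address

# Field values from Ethernet II / RFC 826
ETHERTYPE_ARP = 0x0806
HTYPE_ETHERNET = 1
PTYPE_IPV4 = 0x0800
ARP_REQUEST = 1
ARP_REPLY = 2
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_bytes(mac):
    """'00:14:22:01:23:45' or '00-14-22-01-23-45' -> 6 raw bytes."""
    return bytes.fromhex(mac.replace(":", "").replace("-", ""))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II header (14 bytes) + ARP body (28 bytes) = 42-byte frame.
    Requests go to the broadcast MAC; replies are unicast to the target,
    which is why a forged reply reaches only the victim it is aimed at."""
    dst = BROADCAST if op == ARP_REQUEST else target_mac
    eth = mac_bytes(dst) + mac_bytes(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    body = struct.pack("!HHBBH", HTYPE_ETHERNET, PTYPE_IPV4, 6, 4, op)
    body += mac_bytes(sender_mac) + IPv4Address(sender_ip).packed
    body += mac_bytes(target_mac) + IPv4Address(target_ip).packed
    return eth + body


def parse_arp(frame):
    """Decode an Ethernet+ARP frame; raise ValueError unless it is IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (HTYPE_ETHERNET, PTYPE_IPV4, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol type")
    return {
        "op": op,
        "sender_mac": mac_str(frame[22:28]),
        "sender_ip": str(IPv4Address(frame[28:32])),
        "target_mac": mac_str(frame[32:38]),
        "target_ip": str(IPv4Address(frame[38:42])),
    }


class VictimArpCache:
    """Models the behaviour ARP poisoning abuses: the host accepts any reply
    it sees and overwrites its cache without checking who really sent it."""

    def __init__(self):
        self.table = {}
        self.alerts = []  # what a cache watcher such as arpwatch would log

    def observe(self, frame):
        p = parse_arp(frame)
        if p["op"] != ARP_REPLY:
            return
        old = self.table.get(p["sender_ip"])
        self.table[p["sender_ip"]] = p["sender_mac"]
        if old and old != p["sender_mac"]:
            self.alerts.append(f'{p["sender_ip"]} changed {old} -> {p["sender_mac"]}')


# Constructed addresses for the scenario (hypothetical, not from any real network)
GATEWAY_IP, GATEWAY_MAC = "192.168.5.1", "00:14:22:01:23:45"
VICTIM_IP, VICTIM_MAC = "192.168.5.201", "40:d4:49:cf:55:b8"
ATTACKER_IP, ATTACKER_MAC = "192.168.5.202", "de:ad:be:ef:00:01"


def run_scenario():
    """Victim resolves the gateway legitimately, then the attacker's forged
    reply (step 3) rewrites the gateway entry. Returns (before, after, alerts)."""
    victim = VictimArpCache()
    victim.observe(build_arp(ARP_REQUEST, VICTIM_MAC, VICTIM_IP, "00:00:00:00:00:00", GATEWAY_IP))
    victim.observe(build_arp(ARP_REPLY, GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP))
    before = dict(victim.table)
    # Forged reply: sender IP is the gateway's, sender MAC is the attacker's own.
    victim.observe(build_arp(ARP_REPLY, ATTACKER_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP))
    return before, dict(victim.table), victim.alerts


if __name__ == "__main__":
    before, after, alerts = run_scenario()
    print("before:", before)
    print("after: ", after)
    print("alerts:", alerts)
```

The victim never sent a second request; the unsolicited reply alone was enough to change the entry, and the only trace it leaves is the MAC change that `VictimArpCache.alerts` records. Real tools simply resend that last frame every few seconds so the poisoned entry never ages out.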
How to Detect ARP Poisoning?
1) Open a terminal (Linux) or a command prompt (Windows); administrator rights are not needed to read the ARP cache. The command that displays the ARP table is the same on both systems (on a Linux host without the net-tools package, "ip neigh" shows the same information):
"arp -a"
2) Output (sample; the exact layout differs between Windows and Linux):
IP Address        Physical Address
192.168.5.1       00-14-22-01-23-45
192.168.5.201     40-d4-49-cf-55-b8
192.168.5.202     00-14-22-01-23-45
If the same physical (MAC) address appears against two different IP addresses, ARP poisoning is probably taking place. Here 192.168.5.1 is the router, so the attacker is most likely the host at 192.168.5.202: its real MAC address has been written into the cache entry for the router's IP, so the router and the attacker now appear to share one MAC address, which two separate devices should not. Two caveats before concluding: a single host can legitimately answer ARP for more than one IP address (a router that holds a VRRP or HSRP virtual address next to its own, or a server with several IPs on one interface), so compare the MAC against the router's label or its known vendor prefix; and because a poisoned entry expires unless the attacker keeps refreshing it, repeating the command a few times may show the router's entry flipping between two MAC addresses, which is a stronger signal than a single snapshot.
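The check described above, automated, as an added example that is not part of the original page: it parses "arp -a" output in both the Windows layout and the Linux net-tools layout, skips broadcast and multicast entries (which legitimately map one MAC to many IPs) and incomplete entries, and reports every MAC claimed by more than one IP, treating a MAC shared with the gateway's IP as the strong signal. The two sample outputs are constructed to match the table above; the function names are this example's own.

```python
import re

# One table row: an IPv4 address followed on the same line by a MAC written with ':' or '-'.
# Matches Windows rows ("192.168.5.1   00-14-22-01-23-45   dynamic") and Linux net-tools
# rows ("? (192.168.5.1) at 00:14:22:01:23:45 [ether] on eth0"); header lines,
# "Interface:" banners and "<incomplete>" entries have no MAC and are skipped.
_ENTRY = re.compile(
    r"(?P<ip>\b\d{1,3}(?:\.\d{1,3}){3}\b).*?"
    r"(?P<mac>\b(?:[0-9a-fA-F]{2}[:-]){5}[0-9a-fA-F]{2}\b)"
)

# Constructed sample outputs (not real captures) mirroring the table in the text.
SAMPLE_WINDOWS = """Interface: 192.168.5.201 --- 0x4
  Internet Address      Physical Address      Type
  192.168.5.1           00-14-22-01-23-45     dynamic
  192.168.5.201         40-d4-49-cf-55-b8     dynamic
  192.168.5.202         00-14-22-01-23-45     dynamic
  192.168.5.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""
SAMPLE_LINUX = """_gateway (192.168.5.1) at 00:14:22:01:23:45 [ether] on eth0
? (192.168.5.201) at 40:d4:49:cf:55:b8 [ether] on eth0
? (192.168.5.202) at 00:14:22:01:23:45 [ether] on eth0
? (192.168.5.150) at <incomplete> on eth0
"""


def normalize_mac(mac):
    return mac.lower().replace("-", ":")


def is_group_mac(mac):
    """Broadcast/multicast MACs have the I/G bit (low bit of the first octet) set."""
    return int(mac.split(":")[0], 16) & 1 == 1


def parse_arp_table(text):
    """Return (ip, mac) pairs in table order, MACs normalised, group addresses dropped."""
    entries = []
    for line in text.splitlines():
        m = _ENTRY.search(line)
        if not m:
            continue
        mac = normalize_mac(m.group("mac"))
        if is_group_mac(mac):
            continue
        entries.append((m.group("ip"), mac))
    return entries


def shared_macs(text):
    """Map each MAC that appears for more than one IP to the list of those IPs."""
    by_mac = {}
    for ip, mac in parse_arp_table(text):
        ips = by_mac.setdefault(mac, [])
        if ip not in ips:
            ips.append(ip)
    return {mac: ips for mac, ips in by_mac.items() if len(ips) > 1}


def check_for_poisoning(text, gateway_ip):
    """Alert strings for the operator. A MAC shared with the gateway's IP is the
    classic poisoning signature; any other shared MAC is flagged for a closer look."""
    alerts = []
    for mac, ips in shared_macs(text).items():
        if gateway_ip in ips:
            others = ", ".join(ip for ip in ips if ip != gateway_ip)
            alerts.append(f"gateway {gateway_ip} shares MAC {mac} with {others}: likely ARP poisoning")
        else:
            alerts.append(f"MAC {mac} claimed by {', '.join(ips)}: check for a multi-IP host or VRRP/HSRP")
    return alerts


if __name__ == "__main__":
    import subprocess
    live = subprocess.run(["arp", "-a"], capture_output=True, text=True).stdout
    for alert in check_for_poisoning(live, "192.168.5.1") or ["no shared MAC addresses"]:
        print(alert)
```

Run it periodically rather than once: the poisoned entry only stays in the cache while the attacker keeps resending replies, so a diff between two runs a minute apart (the router's MAC changing) is a better indicator than a single listing.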
How ARP Poisoning helps cyber-attacks?
1. MITM (Man in the Middle): The attacker sends an ARP reply that pairs its own MAC address with the IP address of a legitimate server or router. When the victim receives the reply it updates its ARP table, and when it then tries to reach the legitimate device its frames are delivered to the attacker instead, who reads or alters them and forwards them on to the real destination so the connection keeps working.
2. DoS (Denial of Service): The attacker sends many ARP replies that map a range of IP addresses to the MAC address of a single legitimate server. Every device on the network updates its ARP table, and the IP packets for all of those addresses are now delivered to that one server, overloading it with traffic. (Mapping the gateway's IP to a MAC address that does not exist instead simply black-holes the victims' traffic.)
3. Session hijacking: With the victim's traffic flowing through the attacker, ARP spoofing lets the attacker capture session identifiers (cookies, tokens) from unencrypted sessions and replay them, gaining the victim's access to personal data and systems.