Risk Analysis for ARP
Three major vulnerabilities exist in the ARP protocol:
• No authentication. Host B does not authenticate the ARP reply, and there is no integrity
protection for the ARP reply.
• Information leak. All hosts in the same Ethernet VLAN learn the <IP, MAC> mapping of
host A. Moreover, they learn that host A wants to talk to host B.
• Availability issue. All hosts in the same Ethernet LAN receive the ARP request (sent in a
broadcast frame) and have to process it. A malicious attacker could send thousands of ARP
request frames per second, and all hosts on the LAN have to process these frames. This
wastes network bandwidth and CPU time.
ARP Bluffing Attack
An ARP spoofing attack is also known as ARP poisoning. It relies on the absence of
authentication in the ARP messages. Gratuitous ARP also makes the attack simpler to build.
The goal of an ARP spoofing attack is to be able to see all IP packets sent to one host, even
in a switched network. This is surprising at first because switches are designed to send
Ethernet frames only to the correct switch port after they learn the destination MAC
address.
Table 6-2 Host A ARP Table
IP Address      MAC Address
10.0.0.1        0000.CAFE.0000
10.0.0.2        0000.BABE.0000
Elements of an ARP Bluffing Attack
An attack consists of sending forged unsolicited ARP replies to host A, as Figure 6-4 shows.
The attacker, host C, sends this gratuitous ARP to host A without any MAC spoofing. The
content carries a new but incorrect mapping of host B's IP address to the MAC address of
host C (the attacker).
Figure 6-4 ARP Spoofing: The Attack
Upon receipt of the spoofed gratuitous ARP reply, host A updates its ARP table with the new
mapping, as Table 6-3 shows. This mapping is not correct, but host A has no way to detect it.
As soon as host A updates its ARP table, all its IP packets destined to host B are actually
sent to the attacker's MAC address (host C).
Figure 6-5 shows the packet flow between IP host A and host B. IP packets from host A to host
B are actually first sent to host C (because host A believes that host B's MAC address is the
MAC address of host C), which sniffs the packet. Typically, host C needs to resend the IP
packet to the final host, host B, or else the communication breaks and users notice that
something is wrong.
ARP spoofing works in only one direction: The attacker (host C) intercepts only the packet flow
from IP host A to host B. If the attacker wants to see the return traffic, he must send
gratuitous ARP packets to IP host B to change its ARP table so that it contains a fake
mapping of host A's IP address to host C's MAC address.
Table 6-3 Host A ARP Table
IP Address      MAC Address
10.0.0.1        0000.CAFE.0000
10.0.0.2        0000.0666.0000
(Figure 6-4 contents) Host A: IP 10.0.0.1, MAC 0000.CAFE.0000. Host B: IP 10.0.0.2, MAC
0000.C5C0.0000. Host C: IP 10.0.0.3, MAC 0000.0666.0000. Gratuitous ARP frame from C to A,
MAC 0666 -> CAFE: "10.0.0.2 is at 0666".
110 Chapter 6: Exploiting IPv4 ARP
Figure 6-5 ARP Spoofing: The Effect
Notice that the switch does exactly what it is built for: forwarding MAC frames to their
destination based only on the learned content-addressable memory (CAM) table, as Table
6-4 shows. This attack is not against a switch; it is against ARP.
If the victim, host B, is actually a router, attacker C receives all the IP packets leaving the
local subnet because all nodes will send those datagrams to the attacker, who spoofed the
router MAC address. But the attacker won't receive any IP packet destined to a host on
the local subnet with a single ARP spoofing attack. To receive the return traffic, the attacker
runs multiple ARP spoofing attacks (by sending spoofed ARP packets to the router,
pretending to be all the nodes of interest) to get that traffic to the local hosts.
Finally, this attack is only effective within the attacker's VLAN. More precisely, it only
applies when the attacker is in the same IP subnet as both victims, because ARP is only used
between two hosts when they are in the same subnet.
Table 6-4 Switch CAM Table
MAC Address         Port
0000.0666.0000      To C
0000.CAFE.0000      To A
0000.C5C0.0000      To B
(Figure 6-5 contents) Host A: IP 10.0.0.1, MAC 0000.CAFE.0000. Host B: IP 10.0.0.2, MAC
0000.C5C0.0000. Host C: IP 10.0.0.3, MAC 0000.0666.0000. Frame from A to C: MAC CAFE -> 0666,
IP 10.0.0.1 -> 10.0.0.2, Telnet: password=xyz. Frame relayed from C to B: MAC 0666 -> C5C0,
IP 10.0.0.1 -> 10.0.0.2, Telnet: password=xyz.
Mounting an ARP Spoofing Attack
Multiple hacking tools exist to mount an ARP spoofing attack, including the following:
• dsniff.2 The first tool made available, arpspoof, was part of the dsniff package. It has
no GUI and is available on most Linux and Windows platforms.
• ettercap.3 A generic sniffer that has an ARP spoofing module. It has a GUI and is
available on Linux and Windows platforms.
• cain.4 A sniffer designed by and for hackers. (It contains a utility to detect passwords
in IP packet flows.) It runs only on Microsoft Windows.
Some of these hacking tools are complemented with protocol decoders to find the username
and password fields in several protocols, such as Post Office Protocol (POP) and HTTP.
NOTE Only use attack tools in a lab environment. They might potentially break a network's
stability or, even worse, they might break local laws or a business' code of conduct.
Nevertheless, it is important to use them in a lab to fully understand how a potential attacker
might use them and to understand how Cisco switches can mitigate the risk of an attack.
This example uses the dsniff package on Linux and a victim host running Windows. The
dsniff package contains multiple tools, including one for ARP spoofing.
Example 6-1 displays the Windows host ARP table before the attack.
Example 6-2 shows how the attack tool is run. The bottom two lines appear every 30
seconds, when an unsolicited ARP reply is sent to the Ethernet broadcast address.
Example 6-1 Original ARP Table
C:\>arp -a
Interface: 10.0.0.26 on Interface 2
Internet Address      Physical Address      Type
10.0.0.1              00-04-4e-f2-d8-01     dynamic
Example 6-2 ARP Spoofing
[root@hacker-lnx dsniff-2.3]# ./arpspoof 10.0.0.1
0:10:83:34:29:72 ff:ff:ff:ff:ff:ff 0806 42: arp reply 10.0.0.1 is-at 0:10:83:34:29:72
0:10:83:34:29:72 ff:ff:ff:ff:ff:ff 0806 42: arp reply 10.0.0.1 is-at 0:10:83:34:29:72
Example 6-3 proves that Windows has updated its ARP table, which now contains the
incorrect information for host 10.0.0.1.
Example 6-3 Corrupted ARP Table
C:\>arp -a
Interface: 10.0.0.26 on Interface 2
Internet Address      Physical Address      Type
10.0.0.1              00-10-83-34-29-72     dynamic
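As an added example that is not part of the chapter, the following Python script builds 42-byte ARP frames of the kind arpspoof emits in Example 6-2 and checks them against a baseline taken from Example 6-1, flagging the three things a listener can check even though ARP itself has no authentication: a reply sent to the broadcast address, an Ethernet source MAC that disagrees with the ARP sender MAC, and an IP address whose MAC differs from the baseline. The target MAC/IP fields of the spoofed frame and every address in the LEGIT frame are constructed values, not taken from the page.

```python
import struct

ETH_P_ARP = 0x0806               # EtherType for ARP
ARP_REPLY = 2                    # ARP opcode: 1 = request, 2 = reply
BROADCAST = "ff:ff:ff:ff:ff:ff"

def _mac(s: str) -> bytes:       # accepts aa:bb:... or aa-bb-... (Windows arp -a) notation
    return bytes.fromhex(s.replace(":", "").replace("-", ""))
_ip = lambda s: bytes(int(o) for o in s.split("."))

def build_arp(eth_src, eth_dst, oper, sha, spa, tha, tpa) -> bytes:
    """Build a 42-byte Ethernet II + ARP frame (IPv4 over Ethernet), the size shown in Example 6-2."""
    eth = struct.pack("!6s6sH", _mac(eth_dst), _mac(eth_src), ETH_P_ARP)
    return eth + struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, oper,
                             _mac(sha), _ip(spa), _mac(tha), _ip(tpa))

def parse_arp(frame: bytes) -> dict:
    """Decode the fields a detector needs; reject anything that is not a complete ARP frame."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet + ARP")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETH_P_ARP:
        raise ValueError(f"not ARP: ethertype 0x{ethertype:04x}")
    _, _, _, _, oper, sha, spa, _, tpa = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    mac = lambda b: ":".join(f"{x:02x}" for x in b)
    return {"eth_dst": mac(dst), "eth_src": mac(src), "oper": oper, "sha": mac(sha),
            "spa": ".".join(map(str, spa)), "tpa": ".".join(map(str, tpa))}

def check_arp_frame(frame: bytes, baseline: dict) -> list:
    """Return the reasons a frame looks like ARP poisoning; an empty list means it passed."""
    a = parse_arp(frame)
    alerts = []
    if a["oper"] == ARP_REPLY and a["eth_dst"] == BROADCAST:
        alerts.append("ARP reply sent to the broadcast address (gratuitous)")
    if a["eth_src"] != a["sha"]:
        alerts.append("Ethernet source MAC differs from ARP sender MAC")
    known = baseline.get(a["spa"])
    if known is not None and _mac(known) != _mac(a["sha"]):
        alerts.append(f"{a['spa']} claimed by {a['sha']}, baseline has {known}")
    return alerts

# Baseline from Example 6-1: the Windows host's ARP table before the attack.
BASELINE = {"10.0.0.1": "00-04-4e-f2-d8-01"}
# Constructed frames. SPOOFED mirrors the arpspoof output in Example 6-2 (broadcast reply,
# "10.0.0.1 is-at 00:10:83:34:29:72"); target MAC/IP are assumed. LEGIT is a constructed
# unicast reply from the real router that agrees with the baseline.
SPOOFED = build_arp("00:10:83:34:29:72", BROADCAST, ARP_REPLY,
                    "00:10:83:34:29:72", "10.0.0.1", "00:00:00:00:00:00", "10.0.0.26")
LEGIT = build_arp("00:04:4e:f2:d8:01", "00:0c:29:11:22:33", ARP_REPLY,
                  "00:04:4e:f2:d8:01", "10.0.0.1", "00:0c:29:11:22:33", "10.0.0.26")
```

Because arpspoof here sends with its own MAC ("without any MAC spoofing"), the Ethernet-source check stays quiet on SPOOFED; the broadcast and baseline checks are what catch it.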