ARP Poisoning

The ARP (Address Resolution Protocol) is used to find the MAC address of any IP address that you are trying to reach on your local network, it’s a simple protocol and vulnerable to an attack called ARP poisoning (or ARP spoofing).

ARP poisoning is an attack where we send fake ARP reply packets on the network. There are two possible attacks:

  • MITM (Man in the middle): the attacker will send an ARP reply with its own MAC address and the IP address of a legitimate host, server or router. When the victim receives the ARP reply it will update its ARP table. When it tries to reach the legitimate device, the IP packets will end up at the attacker.
  • DOS (Denial of Service): the attacker will send many ARP replies with the MAC address of a legitimate server. All devices in the network will update their ARP tables and all IP packets in the network will be sent to the server, overloading it with traffic.

The ARP (Address Resolution Protocol) is used to find the MAC address of any IP address that you are trying to reach on your local network, it's a simple protocol and vulnerable to an attack called ARP poisoning (or ARP spoofing). ARP poisoning is an attack where we send fake ARP reply packets on th


In this lesson we’ll take a look at a MITM attack performed through ARP poisoning, to demonstrate this we’ll use the following topology:

ARP Poisoning Example Topology

Above we have a switch that connects two computers and a router, which is used for Internet access. The computer on the left side is a Windows computer with a user browsing the Internet, the computer on the top is our attacker.

Traffic Pattern without ARP Poisoning

Let’s take a look at the MAC addresses and ARP tables of the host on the left side (192.168.1.1) and the router:

C:\Users\host1>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : vmware
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Ethernet0:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) 82574L Gigabit Network Connection
   Physical Address. . . . . . . . . : 00-50-56-8E-5E-33
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::e8b4:ac21:751f:fa34%12(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.1.1(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Tuesday, October 6, 2015 1:46:34 AM
   Lease Expires . . . . . . . . . . : Wednesday, October 7, 2015 2:02:04 AM
   Default Gateway . . . . . . . . . : 192.168.1.254
   DHCP Server . . . . . . . . . . . : 192.168.1.254
   DHCPv6 IAID . . . . . . . . . . . : 251678806
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1D-13-64-E8-00-50-56-8E-5E-33
   DNS Servers . . . . . . . . . . . : 8.8.8.8
   NetBIOS over Tcpip. . . . . . . . : Enabled

Above you can see the MAC address and IP address of the host on the left side, this is a Windows 8 computer. The default gateway is 192.168.1.254 (R1). Here’s the ARP table:

C:\Users\host1>arp -a

Interface: 192.168.1.1 --- 0xc
  Internet Address      Physical Address      Type
  192.168.1.254         00-22-90-35-64-8a     dynamic

The output above is the IP address and MAC address of the router. We can verify the MAC address of the router like this:

R1#show interfaces FastEthernet 0/0 | include bia
  Hardware is Gt96k FE, address is 0022.9035.648a (bia 0022.9035.648a)

And here’s the ARP table of the router with an entry for the host on the left side:

R1#show ip arp | include 192.168.1.1
Internet  192.168.1.1             8   0050.568e.5e33  ARPA   FastEthernet0/0

This is how it should be, our traffic pattern looks like this:

ARP poisoning normal internet flow

Now let’s see what happens when we perform an ARP poisoning attack…

Traffic Pattern with ARP Poisoning

There are a number of tools you can use for ARP poisoning, I decided to use Kali which is a great Linux distribution with plenty of security tools. Kali comes with an application called Ettercap which offers a couple of MITM (Man in the Middle) attacks.

Do yourself a favor and never try ARP poisoning on any production network, you should always use a lab environment to test any security tools. There are methods to detect ARP poisoning which we will cover in the DAI (Dynamic ARP Inspection) lesson.

I will launch Ettercap on the host with IP address 192.168.1.2. Before we launch Ettercap, there’s a couple of configuration changes we have to make. First open the etter.conf file:

# vim /etc/ettercap/etter.conf

Now change the “ec_uid” and “ec_gid” values to 0:

[privs]
ec_uid = 0          
ec_gid = 0

These values allow Ettercap to get root access which is required to open network sockets. Also make sure that you have the following two rules in your etter.conf file:

redir_command_on = "iptables -t nat -A PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"
redir_command_off = "iptables -t nat -D PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"

The lines above are required so that Kali will forward IP packets. After saving your changes you can start Ettercap:

# ettercap -G

You will be greeted with the following screen:

ettercap main screen

Open the “Sniff” menu and select “Unified sniffing”:

We're Sorry, Full Content Access is for Members Only...

If you like to keep on reading, Become a Member Now! Here is why:

  • Learn any CCNA, CCNP and CCIE R&S Topic. Explained As Simple As Possible.
  • Try for Just $1. The Best Dollar You've Ever Spent on Your Cisco Career!
  • Full Access to our 660 Lessons. More Lessons Added Every Week!
  • Content created by Rene Molenaar (CCIE #41726)

507 Sign Ups in the last 30 days

satisfaction-guaranteed
100% Satisfaction Guaranteed!
You may cancel your monthly membership at any time.
No Questions Asked!

Tags: ,


Forum Replies

  1. This is best explained with the following two captures:

    https://networklessons.com/wp-content/uploads/2015/12/wireshark-capture-arp-request.png

    Above you can see the ARP request. The sender (fa:16:3e:38:94:94) creates the ARP request and is looking for 192.168.12.2. It encapsulates this in an Ethernet frame with its own MAC address as the source and destination broadcast.

    Everyone on the subnet will hear this message, the device that has the destination MAC address will reply:

    //cdn-forum.networklessons.com/uploads/default/original/2X/9/9f60d1190267be572f382a07

    ... Continue reading in our forum

  2. sir , for the scenario
    Computer A ——-Switch1—–ROUTER1——————ROUTER 2 —- Switch2 —– Computer B.

    you said that

    "Computer A will do an ARP request for the IP address of Router 1

    Computer B will do an ARP request for Router 2 (its default gateway).

    Router 1 and Router 2 will do ARP requests on the link that connects them to discover each others MAC addresses."

    please rectify/guide me if i am worng
    computer A will send ARP request to R1 to know R1 MAC address, so whenever it sends send data to ComputerB it will then send it to MAC address of R1.

    sir my second query i

    ... Continue reading in our forum

  3. Hi.

    Router A wants to know MAC address of router B. So, it broadcasts ARP. Only router B replies.
    In this case, target MAC should be FF:FF:FF:FF:FF:FF which is broadcastin ARP request. Why the target MAC is all 0’s in ARP request?

  4. Thanks Lazaros, your explanation has been very useful. Now is more clear for me.

  5. Hi Braulio,

    Every device that has an IP address builds an ARP table. They somehow need to map a L3 IP address to a L2 MAC address.

    A computer (host) will have an ARP table. A switch that you configure with an IP address for remote management also has an ARP table.

    Rene

101 more replies! Ask a question or join the discussion by visiting our Community Forum