ARP spoofing: when danger lurks in the local network

1 Answer

Best answer


ARP spoofing: when danger lurks in the local network

With firewalls, proxy servers and demilitarized zones (DMZs), the security equipment that large companies use to protect themselves from risks from the Internet is constantly growing, yet attacks do not always come from outside. The Achilles heel of the security chain is often the local network or LAN. If an attacker has managed to infiltrate the internal network, he generally has all the doors open to intercept the data traffic and manipulate it at his convenience. Hackers benefit in this case from the high vulnerability of the ARP protocol (Address Resolution Protocol), used in Ethernet networks based on IPv4 to resolve IP addresses into MAC addresses, which to this day confronts administrators with an important security issue.

ARP tables, which contain addresses and their equivalents, can be easily manipulated by forged data packets. In this case, one can speak of ARP spoofing or poisoning of ARP tables, a man-in-the-middle attack that allows hackers to interfere between two systems without being seen. Here we show you how you can manipulate the address resolution and present some protection measures against these attacks.

  1. ARP tables and address resolution on the LAN
  2. What is ARP spoofing?
  3. The most popular ARP spoofing programs
  4. ARP spoofing and data encryption
  5. Protection measures against ARP spoofing

ARP Spoofing Definition

ARP spoofing refers to man-in-the-middle attacks that target the ARP tables of local networks. In this type of attack, cybercriminals send fake ARP packets in order to infiltrate the communication between two systems to spy on or manipulate their data traffic.

ARP tables and address resolution on the LAN

Unlike on the Internet, devices connected to a local network do not communicate directly using their IP address. Instead, for address resolution in IPv4 networks, physical hardware addresses are used, the so-called MAC (Media Access Control) addresses, consisting of a unique 48-bit code that unequivocally identifies the network card of each device on the local network.

Example of a MAC address: 00-80-41-ae-fd-7e

MAC addresses are assigned by hardware manufacturers and are globally unique. In theory these physical addresses should be able to resolve addresses locally, but in practice this is not feasible, as IPv4 addresses are too short to fully reproduce MAC addresses. This is the reason why, in networks based on this protocol, address resolution using ARP is essential.

In order to communicate with computer B, computer A needs to find out the MAC address associated with its IP address. This is where the Address Resolution Protocol, or ARP, comes in, a network protocol that works according to the request-response model.

In the search for the corresponding MAC address, computer A broadcasts a request (ARP request) to all network devices containing the following information:

A computer with the MAC address xx-xx-xx-xx-xx-xx and the IP address yyy.yyy.yyy.yyy wants to contact a computer with the IP address zzz.zzz.zzz.zzz and needs its MAC address.

To avoid having to send an ARP request every time a data packet is sent, all computers on the network have a table (ARP cache), where all known MAC addresses, including their associated IPs, are temporarily stored. These computers, after receiving the request, write down the pair of addresses (IP and MAC) delivered together with the request, but the response with the MAC address can only be given by one of them, computer B. Its response could be something like:

Here is the system with the IP address zzz.zzz.zzz.zzz. The requested MAC address is aa-aa-aa-aa-aa-aa.

When computer A receives this reply (ARP reply), it already has all the information it needs to send data packets to computer B. At this point there is nothing to prevent communication on the local network. Now, what if the one responding is not the expected computer, but a device controlled by an external person with dubious objectives? This is where ARP spoofing comes into play.

Exemplary representation of an Ethernet frame. A tampered frame can contain, for example, an incorrect source MAC address.

What is ARP spoofing?

This request and response pattern of the Address Resolution Protocol is programmed in such a way that the first response to a request is the one that is accepted and stored. When carrying out an ARP spoofing action, the hacker's intention is to get ahead of the target computer itself, send a response packet with false information and, in this way, manipulate the ARP table of the computer that made the request, which is why this attack is also called ARP poisoning or ARP table poisoning. Typically, the reply data packet contains the MAC address of a device on the network controlled by the attacker. In this way, the "cheated" system associates the target IP with a false physical address and in the future, without knowing it, sends all its data packets to the system controlled by the hacker, which from then on has the possibility to spy on, record or manipulate the data traffic completely.

To remain incognito, the data traffic is generally redirected to the actual destination system. The attacker thus stands in an intermediate position (man in the middle). If the packets are not forwarded, ARP spoofing could result in a denial of service (DoS).

ARP table poisoning is not only possible in wired local networks, but also in wireless or WLAN networks, in which even encryption using a WPA (Wi-Fi Protected Access) key does not offer any protection. This is because, to be able to communicate in local networks with IPv4, all the connected devices need to resolve MAC addresses, something that is only possible with ARP tables.

A well-known piece of software that intercepts broadcast requests and sends false responses is Cain & Abel. But to poison the ARP cache of network devices, the attacker does not necessarily have to wait for requests to arrive. An alternative strategy is to constantly bombard the network with false responses, because, although most systems that have not issued any requests will ignore these responses, as soon as a computer issues a request it is ready to accept a response to its request. Now the question is which of the two answers comes first, the true one or the false one. This attack pattern can be automated with programs like Ettercap. Here we show you a selection of the best known.


The most popular ARP spoofing programs

On the net there are some programs that are used to carry out ARP spoofing attacks and that are available to the public. Generally treated as security tools, with their help, administrators can assess the health of the network itself and secure it against the most common attack patterns. Popular applications include ARP0c / WCI, Arpoison, Cain & Abel, Dsniff, Ettercap, FaceNiff, and NetCut.

  • ARP0c / WCI: According to its developers, this is a tool that uses ARP table poisoning to intercept connections on a private local network. To do this, the software sends forged response packets that redirect the data traffic to the system where the tool is installed. An integrated bridging engine handles forwarding to the actual target system. The packets not delivered locally are forwarded by the software to the corresponding router, so that the man-in-the-middle attack goes unnoticed. The program is available for both Linux and Windows and can be downloaded for free from the manufacturer's website.
  • Arpoison: This tool, used in the framework of network analysis but also as spoofing attack software, generates ARP packets in which the user can freely define the sender and destination addresses. Arpoison is freely available under the GNU license.
  • Cain & Abel: Developed as password recovery software, Cain & Abel offers the ability to intercept networks and crack passwords. Since version 2.5, the software also includes spoofing functions with which IP traffic can be captured on local networks. SSH and HTTPS connections are not a big obstacle for this software either. Since version 4.0, it also supports the AirPcap adapter, which allows passive reading of data traffic in WLAN networks, and since version 4.9.1 it is capable of attacking wireless networks protected by WPA.
  • Dsniff: In this case it is a collection of programs that includes various tools for network analysis and penetration tests. Dsniff, Filesnarf, Mailsnarf, Msgsnarf, Urlsnarf and Webspy allow intervening in networks and intercepting files, emails or passwords. Arpspoof, Dnsspoof and Macof find normally inaccessible data, while the Sshmitm and Webmitm programs are used to carry out man-in-the-middle attacks on connections secured by SSH and SSL/TLS.
  • Ettercap: This simple software, used mainly for man-in-the-middle attacks, supports various Linux distributions, as well as Mac OS X (Snow Leopard and Lion). Installation on Windows is possible, although it requires extra settings. In addition to the console, users have an ncurses frontend and a GTK2 GUI as a graphical interface. The tool allows automating actions such as sniffing, ARP attacks and password collection, and is capable of manipulating intercepted data and attacking connections protected by SSH or SSL. It is officially offered as security software and is often used in product testing.
  • FaceNiff: This Android application allows passively reading and controlling session cookies in WLAN networks. Attackers use it to hack Facebook, Amazon or Twitter accounts, even when the wireless network is protected by WEP, WPA-PSK or WPA2-PSK. The only reliable protection against FaceNiff is provided by EAP (Extensible Authentication Protocol) and SSL. This software is based on the Firefox extension Firesheep and is used on Android smartphones in combination with the default browser (AOSP).
  • NetCut: With this network management software, webmasters manage their network on the basis of ARP. The tool identifies all connected devices on the network and lists their MAC addresses. A simple click on one of the addresses in the list is enough to disconnect that device from the network. This means this software is used for DoS attacks, as long as the attacker is on the same network as his victim. In contrast, it is not possible to carry out man-in-the-middle attacks with this tool.

ARP spoofing and data encryption

The moment a hacker manages to infiltrate the dialogue between two hosts and the connections are unprotected, they have full freedom of movement, since, in a hijacked connection, all communication runs through the attacker's system, which can thus spy on and manipulate the data at will. However, encryption techniques and authentication certificates promise a high degree of protection against data espionage. If a hacker intercepts encrypted data, the worst that can happen is a denial of service (DoS), because the data packets are not delivered. Of course, a fundamental condition for data encryption to work reliably is to apply it consistently.

Numerous tools used in man-in-the-middle attacks offer, along with spoofing functions, SSL/TLS and SSH encryption implementations, among other protocols, for both client and server, which makes them capable of even mimicking these certificates and generating encrypted connections. Cain & Abel simulates, for example, a web server capable of encrypting with SSL, which issues a fake SSL certificate to the attacked system. And although network users receive a security warning in this case, they do not usually take it seriously and ignore it, or believe that it is false. Here it should be noted, in passing, that the responsible handling of digital certificates is an essential component of network security and that users should be trained accordingly.

Protection measures against ARP spoofing

By taking advantage of the operation of the Address Resolution Protocol, ARP table poisoning can affect, in principle, all IPv4 networks. This problem has not been solved by the introduction of version 6 of the protocol (IPv6) either. The new standard forgoes ARP tables, but regulates address resolution on the LAN using the NDP (Neighbor Discovery Protocol) protocol, which is also prone to spoofing attacks. This vulnerability is only covered by the Secure Neighbor Discovery (SEND) protocol, which is supported by only a few desktop operating systems.

Against manipulation of the ARP cache, static ARP entries, which in Windows can be created with the arp program (arp -s command), represent some protection, but since they have to be created manually, this protection measure is usually applied only to the most important systems of the network.

Another way to protect against ARP table abuse is to subdivide the network using Layer 3 switches, so that uncontrolled broadcast requests affect only systems within a segment. Those that reach other segments are examined by the switch. If it works at the network level (layer 3), in addition to the MAC it also compares the IP address with previous records. If inconsistencies or frequent rearrangements are found, the switch sounds the alarm. However, this hardware is associated with high acquisition costs, so administrators are often faced with the uncomfortable dilemma of deciding whether the increased security is worth the financial expense. The much more affordable traditional Layer 2 switches are not suitable because, even though they are able to record a change in MAC address, they ignore the corresponding IP address.

Many manufacturers offer monitoring programs with which you can monitor networks and detect conspicuous processes. The best known tools are the open source programs Arpwatch, ARP-Guard and XArp. Intrusion detection systems like Snort can also be used to monitor address resolution via ARP.

  • Arpwatch: Integrated into an IPv4 local network, this platform-independent tool records all ARP-related activities on the LAN. The program extracts the addresses of all incoming ARP packets and stores them in a central database. If old records are detected that do not match the current data, a warning email is sent to the administrator. Although this system is effective, it is only suitable for networks with static IP addresses. If the IPs in a LAN are distributed dynamically by a DHCP server, each change in the IP/MAC assignment generates an alarm.
  • ARP-Guard: ARP-Guard, developed by the German company ISL, relies on two different sensors to monitor the internal network. The LAN sensor, similar to Arpwatch, analyzes incoming data packets and triggers the alarm in case of mismatches. The SNMP sensor, for its part, accesses the devices connected to the LAN through the Simple Network Management Protocol (SNMP) and reads their ARP tables. In this way, not only can ARP attacks be located and repelled, but the integrated address management also allows foreign devices to be detected and prevented from accessing the network.
  • XArp: XArp software uses active and passive modules to protect the network from ARP spoofing. The passive ones analyze ARP packets sent over the network and compare the addresses they associate with older records. If inconsistencies are detected, the alarm goes off. The control mechanism relies for this on statistical analysis and checks the network traffic against various patterns that, in the opinion of the developers, characterize ARP attacks. The sensitivity of these traffic filters can be adjusted at various levels. The active modules, for their part, send packets to the network themselves to validate the ARP tables of the contacted devices and supply them with valid data.

The Snort Intrusion Detection System (IDS) also has a built-in Arpspoof preprocessor that allows you to monitor data traffic on your network and manually build comparison lists, but it is much more labor intensive and is often used at the transition to external networks. Deciding whether it is worthwhile to apply it within the LAN depends on each individual case. At the corporate level, this measure is often opposed by works councils, because the administrator who oversees the network with an IDS has access to the entire traffic on the network and, thus, also to all the activities of the company's employees.
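To make the Arpwatch-style detection described in the answer concrete, here is an added example (not code from the answer or from any of the tools named) that parses raw Ethernet/ARP frames, learns the IP-to-MAC bindings that every request and reply carries, and raises an alert both when a binding changes and when a reply arrives that no one requested (the "bombard the network with false responses" pattern). The MAC and IP values, and the build_arp helper that constructs the sample frames, are assumptions made for the demo.

```python
import struct

ETH_HDR = struct.Struct("!6s6sH")            # dst MAC, src MAC, EtherType
ARP_PKT = struct.Struct("!HHBBH6s4s6s4s")     # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP, ARP_REQUEST, ARP_REPLY = 0x0806, 1, 2

def mac2b(s): return bytes.fromhex(s.replace("-", ""))
def ip2b(s): return bytes(int(x) for x in s.split("."))
def b2mac(b): return "-".join(f"{x:02x}" for x in b)
def b2ip(b): return ".".join(str(x) for x in b)

def build_arp(op, sha, spa, tha, tpa):
    """Constructed Ethernet/ARP frame for the demo (not captured traffic)."""
    dst = b"\xff" * 6 if op == ARP_REQUEST else mac2b(tha)   # requests are broadcast
    return (ETH_HDR.pack(dst, mac2b(sha), ETHERTYPE_ARP) +
            ARP_PKT.pack(1, 0x0800, 6, 4, op, mac2b(sha), ip2b(spa), mac2b(tha), ip2b(tpa)))

def parse_arp(frame):
    """Return (op, sender_mac, sender_ip, target_ip), or None if not an ARP frame."""
    if len(frame) < ETH_HDR.size + ARP_PKT.size: return None
    _, _, etype = ETH_HDR.unpack_from(frame)
    if etype != ETHERTYPE_ARP: return None
    _, _, _, _, op, sha, spa, _, tpa = ARP_PKT.unpack_from(frame, ETH_HDR.size)
    return op, b2mac(sha), b2ip(spa), b2ip(tpa)

class ArpMonitor:
    """Passive Arpwatch-style monitor: every ARP request and reply carries the
    sender's IP/MAC pair, so both are learned; a changed binding or a reply
    that no host asked for is reported. The first binding seen is kept."""
    def __init__(self):
        self.table, self.pending, self.alerts = {}, set(), []

    def feed(self, frame):
        parsed = parse_arp(frame)
        if parsed is None: return None
        op, sha, spa, tpa = parsed
        if op == ARP_REQUEST:
            self.pending.add(tpa)                       # a host is now waiting for tpa's MAC
        elif op == ARP_REPLY:
            if spa not in self.pending:                 # nobody asked: unsolicited reply
                self.alerts.append(f"unsolicited reply: {spa} is-at {sha}")
            self.pending.discard(spa)
        known = self.table.setdefault(spa, sha)
        if known != sha:                                # IP now claimed by another MAC
            self.alerts.append(f"binding change: {spa} {known} -> {sha}")
        return parsed

def demo():
    m = ArpMonitor()   # constructed scenario: A asks for gateway, gateway answers, then a fake answer
    m.feed(build_arp(ARP_REQUEST, "00-80-41-ae-fd-7e", "10.0.0.10", "00-00-00-00-00-00", "10.0.0.1"))
    m.feed(build_arp(ARP_REPLY, "aa-aa-aa-aa-aa-aa", "10.0.0.1", "00-80-41-ae-fd-7e", "10.0.0.10"))
    m.feed(build_arp(ARP_REPLY, "bb-bb-bb-bb-bb-bb", "10.0.0.1", "00-80-41-ae-fd-7e", "10.0.0.10"))
    return m
```

As the answer notes for Arpwatch, on a LAN with DHCP a binding change can be legitimate, so the second alert type needs a whitelist or lease correlation before it is acted on.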