Understanding ARP Poisoning

Introduction:

Sniffing on a non-switched network, where a hub is used, is easy: a hub repeats every frame out of every port, so you just run a sniffer and capture everything. A switched network is different. A switch learns which MAC address sits behind which port and forwards each frame only to the port of its destination MAC, so a sniffer on your machine sees only the traffic addressed to your own MAC (plus broadcasts). To capture other hosts' traffic on a switched network we use a technique called ARP poisoning (also called ARP spoofing). Before getting into the details of ARP poisoning, let us look at how communication takes place on a LAN.



Say there are two hosts on a network, host A and host B. When an application on host A wants to send a packet to host B, it must know where B is. The application works with IP addresses, so it only tells the network stack of host A "I want to send a packet to this IP". Delivery on the LAN, however, happens on the basis of MAC addresses, because the lower layers of the OSI model know nothing about the upper ones, so host A needs the MAC address that belongs to host B's IP. Host A therefore broadcasts an ARP request that says, in effect, "who has this IP? tell me your MAC".
Because it is a broadcast, every machine on the network receives it. When it reaches host B, B sends back an ARP reply saying "the MAC address corresponding to my IP is this". The reply is a unicast packet to host A, since host A is the only one that asked.

On receiving the ARP reply, host A knows which MAC address to send the packet to. It also keeps an ARP table (the ARP cache), which maps each IP address it has resolved to the corresponding MAC address, so that it does not have to send an ARP request every time it wants to talk to host B. The next time host A wants to send a packet to host B it simply looks up B's MAC address in that table. This saves network traffic and time; otherwise every packet from A to B would cost an ARP request from A and an ARP reply from B.

Note: there are two types of ARP table entries, static and dynamic. Dynamic entries expire after a timeout (a few minutes by default on Windows; configurable on *nix), after which the host has to ask again. Static entries are not refreshed until you edit or delete them manually or the system is restarted.

So this is how communication takes place over a LAN.
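The request/reply exchange described above, on the wire. This is an added example, not code from the original article: it builds and decodes Ethernet II + ARP frames (RFC 826, Ethernet/IPv4) with the standard library only, and the MAC and IP addresses are constructed for the demo. The resolve() helper replays the exchange: A broadcasts "who has B?", and B answers A alone, but only if the IP asked about is its own.

```python
import struct

ETH_TYPE_ARP = 0x0806
ARP_REQUEST = 1
ARP_REPLY = 2
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"


def mac_to_bytes(mac):
    return bytes(int(octet, 16) for octet in mac.split(":"))


def bytes_to_mac(raw):
    return ":".join(f"{octet:02x}" for octet in raw)


def ip_to_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))


def bytes_to_ip(raw):
    return ".".join(str(octet) for octet in raw)


def build_arp(opcode, sender_mac, sender_ip, target_mac, target_ip, dst_mac=None):
    """Ethernet II header followed by an RFC 826 ARP packet (Ethernet/IPv4).

    A request goes to the broadcast MAC; a reply goes straight back to the asker.
    """
    if dst_mac is None:
        dst_mac = BROADCAST_MAC if opcode == ARP_REQUEST else target_mac
    eth = mac_to_bytes(dst_mac) + mac_to_bytes(sender_mac) + struct.pack("!H", ETH_TYPE_ARP)
    # htype=1 (Ethernet), ptype=0x0800 (IPv4), hlen=6, plen=4, then the opcode
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)
    arp += mac_to_bytes(sender_mac) + ip_to_bytes(sender_ip)
    arp += mac_to_bytes(target_mac) + ip_to_bytes(target_ip)
    return eth + arp


def parse_arp(frame):
    """Decode an Ethernet+ARP frame into its fields; reject anything else."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_TYPE_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol type")
    return {
        "dst_mac": bytes_to_mac(frame[0:6]),
        "src_mac": bytes_to_mac(frame[6:12]),
        "opcode": opcode,
        "sender_mac": bytes_to_mac(frame[22:28]),
        "sender_ip": bytes_to_ip(frame[28:32]),
        "target_mac": bytes_to_mac(frame[32:38]),
        "target_ip": bytes_to_ip(frame[38:42]),
    }


def resolve(a_mac, a_ip, b_mac, b_ip, asked_ip=None):
    """The exchange from the text: A broadcasts 'who has <asked_ip>?', B replies to A alone.

    Returns (parsed request, parsed reply); the reply is None when the request
    was for some other host's IP, because only the owner of target_ip answers.
    """
    asked_ip = asked_ip or b_ip
    request = parse_arp(build_arp(ARP_REQUEST, a_mac, a_ip, ZERO_MAC, asked_ip))
    if request["target_ip"] != b_ip:
        return request, None
    reply = parse_arp(build_arp(ARP_REPLY, b_mac, b_ip,
                                request["sender_mac"], request["sender_ip"]))
    return request, reply


if __name__ == "__main__":
    # Constructed addresses for the demo (TEST-NET-1 range, locally administered MACs).
    req, rep = resolve("02:00:00:00:00:0a", "192.0.2.10", "02:00:00:00:00:0b", "192.0.2.20")
    print("request:", req)
    print("reply:  ", rep)
```

Note that nothing in the reply ties it to the request: the frame carries no transaction ID, so a host that receives a reply has no way to tell, from the packet alone, whether it asked for it.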

How does ARP poisoning work?

There is an attack vector built into this design. When an ARP reply arrives at host A, A blindly assumes it is the reply from host B. Host A does not check whether it ever sent an ARP request for that IP; on receiving an ARP reply it simply adds or updates the entry in its ARP table.
Now suppose there is a third host on the network, host C. What does host C do if it wants to capture the data flowing between host A and host B?
Simple: it crafts two spoofed ARP packets (usually unsolicited replies, though forged requests work on most stacks too, since they update an existing entry from either) and sends them to host A and host B as follows:

It sends host A an ARP packet carrying C's own MAC address together with host B's IP address.
It sends host B an ARP packet carrying C's own MAC address together with host A's IP address.

So now the network looks like this (diagram not reproduced): host A's ARP table maps B's IP address to C's MAC, and host B's ARP table maps A's IP address to C's MAC.


Now when host A wants to send a packet to host B, it looks up B's IP in its ARP table and finds C's MAC instead of B's, so it sends the packet to C's MAC address.
In this way the packet reaches host C.

It is then host C's responsibility to make a copy of the packet and forward it to host B; otherwise the communication between A and B breaks, which is also the easiest way for the victims to notice.

Similarly, when host B wants to send a packet to host A, it looks in its ARP table and sends the packet to C's MAC address (as discussed above).
Again it is host C's responsibility to copy the packet and forward it to host A, otherwise the communication is corrupted.

In this way you can capture, or sniff, data on a switched network. Two practical points: host C must actually forward the intercepted traffic (enable IP forwarding or use a tool that relays the frames), and it must keep re-sending the spoofed replies, because the victims' dynamic entries time out and would otherwise be re-resolved with a real ARP request that the genuine host answers.

An interesting case: 

Suppose you are on a LAN with a gateway and you want to capture the traffic the other hosts send to the Internet. What do you do?
Simple: poison every machine you want to capture with a false entry for the gateway. Say your machine's MAC address is 00-11-22-33-44-55 and the gateway's MAC is aa-bb-cc-dd-ee-ff. Every host's ARP table holds the gateway's MAC against the gateway's IP. If you replace that MAC with your own, all those machines will believe your machine is the gateway and will send their outbound traffic to you; you make a copy and forward it to the real gateway. To capture the incoming traffic as well, you must poison the gateway too, replacing its entries for each machine you are capturing with your own MAC. In this way you can capture the traffic of the entire LAN.
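A simulation of the two scenarios above (host C between A and B, and C impersonating the gateway), as an added example that is not part of the original article. The hosts, MACs and IPs are constructed; the attacker's MAC 00:11:22:33:44:55 and the gateway MAC aa:bb:cc:dd:ee:ff follow the text. Host.on_arp_reply() models the weakness (any reply overwrites the cache), Attacker.poison() sends the unsolicited reply, Attacker.relay() does the copy-and-forward that keeps the victims working, and macs_claiming_several_ips() is the check a victim can run over its own ARP table.

```python
class Host:
    """A LAN host whose ARP cache trusts any ARP reply, the weakness the text describes."""

    def __init__(self, name, mac, ip):
        self.name, self.mac, self.ip = name, mac, ip
        self.arp_cache = {}     # ip -> mac
        self.received = []      # (src_mac, dst_ip, payload) frames delivered to this MAC

    def on_arp_reply(self, sender_ip, sender_mac):
        # No check that a request was ever sent for sender_ip: just add/overwrite.
        self.arp_cache[sender_ip] = sender_mac

    def next_hop_mac(self, dst_ip, lan):
        mac = self.arp_cache.get(dst_ip)
        if mac is None:                      # cache miss: do a real request/reply
            mac = lan.resolve(dst_ip)
            self.arp_cache[dst_ip] = mac
        return mac


class Lan:
    """A switched segment: frames are delivered only to the destination MAC."""

    def __init__(self):
        self.by_mac, self.by_ip = {}, {}

    def add(self, host):
        self.by_mac[host.mac] = host
        self.by_ip[host.ip] = host

    def resolve(self, ip):
        return self.by_ip[ip].mac           # the honest answer to an ARP request

    def send(self, src, dst_ip, payload):
        mac = src.next_hop_mac(dst_ip, self)
        self.by_mac[mac].received.append((src.mac, dst_ip, payload))
        return mac


class Attacker(Host):
    def poison(self, victim, spoofed_ip):
        """Unsolicited ARP reply to the victim: '<spoofed_ip> is at my MAC'."""
        victim.on_arp_reply(spoofed_ip, self.mac)

    def relay(self, lan):
        """Copy every intercepted frame, then forward it to the real owner of dst_ip
        so the victims notice nothing (what IP forwarding or a MITM tool does)."""
        captured, self.received = list(self.received), []
        for src_mac, dst_ip, payload in captured:
            lan.by_ip[dst_ip].received.append((src_mac, dst_ip, payload))
        return captured


def macs_claiming_several_ips(arp_cache):
    """The check a victim can run on its own 'arp -a' output: one MAC listed
    against several IPs (here host B and the gateway) is the classic symptom."""
    ips_by_mac = {}
    for ip, mac in arp_cache.items():
        ips_by_mac.setdefault(mac, set()).add(ip)
    return {mac: ips for mac, ips in ips_by_mac.items() if len(ips) > 1}


def demo():
    lan = Lan()
    a = Host("a", "02:00:00:00:00:0a", "192.0.2.10")       # constructed addresses
    b = Host("b", "02:00:00:00:00:0b", "192.0.2.20")
    gw = Host("gateway", "aa:bb:cc:dd:ee:ff", "192.0.2.1")
    c = Attacker("c", "00:11:22:33:44:55", "192.0.2.66")
    for h in (a, b, gw, c):
        lan.add(h)

    lan.send(a, b.ip, "hello b")            # before poisoning: goes straight to B
    cache_before = dict(a.arp_cache)

    c.poison(a, b.ip)                       # A now thinks B is at C's MAC
    c.poison(b, a.ip)                       # B now thinks A is at C's MAC
    c.poison(a, gw.ip)                      # the "interesting case": A's gateway entry
    c.poison(gw, a.ip)                      # ...and the gateway's entry for A

    lan.send(a, b.ip, "secret for b")
    lan.send(b, a.ip, "secret for a")
    lan.send(a, gw.ip, "GET / HTTP/1.0")    # Internet-bound traffic
    captured = c.relay(lan)

    return {
        "a_cache_before": cache_before,
        "a_cache_after": dict(a.arp_cache),
        "captured": [p for _, _, p in captured],
        "b_got": [p for _, _, p in b.received],
        "gw_got": [p for _, _, p in gw.received],
        "a_suspects": macs_claiming_several_ips(a.arp_cache),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")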

Limitations of ARP poisoning:

1) You cannot capture on a switch that validates ARP traffic. A managed switch with Dynamic ARP Inspection (DAI) enabled, or an equivalent feature that checks ARP replies against a trusted IP-to-MAC binding table (usually built from DHCP snooping), drops the spoofed replies. A managed switch without such a feature enabled does nothing to stop the attack.
2) You can only capture within a LAN (one broadcast domain). ARP does not cross routers, and when the gateway or router forwards a packet out of the network it replaces the Ethernet MAC addresses with its own and the next hop's, so hosts beyond the gateway cannot be poisoned from here.


Author: Hardik Shah




Added on December 21, 2007