Security Explained  
   
 
 

Attacks based on ARP Spoofing

This tutorial explores ARP-related attacks, specifically the Man-in-the-Middle (MITM) attack.

Attacks?

The information contained in this tutorial can be very harmful to a network. This is NOT something you should try in the wild, that is, on a network that you do not own. For our purposes we've set up a test network to experiment with. We feel that the best way to learn about the tools and methodologies hackers use is to use them ourselves. Remember that this information is presented for academic reasons, and use of it on a network that you do not own could be grounds for prosecution and incarceration.

Man in the Middle (MITM)?

The first attack we will look at, and the more useful of the two covered in this tutorial, is the Man-in-the-Middle attack, or MITM for short. As the name implies, the attacker places himself in the middle of selected (or all) communications on the LAN. Every packet between the victims then crosses his machine, where it can be dissected for information such as passwords.

A MITM attack is set up by sending forged ARP replies to two or more hosts on the LAN, feeding them false IP-to-MAC mappings. ARP has no authentication, so a host will accept a reply it never asked for. For example, take a six-host LAN:

Normal Network

The ARP table of each host maps every other host's IP address to the correct MAC address. If Host A wants to contact Host D, it simply looks up Host D's MAC address and sends the frames over.
Now observe what happens when the Attacker transmits ARP replies to Host A and Host D. The reply sent to Host A claims that Host D's IP address belongs to the Attacker's MAC address; the reply sent to Host D claims that Host A's IP address belongs to the Attacker's MAC address:

ARP Poisoning between Host A and Host D

Now Host A and Host D still have correct information about the rest of the LAN, but any packets between Host A and Host D will pass through the Attacker before reaching their destination. This leaves us, as the Attacker, free to dissect and modify packets before passing them on. Note that the Attacker has to forward what he intercepts (with IP forwarding enabled, or with the tool doing the relaying); if he does not, Host A and Host D simply lose contact with each other and the attack is obvious. The Attacker can also poison the whole LAN, leaving it looking something like this:

ARP Poisoning between All hosts on the LAN

Now all information passing between any hosts on the LAN travels through the Attacker. The host computers are unaware anything is going on; after all, they believe the Attacker's MAC address is the correct one for any packets they send or receive. The only visible trace on the victims is in their ARP tables, where the Attacker's MAC address now appears against several different IP addresses.
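To make the mechanism concrete, here is an added example (not code from the original tutorial or from any of the tools it goes on to cover). It builds the raw Ethernet/ARP frames for the two forged replies described above, feeds them to a simulated host that trusts every reply it receives, and shows the resulting tables for the A/D pair and for whole-LAN poisoning. It also includes the simple detection check suggested by the last paragraph: one MAC address answering for several IP addresses. All host names, MAC and IP addresses are made up for the example, and nothing is sent on the wire.

```python
"""Forged ARP replies and their effect on a victim's ARP table (added example).

Nothing here touches a real network interface: frames are built as bytes
and handed to a simulated ARP cache. Addresses are constructed for the demo.
"""
import struct
from collections import defaultdict

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(mac):
    return bytes(int(b, 16) for b in mac.split(":"))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_bytes(ip):
    return bytes(int(o) for o in ip.split("."))


def ip_str(b):
    return ".".join(str(x) for x in b)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Return a 42-byte Ethernet II + ARP frame (hardware=Ethernet, proto=IPv4)."""
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)
    arp += mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp


def parse_arp(frame):
    """Decode the ARP fields a receiving host's stack looks at."""
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    assert (htype, ptype, hlen, plen) == (1, 0x0800, 6, 4)
    return {
        "op": op,
        "sender_mac": mac_str(frame[22:28]),
        "sender_ip": ip_str(frame[28:32]),
        "target_mac": mac_str(frame[32:38]),
        "target_ip": ip_str(frame[38:42]),
    }


class NaiveArpCache:
    """A host that accepts every ARP reply, solicited or not.

    This is the behaviour that makes poisoning work. Real stacks differ in
    detail, but most will overwrite an existing entry when a new reply arrives.
    """

    def __init__(self):
        self.table = {}  # ip -> mac

    def receive(self, frame):
        pkt = parse_arp(frame)
        if pkt["op"] == ARP_REPLY:
            self.table[pkt["sender_ip"]] = pkt["sender_mac"]
        return pkt


def poison_pair(attacker_mac, a_mac, a_ip, d_mac, d_ip):
    """The two forged replies: tell A that D's IP is at the attacker's MAC, and vice versa."""
    to_a = build_arp(ARP_REPLY, attacker_mac, d_ip, a_mac, a_ip)
    to_d = build_arp(ARP_REPLY, attacker_mac, a_ip, d_mac, d_ip)
    return to_a, to_d


def poison_lan(attacker_mac, hosts):
    """Whole-LAN poisoning: one forged reply per (victim, other host) pair."""
    frames = []
    for victim_ip, victim_mac in hosts.items():
        for other_ip in hosts:
            if other_ip != victim_ip:
                frames.append(build_arp(ARP_REPLY, attacker_mac, other_ip, victim_mac, victim_ip))
    return frames


def macs_claiming_multiple_ips(table):
    """Detection check: a MAC that answers for several IPs is the classic poisoning symptom."""
    by_mac = defaultdict(set)
    for ip, mac in table.items():
        by_mac[mac].add(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


# Constructed six-host LAN; Host A is .10 and Host D is .13.
LAN = {
    "192.168.1.10": "00:11:22:33:44:0a",
    "192.168.1.11": "00:11:22:33:44:0b",
    "192.168.1.12": "00:11:22:33:44:0c",
    "192.168.1.13": "00:11:22:33:44:0d",
    "192.168.1.14": "00:11:22:33:44:0e",
    "192.168.1.15": "00:11:22:33:44:0f",
}
ATTACKER_MAC = "de:ad:be:ef:00:01"


def demo_pair():
    """Poison only the A<->D pair; return both victims' tables."""
    host_a, host_d = NaiveArpCache(), NaiveArpCache()
    host_a.table.update(LAN)  # both start with a correct view of the LAN
    host_d.table.update(LAN)
    to_a, to_d = poison_pair(ATTACKER_MAC, LAN["192.168.1.10"], "192.168.1.10",
                             LAN["192.168.1.13"], "192.168.1.13")
    host_a.receive(to_a)
    host_d.receive(to_d)
    return host_a.table, host_d.table


def demo_lan():
    """Poison every pair; return Host A's table after the frames addressed to it arrive."""
    host_a = NaiveArpCache()
    host_a.table.update(LAN)
    for frame in poison_lan(ATTACKER_MAC, LAN):
        if parse_arp(frame)["target_ip"] == "192.168.1.10":
            host_a.receive(frame)
    return host_a.table


if __name__ == "__main__":
    a, d = demo_pair()
    print("Host A now sends to D via", a["192.168.1.13"], "; Host D sends to A via", d["192.168.1.10"])
    print("Suspicious MACs in Host A's table after whole-LAN poisoning:", macs_claiming_multiple_ips(demo_lan()))
```

Running it prints the attacker's MAC for both directions of the A/D pair, and the whole-LAN run shows the attacker's MAC claiming all five other IP addresses in Host A's table. That last line is also what a quick "arp -a" on a real victim would reveal, which is why the duplicate-MAC check is a cheap first test for poisoning on a LAN you administer.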

How do we do it?

Now that we have a good picture of how the whole process works, we'll look at several tools in depth. Please remember not to try this on networks you don't own.

Next: The Tools