Today I will talk about ARP cache poisoning.
Table of contents:
- How does the ARP protocol work?
- Technical attack
- Network flow explanation
The Address Resolution Protocol (ARP) is a communication protocol used for discovering the link layer address, such as a MAC address, associated with a given network layer address, typically an IPv4 address. This mapping is a critical function in the Internet protocol suite. ARP was defined in 1982 by RFC 826, which is Internet Standard STD 37.
ARP has been implemented with many combinations of network and data link layer technologies, such as IPv4, Chaosnet, DECnet and Xerox PARC Universal Packet (PUP) using IEEE 802 standards, FDDI, X.25, Frame Relay and Asynchronous Transfer Mode (ATM). IPv4 over IEEE 802.3 and IEEE 802.11 is the most common usage.
In Internet Protocol Version 6 (IPv6) networks, the functionality of ARP is provided by the Neighbor Discovery Protocol (NDP).
Here I will illustrate a weakness of the ARP protocol that is exploited by the attack called ARP spoofing (or ARP cache poisoning).
In the OSI model above, ARP sits between layer 2 and layer 3, since it links a MAC address to an IP address.
How does the ARP protocol work?
The employee wants to configure the router. There is no entry for it in his ARP table:
So he first has to know whether the router he wants to manage is up or down. A ping is launched:
He then sees that his ARP table has been updated:
So what exactly happens in the background?
There is no entry in the ARP table of the Windows 7 client for IP 192.168.0.254, so an ARP request is broadcast to the whole LAN, saying:
“Who has IP 192.168.0.254? Tell 192.168.0.2!”
The concerned party, the router, answers with a unicast ARP reply, saying:
“192.168.0.254 is at c2:01:2b:d4:00:00”
The client stores this mapping in its ARP cache, and the ping can now be sent to the router because the employee's computer knows which MAC address to put in the Ethernet frame:
“Echo request (ping)”
Finally the router answers the ping with an ICMP echo reply, so the router is up on the LAN:
“Echo reply (ping)”
Here is a Wireshark capture that summarizes the exchange:
So what is the weakness in this simple protocol? ARP has no authentication: a host accepts the IP-to-MAC mapping carried in any ARP message addressed to it, whether or not it asked for it.
The hacker will attack the employee's Win7 computer in order to inspect all its communications.
First I have to turn on IP forwarding on the attacking machine. IP forwarding (also called IP routing) is the process by which a host decides on which path a received packet or datagram should be sent; it uses routing information and is designed to pass packets across multiple networks.
Here it is used to forward the packets intercepted from the victim on to the router, so that the victim keeps its connectivity and does not notice the interception:
Now I will poison the ARP cache of both the victim and the router, so I run two commands in parallel:
1) I poison the ARP table of 192.168.0.2 by telling it that 192.168.0.254 is at 192.168.0.1's MAC address. To do so, I send it ARP replies in which my own MAC address is given as the MAC address of 192.168.0.254.
2) I poison the ARP table of 192.168.0.254 by telling it that 192.168.0.2 is at 192.168.0.1's MAC address. To do so, I send it ARP replies in which my own MAC address is given as the MAC address of 192.168.0.2.
I launch the attack!
In Wireshark we can see the flood of forged ARP replies (they are repeated continuously so that the poisoned entries never expire and get refreshed with the real MAC addresses):
Now the hacker opens Wireshark to inspect all the traffic between the victim and the router, which now passes through his machine:
All the cleartext traffic can be analyzed, and username:password pairs can be recovered and reused to impersonate the victim!
Network flow explanation
Here is how the attack works. First, a summary of the ARP tables on the LAN as they are originally (the MAC addresses are the ones seen in the ARP exchanges below):
ARP table of the devices before the attack:
Windows 7 client (192.168.0.2):  192.168.0.254 -> c2:01:2b:d4:00:00 (router)
Router (192.168.0.254):          192.168.0.2   -> 08:00:27:85:c5:cd (Windows 7 client)
ARP table of the devices after the attack:
Windows 7 client (192.168.0.2):  192.168.0.254 -> 08:00:27:27:06:d4 (hacker)
Router (192.168.0.254):          192.168.0.2   -> 08:00:27:27:06:d4 (hacker)
Here is the ARP flow in the background, still with the same topology:
The hacker knows the IP of a host on the LAN from a previous recon scan, but he does not know its MAC address, so he resolves it with a normal ARP request:
“Who has IP 192.168.0.2? Tell 192.168.0.1!”
The concerned party answers the hacker with its MAC address:
“192.168.0.2 is at 08:00:27:85:c5:cd”
The hacker knows the IP of his gateway from his network configuration, but he wants the associated MAC address:
“Who has IP 192.168.0.254? Tell 192.168.0.1!”
The interface of the router connected to the user LAN answers:
“IP 192.168.0.254 is at c2:01:2b:d4:00:00”
Now the hacker sends forged ARP replies to poison the ARP tables and set up the MITM. First the Win7 client is poisoned with a reply it never asked for, carrying the hacker's MAC address (08:00:27:27:06:d4) as the address of the gateway:
“192.168.0.254 is at 08:00:27:27:06:d4!”
Then the router's ARP table is poisoned with a forged reply claiming the hacker's MAC address for the client's IP:
“IP 192.168.0.2 is at 08:00:27:27:06:d4”
Now if the client wants to reach the web server, its frames are addressed to the hacker's MAC, so the request reaches the hacker first:
“HTTP GET /WebServerDirectory”
Then the hacker, thanks to IP forwarding, routes the packet toward the gateway, which sends it on to the web server; the reply comes back the same way because the router's cache points to the hacker too:
“HTTP GET /WebServerDirectory”
The Wireshark capture looks like this:
The HTTP interception flow looks like this:
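The legitimate exchange from the "How does the ARP protocol work?" section and the two forged replies of the attack, as an added Python example that is not part of the original article: it encodes and decodes Ethernet/ARP frames, builds the client's request and the router's reply, builds the two poisoning replies, and replays them against a small model of the ARP cache to show how the entries flip. The addresses are the ones used in this article; the function names, the cache model and the `learn` rule are this example's own assumptions.

```python
# Added example, not code from the original article: a minimal ARP encoder and
# decoder, the legitimate exchange from this post, and the two forged replies
# used to poison the Win7 client and the router. Addresses are the ones shown in
# the article; everything else (function names, the cache model) is ours.
import struct
from ipaddress import IPv4Address

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"

WIN7_IP, WIN7_MAC = "192.168.0.2", "08:00:27:85:c5:cd"
ROUTER_IP, ROUTER_MAC = "192.168.0.254", "c2:01:2b:d4:00:00"
HACKER_IP, HACKER_MAC = "192.168.0.1", "08:00:27:27:06:d4"


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_arp(op, sha, spa, tha, tpa, eth_dst=None) -> bytes:
    """Ethernet II header + RFC 826 ARP body for IPv4 over Ethernet (42 bytes)."""
    if eth_dst is None:  # requests are broadcast, replies go straight to the target
        eth_dst = BROADCAST if op == ARP_REQUEST else tha
    eth = struct.pack("!6s6sH", mac_bytes(eth_dst), mac_bytes(sha), ETH_P_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s",
                      1, 0x0800, 6, 4, op,          # htype Ethernet, ptype IPv4
                      mac_bytes(sha), IPv4Address(spa).packed,
                      mac_bytes(tha), IPv4Address(tpa).packed)
    return eth + arp


def parse_arp(frame: bytes) -> dict:
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETH_P_ARP:
        raise ValueError("not an ARP frame")
    _, _, _, _, op, sha, spa, tha, tpa = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    return {"eth_dst": mac_str(eth_dst), "eth_src": mac_str(eth_src), "op": op,
            "sha": mac_str(sha), "spa": str(IPv4Address(spa)),
            "tha": mac_str(tha), "tpa": str(IPv4Address(tpa))}


def describe(frame: bytes) -> str:
    """Wireshark-style one-line summary of an ARP frame."""
    a = parse_arp(frame)
    if a["op"] == ARP_REQUEST:
        return f"Who has {a['tpa']}? Tell {a['spa']}"
    return f"{a['spa']} is at {a['sha']}"


def learn(cache: dict, my_ip: str, frame: bytes) -> None:
    """The RFC 826 merge rule that spoofing abuses: a host receiving an ARP
    message aimed at its own IP records sender IP -> sender MAC, whether the
    message is a request or a reply, and whether or not it ever asked."""
    a = parse_arp(frame)
    if a["tpa"] == my_ip:
        cache[a["spa"]] = a["sha"]


def legit_exchange():
    """Step 1 of the article: the Win7 client resolves the router."""
    request = build_arp(ARP_REQUEST, WIN7_MAC, WIN7_IP, ZERO_MAC, ROUTER_IP)
    reply = build_arp(ARP_REPLY, ROUTER_MAC, ROUTER_IP, WIN7_MAC, WIN7_IP)
    return request, reply


def poison_frames():
    """The two forged replies: each claims the hacker's MAC for the other party's IP."""
    to_win7 = build_arp(ARP_REPLY, HACKER_MAC, ROUTER_IP, WIN7_MAC, WIN7_IP)
    to_router = build_arp(ARP_REPLY, HACKER_MAC, WIN7_IP, ROUTER_MAC, ROUTER_IP)
    return to_win7, to_router


def simulate():
    """Return (win7 cache, router cache) before and after the poisoning."""
    win7, router = {}, {}
    request, reply = legit_exchange()
    learn(router, ROUTER_IP, request)   # router learns the asker from the broadcast
    learn(win7, WIN7_IP, reply)
    before = (dict(win7), dict(router))
    for frame in poison_frames():
        learn(win7, WIN7_IP, frame)      # only the frame aimed at 192.168.0.2 sticks here
        learn(router, ROUTER_IP, frame)  # and only the other one sticks on the router
    return before, (dict(win7), dict(router))


if __name__ == "__main__":
    for f in (*legit_exchange(), *poison_frames()):
        print(describe(f))
    print(simulate())
```

Nothing in the forged replies is malformed: they are byte-for-byte valid ARP replies, only the sender fields lie, which is why no parser or switch can reject them on syntax alone. To put them on a real wire you would need a raw socket (or a tool such as the one used in the attack section) bound to the attacking interface; the repeated sending seen in the capture is what keeps the poisoned entries from being corrected by the real hosts.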
One effective mitigation is to segment the network with VLANs: ARP messages are confined to one broadcast domain, so the forged replies can only reach hosts in the same VLAN as the attacker, which limits what he can intercept.
In the topology above, I have configured port-based VLANs.
You can also:
-Configure a detection rule that raises an alert when too many ARP replies appear on the network in a short period of time, or when an IP address suddenly maps to a different MAC address [SOC]
-Use only authenticated, encrypted protocols such as HTTPS, SSH… so that intercepted traffic cannot be read or tampered with [defense in depth]
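The SOC rule above, as an added Python example that is not part of the original article: a small detector fed with ARP replies as (seconds, sender MAC, sender IP) tuples, which a capture tool or a sensor's parser would supply. It raises an alert when a known IP suddenly answers from a different MAC, when one MAC claims several IPs (both ends of the MITM), and when one MAC sends more than a threshold of replies inside a time window. The replay is constructed from the addresses used in this article, with 08:00:27:27:06:d4 as the hacker; the thresholds and alert format are this example's own assumptions.

```python
# Added example, not code from the original article: a small detector for the
# SOC rule above. It consumes ARP replies as (seconds, sender_mac, sender_ip)
# tuples, which a capture tool or the parser of a real sensor would supply. The
# replay below is constructed from the addresses used in this article, with
# 08:00:27:27:06:d4 as the hacker.
from collections import defaultdict, deque

WIN7_MAC = "08:00:27:85:c5:cd"
ROUTER_MAC = "c2:01:2b:d4:00:00"
HACKER_MAC = "08:00:27:27:06:d4"

# Constructed replay: two legitimate replies, then the hacker's poisoning loop
# re-sending both forged replies every half second.
SAMPLE_REPLIES = [
    (0.0, ROUTER_MAC, "192.168.0.254"),
    (0.1, WIN7_MAC, "192.168.0.2"),
] + [
    (5.0 + i * 0.5, HACKER_MAC, "192.168.0.254" if i % 2 == 0 else "192.168.0.2")
    for i in range(12)
]


def detect_arp_spoofing(replies, window=10.0, max_replies=5):
    """Return a list of alert dicts for three indicators:
    - mac-change: an IP we already know answers from a different MAC
    - multi-ip:   one MAC claims to own more than one IP (both ends of a MITM)
    - rate:       more than max_replies replies from one MAC within window seconds
    """
    alerts = []
    ip_to_mac = {}                  # last MAC seen for each IP
    mac_to_ips = defaultdict(set)   # all IPs each MAC has claimed
    recent = defaultdict(deque)     # timestamps of recent replies per MAC
    already = set()                 # alert once per (indicator, key) to avoid flooding the SOC

    def alert(kind, key, **details):
        if (kind, key) not in already:
            already.add((kind, key))
            alerts.append({"type": kind, "key": key, **details})

    for t, mac, ip in replies:
        old = ip_to_mac.get(ip)
        if old is not None and old != mac:
            alert("mac-change", ip, old_mac=old, new_mac=mac, time=t)
        ip_to_mac[ip] = mac

        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) > 1:
            alert("multi-ip", mac, ips=sorted(mac_to_ips[mac]), time=t)

        q = recent[mac]
        q.append(t)
        while q and t - q[0] > window:   # drop timestamps outside the sliding window
            q.popleft()
        if len(q) > max_replies:
            alert("rate", mac, count=len(q), time=t)
    return alerts


if __name__ == "__main__":
    for a in detect_arp_spoofing(SAMPLE_REPLIES):
        print(a)
```

The mac-change indicator is the most precise one for this attack but also fires on legitimate events (a replaced network card, a DHCP lease handed to another machine, a gateway failover), so it should be checked against an inventory of known MAC addresses before paging anyone; the rate threshold depends on the size of the LAN and is best calibrated on a normal day of traffic.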
ARP spoofing is an old attack, but it is still effective.
Because it operates at layer 2, remediation is not obvious: there is no way to authenticate ARP messages themselves. But hardening features can be applied on the switch (Dynamic ARP Inspection backed by DHCP snooping, or static ARP entries on critical hosts) and on network monitoring to detect ARP spoofing.
If you have any questions, I will be glad to answer them.
You can also find me on Twitter: gr3g0v1tch!