ARP cache poisoning

Today, I will talk about ARP cache poisoning.

Table of contents:

  1. Introduction
  2. Topology
  3. How does the ARP protocol work?
  4. Technical attack
  5. Network flow explanation
  6. Remediation
  7. Conclusion

Introduction

The Address Resolution Protocol (ARP) is a communication protocol used for discovering the link layer address, such as a MAC address, associated with a given network layer address, typically an IPv4 address. This mapping is a critical function in the Internet protocol suite. ARP was defined in 1982 by RFC 826, which is Internet Standard STD 37.

ARP has been implemented with many combinations of network and data link layer technologies, such as IPv4, Chaosnet, DECnet and Xerox PARC Universal Packet (PUP) using IEEE 802 standards, FDDI, X.25, Frame Relay and Asynchronous Transfer Mode (ATM). IPv4 over IEEE 802.3 and IEEE 802.11 is the most common usage.

In Internet Protocol Version 6 (IPv6) networks, the functionality of ARP is provided by the Neighbor Discovery Protocol (NDP).

Here I will illustrate a vulnerability in the ARP protocol known as ARP spoofing.

Image1.png

In the OSI model above, the ARP protocol sits between layers 2 and 3, as it links a MAC address to an IP address.

Topology

Image1.png

How does the ARP protocol work?

The employee wants to configure the router. There is no entry in its ARP table:

Image1.png

So he first has to know whether the router he wants to manage is up or down. A ping is launched:

Image1.png

He discovers that his ARP table has been updated:

Image1.png

So how does it work in the background, exactly?

There is no entry in the Windows 7 host's ARP table for IP 192.168.0.254, so an ARP request is broadcast, saying:

“Source: 08:00:27:85:c5:cd
Destination: ff:ff:ff:ff:ff:ff
Who has IP 192.168.0.254? Respond to 192.168.0.2!”

Image1.png

Then the concerned party, the router, answers with an ARP reply saying:

“Source: c2:01:2b:d4:00:00
Destination: 08:00:27:85:c5:cd
192.168.0.254 is at c2:01:2b:d4:00:00”

Image1.png

The ping is now sent to the router, because the employee's computer knows the MAC address associated with that IP on the LAN:

“Source: 192.168.0.2
Destination: 192.168.0.254
Echo request (ping)”

Image1.png

Finally the router answers the ping with an ICMP echo reply, so the router is up on the LAN:

“Source: 192.168.0.254
Destination: 192.168.0.2
Echo reply (ping)”

Image1.png

Here is a Wireshark capture that summarizes the exchange:

Image1.png

So what is the vulnerability in this simple protocol?

Technical attack

The hacker will attack the employee's Win7 computer in order to inspect all of its communications.

First I have to turn on IP forwarding. IP forwarding, also known as IP routing or Internet routing, is the process used to determine the path over which a packet or datagram is sent. The process uses routing information to make its decisions and is designed to send a packet across multiple networks.
Here it will be used to forward packets from the victim on to the router after the hacker has intercepted them:

tmp.png

Now I will poison the ARP cache of both the victim and the router, so I run two commands in parallel:

tmp.png

1) I poison the ARP table of 192.168.0.2 by telling it that 192.168.0.254 is at 192.168.0.1's MAC address. To do so, I send it my own MAC address as the MAC address corresponding to 192.168.0.254.
2) I poison the ARP table of 192.168.0.254 by telling it that 192.168.0.2 is at 192.168.0.1's MAC address. To do so, I send it my own MAC address as the MAC address corresponding to 192.168.0.2.

I launch the attack!

tmp.png

In Wireshark we can see the ARP bombing:

tmp.png

Now the hacker opens Wireshark to inspect all traffic leaving the LAN:

tmp.png

All unencrypted traffic can be analyzed, and username:password pairs can be retrieved for identity theft!

Network flow explanation

Here is how the attack works. First, a summary of the devices on the LAN and their original MAC addresses:

Victim: 08:00:27:85:C5:CD
Hacker: 08:00:27:27:06:D4
Router: C2:01:2C:30:00:00

ARP table of the devices before the attack:

Router

tmp.png

Windows 7 client

tmp.png

ARP table of the devices after the attack:

Router

tmp.png

Windows 7 client

tmp.png

Here is the ARP flow in the background, still with the same topology:

tmp.png

The hacker knows the IP of a host on the LAN from a previous recon scan, but has no clue about its MAC address:
“Source: 08:00:27:27:06:d4
Destination: ff:ff:ff:ff:ff:ff
Who has IP 192.168.0.2? Respond to 192.168.0.1!”

Sans titre.png

The concerned party responds to the hacker giving its MAC address:
“Source: 08:00:27:85:c5:cd
Destination: 08:00:27:27:06:d4
192.168.0.2 is at 08:00:27:85:c5:cd”

Sans titre.png

The hacker knows the IP of its gateway from its network configuration, but wants the associated MAC address:
“Source: 08:00:27:27:06:d4
Destination: ff:ff:ff:ff:ff:ff
Who has IP 192.168.0.254? Respond to 192.168.0.1!”

Sans titre.png

The network interface of the router connected to the user LAN responds:
“Source: c2:01:2b:d4:00:00
Destination: 08:00:27:27:06:d4
IP 192.168.0.254 is at c2:01:2b:d4:00:00”

Sans titre.png

Now the hacker sends false ARP replies to spoof the ARP tables and set up the MitM. First the W7 client is poisoned:
“Source: 08:00:27:27:06:d4
Destination: 08:00:27:85:c5:cd
192.168.0.254 is at 08:00:27:27:06:d4!”

Sans titre.png

Then, the router ARP table is poisoned with a false ARP message from the hacker:
“Source: 08:00:27:27:06:d4
Destination: c2:01:2b:d4:00:00
IP 192.168.0.2 is at 08:00:27:27:06:d4”

Sans titre.png

Now, if the client wants to reach the webserver, the request is forwarded first to the hacker and then on to the webserver:
“Source: 192.168.0.2
Destination: 192.168.1.1
HTTP GET /WebServerDirectory”

Image1.png

Then the hacker routes the packet toward the network exit node:
“Source: 192.168.0.2
Destination: 192.168.1.1
HTTP GET /WebServerDirectory”

Image1.png

The Wireshark capture looks like this:

Image1.png

The HTTP interception flow looks like this:

Sans titre.png

Remediation

The best solution is to control traffic by configuring VLANs.
In the topology above, I have used port-based VLANs.

Sans titre.png

You can also:

- Configure a rule that raises an alert if too many ARP messages are seen on the network in a short period of time [SOC]

- Only use trusted, secure protocols such as HTTPS, SSH… [defense in depth]
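
As an added example (not code from the original post), here is a small Python detector implementing the SOC rule above: it parses raw Ethernet/ARP frames using the RFC 826 layout of the request/reply exchange shown earlier, flags an IP that gets re-bound to a different MAC (the poisoning itself), and flags a burst of ARP frames (the bombing seen in Wireshark). The frame bytes are constructed here from the MAC and IP addresses in the post; the threshold and window values are assumptions.

```python
import struct

ETH_HDR = struct.Struct("!6s6sH")           # dst MAC, src MAC, EtherType
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")   # RFC 826 body for Ethernet/IPv4 (28 bytes)
ETHERTYPE_ARP, ARP_REQUEST, ARP_REPLY = 0x0806, 1, 2

def _mac(b): return ":".join(f"{x:02x}" for x in b)
def _ip(b): return ".".join(str(x) for x in b)

def parse_arp(frame):
    """Return the ARP fields of a raw Ethernet frame, or None if it is not ARP."""
    _dst, _src, etype = ETH_HDR.unpack_from(frame)
    if etype != ETHERTYPE_ARP:
        return None
    _ht, _pt, _hl, _pl, op, sha, spa, tha, tpa = ARP_HDR.unpack_from(frame, ETH_HDR.size)
    return {"op": op, "sha": _mac(sha), "spa": _ip(spa), "tha": _mac(tha), "tpa": _ip(tpa)}

def build_arp(op, sha, spa, tha, tpa, eth_dst=None):
    """Constructed helper: build a raw Ethernet+ARP frame (Ethernet src = sender MAC)."""
    m = lambda s: bytes.fromhex(s.replace(":", ""))
    i = lambda s: bytes(int(x) for x in s.split("."))
    eth = ETH_HDR.pack(m(eth_dst or tha), m(sha), ETHERTYPE_ARP)
    return eth + ARP_HDR.pack(1, 0x0800, 6, 4, op, m(sha), i(spa), m(tha), i(tpa))

def detect_arp_anomalies(frames, flood_threshold=10, window=1.0):
    """frames: iterable of (timestamp, raw_frame). Returns a list of alert strings.
    CONFLICT: an IP previously bound to one MAC is now claimed by another (poisoning).
    FLOOD: more than flood_threshold ARP frames within `window` seconds (ARP bombing)."""
    alerts, bindings, recent = [], {}, []
    for ts, frame in frames:
        arp = parse_arp(frame)
        if arp is None:
            continue
        recent = [t for t in recent if ts - t <= window] + [ts]
        if len(recent) == flood_threshold + 1:      # alert once when the window overflows
            alerts.append(f"FLOOD {len(recent)} ARP frames in {window}s at t={ts}")
        # The sender fields (spa -> sha) are a binding claim in both requests and replies.
        known = bindings.setdefault(arp["spa"], arp["sha"])
        if known != arp["sha"]:
            alerts.append(f"CONFLICT {arp['spa']} was {known}, now claimed by {arp['sha']}")
    return alerts

# Constructed sample capture reproducing the exchange above (MACs/IPs taken from the post).
WIN7, ROUTER, HACKER = "08:00:27:85:c5:cd", "c2:01:2b:d4:00:00", "08:00:27:27:06:d4"
SAMPLE = [
    (0.00, build_arp(ARP_REQUEST, WIN7, "192.168.0.2", "00:00:00:00:00:00", "192.168.0.254", "ff:ff:ff:ff:ff:ff")),
    (0.01, build_arp(ARP_REPLY, ROUTER, "192.168.0.254", WIN7, "192.168.0.2")),
    (5.00, build_arp(ARP_REPLY, HACKER, "192.168.0.254", WIN7, "192.168.0.2")),    # poisons the client
    (5.00, build_arp(ARP_REPLY, HACKER, "192.168.0.2", ROUTER, "192.168.0.254")),  # poisons the router
]
```

Running `detect_arp_anomalies(SAMPLE)` yields two CONFLICT alerts, one per poisoned binding; in practice the same logic would be fed from a live capture or a pcap instead of the constructed list.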

Conclusion

ARP spoofing is an old attack, but it is still effective.
Because it operates at layer 2, remediation is not obvious, but some hardening features can be applied on the switch or in network monitoring to detect ARP spoofing.

If you have any questions, I will be glad to answer them.

You can also find me on Twitter: gr3g0v1tch!
