
ARP Poisoning

by sirchode

ARP Poisoning has become a recent fascination of mine, and I don't really know why.  I've always loved networking so learning about such a simple exploit triggered something inside me.  This page will hopefully contain everything I've learned about ARP Poisoning, from what it is to how it's done and how to protect against it.

This is such a cliché statement but it applies:  I don't condone or encourage putting these techniques into practice in a malicious way.  I hope that anyone reading this is mature enough to understand that this is an exercise in knowledge, not a guide for wannabe hackers that think they have something to gain from it.  Needless to say, the techniques seen here can get you into serious trouble, so don't be stupid.


What is it?



What is ARP?

To understand ARP Poisoning you have to understand ARP, and fortunately this isn't tough since ARP is such a ridiculously simple protocol.  It stands for Address Resolution Protocol and it's the process by which computers on a LAN find the MAC address that goes with a given IPv4 address (IPv6 does the same job with Neighbor Discovery, which has the same trust problem).  There are only two steps to the ARP process:  asking for an address and receiving an answer.  That's it.  Nothing in either step proves who sent the answer.

Keep in mind that an Ethernet LAN operates on MAC addresses, not IP addresses.  IP addresses must be converted into MAC addresses in such an environment, and ARP is the protocol used for this.

If you were to open up a command prompt and type  ping 192.168.0.55 , your computer would first broadcast an ARP request to every computer on the segment (destination MAC ff:ff:ff:ff:ff:ff) saying, "Hey, which one of you is 192.168.0.55?"  All the computers would ignore the question since it doesn't apply to them and they've got other stuff to worry about, but the computer at 192.168.0.55 would reply, unicast, with its MAC address:  "Hey, I'm 192.168.0.55, my MAC address is 00:0F:73:09:E5:A6."  Your computer would stick this information in its ARP table for future reference and proceed to send ping messages to the newly-learned MAC address 00:0F:73:09:E5:A6.  Below is a screenshot of an Ethereal (now Wireshark) capture showing a series of ARP requests and a few ARP replies.
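To make the two-step exchange concrete, here is an added example (not code from the original article) that builds and decodes the actual Ethernet/ARP frames for the request and reply described above, using only the Python standard library.  The asking host's address (192.168.0.10 / 00:1a:2b:3c:4d:5e) is an assumption; 192.168.0.55 and 00:0F:73:09:E5:A6 come from the text.

```python
"""Build and decode ARP-over-Ethernet frames with the standard library only.
Added example, not from the original article: reproduces the request/reply
exchange for the host 192.168.0.55 (MAC 00:0F:73:09:E5:A6 per the article).
The asking host 192.168.0.10 / 00:1a:2b:3c:4d:5e is an assumed value."""
import struct
import ipaddress

ETHERTYPE_ARP = 0x0806
ARP_REQUEST = 1
ARP_REPLY = 2
BROADCAST = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"


def mac_to_bytes(mac):
    return bytes(int(b, 16) for b in mac.replace("-", ":").split(":"))


def bytes_to_mac(b):
    return ":".join(f"{x:02x}" for x in b)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Return a full 42-byte Ethernet frame carrying one ARP packet.
    Requests go to the broadcast MAC; replies are unicast to the asker."""
    dst = BROADCAST if op == ARP_REQUEST else target_mac
    eth = mac_to_bytes(dst) + mac_to_bytes(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    # htype=1 (Ethernet), ptype=0x0800 (IPv4), hlen=6, plen=4, then the opcode
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    arp += mac_to_bytes(sender_mac) + ipaddress.IPv4Address(sender_ip).packed
    arp += mac_to_bytes(target_mac) + ipaddress.IPv4Address(target_ip).packed
    return eth + arp


def parse_arp(frame):
    """Decode a frame; raise ValueError if it is not Ethernet/IPv4 ARP."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet+ARP")
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol type")
    p = frame[22:42]
    return {
        "op": op,
        "sender_mac": bytes_to_mac(p[0:6]),
        "sender_ip": str(ipaddress.IPv4Address(p[6:10])),
        "target_mac": bytes_to_mac(p[10:16]),
        "target_ip": str(ipaddress.IPv4Address(p[16:20])),
    }


def who_has(asker_mac, asker_ip, wanted_ip):
    """Step one: 'which one of you is wanted_ip?' (target MAC is all zeros)."""
    return build_arp(ARP_REQUEST, asker_mac, asker_ip, ZERO_MAC, wanted_ip)


def is_at(owner_mac, owner_ip, request_frame):
    """Step two: the owner answers, swapping roles so the reply is unicast
    back to whoever asked. Any other host stays silent (returns None)."""
    req = parse_arp(request_frame)
    if req["op"] != ARP_REQUEST or req["target_ip"] != owner_ip:
        return None
    return build_arp(ARP_REPLY, owner_mac, owner_ip, req["sender_mac"], req["sender_ip"])


if __name__ == "__main__":
    req = who_has("00:1a:2b:3c:4d:5e", "192.168.0.10", "192.168.0.55")
    rep = is_at("00:0f:73:09:e5:a6", "192.168.0.55", req)
    print("request:", parse_arp(req))
    print("reply:  ", parse_arp(rep))
```

Notice that build_arp is all an attacker needs too: a reply claiming the gateway's IP with the Jerk's MAC is built with the exact same call, and nothing in the 42 bytes on the wire tells a receiver whether the sender really owns that IP.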




ARP Poisoning

Everything seems pretty neat until you realize that ARP is stateless and unauthenticated:  replies are simply accepted from any source, valid or not, requested or not, and the latest one to arrive overwrites whatever was in the table (Solaris is the usual exception cited, since it ignores replies it never asked for, so tools targeting it first provoke a genuine request and race the real answer).  ARP Poisoning is simply taking advantage of this fact by supplying false information.

If you feel like getting hands-on, you can see ARP Poisoning in action on your own computer.  Open up a command prompt and type  ipconfig .  You'll be shown your Default Gateway; take note of this.  You can add a static entry to your own ARP table with the command  arp -s [IP address] [MAC address] , so to poison yourself type something like  arp -s xxx.xxx.xxx.xxx 00-11-22-33-44-55  where xxx.xxx.xxx.xxx is the Default Gateway you noted (on Vista and later this needs an administrator command prompt).  Now try to ping a site like google.com and notice that you can't:  every packet bound for the outside world, the DNS lookup included, is now addressed to a MAC that nobody on the LAN owns, so it goes nowhere.  To delete the false ARP entry type  arp -d xxx.xxx.xxx.xxx  and try pinging google.com again.  Your computer will use ARP to obtain the gateway's correct MAC address and proceed to function like normal.


Man In the Middle

Perhaps the most common use of ARP Poisoning is a Man In the Middle attack, which Cain calls ARP Poison Routing.  It consists of a user (who we will call Jerk) poisoning two other computers so that each believes the Jerk's MAC address belongs to the other; the Jerk then forwards every packet on to its real destination and so acts as a transparent proxy between them.  Usually the Jerk pairs a gateway router with one or more hosts, as in the example above, in order to capture sensitive data headed to and from the internet.  The forwarding is essential:  if the Jerk only poisons and doesn't relay, the victims simply lose connectivity and the attack degenerates into the Denial of Service described below.  Cain takes care of the relaying itself.

The Man In the Middle attack is walked through step by step under "Getting Technical" below.


Denial of Service

One other obvious attack made possible by ARP is a Denial of Service, which was also demonstrated in the example above.  The Jerk could send ARP replies to every computer on a given network segment and tell them all that their gateway router is actually located at the MAC address DE-AD-BE-EF-4A-4A and cause quite an inconvenience.
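The three attacks just described (poisoning a cache, routing both directions through the Jerk, and pointing a victim at a MAC nobody owns) come down to what each victim's ARP cache does with a reply.  The added example below (not the article's code) simulates exactly that:  a lenient cache that installs any reply, as the article describes, next to a strict one that only accepts answers to outstanding requests.  All addresses except the article's DE-AD-BE-EF-4A-4A are constructed for illustration, and only ARP replies are modelled (most stacks also learn from requests and gratuitous ARP, which only makes the attacker's job easier).

```python
"""Simulate the victims' ARP caches under the poisoning, Man In the Middle and
Denial of Service attacks described above. Added example, not from the article:
hosts, addresses and the Jerk's MAC are constructed; only replies are modelled."""

GATEWAY_IP, GATEWAY_MAC = "192.168.0.1", "00:0f:73:09:e5:a6"   # constructed
VICTIM_IP, VICTIM_MAC = "192.168.0.55", "00:1a:2b:3c:4d:5e"    # constructed
JERK_MAC = "00:11:22:33:44:55"                                   # constructed attacker MAC
BOGUS_MAC = "de:ad:be:ef:4a:4a"                                  # the article's DoS example


class Host:
    """A station with an ARP cache. strict=False is the behaviour the article
    describes: any reply updates the cache. strict=True only accepts a reply
    for an address this host has actually asked about (the Solaris-style caveat)."""

    def __init__(self, ip, mac, strict=False):
        self.ip, self.mac, self.strict = ip, mac, strict
        self.arp = {}          # ip -> mac
        self.pending = set()   # ips we currently have a request out for

    def resolve(self, peer):
        """The legitimate two-step exchange: ask, then accept the real answer."""
        self.pending.add(peer.ip)
        self.receive_reply(peer.ip, peer.mac)

    def receive_reply(self, sender_ip, sender_mac):
        """Return True if the reply was installed in the cache."""
        if self.strict and sender_ip not in self.pending:
            return False                    # unsolicited reply: ignored
        self.arp[sender_ip] = sender_mac    # no check that it came from the real owner
        self.pending.discard(sender_ip)
        return True

    def next_hop(self, ip):
        return self.arp.get(ip)


def poison_pair(victim, gateway, jerk_mac):
    """Cain-style APR: tell the victim the gateway is at the Jerk's MAC and
    tell the gateway the victim is at the Jerk's MAC."""
    victim.receive_reply(gateway.ip, jerk_mac)
    gateway.receive_reply(victim.ip, jerk_mac)


def routing_state(victim, gateway, jerk_mac):
    """Mirror Cain's status column from the contents of the two caches."""
    to_gw = victim.next_hop(gateway.ip) == jerk_mac
    from_gw = gateway.next_hop(victim.ip) == jerk_mac
    if to_gw and from_gw:
        return "Full-routing"
    if to_gw or from_gw:
        return "Half-routing"
    return "Not routed"


def mitm_scenario(strict=False):
    """Return the routing state before and after the Jerk sends his replies."""
    gw = Host(GATEWAY_IP, GATEWAY_MAC, strict)
    pc = Host(VICTIM_IP, VICTIM_MAC, strict)
    pc.resolve(gw)
    gw.resolve(pc)
    before = routing_state(pc, gw, JERK_MAC)
    # Against a strict host this only lands while a real request is outstanding,
    # which is why tools wait for (or provoke) one and race the genuine answer.
    poison_pair(pc, gw, JERK_MAC)
    return before, routing_state(pc, gw, JERK_MAC)


def dos_scenario():
    """The arp -s experiment from above, done to the victim by someone else:
    point its gateway entry at a MAC that nobody on the LAN owns."""
    gw = Host(GATEWAY_IP, GATEWAY_MAC)
    pc = Host(VICTIM_IP, VICTIM_MAC)
    pc.resolve(gw)
    lan_macs = {GATEWAY_MAC, VICTIM_MAC, JERK_MAC}   # every NIC actually on the wire
    before = pc.next_hop(GATEWAY_IP) in lan_macs
    pc.receive_reply(GATEWAY_IP, BOGUS_MAC)
    after = pc.next_hop(GATEWAY_IP) in lan_macs
    return before, after


if __name__ == "__main__":
    print("MITM, lenient stack:", mitm_scenario())
    print("MITM, strict stack: ", mitm_scenario(strict=True))
    print("DoS, gateway reachable before/after:", dos_scenario())
```

The lenient pair goes straight from "Not routed" to "Full-routing" on a single reply in each direction; the strict pair stays unpoisoned because neither host had a request outstanding, and the DoS victim ends up with a gateway entry that no NIC on the segment will ever answer to.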



How is it done?



Programs

The program of choice for ARP Poisoning attacks on Windows is Cain & Abel, which is actually two separate programs.  Cain is the tool you install and run locally; Abel is a Windows service that lets Cain reach some of the same features on a remote machine.  We'll only be concerned with Cain but you can read the documentation to learn more about Abel.

A simple command-line tool for sending unsolicited ARP Reply packets is called Arpoison.  From the readme:  "This program sends out a custom ARP REPLY packet with the hardware and protocol address information of your choosing. Since ARP is a stateless protocol most operating systems will gladly update their ARP cache with whatever information you send them in your hand-crafted packet."

Another popular *NIX-based tool for ARP Poisoning and other networking "tricks" is Ettercap.  I'd tell you more about it but I've never used it.

Strictly speaking it's optional, but you'll also want a packet sniffer to look at the individual packets that get re-routed through a Jerk's computer during a Man In the Middle attack.  I personally use Ethereal (now called Wireshark), though there are plenty of alternatives if you feel like looking for them.


Getting Technical

Like I mentioned above, Cain & Abel is the program of choice for ARP-based attacks so that's what we'll be using also.  The problem with Cain is that it's a bit overwhelming at first and hard to navigate, so I've made diagrams to help with this.  The colored circles are intended to be followed in the same order as the colors of the rainbow: red, orange, yellow, green, blue, etc.  With that understood, let's get started.

Find hosts on your network
First off, you need to do a scan to find devices on the network to poison.



  1. Red - Click the Sniffer tab, which holds the ARP-related options.
  2. Orange - Make sure you're in the Hosts tab.
  3. Yellow - Turn on the sniffer.
  4. Green - Click the plus sign to search for hosts.  You'll be presented with a dialog box that allows you limit the searching, but generally you'll want to just search the entire subnet.

Selecting hosts
Once Cain knows all the hosts it can reach, you need to specify which ones to poison.



  1. Red - Click the APR tab (Remember, APR stands for ARP Poison Routing which is synonymous with a Man In the Middle attack)
  2. Orange - Make sure you click on the root APR selection.  As you can see, Cain is capable of many other types of attacks but we'll only deal with basic APR.
  3. Yellow - Make sure you click this pane to bring it into focus.  The plus sign will be grayed out unless you do this.
  4. Green - Click the plus sign to select specific hosts.  You'll be presented with the following dialog box:



Read the warning at the top because it's pretty important; you can really cause some disturbance with this, so be careful.  This box is actually pretty straightforward:  you select a host on the left and a host on the right, and Cain will act as a Man In the Middle between them.  You can only select one host in the left list; I'm pretty sure the program's author is trying to say, "Pick the default gateway unless you've got something else in mind."  So pick the default gateway.  As soon as you click on it, the list on the right will populate:



From here you can pick a single host or multiple hosts by holding down Shift or Ctrl.  You know the drill.  Click OK and you'll be brought back to the APR screen:



Each line shows two hosts that are about to be poisoned and also shows the number of packets flowing between them, I actually think it's pretty clever.  As soon as you're ready, you can click the button circled in red to begin the Man In the Middle attack.

During the attack
You'll see a lot of activity on this screen during the attack, here's a quick image of what to expect:



The top pane is referred to as the "LAN View" and the bottom pane is the "WAN View".  Basically all this means is that the top pane shows you what's happening within the LAN and the bottom pane shows you all the activity leaving or coming into the LAN.  A status of "Full-routing" means that the attack is fully functional and you truly are the Man In the Middle, while a status of "Half-routing" implies that you're only a Man In the Middle for traffic flowing in one direction, not both directions, usually because one of the two caches hasn't taken the poison yet or the real host has just re-announced itself.  That's why Cain keeps re-sending its replies, and as you'll see, the status indicators bounce around a lot and it gets pretty crazy.  Every one of those refreshes is visible on the wire, which is exactly what a monitor like Arpwatch (see below) keys on.

Cain is specifically designed to sniff for passwords, so clicking on the Passwords tab will show you a list of all the passwords it found during the attack.  I'd show you a screenshot but then you'd know my FTP password and that's not cool.

In addition to just letting Cain do its thing, you can open up Ethereal (Wireshark) and check out each individual packet you're re-routing.  The amount of stuff you can see with this technique is actually pretty scary.



How can I prevent it?



Arpwatch

Arpwatch is a *NIX-based program that keeps a database of the MAC/IP pairings it sees in ARP traffic and mails reports when they change, using labels such as "new station", "changed ethernet address" and "flip flop" (an IP bouncing between two MACs, which is exactly what a poisoning session looks like every time the real host answers and the attacker re-poisons).  Arpwatch's official site isn't really informative, so the SecurityFocus tools page and a Google search are worth a look as well.
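The detection logic behind those reports is small enough to show.  The following is an added example (not arpwatch's code, nor the article's) that tracks the sender IP/MAC pairs from a stream of ARP packets, classifies changes with arpwatch's own vocabulary, and adds one check arpwatch itself does not make:  a single MAC answering for several IPs, which is what a Cain session between a gateway and its clients looks like.  The observations are constructed, not a real capture, and the addresses are the same made-up ones used earlier on this page.

```python
"""arpwatch-style monitor: track which MAC answers for each IP and report the
same kinds of events arpwatch mails out. Added example, not the article's or
arpwatch's code; the observations below are constructed, not a real capture."""
from collections import defaultdict


class ArpMonitor:
    """Keeps the current and previous MAC seen for each IP, like arpwatch's
    database, and classifies every change."""

    def __init__(self):
        self.current = {}                 # ip -> mac seen most recently
        self.previous = {}                # ip -> the mac before that
        self.by_mac = defaultdict(set)    # mac -> every ip it has claimed

    def observe(self, ts, ip, mac):
        """Feed one sender ip/mac pair from an ARP packet; return an event or None."""
        mac = mac.lower()
        self.by_mac[mac].add(ip)
        old = self.current.get(ip)
        if old is None:
            self.current[ip] = mac
            return (ts, "new station", ip, mac, None)
        if old == mac:
            return None                   # same pairing as before: quiet
        # arpwatch's 'flip flop' is an address bouncing back to a MAC seen
        # earlier, which is what a poisoned entry looks like every time the
        # real host answers and the Jerk re-poisons
        kind = "flip flop" if self.previous.get(ip) == mac else "changed ethernet address"
        self.previous[ip] = old
        self.current[ip] = mac
        return (ts, kind, ip, mac, old)

    def macs_claiming_many(self, threshold=2):
        """Extra check beyond what arpwatch reports: one MAC answering for several
        IPs is the signature of an APR session between a gateway and its clients."""
        return {m: sorted(ips) for m, ips in self.by_mac.items() if len(ips) >= threshold}


def run(observations):
    """Replay (timestamp, sender_ip, sender_mac) tuples; return events and suspects."""
    mon = ArpMonitor()
    events = [e for e in (mon.observe(*o) for o in observations) if e]
    return events, mon.macs_claiming_many()


SAMPLE = [  # constructed: normal traffic, a poisoning burst, the real gateway re-asserting itself
    (0, "192.168.0.1", "00:0f:73:09:e5:a6"),    # gateway
    (1, "192.168.0.55", "00:1a:2b:3c:4d:5e"),   # a client
    (2, "192.168.0.99", "00:11:22:33:44:55"),   # the Jerk, under his real address
    (30, "192.168.0.1", "00:11:22:33:44:55"),   # Jerk claims the gateway's IP
    (30, "192.168.0.55", "00:11:22:33:44:55"),  # ...and the client's
    (60, "192.168.0.1", "00:0f:73:09:e5:a6"),   # real gateway answers a request
    (61, "192.168.0.1", "00:11:22:33:44:55"),   # Jerk re-poisons
]

if __name__ == "__main__":
    events, suspects = run(SAMPLE)
    for ts, kind, ip, mac, old in events:
        print(f"t={ts:>3} {kind:24} {ip:14} {mac}" + (f" (was {old})" if old else ""))
    print("MACs claiming several IPs:", suspects)
```

On the sample the first three observations are plain "new station" reports, the burst at t=30 produces two "changed ethernet address" events, and the gateway's real answer at t=60 followed by the re-poison at t=61 produce the "flip flop" pair that is the tell-tale sign of an active APR session; the Jerk's MAC is also the only one listed under three IPs.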

Port Security

If you're in some semblance of a corporate environment, chances are you're using Cisco Catalyst switches for your Ethernet LAN(s), and the good news is that most Catalyst switches have a feature called Port Security which is actually pretty handy.  Port Security lets you limit the number of MAC addresses permitted per port.  If the limit is exceeded you can have the switch cripple (err-disable) or shut down the port, which stops an attacker cold if he tries to plug in a hub or flood forged source addresses.  Be clear about what it doesn't do, though:  Port Security only counts source MACs and never looks inside an ARP packet, so a Jerk sending spoofed replies from his own single MAC stays comfortably under a limit of 1.  The Catalyst feature that actually validates ARP contents is Dynamic ARP Inspection.

An example configuration for Port Security would look something like this:
  catswitch(config)#interface [name]
  catswitch(config-if)#switchport mode access
  catswitch(config-if)#switchport port-security
  catswitch(config-if)#switchport port-security maximum 1
  catswitch(config-if)#switchport port-security violation shutdown

For more detailed information, see Cisco's documentation.
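Since Port Security never inspects ARP, the complementary Catalyst feature worth knowing is Dynamic ARP Inspection (DAI), which drops ARP packets on untrusted ports whose sender IP/MAC pair doesn't match the DHCP snooping binding table.  The configuration below is an added example, not from the original article and not something its author tested; VLAN 10, the uplink GigabitEthernet0/1 and the access-port range FastEthernet0/1 - 24 are assumed names for the sake of illustration.

```cisco
! DAI relies on the DHCP snooping table to know which IP belongs to which MAC
catswitch(config)#ip dhcp snooping
catswitch(config)#ip dhcp snooping vlan 10
catswitch(config)#ip arp inspection vlan 10
! The uplink carries the real gateway's and DHCP server's traffic: trust it
catswitch(config)#interface GigabitEthernet0/1
catswitch(config-if)#ip dhcp snooping trust
catswitch(config-if)#ip arp inspection trust
catswitch(config-if)#exit
! Access ports stay untrusted; cap how many ARP packets per second each may send
catswitch(config)#interface range FastEthernet0/1 - 24
catswitch(config-if-range)#ip arp inspection limit rate 15
catswitch(config-if-range)#exit
catswitch(config)#end
! Check that inspection is active and watch the drop counters climb during an attack
catswitch#show ip arp inspection vlan 10
catswitch#show ip arp inspection statistics vlan 10
```

Two practical caveats:  hosts with static IPs never appear in the snooping table, so they need ARP ACLs (arp access-list) or DAI will drop their legitimate traffic, and the Jerk's rate of forged replies will typically trip the per-port limit and err-disable his port, which is a nice side effect but also a DoS vector if a misbehaving device shares that port.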

Manually configuring ARP entries

To be quite honest, something like this is a bit excessive and paranoid.  It is entirely possible to give every machine on a LAN a static ARP entry for the gateway (and the gateway static entries for every host), so that nobody has to trust a reply at all, but every NIC swap or address change then means touching every machine again.  It's such a big headache and waste of time that it should only be considered if you're a network consultant trying to royally screw your customers.



Conclusions



So it must be pretty clear by now that this simple and glaring flaw is just waiting to be exploited by hackers all over the world, right?  Nah.  In most LAN environments there really isn't a reason to be afraid of something like this happening, possible exceptions being if you're in a more public environment like a university or internet café (and even then, it's pretty much a non-issue).  I honestly think this is just something fun to mess around with and learn about in a controlled environment, if anything for the simple benefit of knowing it exists and knowing how to prepare for it.



This article is ©2008 by the respective authors. Reproduction is prohibited without express permission from all contributors.