Anatomy of an ARP Poisoning Attack _ WatchGuard

of 6
All materials on our website are shared by users. If you have any questions about copyright issues, please report us to resolve them. We are always happy to assist you.
Related Documents
  9/29/2014Anatomy of an ARP Poisoning Attack | WatchGuard United StatesAnatomy of an ARP Poisoning Attack  ExploreSolutionsYour IndustryYour Network Why WatchGuard: Three ReasonsSpecial OffersProductLinesXTM & UTM AppliancesFireware® XTMStandalone AppliancesAccessoriesSubscriptions & UpgradesManaging WatchGuard AppliancesVPN SolutionsCertificationsProduct Resources LearningLab Security ArticlesVideo TutorialsWatchGuard FeedsWhite PapersCase Studies Network Security GlossaryExpertSupportLiveSecurity® ServiceComparison ChartsGet Help NowFind a Training Partner    9/29/2014Anatomy of an ARP Poisoning Attack | WatchGuard Security ArticlesVideo TutorialsWatchGuard FeedsWhite PapersCase Studies Network SecurityGlossary Compare Appliances Anatomy of an ARP PoisoningAttack   by Corey Nachreiner, WatchGuard Network Security AnalystHackers lie. Skillful hackers lie well. And well-rounded hackers can lie both to people and to machines.Lying to people, known as social engineering, involves tactics (detailed at length by convicted hacker Kevin Mitnick ) such as posing as a company's employee sothe company's real employees will blab secrets freely. Lying to machines involveslots of different techniques, and a commonly used one -- ARP Cache Poisoning --is the focus of this article. ARP poisoning enables local hackers to cause generalnetworking mayhem. Because it's mostly incurable, every administrator should beaware of how this attack works. ARP Refresher In Foundations: What Are NIC, MAC, and ARP?, we explained that Address Resolution Protocol (ARP) is how network devices associate MAC addresses with IP Addresses so that devices on the local network can find each other. ARP is basically a form of networking roll call.ARP, a very simple protocol, consists of merely four basic message types:1. An ARP Request . Computer A asks the network, Who has this IPaddress? 2. An ARP Reply . Computer B tells Computer A, I have that IP. My MACaddress is [whatever it is]. 3. A Reverse ARP Request (RARP) . Same concept as ARP Request, butComputer A asks, Who has this MAC address? 4. A RARP Reply . Computer B tells Computer A, I have that MAC. My IPaddress is [whatever it is] All network devices have an  ARP table , a short-term memory of all the IPaddresses and MAC addresses the device has already matched together. The ARPtable ensures that the device doesn't have to repeat ARP Requests for devices ithas already communicated with.Here's an example of a normal ARP communication. Jessica, the receptionist, tellsWord to print the latest company contact list. This is her first print job today. Her computer (IP address wants to send the print job to the office's HPLaserJet printer (IP address So Jessica's computer broadcasts an  9/29/2014Anatomy of an ARP Poisoning Attack | WatchGuard ARP Request to the entire local network asking, Who has the IP address, as seen in Diagram 1.All the devices on the network ignore this ARP Request, except for the HPLaserJet printer. The printer recognizes its own IP in the request and sends an ARPReply: Hey, my IP address is Here is my MAC address:00:90:7F:12:DE:7F, as in Diagram 2. Now Jessica's computer knows the printer's MAC address. It sends the print jobto the correct device, and it also associates the printer's MAC address of 00:90:7F:12:DE:7F with the printer's IP address of in its ARP table. Hey ARP, Did You Know Gullible Is Not in theDictionary? The founders of networking probably simplified the communication process for ARP so that it would function efficiently. Unfortunately, this simplicity also leads tomajor insecurity. Know why my short description of ARP doesn't mention any sortof authentication method? Because in ARP, there is none.ARP is very trusting, as in, gullible. When a networked device sends an ARPrequest, it simply trusts that when the ARP reply comes in, it really does come fromthe correct device. ARP provides no way to verify that the responding device isreally who it says it is. In fact, many operating systems implement ARP so trustinglythat devices that have not made an ARP request still accept ARP replies from other devices.OK, so think like a malicious hacker. You just learned that the ARP protocol hasno way of verifying ARP replies. You've learned many devices accept ARP replies before even requesting them. Hmmm. Well, why don't I craft a perfectly valid, yetmalicious, ARP reply containing any arbitrary IP and MAC address I choose?Since my victim's computer will blindly accept the ARP entry into its ARP table, Ican force my victim's gullible computer into thinking any IP is related to any MACaddress I want. Better yet, I can broadcast   my faked ARP reply to my victim'sentire network and fool all   his computers. Muahahaha haa! Back to reality. Now you probably understand why this common technique iscalled ARP Cache Poisoning (or just ARP Poisoning): the attacker lies to a deviceon your network, corrupting or poisoning its understanding of where other devicesare. This frighteningly simple procedure enables the hacker to cause a variety of networking woes, described next. All Your ARP Are Belong To Us! The ability to associate any IP address with any MAC address provides hackerswith many attack vectors, including Denial of Service, Man in the Middle, and  9/29/2014Anatomy of an ARP Poisoning Attack | WatchGuard MAC Flooding. Denial of Service A hacker can easily associate an operationally significant IP address to a falseMAC address. For instance, a hacker can send an ARP reply associating your network router's IP address with a MAC address that doesn't exist. Your computers believe they know where your default gateway is, but in reality they'resending any packet whose destination is not on the local segment, into the Great BitBucket in the Sky. In one move, the hacker has cut off your network from theInternet. Man in the Middle A hacker can exploit ARP Cache Poisoning to intercept network traffic betweentwo devices in your network. For instance, let's say the hacker wants to see all thetraffic between your computer,, and your Internet router, The hacker begins by sending a malicious ARP reply (for whichthere was no previous request) to your router, associating his computer's MACaddress with (see Diagram 3). Now your router thinks the hacker's  computer is  your   computer. Next, the hacker sends a malicious ARP reply to  your   computer, associating hisMAC Address with (see Diagram 4). Now your machine thinks the hacker's computer   is your router  .Finally, the hacker turns on an operating system feature called  IP forwarding  . Thisfeature enables the hacker's machine to forward any network traffic it receives fromyour computer to the router (shown in Diagram 5). Now, whenever you try to go to the Internet, your computer sends the network traffic to the hacker's machine, which it then forwards to the real router. Since thehacker is still forwarding your traffic to the Internet router, you remain unaware thathe is intercepting all your network traffic and perhaps also sniffing your clear text passwords or hijacking your secured Internet sessions. MAC Flooding  MAC Flooding   is an ARP Cache Poisoning technique aimed at network switches.(If you need a reminder about the difference between a hub and a switch, see thissidebar .) When certain switches are overloaded they often drop into a hub mode.In hub mode, the switch is too busy to enforce its port security features and just broadcasts all network traffic to every computer in your network. By flooding aswitch's ARP table with a ton of spoofed ARP replies, a hacker can overload many
We Need Your Support
Thank you for visiting our website and your interest in our free products and services. We are nonprofit website to share and download documents. To the running of this website, we need your help to support us.

Thanks to everyone for your continued support.

No, Thanks