If you are new to the terms cyber-attack, Man in the Middle (MitM) hacking or phishing then read on to know more about it. Hackers have devised several ways of intercepting data packets meant for a legitimate destination on the internet, reading the contents of the packets, if required they can make an attempt at decrypting the contents, and then either forwarding the packets to the intended destination or redirecting them to a very similar looking website where the unsuspecting user can fill out sensitive information like user names and passwords for bank accounts and other important assets.
This is a special type of hacking where the communication between the sender and the receiver is intercepted, processed, forwarded or diverted, resulting in serious risks of loss of important information. Such attacks are mostly done with malicious intentions, but in a few cases, these are carried out to test the communication within a system or for investigative purposes. This kind of attack is called Man in the Middle attack (MitM) and is akin to listening to a conversation between two parties on a telephone line. A special type of Man in the middle attack (MitM) is the ARP poisoning method.
Let’s dive into it to know what it is and how is it carried out.
Address Resolution Protocol (ARP) is a protocol that translates an IP address to a physical machine address, known as MAC address within a Local Area Network. It is a process that maps an IP address, typically a TCP IP address at layer 3 of the OSI model to a physically encoded unique address on the Network card on layer 2 of the OSI model. IP addressing happens at the software level while a MAC address is residing at the physical level.
ARP Poisoning or ARP spoofing is a kind of cyber-attack carried out within a Local Area Network, were modified and malicious ARP packets are sent to a gateway or a default gateway with the intention of diverting the data packets to a different device on the network. This kind of attack will need complete control of a machine on the LAN. The malicious ARP packets might include MAC address of the attacking machine mapped to a legitimate IP address on the network, thus sending the data packet to the attacker instead of its intended recipient.
Once the packet is received it may be diverted back to the intended recipient after exposing the contents thus making these kinds of attacks extremely difficult to detect. ARP poisoning is all used as a tool for DDoS attacks.
ARP uses a caching system to keep a record of IP addresses and MAC addresses. When a data packet arrives at a gateway (a machine that allows data to flow from one network to another), it requests the ARP to fetch the MAC address of a given IP. ARP then looks up the cache and maps the IP to a specific MAC on the network it is connected to and returns this information to the gateway which then passes the data packet to the intended recipient.
Attackers may poison ARP caches to plant themselves in the middle of a conversation between 2 devices on the network. With the malicious modification of the ARP cache, any legitimate communication is diverted to the attacker’s machine. Attackers may also send an ARP reply to all devices on the LAN, announcing the ownership of a particular IP address. The ARP protocol does not require authentication as it is a stateless communication.
To understand MAC spoof, you will need to understand MAC. Every device connected to a network, which is a network device like NIC or wireless card, possesses a physically encoded identification number that is unique worldwide. This number is called Media Access Code (MAC). This address never changes, but any references to this MAC can be masked with another MAC to divert the data packets to attackers. This activity of masking a legitimate MAC is called MAC spoofing.
ARP can also be used for extracting IP addresses and MAC addresses for mounting a smurf attack. Smurf attacks are a form of DDoS (Distributed Denial of Service) attacks that involves a large number of ICMP packets with the victims spoofed IP is broadcast in a computer network using an IP broadcasting address. With most IP addresses sending a response to the victim IP address resulting in choking of the victim’s computer if the number of responses is large enough. This can slow down the victim machine thus resulting in service delays to a point where it virtually stops.
Replay attacks can be also be carried out with the help of ARP poisoning and ARP cache poisoning. Replay attacks are a form of network attacks that intercept valid data transmission and maliciously retransmit to the recipient or Replay it to the recipient getting a response from the recipient that can be used to gain unauthorized access or mount further attacks. A replay attack is carried out as part of a spoofing attack using IP packet substitution in most cases.
ARP Spooning is also known as ARP poisoning, a Man in the Middle (MitM) attack that allows the attackers to intercept communication between network devices. Attackers manipulate the Address Resolution Protocol (ARP) in order to intercept all communications between two devices on the same LAN network. What primarily makes ARP spoofing possible that the protocol was not formed to be a security feature but a mere communication tool and it, therefore, lacks a verification procedure to ascertain the legitimacy of ARP responses received over the network.
ARP poisoning is a significant vulnerability that needs to be protected. It is an easily attainable attack using simple tools and even locally programmed in Python. Understanding the ARP poisoning or spoofing process is a first step towards identifying and preventing such attacks on your local area network.
So, have you made up your mind to make a career in Cyber Security? Visit our Master Certificate in Cyber Security (Red Team) for further help. It is the first program in offensive technologies in India and allows learners to practice in a real-time simulated ecosystem, that will give you an edge in this competitive world.