ARP Cache Poisoning How the outdated Address Resolution Protocol can be easily abused to carry out a Man In The Middle attack across an entire network.


1 ARP Cache Poisoning How the outdated Address Resolution Protocol can be easily abused to carry out a Man In The Middle attack across an entire network. Scott Helme - 6th Aug - scotthel.me

2 Introduction The Address Resolution Protocol (ARP) facilitates communications on a Local Area Network (LAN). It does this by providing a means for clients to resolve a Layer 3 Internet Protocol (IP) Address ( ) to a Layer 2 Hardware Address (af:23:b4:7d:f5:c9) or Media Access Control (MAC) address. The ARP protocol employs no form of security or authentication and is a simple request and reply protocol.

3 Example For Scott to send packets to Dave over the LAN he needs to know Dave’s MAC address. Diagram: Scott (A3:DD:B4:12:3A:4F) and Dave (B7:C2:11:F2:BB:E6). ARP Request: “Who is , FF:FF:FF:FF:FF:FF? I’m Scott, , A3:DD:B4:12:3A:4F.” ARP Response: “Hi Scott, , A3:DD:B4:12:3A:4F. I’m Dave, , B7:C2:11:F2:BB:E6.”

4 Example Diagram: Scott (A3:DD:B4:12:3A:4F). ARP Request: “Who is , FF:FF:FF:FF:FF:FF? I’m Scott, , A3:DD:B4:12:3A:4F.” Scott was able to send the ARP request to Dave without knowing his MAC address by using the broadcast address FF:FF:FF:FF:FF:FF. A packet with the broadcast address as the destination is delivered to every client on the current LAN segment, ensuring Dave will receive it. Once we have Dave’s MAC address, we can send packets to him instead of everyone on the network.

5 Example Diagram: Dave (B7:C2:11:F2:BB:E6). ARP Response: “Hi Scott, , A3:DD:B4:12:3A:4F. I’m Dave, , B7:C2:11:F2:BB:E6.” When Dave received the ARP request, he identified it was for him and responded to the request using the details in the initial request.

6 Example Diagram: Scott (A3:DD:B4:12:3A:4F) and Dave (B7:C2:11:F2:BB:E6). Now that Scott and Dave have exchanged details they can communicate with each other directly. They both store a record in their ARP Cache of the other client’s IP and MAC address so they can perform a lookup later if needed. This prevents the need for subsequent ARP requests and reduces network traffic.

7 The Problem Diagram: Scott (A3:DD:B4:12:3A:4F) and Dave (B7:C2:11:F2:BB:E6). During the ARP request/response exchange neither client took any steps to verify the identity of the responding client, or the authenticity of the response sent. This presents an opportunity for a 3rd party to impersonate clients on the network.

8 The Problem Diagram: Scott (A3:DD:B4:12:3A:4F), Dave (B7:C2:11:F2:BB:E6) and Attacker (C4:D3:46:B1:EE:BA). ARP Requests are sent to all clients on the network as they use the broadcast MAC address FF:FF:FF:FF:FF:FF.

9 The Problem Diagram: Scott (A3:DD:B4:12:3A:4F), Dave (B7:C2:11:F2:BB:E6) and Attacker (C4:D3:46:B1:EE:BA). ARP Responses are not verified and if any client receives a new response they will update their ARP cache, assuming the sender has changed their MAC or IP address. Forged ARP Response from the Attacker: “Hi Scott, , A3:DD:B4:12:3A:4F. I’m Dave, , C4:D3:46:B1:EE:BA.”

10 The Problem Diagram: Scott (A3:DD:B4:12:3A:4F), Dave (B7:C2:11:F2:BB:E6) and Attacker (C4:D3:46:B1:EE:BA). Forged ARP Response from the Attacker: “Hi Scott, , A3:DD:B4:12:3A:4F. I’m Dave, , C4:D3:46:B1:EE:BA.” As long as the attacker regularly sends the forged response to the target (Scott), the target will continue to send traffic to the wrong location. If the Attacker then resends the traffic to the correct destination there is no interruption on the LAN and Dave is not aware the Attacker can view his traffic.

11 The Problem Diagram: Scott (A3:DD:B4:12:3A:4F), Dave (B7:C2:11:F2:BB:E6) and Attacker (C4:D3:46:B1:EE:BA). Packet as sent by Scott: “To Dave, , C4:D3:46:B1:EE:BA. The password is “SuperSecret1234”. From Scott, A3:DD:B4:12:3A:4F” Packet as resent by the Attacker: “To Dave, , B7:C2:11:F2:BB:E6. The password is “SuperSecret1234”. From Scott, A3:DD:B4:12:3A:4F” This is a successful implementation of a MITM attack and allows the attacker to view all traffic sent by Scott to Dave.

12 The Scope Diagram: Attacker (C4:D3:46:B1:EE:BA) and Client. At this point, the attacker can choose which targets on the network he wants to MITM and impersonate them using forged ARP packets to poison their ARP Cache.

13 The Bigger Problem A gratuitous ARP can be sent by a client at any point, usually when their IP address or MAC address has changed for some reason. This allows other clients to update their ARP cache and maintain current records. An attacker can send out a forged gratuitous ARP without needing to wait for an ARP request from a target on the network. Diagram: Attacker (C4:D3:46:B1:EE:BA) and Default Gateway (D7:AD:F1:C3:A4:D9). Broadcast from the Attacker: “To Everyone! Here are my updated details! C4:D3:46:B1:EE:BA” The attacker has just told all clients on the network that he is the default gateway!

14 The Bigger Problem Diagram: Attacker (C4:D3:46:B1:EE:BA), Default Gateway (D7:AD:F1:C3:A4:D9) and Client. Here the attacker can monitor all Internet traffic on the LAN that isn’t being sent using TLS. He could also simply not forward on the traffic and bring the entire network down as no clients would be able to communicate at all. This is known as a Denial of Service (DoS) attack.

15 Mitigation There is no replacement for ARP on a LAN, so ARP Cache Poisoning is a difficult threat to defend against. You can create static ARP entries on client machines for important things like the default gateway. The only problem is that if the IP or MAC genuinely changes, no client will listen to the new details; they will depend upon the incorrect static entries, which now need to be updated. ARP Cache Poisoning actually has genuine advantageous uses. If a web server on your LAN went down, you could invisibly direct all clients to a backup server without needing to alter any configurations. Simply broadcast a forged ARP packet with the MAC address for the new server. You can employ monitoring software to listen and try to detect forged ARP packets. They are easy to spot by maintaining a historic record of ARP broadcasts and looking for an ARP packet with the same IP address but a different MAC address to one previously reported.
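The historic-record check from the Mitigation slide, as an added example that is not part of the original presentation. It parses raw Ethernet/ARP frames and flags an IP address that is later claimed by a different MAC; the class and function names and the 192.0.2.x addresses are constructed for illustration, while the MAC addresses are the ones used in the slides.

```python
import struct

def parse_arp(frame):
    """Return (opcode, sender_mac, sender_ip) for an Ethernet/IPv4 ARP frame, else None."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":      # EtherType 0x0806 = ARP
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):     # Ethernet + IPv4 only
        return None
    mac = ":".join(f"{b:02X}" for b in frame[22:28])        # sender hardware address
    ip = ".".join(str(b) for b in frame[28:32])             # sender protocol address
    return op, mac, ip

class ArpWatch:
    """Historic record of IP -> MAC bindings; flags any later conflicting claim."""
    def __init__(self):
        self.bindings = {}
    def observe(self, frame):
        parsed = parse_arp(frame)
        if parsed is None:
            return None
        op, mac, ip = parsed
        known = self.bindings.setdefault(ip, mac)           # first sighting is recorded
        if known != mac:
            # The original binding is kept, so repeated forgeries keep alerting and a
            # genuine change has to be accepted by an operator.
            return f"ALERT: {ip} was {known}, ARP opcode {op} now claims {mac}"
        return None

def build_arp(op, src_mac, src_ip, dst_mac, dst_ip):
    """Build a constructed 42-byte ARP frame in memory for the demo."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    ip = lambda s: bytes(int(p) for p in s.split("."))
    target_hw = bytes(6) if op == 1 else mac(dst_mac)       # unknown in a request
    return (mac(dst_mac) + mac(src_mac) + b"\x08\x06"
            + struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
            + mac(src_mac) + ip(src_ip) + target_hw + ip(dst_ip))

SCOTT, DAVE, ATTACKER = "A3:DD:B4:12:3A:4F", "B7:C2:11:F2:BB:E6", "C4:D3:46:B1:EE:BA"
SCOTT_IP, DAVE_IP = "192.0.2.10", "192.0.2.20"              # constructed addresses

def demo():
    watch = ArpWatch()
    frames = [
        build_arp(1, SCOTT, SCOTT_IP, "FF:FF:FF:FF:FF:FF", DAVE_IP),  # Scott's request
        build_arp(2, DAVE, DAVE_IP, SCOTT, SCOTT_IP),                 # Dave's response
        build_arp(2, ATTACKER, DAVE_IP, SCOTT, SCOTT_IP),             # conflicting claim
    ]
    return [a for a in map(watch.observe, frames) if a], watch.bindings
```

Because the first-seen binding is never overwritten automatically, a legitimate MAC change also raises an alert, which is the same maintenance cost the slide notes for static entries.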

16 Conclusion Whilst you could statically assign all ARP entries on the network, this is not a realistic solution and is near impossible to maintain on large networks. Detection software can let you know when someone is attempting to ARP poison clients on your network and even attempt to mitigate it, but this is still a reactive measure and not a form of prevention. ARP Cache Poisoning presents a serious threat over a LAN (this includes WiFi) which stems from an inherent lack of security in the protocol itself. The easiest way to protect your Internet traffic whilst using a network that may contain malicious clients is to use sites protected with TLS. As TLS offers end to end encryption, the attacker would only be able to view the encrypted version of your traffic and as such it is useless to them. There are of course other options like using a Virtual Private Network (VPN), which will be covered in a later presentation, but these require considerable cost and maintenance.

17 This work is licensed under the Creative Commons Attribution 3.0 Unported License. To view a copy of this license, visit Thanks You can find more info covering this and other forms of attack on my blog: Please feel free to share this information generously but do provide attribution back to my site.

