Explore ARP Poisoning with Examples

9) ARP poisoning

In this tutorial we will learn -

• What are IP and MAC addresses
• What is Address Resolution Protocol (ARP) Poisoning?
• Hacking Steps: Configuring Static ARP on Windows

What are IP and MAC addresses

IP Address is an abbreviation for Internet Protocol Address. An Internet Protocol address uniquely identifies a computer or other device, such as a printer or storage drive, on a computer network. There are currently two versions of IP addresses. IPv4 uses 32-bit numbers. Due to the massive growth of the Internet, IPv6 was developed, which uses 128-bit numbers.

IPv4 addresses are formatted into four groups of numbers, separated by periods. The minimum is 0 and the maximum is 255. An example of an IPv4 address looks like this;
IPv6 addresses are formatted in groups of six numbers, separated by colons. Each group is written as 4 hexadecimal digits. An example IPv6 address looks like this;
2001:0db8:85a3:0000:0000:8a2e:0370:7334
To make IP addresses easier to write in text, leading zeros and runs of all-zero groups can be omitted. The above address is displayed in simplified format as;
2001:db8:85a3::8a2e:370:7334
MAC Address is an acronym for Media Access Control Address. MAC addresses are used to uniquely identify network interfaces for communication at the physical layer of the network. MAC addresses are usually embedded on the network card.
A MAC address is like a serial number for a phone, and an IP address is like a phone number.


We will assume that you are using Windows for this exercise. Open a command prompt.
Enter the command
ipconfig /all
You will receive detailed information about all network connections available on your computer. The results shown below show that the broadband modem is showing MAC address and IPv4, and the wireless network is showing IPv6.

What is ARP Poisoning?

ARP is an acronym for Address Resolution Protocol. It is used to translate an IP address into a physical address [MAC address] on the switch. The host sends an ARP broadcast over the network, and the recipient computer responds with its physical address [MAC address]. The resolved IP/MAC address is then used for communication. ARP poisoning sends spoofed MAC addresses to the switch so that the spoofed MAC addresses become associated with the IP address of a genuine computer on the network, which allows traffic to be intercepted.

ARP poisoning control measures

Static ARP entries: These can be defined in the local ARP cache, and the switch is configured to ignore all automatic ARP reply packets. The disadvantage of this method is that it is difficult to maintain on large networks. The IP/MAC address mapping must apply to all computers on the network.
ARP poisoning detection software: These systems can be used to cross-validate IP/MAC address resolution and authenticate it. Uncertified IP/MAC address resolutions can be blocked.
Operating system security: This measure depends on the operating system being used. Following are the main methods used by various operating systems.
Linux based: They work by ignoring unsolicited ARP reply packets.
Microsoft Windows: ARP cache behavior can be configured through the registry. The following programs can be used to protect networks from being sniffed;
• AntiARP - provides protection against both passive and active sniffing
• Agnitum Outpost Firewall - provides protection against passive eavesdropping
• XArp - provides protection against both passive and active sniffing
Mac OS: ArpGuard can be used to provide security. It protects against both active and passive sniffing.


Hacking Steps: Configuring ARP Entries on Windows

We are using Windows 7 for this exercise, but the commands should work on other versions of Windows as well.
Open Command Prompt and enter the following command
arp -a
HERE,
arp calls the ARP configuration program located in the Windows/System32 directory
-a is an option to display the contents of the ARP cache

You will get results similar to the following

Note: Dynamic entries are added and removed automatically when using TCP/IP sessions with remote computers.
Static entries are added manually and removed when the computer is restarted, the network card is restarted, or other actions affect it.

Adding static entries

Open a command prompt, then use the ipconfig /all command to get the IP address and MAC address.

The MAC address is shown as Physical Address and the IP address as IPv4 Address.
Enter the following command
arp -s <IP address> 60-36-DD-A6-C5-43

Note: Your IP and MAC addresses will be different from the ones used here, because they are unique.
Use the following command to view the ARP cache
arp -a
You will get the following results

Please note that the IP address has been mapped to the MAC address we provided and is of static type.

Deleting an ARP Cache Entry

Use the following command to delete the entry
arp -d <IP address>
P.S. ARP poisoning works by sending spoofed MAC addresses to the switch
