In this article, I will tell you about ARP packets, their poisoning and how to do it.
So, what is ARP poisoning? It is an attack method used to sniff packets, passwords and pretty much anything sent in plain text over an Ethernet wired network or a wireless one.
ARP works like this:
Let’s say you are at home and you have printer sharing turned on to print files remotely, just like in the office. So you send a request to the printer to print the document. The document flows across the network with ARP packets, which are supposed to be secure, but they are not; they don’t even have any form of identification. So when you send an ARP packet that is your document, someone on your network poisoning you can sniff that document before it reaches the printer, resulting in a MitM (Man in the Middle). This can be used to sniff not just documents sent to the printer but, like I said, pretty much anything, starting from visited websites in clear text and ending with telnet sessions in clear text.
Afraid of being poisoned? Don’t worry much, because this attack is only exploitable if a hacker has access to your network (a WEP key, which is not so hard to get…). Although you should be afraid when using a public internet hotspot, such as a café or a mall… use SSH tunneling to encrypt your traffic and pwn the bad guy.
With ARP poisoning, several other attacks can be launched against the network and/or a person using a computer.
What attacks, I hear you ask? There could be DoS, MAC flooding and MitM.
DoS – the hacker can send an ARP reply associating your network router’s IP address with a MAC address that doesn’t exist on the local network, resulting in a DoS which disconnects the computer from the internet.
MAC flooding – when you overload a switch, it drops into hub mode, which broadcasts all network traffic to every computer in your network, so you can easily sniff packets on that network.
MitM – with this attack you can exploit ARP cache poisoning to intercept network traffic between two devices in your network. For example, let’s say the hacker wants to see all the traffic between your computer, 192.168.1.3, and your Internet router, 192.168.1.1. So the hacker begins by sending a malicious ARP “reply” (for which there was no previous request) to your router, associating his computer’s MAC address with 192.168.1.3, which makes your router think the hacker’s computer is your computer.
Next, the hacker sends a malicious ARP reply to your computer, associating his MAC address with 192.168.1.1, which makes your machine think that the hacker’s computer is your router.
Finally, the hacker turns on an operating system feature called IP forwarding. This feature enables the hacker’s machine to forward any network traffic it receives from your computer to the router.
Now, whenever you try to go to the Internet, your computer sends the network traffic to the hacker’s machine, which it then forwards to the real router. Since the hacker is still forwarding your traffic to the Internet router, you remain unaware that he is intercepting all your network traffic and perhaps also sniffing your clear text passwords or hijacking your secured Internet sessions.
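The two things the paragraphs above rely on, an ARP reply nobody asked for and an IP address suddenly claimed by a different MAC, are exactly what a defender can watch for. The following is an added example (not code from the original article) that parses raw Ethernet/ARP frames and raises an alert on either sign; the sample frames, addresses and MACs are constructed to match the 192.168.1.1/192.168.1.3 scenario in the text.

```python
import struct

def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)
def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)

def parse_arp(frame: bytes):
    # Ethernet (14 bytes) + ARP for IPv4 over Ethernet (28 bytes); None if not such a frame.
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return op, frame[22:28], frame[28:32], frame[32:38], frame[38:42]

class ArpWatcher:
    def __init__(self):
        self.bindings = {}    # first-seen ip -> mac
        self.pending = set()  # (requester_ip, asked_ip) still waiting for a reply
    def feed(self, frame: bytes) -> list:
        alerts = []
        parsed = parse_arp(frame)
        if parsed is None:
            return alerts
        op, smac, sip, tmac, tip = parsed
        # A sender claiming an IP already bound to another MAC is the core poisoning symptom.
        known = self.bindings.setdefault(sip, smac)
        if known != smac:
            alerts.append(f"binding change {ip_str(sip)}: {mac_str(known)} -> {mac_str(smac)}")
        if op == 1:                       # request: remember who asked for what
            self.pending.add((sip, tip))
        elif op == 2:                     # reply: legitimate only if someone asked
            if (tip, sip) in self.pending:
                self.pending.discard((tip, sip))
            else:
                alerts.append(f"unsolicited reply {ip_str(sip)} is-at {mac_str(smac)} to {ip_str(tip)}")
        return alerts

# Constructed sample frames (hex), not captured traffic: router .1, victim .3, attacker aa:bb:cc:dd:ee:ff
REQUEST       = bytes.fromhex("ffffffffffff" "aabbccddee03" "0806" "0001080006040001" "aabbccddee03" "c0a80103" "000000000000" "c0a80101")
LEGIT_REPLY   = bytes.fromhex("aabbccddee03" "aabbccddee01" "0806" "0001080006040002" "aabbccddee01" "c0a80101" "aabbccddee03" "c0a80103")
POISON_VICTIM = bytes.fromhex("aabbccddee03" "aabbccddeeff" "0806" "0001080006040002" "aabbccddeeff" "c0a80101" "aabbccddee03" "c0a80103")
POISON_ROUTER = bytes.fromhex("aabbccddee01" "aabbccddeeff" "0806" "0001080006040002" "aabbccddeeff" "c0a80103" "aabbccddee01" "c0a80101")

def run_demo() -> list:
    w, out = ArpWatcher(), []
    for f in (REQUEST, LEGIT_REPLY, POISON_VICTIM, POISON_ROUTER):
        out.extend(w.feed(f))
    return out   # four alerts: two for the victim-side reply, two for the router-side reply
```

In a real deployment the frames would come from a raw socket or pcap; a static ARP entry for the gateway, or a switch feature such as Dynamic ARP Inspection, is the matching mitigation.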
So how do I ARP poison someone? Well, there is a tool called “Cain and Abel” which can do just that with ease.
I assume you already have this tool and are a little familiar with it.
So, open “Cain” and click on the icon that looks like a network card -> click on the “Sniffer” tab, right-click on the white area, choose the first option, “Scan MAC addresses”, and press OK. Now if you have more PCs connected you should see more than one in the list (I will use 192.168.1.4 as an example). One will always come up: it is your router. -> click on the APR tab at the bottom and click once in the white table; a blue cross will light up, so click it and choose the computer you want to intercept (192.168.1.4). After you click, address 192.168.1.1 will appear in the right table; click it and click OK -> select it and press the nuclear-like icon on the bar, near that network card icon. After the click it will start poisoning and catching everything that flows from that computer to the router. Passwords will appear in the “Passwords” tab at the bottom.
“Cain and Abel” is kind of a skiddy tool. Ettercap is much better for this job ;)