Before dive into ARP Spoofing, let understand what is ARP(Address Resolution Protocol) means. The logical address (IP address) is used by machines to send and receive messages. But the physical address (MAC address) in layer 2 of the OSI model is responsible for the actual communication to happen. So we should get the destination MAC address which helps in communicating with other devices. This is where ARP comes into the picture. It is the protocol that is responsible for the mapping of IP addresses to their corresponding MAC addresses. The ARP protocol provides two basic functions;

  • Resolving IPv4 addresses to MAC addresses: For a frame to be placed on the LAN media, it must have a destination MAC address. When a packet is sent to the Data Link Layer to be encapsulated into a frame, the node refers to a table in its memory to find the Data Link Layer address that is mapped to the destination IPv4 address. This table is called the ARP Table or the ARP Cache. The ARP table is stored in the RAM of the device. You can view your ARP cache by issuing the arp -a command in the Command Prompt or Windows Powershell. Each entry, or row, of the ARP table, has a pair of values as an IP Address and a MAC address. The relationship between the two values is called a Map. It simply means that you can locate an IP address in the table and discover the corresponding MAC address. The ARP table caches the mapping for the devices on the LAN.
  • Maintaining a cache of mappings: The ARP table is maintained dynamically. There are two ways that a device can gather MAC addresses. One way is to monitor the traffic that occurs on the local network segment. As a node receives frames from the media, it can record the source IP and MAC address as a mapping in the ARP table. As frames are transmitted on the network, the device populates the ARP table with address pairs. Another way a device can get an address pair is to broadcast an ARP request. ARP sends a layer 2 broadcast to all devices on the Ethernet LAN. The frame contains an ARP request packet with the IP address of the destination host. The node receiving the frame identifies the IP address as its IP address and responds by sending an ARP reply packet back to the sender as a unicast frame. This response is then used to make a new entry in the ARP table. These dynamic entries in the ARP table are timestamped. If a device does not receive a frame from a particular device before the expiration of the timestamp. Then the entry for that device is removed from the ARP table. Additionally, static map entries can be entered in an ARP table, but this is rarely done. Static ARP table entries do not expire over time and must be manually removed.

ARP Process of making requests to the IPs outside LAN

First of all, Host A is requesting an IP address that is not in the range of the Local Area network IPs. Therefore, it will ask for the MAC address of the default gateway IP (192.186.1.254 in this cases) by sending a layer 2 broadcast message to all the hosts in the LAN. As shown in figure 4, Host B will ignore the message as it is not matching with its IP. But router default gateway recognizes it as its IP address and responds to Host A by including the MAC address in the response. After that, Host a will dynamically cache that mapping in ARP cache. Now whenever sending traffic to the outer networks, Host A will use that MAC address together with the default gateway IP address for the generation of frames for the Data Link Layer of the OSI model.

ARP Spoofing/Poisoning

ARP Spoofing is a technique where the attacker sends Malicious ARP Packets to the default gateway and to the host who is communicating with the default gateway in the local area network. The main intention is to associate the attacker’s MAC address with the IP address of another host, such as the default gateway, causing any traffic meant for that IP address to be sent to the attacker instead. It allows the attacker to modify traffic and intercept data frames. As a result, leading to a comma attacking terminology called the Man in the Middle Attack (MITM).

Imagine the Host B in the above scenario is an Unethical Hacker/Attacker. He/She can use some hacking tools like Ettercap and modify the ARP cache of the host and default gateway. Then listen and capture the data frames exchange between them. Let see how we can use a tool like Ettercap to achieve such tasks.

Usage of Ettercap

If you have a Kali Linux operating system Ettercap program is by default installed in the system. Ettercap is a graphical interface that’s very beginner-friendly, unlike many of the programs that are command-line-based only. If you don’t have it in your system by default, use the following command to install it.

First, open the Ettercap program then you will get the display as shown in figure 13. Then click the Tick icon on the top right corner to run the Ettercap programs, as shown in figure 14. After that click the Three Dot icon and go inside Host. After that, select the Scan for hosts option. To display the list of scanned hosts on the network, again go inside the Host and select the Host list option. Now you can see the hosts available in the local network, as shown in figure 19 below.

To initiate the ARP poison attack click on the host and the default gateway to add them to the target, as shown in figures 20 and 21. After that, to start the ARP poison attack, click the Globe Icon in the top right corner and select the ARP Poisoning MITM option, as shown in figure 22. Now, as the attacker, you can use the Wireshark tool to trace the packet transfer between the host and the default gateway. Let’s image as the victim you are communicating with the HTTP protocol-based website. The moment you enter the username and password for that website, the attacker can filter that traffic and obtain the username and password through Wireshark, as shown in figures 24 and 25. Also, it will notify the attacker’s Ettercap program, as shown in figure 26. The password and username are visible due to the usage of the unencrypted HTTP protocol.

Nowadays, ARP Poisoning is rare and avoided due to reasons like the usage of encrypted communication in HTTPS protocol, Dynamic ARP Inspection, Static ARP Entries, VPNs, and Packet Filters. This article is prepared to make awareness of such exploitations toward users and developers. Always use this knowledge to solve troubles that happen to others and yourself, but not to cause any trouble for others. Knowing how to use these exploits is like having superpowers. The action you do with your power defines who you are, whether you are a Superhero😇✌ or a Supervillain 😈👎.

Software Engineer at Virtusa, Graduate of Sri Lanka Institute of Information Technology (SLIIT).