Khoa Pham
Posted on September 21, 2018
There’s a technique called ARP Spoofing.
ARP (Address Resolution Protocol) is a link layer protocol, it is used for resolving network layer address (IP) into link layer address (MAC).
When we want to send IP packet to another host (a computer in the same LAN, or the Gateway), we must know the destination IP address. In order for the packet to reach the destination, the destination IP address must be converted to the corresponding MAC address, so the transmission can be processed in the data link layer. To setup this mapping IP-MAC in the ARP table, we must first send ARP request as broadcast one to the LAN. In the happy case, the one with the IP in the ARP request will reply us with his MAC address.
Unfortunately, ARP is a stateless protocol. This means we continue to accept ARP replies and overwrite the old ones, even they have not expired yet. Worse, ARP does not define any authentication method to check whether the replies come from the trusted one (the one we want to receive the replies). These offer chances for the attacker to perform ARP Spoofing.
The theory behind ARP Spoofing
From the machine in the LAN, the attacker associate his MAC address and IP address of the target host (usually the Gateway), so that any traffic sent to that target host will come to the attacker. Here the attacker can decide whether to modify the packet, send or not.
There are 3 types of ARP Spoofing
Spoof the host computer
Spoof the Gateway
Spoof both the host computer and the Gateway
To see the ARP table
Open Command line (Windows) or Terminal (Mac OSX), and type
arp -a
This will list the MAC address associated with a specific IP. Note that some mappings maybe wrong due to ARP Spoofing
How to prevent against this ?
To prevent spoofing our computer, we can use softwares (search for Anti Netcut, Anti ARP spoofing, …) or set the static ARP ourselves. In fact, those softwares are based on setting static ARP. This way we set the static mapping IP-MAC for a specific host (computer or Gateway), and the OS definitely ignores all ARP replies for that IP.
Example of static ARP mapping associated with the Gateway, performed on the computer host
192.168.1.1 B4-B3–62–7C-CE-55
Here 192.168.1.1 and B4-B3–62–7C-CE-55 are the Gateway’s IP and MAC address
To prevent spoofing the Gateway, we must set static ARP on that Gateway. Go to the Gateway/Router interface, in its ARP setting, fill in the mapping IP-MAC for a specific host
Look for that Gateway manual or the related guide on how to perform this. This is devices dependent-method, but the theory remains the same.
Example of static ARP mapping associated with the computer host, performed on the Gateway
192.168.1.2 64–70–02-B2–9B-E1
Here 192.168.1.2 and 64–70–02-B2–9B-E1 are the machine host ‘s IP and MAC address. The machine host can be any computer in the LAN
How to set static ARP
Proposed that
192.168.1.1 The destination host ‘s IP
B4-B3–62–7C-CE-55 The destination host ‘s MAC
Local Area Connection Our network interface name
Open Command Line (Windows) or Terminal (Mac OSX) and type
Windows XP
To delete specific mapping
arp -d 192.168.1.1
To set specific mapping
arp -s 192.168.1.1 B4-B3–62–7C-CE-55
Windows 7 64bit
Maybe you need to open Command Line as Administration role
To delete specific mapping
netsh interface ipv4 delete neighbors 192.168.1.1
To set specific mapping
netsh interface ipv4 add neighbors “Local Area Connection” 192.168.1.1 B4-B3–62–7C-CE-55
Mac OSX
To delete specific mapping
sudo arp -d 192.168.1.1
To set specific mapping
sudo arp -s 192.168.1.1 B4-B3–62–7C-CE-55
Original post https://medium.com/fantageek/understanding-arp-at-the-mac-layer-464c4b800381
Posted on September 21, 2018
Join Our Newsletter. No Spam, Only the good stuff.
Sign up to receive the latest update from our blog.