Friday, July 29, 2011

The art of ARP spoofing/flooding/poisoning

So far I was mostly concentrating on web hacking and its counter measures but in the recent past I have shifted my focus more onto wireless hacking. It is as big and tricky as wireless hacking but it requires more deeper understanding of the basics of networks. In one of my interviews I ws asked a question on ARP poisoning ( Thanks to Sachin Sir) wich I couldnt answer . Since then only I shifted my focus onto wireless hacking in LAN and soon on WAN too.
In my previous post I explained the basics of NIC,MAC and ARP. The main motive of that post was to build the grounds for ARP poisoning which I will explain in this post . In this post I will explain the concept behind it and then in my next tutorial on Cain and Able I will explain how it can be used for this hack.
In case you are not aware of technicalities of these terms then please refer the above link first .

ARP spoofing/flooding/poisoning

This is a technique to attack LANs that use arp as the address resolution technique. This attack involves sending fake or spoofed messages onto a LAN and fool other machines .

ARP spoofing is the technique of forging fake ARP messages on a network. It is possible to update a host's ARP cache with false information via spoofed ARP Replies. This technique is known as 'ARP Poisoning' and is the basis of more complex attacks. The most dangerous amongst them is Sniffing . Poisoning can also help in causing DoS type of attack too but here we will primilarly focus on Sniffing the ethernet data.

Sniffing is the term used to describe the reading of all packets on a network segment. This is relatively easy on a network connected via a hub as ethernet is a broadcast medium and the attacker would only have to place his NIC in promiscuous mode to 'sniff' all traffic on that network segment. In a switched network this is not possible. This is because a switch builds a table of MAC addresses and their associated ports when the switch is powered on. When a host transmits an ethernet frame the switch examines the destination MAC address and routes the frame to the associated port as given in the switch table. Therefore it is not possible to sniff any traffic on the network.
There are two methods to sniff traffic in a switched environment using ARP Poisoning. The first is for the attacker to send multiple spoofed ARP Replies to the switch. The switch will process these replies, updating its table. If this is done at a rapid rate the switches table will overflow and the switch will default to broadcasting all traffic to all ports. The attacker can now 'sniff' all network traffic.

The second method involves a 'man in the middle' style attack. I will explain this technique in detail by aid of an example. Below is a simple network segment with three hosts in a switched environment.

The attacker wishes to sniff all traffic that A sends to B and visa versa. This is currently not possible as the attacker is connected to the network via a switch. The correct IP addresses and MAC addresses for each host are as follows:
Host                IP Address             MAC Address
Host A           00:00:00:00:00:02
Host B           00:00:00:00:00:03
Attacker          00:00:00:00:00:04

Firstly the Attacker will poison A's ARP cache with a spoofed ARP Reply. The ARP reply will tell A that the IP address of B now has a MAC address of 00:00:00:00:00:04. Once A has processed the ARP Reply its ARP cache will look like this:
Host              IP Address             MAC Address
Host A           00:00:00:00:00:02
Host B           00:00:00:00:00:04
Attacker           00:00:00:00:00:04

Secondly the Attacker will poison B's ARP cache with a spoofed ARP Reply. The ARP reply will tell B that the IP address of A now has a MAC address of 00:00:00:00:00:04. Once B has processed the ARP Reply its ARP cache will look like this:

Host           IP Address            MAC Address
Host A           00:00:00:00:00:04
Host B           00:00:00:00:00:03
Attacker           00:00:00:00:00:04

Now whenever A sends B an ethernet frame the switch will route it to the attackers port, this will also be the case whenever B sends A an ethernet frame. The attacker may now 'sniff' the traffic whilst forwarding it on to its originally desired host.
The thing to keep in mind here is that the attacker must perform the two way poisoning so that it can recieve the packets as well as send it to the destination . In this way the connection will always be alive between the two communicating hosts and the attack will perform successfully.


To protect a hosts ARP cache from being poisoned it is possible to make it static. If an ARP cache has been made static it will not process any ARP Replies received unlike a dynamic ARP cache. This is not practical for large networks as the correct IP address to MAC address association of every host would have to be present in the cache of every host before it is made static. If one host changed its MAC address (e.g. after replacing a NIC) all hosts ARP caches would need to be updated manually. On windows a login script could automate this process however it has been reported Windows will still accept and process ARP Replies even when the ARP cache has been made static.
It is also possible to use Intrusion Detection Systems (IDS) to detect ARP Poisoning attacks. Arpwatch is a tool that will monitor a network for any changes in MAC address to IP address association, e-mailing the administrator should any such offence occur.

Here I have added a cool flash that will help you understand the whole process digramatically. I got it from oxid , the makers of Cain and Able.
Stay tuned for my next post on how to perform ARP poisoning using Cain and Able.



  1. it would be great if you can explain the process of using some sniffing tools along with the basics..thanks

  2. hey abhinav..nice post again..informative and intresting..i am looking for some tutorial on BIOS hacking.

  3. @lalit : thanks for the suggestion of BIOS hacking tutorial..i have never written anything over it because it can cause serious damage to the machine at times..still i will try to bring out somthing..stay tunned.

  4. Nice blog and very useful thank you for sharing us.
    FNO Call