Networking
18 June 2011

An Introduction to ARP Cache Poisoning

Other posts in the ARP series: The ARP protocol explained, Viewing and manipulating the ARP cache on Windows and Linux

Recall that each network interface keeps a table of IP-to-MAC mappings, its ARP cache. An ARP packet has the following structure:

Structure of an ARP packet

There are two types of ARP packets, request and reply; the type is given by the Operation Code field. The table below shows a normal exchange:

  • Host A sends an ARP request looking for the MAC address of Host B.
  • Host B responds with an ARP reply.

  Field              ARP Request          ARP Reply
  Source MAC         MAC of Host A        MAC of Host B
  Source IP          IP of Host A         IP of Host B
  Destination MAC    00:00:00:00:00:00    MAC of Host A
  Destination IP     IP of Host B         IP of Host A
  Operation Code     1                    2

(RFC 826 calls these fields Sender/Target Hardware Address and Sender/Target Protocol Address. The Destination MAC of the request is all zeros because that is exactly the value Host A does not know yet.)

This ARP packet is encapsulated in an Ethernet frame (EtherType 0x0806) whose header carries the following values:

  Field              Payload: ARP Request             Payload: ARP Reply
  Source MAC         MAC of Host A                    MAC of Host B
  Destination MAC    ff:ff:ff:ff:ff:ff (broadcast)    MAC of Host A

Normally an ARP request is sent because the sender wants to talk to a given IP address and needs to find out the associated MAC address. Sometimes, however, a host sends an ARP packet to announce its own mapping to everyone on the segment rather than to ask for one. This is called gratuitous ARP and is commonly used in the following situations:

  • Duplicate address detection
  • Change of MAC address
  • Virtual IP

Routers, switches and other network hardware may update their own caches from the gratuitous ARP packets they see on the segment. In a gratuitous ARP packet the sender IP and target IP fields are both equal to the sender's IP, and the sender MAC field is the sender's MAC. The operation code and target MAC fields vary: announcements are commonly sent as requests with a zero or broadcast target MAC (the form RFC 5227 specifies), or as replies addressed to the broadcast MAC.
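As an added example (not code from the original post), the following pure-Python script builds the request, the reply and a gratuitous announcement from the tables above as raw bytes, parses them back, and classifies gratuitous ARP by the "sender IP equals target IP" rule. The host addresses are constructed sample values; no packets are sent.

```python
import struct

# Constants from the tables above
ETH_P_ARP = 0x0806             # EtherType for ARP
ARP_REQUEST, ARP_REPLY = 1, 2  # Operation Code values
ZERO_MAC = "00:00:00:00:00:00"
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"

# Constructed sample hosts (assumed values, not from the original post)
HOST_A = ("aa:aa:aa:aa:aa:01", "192.168.1.10")
HOST_B = ("bb:bb:bb:bb:bb:02", "192.168.1.20")


def mac_to_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def bytes_to_mac(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_to_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))


def bytes_to_ip(b):
    return ".".join(str(x) for x in b)


def build_arp_frame(op, sender_mac, sender_ip, target_mac, target_ip, eth_dst=None):
    """Encapsulate a 28-byte Ethernet/IPv4 ARP packet in a 14-byte Ethernet II header.

    eth_dst defaults to the values in the table: broadcast for a request,
    the target's MAC for a reply.
    """
    if eth_dst is None:
        eth_dst = BROADCAST_MAC if op == ARP_REQUEST else target_mac
    ethernet = mac_to_bytes(eth_dst) + mac_to_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    # htype=1 (Ethernet), ptype=0x0800 (IPv4), hlen=6, plen=4, then the operation code
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    arp += mac_to_bytes(sender_mac) + ip_to_bytes(sender_ip)
    arp += mac_to_bytes(target_mac) + ip_to_bytes(target_ip)
    return ethernet + arp


def parse_arp_frame(frame):
    """Decode an Ethernet frame carrying ARP; raise ValueError on anything else."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet + ARP (need 42 bytes)")
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETH_P_ARP:
        raise ValueError(f"not an ARP frame (EtherType 0x{ethertype:04x})")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported hardware/protocol address types")
    if op not in (ARP_REQUEST, ARP_REPLY):
        raise ValueError(f"unknown operation code {op}")
    body = frame[22:42]
    return {
        "eth_dst": bytes_to_mac(eth_dst),
        "eth_src": bytes_to_mac(eth_src),
        "op": op,
        "sender_mac": bytes_to_mac(body[0:6]),
        "sender_ip": bytes_to_ip(body[6:10]),
        "target_mac": bytes_to_mac(body[10:16]),
        "target_ip": bytes_to_ip(body[16:20]),
    }


def is_gratuitous(pkt):
    """Gratuitous ARP announces the sender's own mapping, so sender IP == target IP."""
    return pkt["sender_ip"] == pkt["target_ip"]


def normal_exchange():
    """Build the request/reply pair from the tables above and return both decoded."""
    mac_a, ip_a = HOST_A
    mac_b, ip_b = HOST_B
    request = build_arp_frame(ARP_REQUEST, mac_a, ip_a, ZERO_MAC, ip_b)
    reply = build_arp_frame(ARP_REPLY, mac_b, ip_b, mac_a, ip_a)
    return parse_arp_frame(request), parse_arp_frame(reply)


def gratuitous_announcement(mac, ip):
    """Announcement in the RFC 5227 form: a request with sender IP == target IP, zero target MAC."""
    return parse_arp_frame(build_arp_frame(ARP_REQUEST, mac, ip, ZERO_MAC, ip))


if __name__ == "__main__":
    req, rep = normal_exchange()
    print("request:", req)
    print("reply:  ", rep)
    print("gratuitous?", is_gratuitous(gratuitous_announcement(*HOST_A)))
```

The parser deliberately rejects anything that is not Ethernet/IPv4 ARP and any operation code other than 1 or 2, which is the minimum a monitor should do before trusting the address fields; note that nothing in the format itself lets a receiver tell a genuine reply from a forged one.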

ARP is stateless: a receiving computer does not check whether a reply matches a request it actually sent. A reply arriving at any time, whether gratuitous or 'normal', even when no request is outstanding, can update the receiver's ARP cache. (How far this goes depends on the stack. Many stacks update an existing entry on any reply but, like Linux with its default arp_accept=0, do not create a new entry from an unsolicited one; that does not hinder an attacker, because the victim already has an entry for the gateway it talks to.) Consequently, if the gateway were to receive a spoofed (fake) ARP reply from an attacking computer claiming the IP address that belongs to some other computer, the gateway would trustingly replace its current, correct entry with the attacker's MAC address. This is called ARP cache poisoning.

The same trick works in the other direction. If the attacker sends a similar forged reply to the computer being hijacked, replacing that computer's ARP cache entry for the gateway, then all of its subsequent traffic bound for the gateway is sent to the attacker instead. If the attacker forwards the redirected traffic on to its proper destination, after inspecting and perhaps modifying it, neither of the two computers notices that their communication is now relayed through an unknown and probably malicious intermediary. This is commonly referred to as a man-in-the-middle attack. Note that the attacker has to forward the traffic (for example by enabling IP forwarding); if it does not, the victim simply loses connectivity to the gateway, which is the most common way a poisoning attempt gets noticed.
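The following added example (again not code from the original post) models the two behaviours just described with a toy ARP cache: one that trusts every reply, exactly as the text describes, and one with the two checks an arpwatch-style monitor applies (a reply nobody asked for, and a known IP that suddenly changes MAC). It runs the gateway-poisoning and the two-sided man-in-the-middle scenario against both. The addresses are constructed, and `NaiveArpCache` / `GuardedArpCache` are illustrative names, not any real stack's API.

```python
from dataclasses import dataclass, field

# Constructed scenario addresses (assumed values, not from the original post)
GATEWAY_IP, GATEWAY_MAC = "192.168.1.1", "aa:aa:aa:aa:aa:01"
VICTIM_IP, VICTIM_MAC = "192.168.1.20", "bb:bb:bb:bb:bb:02"
ATTACKER_MAC = "cc:cc:cc:cc:cc:03"


@dataclass
class NaiveArpCache:
    """The behaviour the text describes: any reply, solicited or not, overwrites the cache."""
    table: dict = field(default_factory=dict)

    def send_request(self, target_ip):
        pass  # nothing is remembered, so a reply can never be checked against a request

    def on_reply(self, sender_ip, sender_mac):
        self.table[sender_ip] = sender_mac
        return True

    def lookup(self, ip):
        return self.table.get(ip)


@dataclass
class GuardedArpCache:
    """Same cache plus two checks an arpwatch-style monitor makes:
    a reply nobody asked for, and a known IP that suddenly changes MAC."""
    table: dict = field(default_factory=dict)
    outstanding: set = field(default_factory=set)  # IPs we have requested and not yet resolved
    alerts: list = field(default_factory=list)

    def send_request(self, target_ip):
        self.outstanding.add(target_ip)

    def on_reply(self, sender_ip, sender_mac):
        previous = self.table.get(sender_ip)
        if previous is None and sender_ip not in self.outstanding:
            # Like Linux with arp_accept=0: an unsolicited reply may not create a new entry
            self.alerts.append(f"dropped unsolicited reply {sender_ip} -> {sender_mac}")
            return False
        if previous is not None and previous != sender_mac:
            # The poisoning signature: an IP we already know resolves to a different MAC.
            # Alerting is what a monitor does; refusing the update is a strict policy that
            # would also block a legitimate NIC swap or failover (see the note below).
            self.alerts.append(f"MAC flip for {sender_ip}: {previous} -> {sender_mac}")
            return False
        self.table[sender_ip] = sender_mac
        self.outstanding.discard(sender_ip)
        return True

    def lookup(self, ip):
        return self.table.get(ip)


def run_poisoning_scenario():
    """The victim resolves the gateway legitimately, then the attacker sends a forged
    reply claiming the gateway's IP with the attacker's own MAC."""
    results = {}
    for name, cache in (("naive", NaiveArpCache()), ("guarded", GuardedArpCache())):
        cache.send_request(GATEWAY_IP)
        cache.on_reply(GATEWAY_IP, GATEWAY_MAC)              # genuine reply from the gateway
        accepted = cache.on_reply(GATEWAY_IP, ATTACKER_MAC)  # forged, unsolicited reply
        results[name] = {
            "forged_reply_accepted": accepted,
            "gateway_resolves_to": cache.lookup(GATEWAY_IP),
            "alerts": list(getattr(cache, "alerts", [])),
        }
    return results


def run_mitm_scenario():
    """Poison both ends (naive caches): the victim's entry for the gateway and the
    gateway's entry for the victim both end up pointing at the attacker."""
    victim, gateway = NaiveArpCache(), NaiveArpCache()
    victim.on_reply(GATEWAY_IP, GATEWAY_MAC)   # legitimate state before the attack
    gateway.on_reply(VICTIM_IP, VICTIM_MAC)
    victim.on_reply(GATEWAY_IP, ATTACKER_MAC)  # forged: "I am the gateway"
    gateway.on_reply(VICTIM_IP, ATTACKER_MAC)  # forged: "I am the victim"
    return {
        "victim_sees_gateway_as": victim.lookup(GATEWAY_IP),
        "gateway_sees_victim_as": gateway.lookup(VICTIM_IP),
    }


if __name__ == "__main__":
    for name, outcome in run_poisoning_scenario().items():
        print(name, outcome)
    print("mitm:", run_mitm_scenario())
```

The guarded cache refuses a changed MAC only to make the effect visible; a real host stack generally accepts the update, because the same flip happens legitimately when a NIC is replaced or a virtual IP fails over, which is why the practical defences are static ARP entries for critical hosts, dynamic ARP inspection on the switch, and a monitor such as arpwatch that alerts on exactly the flip shown here.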

The image below shows a man-in-the-middle attack scenario.

Content and images partly retrieved from here and here.

Tags: gratuitous, poisoning, reply, request, unsolicited