17 Dec, 2021

Everything You Need to Know About ARP Spoofing

by nVisium

ARP spoofing — also known as ARP poisoning — is a type of man-in-the-middle attack where an attacker sits between a targeted victim and the router to listen in on their online traffic. This is a form of cyber attack carried out over a local area network (LAN) that involves sending malicious Address Resolution Protocol (ARP) packets to a default gateway on a LAN in order to change the pairings in its IP to media access control (MAC) address table. ARP translates IP addresses into MAC addresses. Confused yet? You won't be for long since, by the end of this post, you'll not only understand ARP spoofing, but be able to demonstrate it. And as a result, you'll even learn how to protect yourself against these attacks.

How the Internet Transmits Data

Before diving into ARP spoofing, let's take a second to understand the internet's general communication systems. Don't worry — we'll be getting into the fun stuff very shortly, but it's important to understand why this attack works. Let's dive into three core areas: packets, MAC addresses, and IP addresses.

Packets

All of the information on the internet is transmitted via packets. Think of packets as packages that contain the data you need to send. Just like sending a package through USPS or FedEx, you'll need to have the proper routing info on the envelope. You'll need to make sure it contains the recipient's name, as well as where they live — so, the "TO:" and "ADDRESS" as with packages. That's only half the information, since you'll also need to include your name (the "FROM:") and your own "ADDRESS." Now, where these values swap out is that your "TO:" and "FROM:" now use MAC addresses — instead of people's names — and the "ADDRESS" is filled with IP addresses, as you can see in the figure below:

[Figure: Packets vs. Packages]

Lastly, let's talk about how packets are transported: routers sort and forward all the packets. Packets make their way through the internet, traveling from router-to-router just like packages travel from post office-to-post office. Got it? Good. Let's move on to our next core area: MAC addresses.

MAC Addresses

All devices on a network contain something called a network interface card (NIC). That means everything from your laptop to your cell phone has a NIC. Well, to be honest, everything that "talks" to the internet in some way has a NIC — so, anything from your gaming console to your smart fridge. Why is this? So the devices can both send packets, as well as receive them. Since the NIC is what holds the device's unique MAC address, this is how the router can tell all of the devices on the network apart from one another.

MAC addresses are normally 48-bit numbers written in hexadecimal, for example AC:F6:F7:B2:AE:81, with the first group of three numbers containing a vendor-specific number. So, in our example, AC:F6:F7 is from the vendor LG Electronics. The second group of three numbers is whatever the vendor chooses to assign. The goal is that you don't have two devices ending up with the same MAC address on your network. Because, just imagine the headache of having two people with the same name living together (I'm looking at you John Sr. and John Jr.). Still with me? Great. Let's move on to the last part of packet identification: IP addresses.

IP Addresses

I'm sure most of you are already aware of IP addresses and what they are, but just in case, here's a quick rundown. So, IP addresses can also identify machines on a network, but if that's true, why do we need MAC addresses at all?

Well, networks consist of hierarchical regions similar to how countries are split into states or provinces, which in turn, also have cities and towns. Now, because of the limitations of available IP addresses, not every device can be relied upon to use just IP addresses. For instance, an IPv4 address encodes the network hierarchy information in a 32-bit number. This number is typically represented in four sections separated by dots, as in 192.168.3.1. IP addresses in the same region of this hierarchy share the same upper-level bits, and the further to the left a bit sits in the IP address, the higher its level in the hierarchy.

As one example, all machines on the University of Virginia campus have IPv4 addresses like 128.143.***.***. You might also run into this written like 128.143.1.1/16, since that's how a subnet is written using classless inter-domain routing (CIDR). But, luckily, you don't need to be an expert in this, as subnets are a real monster to wrap your head around. All you need to know is that since IP addresses follow a particular structure, routers can use parts of the IP address to decide how to route a packet through the hierarchy in the most efficient way. As a result, with a mixture of subnets, IPs and MAC addresses, your devices are able to easily function.

ARP Tables Explained

Now that we've covered Internet 101, you have a better understanding of the juggling act that occurs every time a packet is sent. Essentially, once a packet gets to the LAN, the network uses the packet's MAC address to determine the machine or device that it belongs to. But how does the router know what MAC address belongs to what IP address? Simple: It sends something called an ARP query to all machines on the network, and the machine that owns that IP address responds with its MAC address. But — if your router had to go through that process every time it received a packet for sending and receiving — Netflix would still be a DVD rental business.

So, if performing that entire process of query and response to find a packet's destination (not to mention the best route) is too slow, how do we accelerate it? That's where ARP tables come to the rescue. Once the router gets a response from an ARP query, it saves the response in an ARP table. So, by keeping track of this information, it limits the number of times it needs to ask which MAC address belongs to a packet's IP address.

Lastly, to summarize what we covered so far: MAC addresses identify who you are, IP addresses identify where you are and ARP tables keep track of the mapping.

ARP Spoofing Attack 101

Now that we've covered the basics, let's get into the fun stuff. An ARP spoofing attack consists of two steps.

The first step is when an attacker sends a fake ARP response to the victim, saying that the attacker's device is the router for the LAN. This makes the victim's system think that all of its packets need to be passed to the attacker before getting to where they need to go. This works because — like the router — devices have ARP tables, so they don't need to keep reaching out when they want to send something.

The second step is when the attacker, having been sent packets from the victim, sends those packets over to the real LAN router. While you could just stop the traffic and not send it, this tactic wouldn't be much of a man-in-the-middle attack.

Now, while that's the bare minimum that you need in order to perform an ARP spoofing attack, if you really want to get your hands on even more data, you're going to need to go further with additional steps.

So, we're going to execute the same steps as before, but this time, we're telling the router that you're the victim machine — instead of telling the victim you're the router. By doing this, you get to see and send the responses of unencrypted packets. Now that we know what an ARP spoofing attack is, let's get into how to execute one.

Performing Your Own ARP Spoofing Attack

Before we perform an ARP spoofing attack, let's make sure we have all the requirements covered. A few tools you'll need are dsniff, netdiscover, arpspoof, and urlsnarf. While these tools can be swapped out — like changing dsniff for netcat or urlsnarf for wireshark — they're the ones I'm going to use for this demonstration. I'm also going to be executing this on an Ubuntu system to illustrate that you don't always need Kali Linux for hacking (I still encourage everyone to check out Kali, though). One piece of advice: Before installing via apt-get, always make sure to update regularly.

codebycody@TJOH:~$ sudo -i
codebycody@TJOH:~$ apt-get update
codebycody@TJOH:~$ apt-get install dsniff

Now, we can start looking for devices to target on the network using netdiscover:
codebycody@TJOH:~$ netdiscover
Currently scanning: 172.27.139.0/16 | Screen View: Unique Host

27 Captured ARP Req/Rep packets, from 15 hosts. Total size: 1534
_____________________________________________________________________________
IP            At MAC Address      Count   Len   MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.0.1   08:02:8e:88:c3:cb   11      660   NETGEAR
192.168.0.3   e8:9f:80:7c:bd:2b   3       180   Unknown vender


As you can see above, the response gave us back the MAC address of the router — in this case, a NETGEAR device — as well as a target. And in order to allow your machine to perform IP forwarding, you have to set a flag for your system to look for.

With Ubuntu and Kali, you set this flag by running the command echo 1 > /proc/sys/net/ipv4/ip_forward. Now, we can start ARP spoofing by running the following command: arpspoof -i eth0 -t <VICTIM_IP> <ROUTER_IP>. Just remember though: You need to run the command again, but now swapping the victim IP and the router IP. As a result, this will keep you in the middle for both outgoing and incoming traffic.

Next, you can run urlsnarf to capture unencrypted packets being sent between the two devices, as follows:
codebycody@TJOH:~$ urlsnarf -i eth0
urlsnarf: listening on eth0 [tcp port 80 or port 8080 or port 3128]
192.168.0.11 - - [14/Nov/2021:16:50:39 -0500] "GET http://thejoyofhacking.com/ HTTP/1.1" - - "-" "Mozilla/5.0 (Linux; Android 10; LM-G820) AppleWebkit/537.36 (KHTML, like Gecko) Chrom/95.0.4638.74 Mobile Safari/537.36
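
Seen from the victim's side, the poisoning demonstrated above leaves a trace in the ARP table: the router's IP address suddenly maps to a different MAC address, and that MAC address now answers for two IPs. The following Python is an added example, not part of the original post; it checks two snapshots in Linux /proc/net/arp format for both signs. The sample tables and the host 192.168.0.7 are constructed, and only the router entry is taken from the netdiscover output above.

```python
from collections import defaultdict

# Constructed snapshots in /proc/net/arp format (not captured from a real host).
# The gateway entry reuses the router address shown in the netdiscover output.
BEFORE = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.0.1      0x1         0x2         08:02:8e:88:c3:cb     *        eth0
192.168.0.7      0x1         0x2         aa:bb:cc:00:00:07     *        eth0
192.168.0.9      0x1         0x0         00:00:00:00:00:00     *        eth0
"""
# Same table after poisoning: the gateway IP now resolves to another host's MAC.
AFTER = BEFORE.replace("08:02:8e:88:c3:cb", "aa:bb:cc:00:00:07")


def parse_arp(text):
    """Return {(device, ip): mac} for resolved entries only."""
    table = {}
    for line in text.splitlines()[1:]:        # skip the header row
        fields = line.split()
        if len(fields) != 6:
            continue
        ip, _hw, flags, mac, _mask, dev = fields
        if int(flags, 16) & 0x2:              # ATF_COM: entry is complete
            table[(dev, ip)] = mac.lower()
    return table


def changed_bindings(old, new):
    """IPs whose MAC differs between snapshots: [(ip, old_mac, new_mac)]."""
    return sorted((ip, old[(dev, ip)], mac)
                  for (dev, ip), mac in new.items()
                  if (dev, ip) in old and old[(dev, ip)] != mac)


def shared_macs(table):
    """(device, mac) pairs that answer for more than one IP address."""
    owners = defaultdict(list)
    for (dev, ip), mac in table.items():
        owners[(dev, mac)].append(ip)
    return {key: sorted(ips) for key, ips in owners.items() if len(ips) > 1}


if __name__ == "__main__":
    old, new = parse_arp(BEFORE), parse_arp(AFTER)
    for ip, was, now in changed_bindings(old, new):
        print(f"ALERT {ip} moved from {was} to {now}")
    for (dev, mac), ips in shared_macs(new).items():
        print(f"ALERT {mac} on {dev} answers for {', '.join(ips)}")
```

A shared MAC address also occurs legitimately (one host with several IP addresses, proxy ARP), so treat that result as a lead and confirm it against the router's known MAC address.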

How to Protect Against ARP Spoofing Attacks

Although it's difficult to prevent an ARP spoofing attack, encrypting your internet traffic helps to protect your information from being stolen or modified. So, any traffic sent over an HTTPS connection is encrypted. However, manually checking to ensure that every URL you visit uses HTTPS is tedious, so the Electronic Frontier Foundation (eff.org) has created a web browser extension (for Chrome, Edge, Firefox, and Opera) called "HTTPS Everywhere" that ensures that all your web traffic goes over an HTTPS connection.

While just one defense, installing this plugin is a great way to keep your friends, family and yourself safe against ARP spoofing — and I hope that this blog could help to explain the concept.

Breaking down technical concepts into terms that the layperson can understand is what I enjoy most about the work I do, so check out more of my posts on my personal blog, The Joy of Hacking.

Any questions about nVisium or ARP spoofing? Hit me up on Twitter and check out our open positions here.

- Cody Michaels, Application Security Consultant

(This blog originally appeared on The Joy of Hacking.)
