Tuesday, December 19, 2017

ARP Poisoning: What is it and How it Works


What is ARP?  
Address Resolution Protocol (ARP) is a protocol for mapping an Internet Protocol address (IP address) to a physical machine address that is recognized in the local network. For example, in IP Version 4, the most common level of IP in use today, an address is 32 bits long. In an Ethernet local area network, however, addresses for attached devices are 48 bits long. (The physical machine address is also known as a Media Access Control or MAC address.) A table, usually  called the ARP cache, is used to maintain a correlation between each MAC address and its corresponding IP address. ARP provides the protocol rules for making this correlation and providing address conversion in both directions.

How ARP Works? 
When an incoming packet destined for a host machine on a particular local area network arrives at a gateway, the gateway asks the ARP program to find a physical host or MAC address that matches the IP address. The ARP program looks in the ARP cache and, if it finds the address, provides it so that the packet can be converted to the right packet length and format and sent to the machine. If no entry is found for the IP address, ARP broadcasts a request packet in a special format to all the machines on the LAN to see if one machine knows that it has that IP address associated with it. A machine that recognizes the IP address as its own returns a reply indicating so. The ARP program updates the ARP cache for future reference and then sends the packet to the MAC address that replied. Since protocol details differ for each type of local area network, there are separate ARP Requests for Comments (RFC) for Ethernet, ATM, Fiber DistributedData Interface, and other protocols. There is a Reverse ARP (RARP) for host machines that don't know their IP address. RARP enables them to request their IP address from the gateway's ARP cache. 

What is ARP poison and a man in the middle attack?
 The Address Resolution Protocol serves the function of determining the mapping between IP addresses and MAC hardware addresses on local networks. For example, a host that wants to send a message to IP address on the local network sends a broadcast ARP packet that requests the MAC for that IP. The host that owns the IP returns an ARP reply packet with its MAC address. The requesting host then sends the message, and stores the IP-to-MAC mapping for future packets. In order to minimize network traffic, ARP implementations update their cache of ARP-to-IP mappings whenever an ARP request or reply is received. If the MAC address reported in the packet for the given IP has changed, the new value will overwrite the old one in the cache. ARP replies are unicast packets directed at one machine, and cause only that machine to update its cache.

The particular kind of ARP attack examined in this lab is the use of ARP reply packets to perform cache poisoning. This attack makes possible many sorts of man-in-the-middle attacks. Consider an example depicted The attacker, Host C, sends an ARP reply to B stating that A’s IP maps to C’s MAC address, and another ARP reply to A stating that B’s IP maps to C’s MAC address. Since ARP is a stateless protocol, hosts A and B assume that they sent an ARP request at some point in the past and update their ARP caches with this new information.
Now, when A tries to send a packet to B it will go to C instead. Host C can use this unique position to forward the packets on to the correct host and monitor or modify them as they pass through . 
This man in the middle attack allows C to monitor or modify telnet sessions, read mail passing over Post Office Protocol (POP) or SMTP, intercept SSH negotiations, monitor and display Web usage, and commit many other malicious activities. The ARP cache poisoning attack can be used against all machines in the same broadcast domain as the attacker. Hence, it works over hubs, bridges, and switches, but not across routers.

An attacker can, in fact, poison the ARP cache of the router itself, but the router won't pass the ARP packets along to its other links. Switches with port security features that bind MAC addresses to individual ports do not prevent this attack since no MAC addresses are actually changed. The attack occurs at a higher network layer, the IP layer, which the switch does not monitor.

No comments:

Post a Comment