ARP Poisoning

If the network uses a switch, traffic passing through the switch is delivered only to the port of its destination host.  This is bad for the attacker because they cannot see network traffic that is not sent specifically to them.  That’s where ARP, the Address Resolution Protocol, comes in.  ARP poisoning, also known as ARP spoofing, is a process in which the attacker sends a stream of ARP replies telling the target that the attacker’s MAC address belongs to the destination IP address.  Since ARP has no authentication and hosts accept unsolicited replies and update their caches with them, it’s fairly easy to convince a target machine to send all of its traffic to you as the attacker.

ARP poisoning and IP forwarding work hand in hand.  As described above, ARP poisoning ensures that all traffic from a target goes to the attacking machine.  In order not to give yourself away, you also need to ensure that the target still reaches its webpage or specific server.  This is done through IP forwarding.  When the traffic is received on the attacker machine, the kernel passes the same packets on to the next hop instead of dropping them.  In most cases, you will be forwarding all of the traffic to the gateway or router.

NOTE:  It’s never a good idea to ARP poison an entire network.  Sending all traffic through your one laptop will slow down traffic to a point where it’s noticeable.  Instead, decide which machine will be your target and concentrate on that one.

First, the attacker should check out the ARP cache on their own machine.  To do this, use the command:
$ arp
This will reveal the IP addresses and the HWaddresses (MACs) currently associated with them in the system’s ARP cache.  As time goes on, as further ARP replies are received, the list will grow.  Take note of anything interesting like a gateway or specific server.  Next, IP forwarding is enabled on the attacker machine (this requires root) so that any traffic will continue on to its destination:
$ echo 1 > /proc/sys/net/ipv4/ip_forward
Arpspoof is next.  This will let us poison the target machine and make it think that we are its destination.  To do this, we tell the program which adapter to use, who the target is, and who we want to be:
$ arpspoof -i eth0 -t <target_IP_address> <who_we_want_to_be>
We also need to pose as the target machine, and not just the target server.  Since we’re in the middle, we actually have two targets to pose as.  The second instance of ARPspoof will be for the actual destination server:
$ arpspoof -i eth0 -t <server_IP_address> <target_IP_address>
Now we can check the ARP cache on the target machine again to see if the attack took hold:
$ arp -a
This should show the attacker’s MAC address listed against the server’s IP address.  As such, when our target tries to log onto the server, or request data from it, we will see all of the traffic.  In addition, we’ll be forwarding all of the traffic to the server, and then back to the target, so neither side notices anything is going on.
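The `arp -a` check above is also exactly what a defender looks for: after poisoning, one MAC address (the attacker’s) answers for more than one IP, and the MAC recorded for a trusted address such as the gateway no longer matches what it was on a clean network.  The following script is an added example, not part of the original article or of the arpspoof tool.  It parses the Linux `/proc/net/arp` table layout (the same data the `arp` command prints) and flags both symptoms; the table contents and the baseline gateway MAC are constructed for the example.

```python
"""Detect a likely ARP poisoning event from the Linux ARP cache.

Parses the /proc/net/arp table layout (the same data `arp` / `arp -a` show)
and flags two symptoms of the attack described above:
  1. one MAC address claiming more than one IP address (an attacker's NIC
     answering for both the gateway/server and the victim), and
  2. the MAC recorded for a trusted IP (e.g. the gateway) differing from a
     known-good baseline captured on a clean network.
"""
from collections import defaultdict

# Constructed sample in /proc/net/arp layout: a header line, then one entry per line.
# 192.168.1.1 (gateway) and 192.168.1.10 both resolve to the same MAC, and the
# last entry is incomplete (flags 0x0), which real caches contain transiently.
SAMPLE_ARP_TABLE = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.1.1      0x1         0x2         aa:bb:cc:dd:ee:01     *        eth0
192.168.1.10     0x1         0x2         aa:bb:cc:dd:ee:01     *        eth0
192.168.1.20     0x1         0x2         00:11:22:33:44:55     *        eth0
192.168.1.30     0x1         0x0         00:00:00:00:00:00     *        eth0
"""

# Constructed known-good mapping; a defender records this from a clean network.
BASELINE = {"192.168.1.1": "de:ad:be:ef:00:01"}


def parse_arp_table(text):
    """Return {ip: mac} for complete entries only (ATF_COM flag 0x2 set)."""
    entries = {}
    for line in text.splitlines()[1:]:  # skip the header line
        fields = line.split()
        if len(fields) < 6:
            continue
        ip, flags, mac = fields[0], fields[2], fields[3].lower()
        if int(flags, 16) & 0x2 == 0:  # incomplete entry, no MAC learned yet
            continue
        entries[ip] = mac
    return entries


def find_duplicate_macs(entries):
    """Return {mac: [ips...]} for every MAC that answers for more than one IP."""
    by_mac = defaultdict(list)
    for ip, mac in entries.items():
        by_mac[mac].append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


def find_baseline_mismatches(entries, baseline):
    """Return [(ip, expected_mac, seen_mac)] where a trusted IP's MAC has changed."""
    return [(ip, mac, entries[ip]) for ip, mac in baseline.items()
            if ip in entries and entries[ip] != mac]


def assess(text, baseline):
    """Run both checks over an ARP table dump and return the findings."""
    entries = parse_arp_table(text)
    return {"duplicates": find_duplicate_macs(entries),
            "mismatches": find_baseline_mismatches(entries, baseline)}


if __name__ == "__main__":
    # On a live host you would read open("/proc/net/arp").read() instead.
    report = assess(SAMPLE_ARP_TABLE, BASELINE)
    for mac, ips in report["duplicates"].items():
        print(f"ALERT: {mac} answers for multiple IPs: {', '.join(ips)}")
    for ip, expected, seen in report["mismatches"]:
        print(f"ALERT: {ip} expected {expected}, cache now says {seen}")
```

Run periodically (or on a host that keeps static ARP entries for the gateway), either alert is a strong signal that something on the segment is answering for addresses it does not own; the baseline check is the more reliable of the two, since a duplicate MAC can also be a legitimate host with several addresses.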