ARP Poisoning attacks, also known as ARP Spoofing, are one
of the most famous and dangerous man-in-the-middle attacks that we can find on
wired and wireless networks. If a cybercriminal conducts this attack correctly,
he can intercept all communications between the victim and the Internet
connection, in addition, using slightly more advanced methods, they can even
change traffic on the fly and even "increase" security. HTTPS
protocol to convert it to HTTP and compromise our security. Today at RedesZone
we are going to explain what ARP Poisoning does, how it is done with the
popular Kali Linux distribution, and how we can protect ourselves from this
attack on the network. bolts.answerhop
What is ARP Protocol?
ARP (Address Resolution Protocol) is one of the main
protocols in IPv4 networks, without this protocol we would not be able to
obtain an IP address via DHCP or communicate with other computers, even if we
put a private IP address on our computer. ARP allows network connections to
properly reach their destination by converting IP addresses (logical addresses)
to MAC addresses (physical addresses) and vice versa. The ARP protocol is
responsible for creating a table with an IP-MAC pair and so that different
computers on the local network can communicate with each other without
problems, in addition, it also ensures that computers can communicate with the
router to access the Internet. have a LAN IP and MAC address, tc-bolts.dyifo
ARP only exists in IPv4 networks; in IPv6 networks, ICMPv6
does the same job, which includes more features than IPv4. We ourselves can see
the ARP board of our equipment to see all the equipment on the local network
with which we are currently communicating if we open the console and enter the
following command.
In the following image, you canister see the private IP
addresses (internet addresses) as well as the MAC addresses of all devices
(physical address). We can see all the ARP tables of the various NICs we have,
a very important detail is that we can remove or put IP-MAC pairs from this ARP
table manually techqueer
All computers store this ARP table as a cache, so it will be
updated temporarily or as new computers appear with which we want to interact, that
is, it is a dynamic table that changes depending on what kind of communication
we are going to do. Thus, if a given computer does not know the MAC address of
an IP address, it must send an ARP request packet asking other computers for
the corresponding MAC address.
One of the most important accesses in the ARP table is the
entry displayed by the router, usually the first IP address on the subnet. ARP
poisoning attacks specifically focus on this entry and we will now explain why.
ARP was not designed with security in mind, so it never checks if the answer to
an ARP request really comes from a legitimate host, anyone can easily and
quickly impersonate another host by performing an ARP poisoning attack. construction-bolts.tockhop
What is ARP Poisoning Attack?
An ARP Poisoning attack consists of poisoning the victim's
ARP table, making them believe the router is an attacker, in order for the
victim to redirect all of its traffic to that attacker in order to listen for
every connection it makes. Thus, a victim device can unknowingly send all of
its network traffic to that attacker and execute two different types of
attacks:
DoS attack: if the attacker does not redirect connections to
the router to access the Internet, we will denial of service to the victim,
that is, we will leave him without an Internet connection.
Man-in-the-Middle Attack: If an attacker redirects
connections to the router to access the Internet, we will carry out a MitM
attack, receiving all of its network traffic for further investigation, in
addition, the information sent or received may also be altered. ... In fact,
one of the maximum dangerous attacks on the fly, the victim is SSL Stripping,
with which an attacker can pick up HTTPS traffic and convert it to HTTP in
order to spy on all communications. The invader will be able to continue
routing all messages and get all the information, which is the most common
thing, in fact, he will be able to steal the victim's cookies and impersonate
him without having to steal user accounts and passwords.
To perform an ARP poisoning attack, certain requirements
must be met:
The attacker must be on the same system as the target, on
the same wired network, or on the same Wi-Fi network.
You have to scan the entire local network looking for the victim's IP address and then launch the attack.
You have to use various tools to create a spoofed ARP packet
and send it to the victim. Two well-known tools for accomplishing this task are
arpspoof and BetterCap, for the latter you have a complete guide at RedZone.
As soon as bogus ARP packets are sent to the victim, it will
think we are a router. But for the communication to be bi-directional, we also
need to make the router believe that we are a victim, so we will have to launch
two ARP Poisoning attacks, one on the victim and the other on the router. bacobolts.yictic
