This attack is not at all new, but its effectiveness is still striking. ARP is the de-facto protocol for mapping IP addresses to hardware (MAC) addresses on a local network, and the attack prevails because the protocol trusts whatever it is told. This post explains HOW ARP poisoning works, and a Perl script of roughly 20 lines (it can be more) complements the explanation.
DISCLAIMER: THE INTENTION OF THIS POST IS NOT TO PROMOTE HOW TO CRASH A NETWORK. ANY HARM CAUSED BY MISUSE OF THE INFORMATION (THE CODE) IS NOT THE RESPONSIBILITY OF THE AUTHOR. SOME VALUES ARE HARD-CODED. THIS IS TO PREVENT MISUSE UP TO CERTAIN LEVEL. THE CODE IS MEANT FOR EDUCATIONAL PURPOSES ONLY.
So, let's start with how ARP actually works. ARP stands for Address Resolution Protocol (most of you reading this will know that, but still, for completeness). In essence it is a question/answer protocol. A host that knows an IP address but needs the matching hardware address asks "Hey there everyone, who has ww.xx.yy.zz? Tell aa:bb:cc:dd:ee:ff", and the owner of that IP answers "ww.xx.yy.zz is at <its MAC, we'll come to this part later>". I'll take my hostel's LAN network as an example (where required) to paint the backdrop.
The question is asked whenever a computer needs to send an IP packet to an address on the local network whose MAC it does not know yet: typically right after it joins the network (via a wired Ethernet cable, Wi-Fi, or any damn thing you can think of) and above all for the default gateway, which every packet leaving the LAN passes through. ARP is a default part of the TCP/IP stack, so it is built into every OS. The question is a broadcast, and the reply comes from the host that owns the IP address, not from any server: there is no central authority in ARP.
Simplifying the convoluted thing said above: a host broadcasts "who has this IP?", whoever owns that IP replies with its MAC, and the asker caches the answer. (Handing out the IP address itself is the job of DHCP, a separate protocol; ARP only maps an IP that is already known to a MAC.) I hope this is clear; if it's not, drop me a line and I'll drop you a line back explaining this in a simpler way.
So this was when the "question" is asked. Now, sometimes a host changes its NIC, is assigned a static IP, or comes up on the network; then the ARP stack sends an "answer" nobody asked for, which is called a Gratuitous ARP packet. This packet is broadcast with the intention of updating others (and of noticing if someone else already uses the same IP), so that everyone knows you made some changes. All is well, everyone knows who is who, and they all update accordingly if there is a change.
We have an ARP table in our systems. Check it out using:
$ /sbin/arp -a <on a *nix machine; on modern Linux, ip neigh show gives the same table>
C:\>arp -a <on a windows machine>
What you'll see (you'll see something only if you're on some form of Ethernet or Wi-Fi) is a mapping between IP addresses and MAC addresses, one row per neighbour, along with the interface and the entry type. That is, if the table has an entry like <some IP> <some MAC>, this means that <some IP> has the MAC address <some MAC>.
This table is updated whenever an ARP reply is received, including a Gratuitous ARP packet. (Most stacks only refresh an entry that already exists when the reply is unsolicited, rather than creating a new one, but that is enough for the attack: a victim already has an entry for the gateway it talks to.)
The mechanism is really simple, but there is no mechanism to verify the authenticity of an ARP reply, gratuitous or otherwise. The packet carries no signature, and the hosts that get updated do not bother to check whether the update is valid. Herein lies the problem that gives birth to this attack. Anyone on the same segment can craft a packet mapping an IP to a false MAC address, and if one maps the IP of the network gateway to a MAC that nobody owns, BOOM! every host that believes it sends its outbound traffic into the void, and the network is cut off from the outside (the example Perl code does exactly this).
OK, I'll slow down and tell you what actually happens. Suppose a sender A broadcasts a Gratuitous ARP packet saying "hello everyone, my IP is ww.xx.yy.zz and my MAC is aa:bb:cc:dd:ee:ff" (assume the values in this broadcast are valid); then every node on the network updates its ARP table. All fine, no issues. The problem arises when A (or anyone else on the segment, since the sender fields are filled in by whoever crafts the packet) broadcasts "hello everyone, my IP is ww.xx.yy.zz and my MAC is qq:ww:ee:rr:tt:yy". The nodes on the network still update their ARP tables and unknowingly map the correct IP to the bad MAC. This forced mapping of wrong values is called ARP poisoning.
ARP poisoning can also be used to perform Man in The Middle attacks (MiTM in short). Suppose two friends A (female) and B (male) are transferring data, and a jealous friend C (boyfriend of A, who is an enemy of B and hates it when A talks to B) is interested in seeing what A and B are talking about. So C, being a hacker (cracker), sends a Gratuitous ARP packet to A mapping the IP of B to his own MAC. When A sends the next message, it doesn't go to B but to C, because A applies the new ARP table entry without checking it. Now, since C receives all the messages, he can easily modify them and forward them to B, or simply discard them (in the meantime creating friction between A and B). Note that for a true man in the middle C has to forward the traffic (and poison B with A's IP as well, to see both directions); if C only receives and drops, A's traffic just disappears and the result is the denial of service from before.
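The two scenarios just described, the gateway mapped to a MAC nobody owns and B's IP mapped to C's MAC, as an added Python example that is not the post's Perl script. It builds gratuitous ARP reply frames by hand (the same bytes Net::ARP puts on the wire), feeds them to a model of the trusting ARP cache described above, and, beside it, to a guarded cache that shows the check a defender wants: a pinned (static) entry for the gateway plus an alert whenever a known mapping changes, the way arpwatch-style monitors work. All addresses and both cache classes are constructed for this illustration; nothing here touches a real interface.

```python
import struct
from typing import Dict, List, Optional, Tuple

# All addresses below are constructed for this illustration; they are not from the post.
ETH_P_ARP = 0x0806        # EtherType for ARP
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_bytes(mac: str) -> bytes:
    return bytes(int(x, 16) for x in mac.split(":"))


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_bytes(ip: str) -> bytes:
    return bytes(int(x) for x in ip.split("."))


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def build_arp(op: int, sender_mac: str, sender_ip: str, target_mac: str,
              target_ip: str, dst_mac: str = BROADCAST) -> bytes:
    """Ethernet II frame carrying an RFC 826 ARP packet (14 + 28 = 42 bytes).
    The sender fields are whatever the sender writes into them: nothing checks them."""
    eth = mac_bytes(dst_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    # htype=1 (Ethernet), ptype=0x0800 (IPv4), hlen=6, plen=4, opcode
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)
    arp += mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp


def parse_arp(frame: bytes) -> Optional[Tuple[int, str, str, str, str]]:
    """(opcode, sender_mac, sender_ip, target_mac, target_ip), or None if not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return (op, mac_str(frame[22:28]), ip_str(frame[28:32]),
            mac_str(frame[32:38]), ip_str(frame[38:42]))


def gratuitous_reply(mac: str, ip: str) -> bytes:
    """Unsolicited reply announcing 'ip is at mac' to everyone (sender IP == target IP)."""
    return build_arp(ARP_REPLY, mac, ip, BROADCAST, ip)


class NaiveArpCache:
    """A host that believes every ARP reply it sees, as the post describes."""

    def __init__(self) -> None:
        self.table: Dict[str, str] = {}

    def receive(self, frame: bytes) -> None:
        p = parse_arp(frame)
        if p is not None and p[0] == ARP_REPLY:
            self.table[p[2]] = p[1]       # sender_ip -> sender_mac, no questions asked


class GuardedArpCache(NaiveArpCache):
    """Pins chosen mappings (like a static arp entry for the gateway) and logs any
    reply that tries to change a mapping it already knows (hypothetical defender model)."""

    def __init__(self, pinned: Dict[str, str]) -> None:
        super().__init__()
        self.pinned = dict(pinned)
        self.table.update(pinned)
        self.alerts: List[str] = []

    def receive(self, frame: bytes) -> None:
        p = parse_arp(frame)
        if p is None or p[0] != ARP_REPLY:
            return
        _, sha, spa, _, _ = p
        if spa in self.pinned and self.pinned[spa] != sha:
            self.alerts.append(f"REJECTED: reply says {spa} is at {sha}, pinned to {self.pinned[spa]}")
            return
        if spa in self.table and self.table[spa] != sha:
            self.alerts.append(f"CHANGED: {spa} moved from {self.table[spa]} to {sha}")
        self.table[spa] = sha


def demo() -> Dict[str, object]:
    gw_ip, gw_mac = "10.0.0.1", "aa:bb:cc:dd:ee:ff"     # the gateway
    b_ip, b_mac = "10.0.0.20", "66:77:88:99:aa:bb"      # B, the legitimate peer
    c_mac = "00:11:22:33:44:55"                          # C, the attacker
    void_mac = "de:ad:be:ef:00:01"                       # a MAC nobody on the segment owns

    victim, guarded = NaiveArpCache(), GuardedArpCache({gw_ip: gw_mac})
    frames = [
        gratuitous_reply(gw_mac, gw_ip),    # honest announcements: caches learn the truth
        gratuitous_reply(b_mac, b_ip),
        gratuitous_reply(void_mac, gw_ip),  # poison 1: gateway -> nowhere, LAN loses its uplink
        gratuitous_reply(c_mac, b_ip),      # poison 2: B -> C, A's traffic for B lands on C (MiTM)
    ]
    for f in frames:
        victim.receive(f)
        guarded.receive(f)
    return {"naive": victim.table, "guarded": guarded.table, "alerts": guarded.alerts}


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

After the four frames the naive cache has the gateway at the non-existent MAC and B at C's MAC, which is the whole attack. The guarded cache keeps the pinned gateway entry and records the attempt, and it still accepts the B mapping (it is not pinned) but raises a CHANGED alert, which is the signal to look for in practice: a static entry for the gateway plus monitoring for IP-to-MAC changes.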
The code at the following website (it's a paste-zone, where we coders discussing on IRC paste stuff and ask doubts about some programs) just cuts off the network by poisoning the gateway mapping. For MiTM, drop me a line and I'll explain how to do that. Note: you need the Net::ARP Perl module to run this code, and it has to run as root, since it writes raw frames to the interface.
Any doubts or anything else will be clarified here; if it's still not clear, mail me at firstname.lastname@example.org
May the force be with you