
Albert-Ludwigs-University of Freiburg

Department of Communication Systems

Internetworking Seminar

ARP Spoofing

By

Vamshidhar Chillamcharla
Contents:

1. Introduction

2. ARP Working

3. Definition of ARP Spoofing

4. Operating Systems Vulnerable to ARP Spoofing

5. Attacks

6. Tools and Utilities

7. ARP Spoofing Defenses and Detection

8. Practical Implementation

9. References

Epitome:
This paper discusses ARP spoofing, which concerns the Internet (IP) and Ethernet
protocols. I first describe the network structure it relies on, then the operating systems
that are vulnerable to it, the attacks that occur, how the attacks can be detected and avoided
and, finally, a practical implementation of one of the attacks.

Introduction:
Basics of Networking:
ARP spoofing is only applicable to Ethernet networks. Basically, a system
connected to an IP or Ethernet LAN has two addresses. The first is the MAC address, which
is hardwired into the specific network interface card (NIC) that a user has bought. MAC
addresses are (at least supposed to be) globally unique, and it is with this address that the
Ethernet protocol sends data back and forth. Ethernet builds data frames which consist of
1500 byte blocks. An Ethernet frame consists of an Ethernet header containing the MAC
addresses of the source and destination computers.

The second address is the IP address. IP is a protocol used by applications,
independent of whatever underlying technology carries it. Every computer on a network must
have a unique IP address for communication. IP addresses are virtual and are assigned
by software.

IP and Ethernet must work together. IP communicates by constructing packets,
which differ from the frame structure. These packets are delivered by the network
layer (Ethernet), which splits the packets into frames, adds an Ethernet header and sends
them to a network component such as a switch. That component then decides the port to
which the frame should be sent by comparing the destination address of the frame against
an internal table that maps port numbers to MAC addresses.

As mentioned earlier, an Ethernet frame is built from an IP packet, but to
construct the Ethernet frame the network needs the MAC address of the destination
computer, whereas at this point only the IP address of the destination machine is known.
Hence the ARP protocol is used to find the MAC address of the destination computer from
its IP address.
Basics of ARP (Address Resolution Protocol):

Address Resolution Protocol (ARP) is a protocol for mapping an Internet
Protocol address (IP address) to a physical machine address (MAC address) that is
recognized in the local network. For example, in IP version 4, the most common level of IP
in use today, an address is 32 bits long. In an Ethernet local area network, however,
addresses for attached devices are 48 bits long. (The physical machine address is also
known as a Media Access Control or MAC address.) In order to increase the efficiency of
the network and not tie up bandwidth with ARP broadcasts, each computer keeps a table of
IP addresses and matching Ethernet addresses in memory. This is called the ARP cache.
Before sending a broadcast, the sending computer checks whether the information is
already in its ARP cache. If it is, it completes the Ethernet frame without an ARP broadcast.
Each entry usually lasts 20 minutes (but this depends on the OS). RFC 1122 specifies that it
should be possible to configure the ARP cache timeout value on the host. To examine the
cache on a Windows, UNIX or Linux computer, type "arp -a". ARP provides the protocol
rules for making this correlation and for address conversion in both directions.

How ARP Works:

When an incoming packet destined for a host machine on a particular local
area network arrives at a gateway, the gateway asks the ARP program to find a physical
host or MAC address that matches the IP address. The ARP program looks in the ARP
cache and, if it finds the address, provides it so that the packet can be converted to the
right packet length and format and sent to the machine. If no entry is found for the IP
address, ARP broadcasts a request packet in a special format to all the machines on the
LAN to see whether one machine knows that it has that IP address associated with it. A
machine that recognizes the IP address as its own returns a reply indicating so. ARP
updates the ARP cache for future reference and then sends the packet to the MAC address
that replied.

Here is an example of a simple ARP communication. Jessica, the receptionist,
tells Word to print the latest company contact list. This is her first print job today. Her
computer (IP address 192.168.0.16) wants to send the print job to the office's HP LaserJet
printer (IP address 192.168.0.45). So Jessica's computer broadcasts an ARP request to
the entire local network asking, "Who has the IP address 192.168.0.45?", as seen in
Figure 1.

All the devices on the network ignore this ARP request except for the HP
LaserJet printer. The printer recognizes its own IP address in the request and sends an ARP
reply: "Hey, my IP address is 192.168.0.45. Here is my MAC address: 00:90:7F:12:DE:7F",
as in Figure 2. Now Jessica's computer knows the printer's MAC address. It sends the print
job to the correct device, and it also associates the printer's MAC address
00:90:7F:12:DE:7F with the printer's IP address 192.168.0.45 in its ARP table.

Figure 1. ARP Functionality


Figure 2. ARP functionality

This is the case when the receiving host is on the same network. If the
receiving host is on another network, the sending computer goes through its routing table
and determines the correct router (a router sits between two or more networks) to send to,
and it substitutes the Ethernet address of the router in the Ethernet frame. The
encapsulated IP packet still carries the intended destination IP address. When the router
gets the frame, it looks at the IP data to tell where to send the data next. If the recipient is
on a network the router is connected to, it does the ARP resolution itself, either using its
ARP cache or broadcasting.

ARP Frame Format:


The ARP message consists of an Ethernet header and an ARP packet.
The Ethernet header contains:
• A 6 byte Ethernet destination address.
• A 6 byte Ethernet source address.
• A 2 byte frame type. The frame type is 0806 hexadecimal for ARP and 8035 for RARP.
The encapsulated ARP data packet contains the following:
• Type of the hardware address (2 bytes). 1 = Ethernet.
• Type of protocol address being mapped (2 bytes). 0800H (hexadecimal) = IP address.
• Byte size of the hardware addresses (1 byte). 6.
• Byte size of the protocol address (1 byte). 4.
• Type of operation. 1 = ARP request, 2 = ARP reply, 3 = RARP request, 4 = RARP reply.
• The sender's Ethernet address (6 bytes).
• The sender's IP address (4 bytes).
• The recipient's Ethernet address (6 bytes).
• The recipient's IP address (4 bytes).

When the ARP reply is sent, the recipient's ethernet address is left blank.
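As an added example (not part of the original seminar paper), the following Python decoder unpacks the Ethernet header and ARP packet fields listed above and applies two sanity checks a monitor can run before trusting a reply. The sample frames are constructed here for the Jessica/printer exchange described earlier; Jessica's MAC address and the mismatched third frame are assumptions.

```python
import struct

ETHERTYPE_ARP = 0x0806
OP_NAMES = {1: "ARP request", 2: "ARP reply", 3: "RARP request", 4: "RARP reply"}
ETH_FMT = "!6s6sH"          # 6-byte dst MAC, 6-byte src MAC, 2-byte frame type
ARP_FMT = "!HHBBH6s4s6s4s"  # htype, ptype, hlen, plen, op, sender MAC/IP, target MAC/IP
BROADCAST = "FF:FF:FF:FF:FF:FF"

# Constructed frames for the Jessica/printer exchange (Jessica's MAC 00:1A:2B:3C:4D:5E is assumed).
SAMPLE_REQUEST = bytes.fromhex(
    "ffffffffffff 001a2b3c4d5e 0806"                 # Ethernet: broadcast <- Jessica, type ARP
    "0001 0800 06 04 0001"                           # Ethernet/IPv4, 6/4 byte addresses, request
    "001a2b3c4d5e c0a80010 000000000000 c0a8002d")   # who has 192.168.0.45? tell 192.168.0.16
SAMPLE_REPLY = bytes.fromhex(
    "001a2b3c4d5e 00907f12de7f 0806"                 # Ethernet: Jessica <- printer
    "0001 0800 06 04 0002"                           # reply
    "00907f12de7f c0a8002d 001a2b3c4d5e c0a80010")   # 192.168.0.45 is at 00:90:7F:12:DE:7F
# Same reply, but the Ethernet source does not match the ARP sender field (constructed).
MISMATCHED_REPLY = bytes.fromhex("001a2b3c4d5e 00deadbeef01 0806") + SAMPLE_REPLY[14:]

def mac_str(b): return ":".join(f"{x:02X}" for x in b)
def ip_str(b):  return ".".join(str(x) for x in b)

def parse_arp_frame(frame):
    """Decode an Ethernet frame carrying ARP/RARP into named fields."""
    eth_len = struct.calcsize(ETH_FMT)
    dst, src, ftype = struct.unpack(ETH_FMT, frame[:eth_len])
    if ftype != ETHERTYPE_ARP:
        raise ValueError(f"frame type 0x{ftype:04X} is not ARP")
    fields = struct.unpack(ARP_FMT, frame[eth_len:eth_len + struct.calcsize(ARP_FMT)])
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = fields
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return {"eth_dst": mac_str(dst), "eth_src": mac_str(src),
            "op": OP_NAMES.get(op, f"unknown({op})"),
            "sender_mac": mac_str(sha), "sender_ip": ip_str(spa),
            "target_mac": mac_str(tha), "target_ip": ip_str(tpa)}

def consistency_warnings(p):
    """Cheap sanity checks a monitor can apply before trusting a parsed reply."""
    warnings = []
    if p["eth_src"] != p["sender_mac"]:
        warnings.append("Ethernet source MAC differs from ARP sender MAC")
    if p["op"] == "ARP reply" and p["eth_dst"] == BROADCAST:
        warnings.append("reply addressed to broadcast (unsolicited)")
    return warnings
```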

RARP:
Reverse Address Resolution Protocol (RARP) is used by diskless computers to
determine their IP address using the network. The RARP message format is very similar to
the ARP format. When the booting computer sends the broadcast ARP request, it places
its own hardware address in both the sender and recipient fields of the encapsulated
ARP data packet. The RARP server fills in the correct sender and recipient IP
addresses in its response. This way the booting computer knows its IP address when it
gets the message from the RARP server.
Definition of ARP Spoofing:
ARP spoofing is a kind of spoofing in which a forged ARP reply is sent in response to
an ARP request. By sending forged ARP replies, a router can be convinced to
send frames destined for computer 1 to computer 2, and computer 2 then redirects
the frames to computer 1. If the spoof is prompt, computer 1 will have no idea of this
redirection. Updating the target computer's (computer 1's) cache with a forged entry is
called poisoning.

Operating Systems Vulnerable to ARP Spoofing:

An operating system is said to be vulnerable to ARP spoofing when a system
running it can be spoofed by another system, that is, the spoofed system overwrites its
existing ARP entry, or adds an entry if none exists, with the contents of the forged reply.
This is nothing but ARP poisoning.

OS Vulnerable to ARP spoofing:


1. Windows NT
2. Windows XP
3. Windows 95/98/2000
4. Linux
5. Netgear
6. AIX 4.3
OS not Vulnerable to ARP Spoofing:
Sun Solaris Systems

ARP Attacks:
Sniffing
Switches determine which frames go to which ports by comparing the
destination MAC on a frame against a table. This table consists of a list of ports and the
attached MAC addresses. The table is built when the switch is powered on, by examining
the source MAC of the first frame transmitted on each port.
Network cards can enter a state called promiscuous mode in which they are
allowed to examine frames destined for MAC addresses other than their own. On a
switched network this is not a concern, because the switch routes frames based on the
table described above, which prevents sniffing of other people's frames. However, using
ARP spoofing there are several ways in which sniffing can be performed on a switched
network.

Man in the Middle (MIM):

This attack is one of the methods of sniffing. In it a third party inserts itself into
the communication path between two computers. The traffic between the two computers is
not interrupted, because the third party redirects the packets on to the intended computer.
Consider an example. In the figure below the attacker, host C, sends an ARP
reply to B stating that A's IP maps to C's MAC address, and another ARP reply to A
stating that B's IP maps to C's MAC address (see Figure 3). Since ARP is a stateless
protocol, hosts A and B assume they sent an ARP request at some point in the past and
update their ARP caches with this new information.
Now, when A tries to send a packet to B, it goes to C instead. Host C can use
this unique position to forward the packets on to the correct host and monitor or modify
them as they pass through C (Figure 4). MIM can also be performed between a computer
and the LAN's router by poisoning the router.

Figure 3. Setting up a man in the middle attack


Figure 4. Setting up a man in the middle attack

MAC Flooding:
This is another method of sniffing. MAC flooding is an ARP cache
poisoning technique aimed at network switches. When certain switches are overloaded
they often drop into a "hub" mode. In "hub" mode, the switch is too busy to enforce its port
security features and just broadcasts all network traffic to every computer in the network.
By flooding a switch's ARP table with a large number of spoofed ARP replies, a hacker can
overload many vendors' switches and then sniff packets on the network while the switch is
in "hub" mode.

Denial of Service:
A hacker can easily associate an operationally significant IP address with a false
MAC address. For instance, a hacker can send an ARP reply associating the network
router's IP address with a MAC address that doesn't exist. The computers then believe
they know where the default gateway is, but in reality they are sending any packet whose
destination is not on the local segment into the Great Bit Bucket in the Sky. In one move,
the hacker has cut the network off from the Internet.

Hijacking:
To hijack a network connection of our target machine we have to be able to
direct the flow of network traffic from the target machine to our machine. The rest is
accomplished by redirecting the packets at the kernel level. This transfer of control can
result in any type of session being transferred. For instance, an attacker could take
control of a telnet session after the target machine has logged into a remote computer as an
administrator.

Cloning:
MAC addresses were intended to be a globally unique identifier for each
network interface produced. There are provisions for changing the MAC address using
available software, and also using hardware, which is a bit tedious. Linux users can even
change their MAC without spoofing software, using a single parameter of the ifconfig
command, the interface configuration program for the OS. An attacker could DoS a
target computer and then assign themselves the IP and MAC of the target computer,
receiving all frames intended for it.

ARP Tools and Utilities:

The following tools for performing ARP spoofing are available on the Internet.

Dsniff:
Dsniff is a collection of UNIX-executable tools designed to perform network
auditing, as well as network penetration. It's been tested under OpenBSD and
Solaris. Each of the tools included in the dsniff distribution has some unique function
but falls into a functionality group. In general, the tools dsniff, filesnarf, mailsnarf,
msgsnarf, urlsnarf, and webspy are used to passively monitor a vulnerable shared network
(such as a LAN where the sniffer sits behind any exterior firewall), looking for content of
interest to the attacker.

ARPoison:
It is a command-line tool for UNIX which creates spoofed ARP replies. Users
can specify the source and destination IP/MAC addresses.

Ettercap:
Ettercap is a multipurpose sniffer/interceptor/logger for switched LANs.
It supports active and passive dissection of many protocols (even encrypted ones) and
includes many features for network and host analysis.
It can automate the following procedures:
1. Character injection into an established connection
2. Password collection for TELNET, FTP, POP, RLOGIN, SSH1, ICQ, SMB, MySQL
3. Packet filtering/dropping
4. Connection killing

Parasite:
Parasite allows us to sniff on switched networks by performing ARP man-in-
the-middle spoofing. Selective targets, DOS and various other features are present.
Parasite does not do a proper clean up when stopped. This results in DoS of all poisoned
computers because their ARP caches are pointing to a MAC address that is no longer
forwarding their frames. Poisoned ARP entries must expire before normal operation can
resume.

ARP Spoofing Defenses and Detection:


The best defense against ARP spoofing is to enable MAC binding on the switch.
This is a feature usually found on high quality switches; it does not allow the MAC
address associated with a port to change once it is set. Legitimate MAC changes can be
performed by the network admin on a per-case basis.
Another defense is the use of static routes. ARP caches can have static (non-
changing) entries, so spoofed ARP replies would be ignored. This approach is not practical
on anything but small home LANs, which is precisely where ARP spoofing is not a large
concern. Also of note is the behavior of static routes under Windows. Tests found that
Windows would still accept spoofed ARP replies and use the dynamic entries instead of the
static ones, nullifying any effect of using static routes under Windows.
Apart from these two methods, the only other defense available is detection.
Arpwatch is one means of detection. Arpwatch is a tool to detect ARP attacks. It
monitors Ethernet activity, keeps a database of Ethernet/IP address pairings and
reports certain changes via email. Arpwatch uses libpcap, a system-independent
interface for user-level packet capture, as its method of detecting ARP attacks. Arpwatch
keeps the administrator informed when a new machine gets an address from the network:
it emails the IP address currently leased, together with the MAC address. It also informs
when the MAC address for an IP changes, and when someone is messing with the
network settings by changing their IP address to that of a gateway or server.
MAC cloning can be detected by using RARP (Reverse ARP). RARP requests
the IP address of a known MAC address. Sending a RARP request for every MAC address
on a network could determine whether any computer is performing cloning, since multiple
replies for a single MAC address would indicate it.
Many methods exist for detecting machines in promiscuous mode. It is important to
remember that operating systems have their own TCP/IP stacks, and Ethernet cards have
their own drivers, each with their own quirks. Even different versions of the same operating
system have variations in behavior. Solaris is unique in its treatment of ARP packets:
Solaris only accepts ARP updates after a timeout period. To poison the cache of a Solaris
box, an attacker would have to DoS the second target machine in order to avoid a race
condition after the timeout period. This DoS may be detected if the network has an
Intrusion Detection System in place. The network can also be protected from spoofing and
sniffing by setting up firewalls and by encrypting the data sent over the network, but these
two methods are not employed here.
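As an added example (not part of the original paper), here is an arpwatch-style monitor in Python that keeps the IP/MAC pairing database described above, reports new stations and changed Ethernet addresses, treats the default gateway as protected because of the denial-of-service case, and applies the one-MAC-many-IPs check that the text performs with RARP. The reply records are constructed; the gateway address and Jessica's MAC are assumptions.

```python
from collections import defaultdict

# Constructed ARP replies as a monitor would capture them: (seconds, sender IP, sender MAC).
# The first three are the legitimate gateway, printer and workstation; the last two show
# one unknown MAC suddenly answering for both the gateway and the printer.
OBSERVED_REPLIES = [
    (0,   "192.168.0.1",  "00:11:22:33:44:01"),   # default gateway (assumed address)
    (5,   "192.168.0.45", "00:90:7F:12:DE:7F"),   # the HP LaserJet from the text
    (60,  "192.168.0.16", "00:1A:2B:3C:4D:5E"),   # Jessica's computer (assumed MAC)
    (300, "192.168.0.1",  "00:DE:AD:BE:EF:01"),   # gateway IP now claimed by another MAC
    (301, "192.168.0.45", "00:DE:AD:BE:EF:01"),   # same MAC also claims the printer
]
PROTECTED_IPS = {"192.168.0.1"}  # gateway: a poisoned entry here cuts the LAN off

class ArpMonitor:
    """Keeps an IP -> MAC pairing database and reports changes, as arpwatch does."""

    def __init__(self, protected_ips=()):
        self.pairings = {}               # ip -> MAC currently answering for it
        self.protected = set(protected_ips)

    def observe(self, ts, ip, mac):
        """Record one ARP reply; return an alert line, or None if nothing changed."""
        mac = mac.upper()
        previous = self.pairings.get(ip)
        self.pairings[ip] = mac
        if previous is None:
            return f"{ts}s new station {ip} at {mac}"
        if previous == mac:
            return None
        severity = "CRITICAL gateway" if ip in self.protected else "changed"
        return f"{ts}s {severity} ethernet address for {ip}: {previous} -> {mac}"

    def macs_claiming_many_ips(self):
        """One MAC answering for several IPs: the MITM and cloning indicator the text
        describes (the same test applies to a batch of RARP replies)."""
        by_mac = defaultdict(set)
        for ip, mac in self.pairings.items():
            by_mac[mac].add(ip)
        return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}

def run_monitor(replies=OBSERVED_REPLIES):
    """Feed the captured replies through the monitor; return (alerts, shared MACs)."""
    monitor = ArpMonitor(PROTECTED_IPS)
    alerts = [a for a in (monitor.observe(*r) for r in replies) if a]
    return alerts, monitor.macs_claiming_many_ips()

if __name__ == "__main__":
    for line in run_monitor()[0]:
        print(line)
```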
References:

• ARP Spoofing:
http://node99.org/projects/arpspoof/arpspoof.pdf

• Attacks:
http://www.cigitallabs.com/resources/papers/download/arppoison.pdf
http://www.hut.fi/~autikkan/kerberos/docs/phase1/pdf/LATEST_hijacking_attack.pdf

• Tools:
http://whatis.techtarget.com/definition/0,,sid9_gci213780,00.html

• ARP Basics:
http://ece.gmu.edu/~robohn/tcom509-l2-s03.pdf
http://www.comptechdoc.org/independent/networking/guide/netarp.html

• Computer Networking by James F. Kurose and Keith W. Ross
