What is ARP Poisoning
ARP is the acronym for Address Resolution Protocol. It is used to convert an IP address to a physical address [MAC address] on a local (switched) network. The host sends an ARP broadcast on the network, and the recipient computer responds with its physical address [MAC address]. The resolved IP/MAC pair is then used to communicate. ARP poisoning is sending fake MAC addresses to the switch so that it associates the fake MAC addresses with the IP address of a genuine computer on the network, allowing the attacker to hijack the traffic.
ARP Poisoning Countermeasures
Static ARP entries: these can be defined in the local ARP cache, and the switch configured to ignore all automatic ARP reply packets. The disadvantage of this method is that it is difficult to maintain on large networks: the IP/MAC address mapping has to be distributed to every computer on the network.
ARP poisoning detection software: these systems cross-check each IP/MAC address resolution against known-good mappings and certify the ones that are authenticated. Uncertified IP/MAC address resolutions can then be blocked.
Operating System Security: this measure depends on the operating system being used. The following are the basic techniques used by various operating systems.
- Linux-based: these work by ignoring unsolicited ARP reply packets.
- Microsoft Windows: the ARP cache behavior can be configured via the registry. The following list includes some of the software that can be used to protect networks against sniffing:
- AntiARP – provides protection against both passive and active sniffing
- Agnitum Outpost Firewall – provides protection against passive sniffing
- XArp – provides protection against both passive and active sniffing
- Mac OS: ArpGuard can be used to provide protection. It protects against both active and passive sniffing.
Hacking Activity: Configure ARP entries in Linux
We are using CentOS 7 for this exercise, but the commands should work on other versions of Linux as well.
Open the command prompt and enter the following command:
- arp invokes the program that displays and configures the ARP cache
- -a is the parameter to display the contents of the ARP cache
[root@localhost~]# arp -a
? (10.0.29.51) at ec:eb:b8:97:c6:5c [ether] on eno1
? (10.0.29.14) at 00:2c:c8:a1:08:40 [ether] on eno1
? (10.0.29.41) at 9c:b6:54:82:3b:8c [ether] on eno1
? (10.0.29.52) at ec:eb:b8:8b:89:a0 [ether] on eno1
? (10.0.29.57) at ec:eb:b8:97:83:20 [ether] on eno1
? (10.0.29.42) at e0:07:1b:ff:8a:ac [ether] on eno1
? (10.0.29.58) at ec:eb:b8:8b:a9:78 [ether] on eno1
? (10.0.29.47) at 08:f1:ea:96:4b:90 [ether] on eno1
? (10.0.29.100) at 02:04:96:9c:f0:eb [ether] on eno1
? (10.0.29.26) at 02:04:96:b4:32:02 [ether] on eno1
? (10.0.29.53) at ec:eb:b8:97:83:84 [ether] on eno1
? (10.0.29.5) at 00:1c:7f:6d:74:48 [ether] on eno1
? (10.0.29.54) at ec:eb:b8:8b:d9:34 [ether] on eno1
? (10.0.29.43) at ec:eb:b8:97:c6:74 [ether] on eno1
? (10.0.29.44) at 14:02:ec:64:50:08 [ether] on eno1
? (10.0.29.11) at 02:04:96:a0:9d:46 [ether] on eno1
gateway (10.0.29.1) at 02:04:96:9c:db:1e [ether] on eno1
? (10.0.29.12) at 02:04:96:98:97:6d [ether] on eno1
? (10.0.29.85) at 18:c2:41:00:d1:bc [ether] on eno1
? (10.0.29.50) at 98:f2:b3:3f:a1:a8 [ether] on eno1
? (10.0.29.40) at e0:07:1b:ff:e9:df [ether] on eno1
? (10.0.29.45) at e0:07:1b:ff:46:d8 [ether] on eno1
? (10.0.29.56) at 98:f2:b3:2a:93:e8 [ether] on eno1
? (10.0.29.8) at 18:c2:41:00:d1:bc [ether] on eno1
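To cross-check a live cache against known-good mappings, as the detection countermeasure above describes, here is an added Python example (not from the original article). It parses the `arp -a` line format shown above and reports two things a defender looks for: an IP whose MAC differs from the static baseline, and one MAC claiming several IPs. The sample cache and the baseline are constructed from addresses in the listing above; the "poisoned" gateway line is invented for the demonstration.

```python
import re
from collections import defaultdict

# One line of `arp -a` output, e.g.
# "gateway (10.0.29.1) at 02:04:96:9c:db:1e [ether] on eno1"
ARP_LINE = re.compile(
    r"^(?P<host>\S+) \((?P<ip>[\d.]+)\) at (?P<mac>[0-9a-f:]{17}) "
    r"\[ether\] on (?P<iface>\S+)$",
    re.IGNORECASE,
)

def parse_arp_cache(text):
    """Return {ip: mac} for every resolved entry; <incomplete> lines are skipped."""
    cache = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line.strip())
        if m:
            cache[m.group("ip")] = m.group("mac").lower()
    return cache

def check_arp_cache(cache, baseline):
    """Return (reason, ip, mac) findings.

    "mismatch":   the IP resolved to a MAC other than the baseline one
    "shared-mac": one MAC claims several IPs (typical of poisoning, though
                  also seen legitimately with virtual/failover IPs)
    """
    findings = []
    for ip, mac in sorted(cache.items()):
        expected = baseline.get(ip)
        if expected is not None and expected.lower() != mac:
            findings.append(("mismatch", ip, mac))
    by_mac = defaultdict(list)
    for ip, mac in cache.items():
        by_mac[mac].append(ip)
    for mac, ips in sorted(by_mac.items()):
        if len(ips) > 1:
            findings.extend(("shared-mac", ip, mac) for ip in sorted(ips))
    return findings

# Constructed sample: the gateway now answers with the MAC of 10.0.29.8.
SAMPLE_ARP_OUTPUT = """\
gateway (10.0.29.1) at 18:c2:41:00:d1:bc [ether] on eno1
? (10.0.29.8) at 18:c2:41:00:d1:bc [ether] on eno1
? (10.0.29.51) at ec:eb:b8:97:c6:5c [ether] on eno1
"""
# Baseline: the static entries you would keep for these two hosts.
BASELINE = {"10.0.29.1": "02:04:96:9c:db:1e", "10.0.29.51": "ec:eb:b8:97:c6:5c"}

if __name__ == "__main__":
    for reason, ip, mac in check_arp_cache(parse_arp_cache(SAMPLE_ARP_OUTPUT), BASELINE):
        print(f"{reason}: {ip} -> {mac}")
```

Run it on real output with `arp -a | python3 check_arp.py` after replacing SAMPLE_ARP_OUTPUT with `sys.stdin.read()` and BASELINE with your own static entries.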
Deleting an ARP cache entry
Use the following command to remove an entry (here, the one for 192.168.1.38):
arp -d 192.168.1.38