MITM 3: ARP spoofing

Posted on January 20, 2012

The first step in a Man In The Middle attack is to modify the ARP table of the victim’s computer and the default gateway router in this way:

ARP table (victim)
  IP                        MAC address
  192.168.0.1 (router IP)   Attacker MAC address

ARP table (router)
  IP                        MAC address
  192.168.0.2 (victim IP)   Attacker MAC address

Before spoofing, you need to understand how the ARP protocol works.

ARP protocol

Address Resolution Protocol (ARP) is a telecommunications protocol used for the resolution of network layer addresses into link layer addresses. Whenever a computer joins a network or changes its IP address, it broadcasts an ARP announcement (only to the hosts on the same network) with its MAC address together with its associated IP address. On receiving the ARP announcement, the other devices update their ARP table. The ARP table is where an IP address is bound to its MAC address. The ARP table can be displayed in the terminal (cmd) with the command: arp -a

Here is an example: I connect my mobile phone to the network. The router assigns it the IP address 192.168.0.13. I check the ARP table on my laptop, and it has no information about the device 192.168.0.13. If I want to ping my mobile phone, I first have to know the MAC address of the device with the IP 192.168.0.13.

My laptop sends an ARP frame asking “who has 192.168.0.13?”. My mobile phone answers with an ARP frame giving its MAC address associated with the IP address 192.168.0.13.

An ARP frame is structured like this:

Internet Protocol (IPv4) over Ethernet ARP packet

  bit offset   0 – 7                                          8 – 15
  0            Hardware type (HTYPE)
  16           Protocol type (PTYPE)
  32           Hardware address length (HLEN)                 Protocol address length (PLEN)
  48           Operation (OPER)
  64           Sender hardware address (SHA) (first 16 bits)
  80           (next 16 bits)
  96           (last 16 bits)
  112          Sender protocol address (SPA) (first 16 bits)
  128          (last 16 bits)
  144          Target hardware address (THA) (first 16 bits)
  160          (next 16 bits)
  176          (last 16 bits)
  192          Target protocol address (TPA) (first 16 bits)
  208          (last 16 bits)

Hereafter is the ARP frame, captured with Wireshark, from my mobile phone that gives its MAC address. Below is the description of its content. The first 14 bytes (6 bytes + 6 bytes + 2 bytes) are actually the header of the Ethernet frame, with the destination MAC address, the source MAC address and the Ethertype.

  • 00 25 00 __ __ __ is the destination MAC address (my laptop MAC address).
  • 90 21 55 __ __ __ is the source MAC address (my mobile phone MAC address).
  • 80 06 is the Ethertype for the protocol ARP.
  • 00 01 is the hardware type for the protocol Ethernet.
  • 08 00 is the protocol type for IPv4.
  • 06 is the length (in bytes) of the hardware address (a MAC address is 6 bytes).
  • 04 is the length (in bytes) of the address used in the upper layer protocol (an IPv4 address is 4 bytes).
  • 00 02 specifies that the ARP frame is a reply (1 is for requests, 2 for replies).
  • 90 21 55 __ __ __ is the MAC address of the sender. This is the address the recipient will keep in its ARP table together with the IP address of the sender (see below).
  • c0 a8 00 0d is the hex value of the IP address of the sender (0xc0 = 192, 0xa8 = 168, 0x00 = 0 and 0x0d = 13). This is the IP address related to the MAC address kept in the ARP table of the recipient.
  • 00 25 00 __ __ __ is the MAC address of the recipient (my laptop).
  • c0 a8 00 07 is the hex value of the IP address of the recipient (0xc0 = 192, 0xa8 = 168, 0x00 = 0 and 0x07 = 7).
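As an added illustration (not code from the original post), the following Python decodes the byte layout just described: a 14-byte Ethernet header followed by the 28-byte IPv4-over-Ethernet ARP packet. The sample frame is constructed here to mirror the phone's reply, with the redacted MAC bytes filled in with made-up values (aa:bb:cc and 11:22:33). It checks the IANA-registered Ethertype for ARP, 0x0806, and rejects anything that does not match the expected layout, so a caller never turns a malformed frame into an ARP binding.

```python
"""Decode an Ethernet/ARP frame byte by byte (added example, constructed input)."""
import struct

ETHERTYPE_ARP = 0x0806    # IANA-registered Ethertype for ARP
HTYPE_ETHERNET = 1        # hardware type 00 01
PTYPE_IPV4 = 0x0800       # protocol type 08 00
ARP_OPCODES = {1: "request", 2: "reply"}


def mac_str(b: bytes) -> str:
    """Render 6 raw bytes as aa:bb:cc:dd:ee:ff."""
    return ":".join(f"{x:02x}" for x in b)


def ipv4_str(b: bytes) -> str:
    """Render 4 raw bytes as dotted decimal (c0 a8 00 0d -> 192.168.0.13)."""
    return ".".join(str(x) for x in b)


def parse_arp_frame(raw: bytes) -> dict:
    """Parse Ethernet header + ARP packet into named fields.

    Raises ValueError when the frame is not the layout discussed above.
    Frames longer than 42 bytes are accepted: Ethernet pads short frames
    to 60 bytes, and the padding follows the ARP body.
    """
    if len(raw) < 14 + 28:
        raise ValueError(f"frame too short for Ethernet+ARP: {len(raw)} bytes")
    dst, src, ethertype = struct.unpack("!6s6sH", raw[:14])
    if ethertype != ETHERTYPE_ARP:
        raise ValueError(f"not an ARP frame: ethertype 0x{ethertype:04x}")
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", raw[14:22])
    if (htype, ptype, hlen, plen) != (HTYPE_ETHERNET, PTYPE_IPV4, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol combination")
    body = raw[22:42]
    sha, spa, tha, tpa = body[0:6], body[6:10], body[10:16], body[16:20]
    return {
        "eth_dst": mac_str(dst),
        "eth_src": mac_str(src),
        "oper": ARP_OPCODES.get(oper, f"unknown({oper})"),
        "sha": mac_str(sha),
        "spa": ipv4_str(spa),
        "tha": mac_str(tha),
        "tpa": ipv4_str(tpa),
    }


# Constructed sample: the phone's reply described above, redacted MAC bytes
# replaced by made-up values.
LAPTOP_MAC = bytes.fromhex("002500aabbcc")
PHONE_MAC = bytes.fromhex("902155112233")
SAMPLE_REPLY = (
    LAPTOP_MAC + PHONE_MAC + bytes.fromhex("0806")       # Ethernet: dst, src, Ethertype
    + bytes.fromhex("0001" "0800" "06" "04" "0002")       # HTYPE, PTYPE, HLEN, PLEN, OPER=reply
    + PHONE_MAC + bytes.fromhex("c0a8000d")               # SHA, SPA = 192.168.0.13
    + LAPTOP_MAC + bytes.fromhex("c0a80007")              # THA, TPA = 192.168.0.7
)

if __name__ == "__main__":
    for name, value in parse_arp_frame(SAMPLE_REPLY).items():
        print(f"{name:8} {value}")
```

The decoder deliberately separates the Ethernet source address from the ARP sender hardware address: on a legitimate reply they match, and a monitor can treat a mismatch as one more thing worth logging.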

When the recipient receives this ARP reply frame, it checks whether the Target Protocol Address (TPA) is already in its ARP table. If it is, the MAC address bound to it is updated with the Target Hardware Address (THA). If it isn’t, a new entry is added to the ARP table with the TPA and its THA.

An ARP spoofing attack consists of sending ARP reply packets to both targets (i.e. the victim’s computer and the default gateway) in order to update their ARP tables with the wrong MAC address (the attacker’s). Once the ARP tables are deceived, the attacker needs to keep sending ARP frames periodically; otherwise the targets will send legitimate ARP frames that restore the proper MAC address for their IP addresses. Here are the ARP packets the attacker has to send:

ARP packet for updating the victim’s table:
  • Destination MAC address: Victim MAC address.
  • Source MAC address: Attacker MAC address.
  • Ethertype: 0x80 0x06 (ARP).
  • Hardware type: 0x00 0x01 (Ethernet).
  • Protocol type: 0x08 0x00 (IPv4).
  • HLEN: 0x06.
  • PLEN: 0x04.
  • Operation: 0x00 0x02 (reply).
  • SHA: Attacker MAC address.
  • SPA: Router IP address.
  • THA: Victim MAC address.
  • TPA: Victim IP address.

ARP packet for updating the router’s table:
  • Destination MAC address: Router MAC address.
  • Source MAC address: Attacker MAC address.
  • Ethertype: 0x80 0x06 (ARP).
  • Hardware type: 0x00 0x01 (Ethernet).
  • Protocol type: 0x08 0x00 (IPv4).
  • HLEN: 0x06.
  • PLEN: 0x04.
  • Operation: 0x00 0x02 (reply).
  • SHA: Attacker MAC address.
  • SPA: Victim IP address.
  • THA: Router MAC address.
  • TPA: Router IP address.
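As an added example, not part of the original post, here is the defender's side of the two packets just listed: a monitor that merges every observed ARP packet into a cache the way a host does and reports the symptoms of the poisoning sequence. The cache is keyed by the sender's addresses (SPA bound to SHA), which is the binding the Wireshark walkthrough above says the recipient keeps and the merge rule RFC 826 specifies. Three symptoms are reported: a reply that no request asked for, an IP address whose MAC changes, and one MAC address that claims two IP addresses (here the router's and the victim's). Pinning the gateway's entry, the equivalent of a static ARP entry, shows the mitigation: the reply is still flagged, but the binding never changes. The MAC addresses and the packet trace are constructed; the ArpPacket records mimic the fields a decoder of the frame layout above would return.

```python
"""Spot the ARP-cache poisoning pattern on a stream of decoded ARP packets
(added example with a constructed trace)."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class ArpPacket:
    oper: str   # "request" or "reply"
    sha: str    # sender hardware (MAC) address
    spa: str    # sender protocol (IPv4) address
    tha: str    # target hardware address
    tpa: str    # target protocol address


@dataclass
class ArpCacheMonitor:
    """ARP cache merged like a host's (SPA -> SHA on every packet), but every
    overwrite is reported instead of silently accepted. IPs in `pinned`
    behave like static ARP entries and are never overwritten."""
    pinned: dict = field(default_factory=dict)   # ip -> trusted mac
    table: dict = field(init=False)
    pending: set = field(default_factory=set)    # TPAs with an outstanding request
    alerts: list = field(default_factory=list)

    def __post_init__(self):
        self.table = dict(self.pinned)

    def observe(self, pkt: ArpPacket) -> list:
        found = []
        if pkt.oper == "request":
            self.pending.add(pkt.tpa)
        elif pkt.oper == "reply":
            if pkt.spa in self.pending:
                self.pending.discard(pkt.spa)
            else:
                found.append(f"unsolicited reply: {pkt.spa} is-at {pkt.sha}")
        known = self.table.get(pkt.spa)
        if known is not None and known != pkt.sha:
            found.append(f"binding changed: {pkt.spa} was {known}, now claimed by {pkt.sha}")
        others = sorted(ip for ip, mac in self.table.items()
                        if mac == pkt.sha and ip != pkt.spa)
        if others:
            found.append(f"{pkt.sha} claims {pkt.spa} and also {', '.join(others)}")
        # Merge: a pinned (static) entry wins, anything else is overwritten
        # exactly as an unprotected host would do.
        self.table[pkt.spa] = self.pinned.get(pkt.spa, pkt.sha)
        self.alerts.extend(found)
        return found


# Constructed MAC addresses for the five machines in the scenario.
ROUTER = "aa:aa:aa:00:00:01"
VICTIM = "bb:bb:bb:00:00:02"
PHONE = "90:21:55:11:22:33"
LAPTOP = "00:25:00:aa:bb:cc"
ATTACKER = "cc:cc:cc:00:00:99"
ZERO = "00:00:00:00:00:00"

# Constructed trace: two legitimate resolutions, then the two poisoning
# replies listed above (victim's table first, router's table second).
TRACE = [
    ArpPacket("request", LAPTOP, "192.168.0.7", ZERO, "192.168.0.13"),
    ArpPacket("reply", PHONE, "192.168.0.13", LAPTOP, "192.168.0.7"),
    ArpPacket("request", VICTIM, "192.168.0.2", ZERO, "192.168.0.1"),
    ArpPacket("reply", ROUTER, "192.168.0.1", VICTIM, "192.168.0.2"),
    ArpPacket("reply", ATTACKER, "192.168.0.1", VICTIM, "192.168.0.2"),
    ArpPacket("reply", ATTACKER, "192.168.0.2", ROUTER, "192.168.0.1"),
]


def run(trace, pinned=None) -> ArpCacheMonitor:
    """Feed a trace to a fresh monitor and return it for inspection."""
    mon = ArpCacheMonitor(pinned=dict(pinned or {}))
    for pkt in trace:
        mon.observe(pkt)
    return mon


if __name__ == "__main__":
    for label, pinned in (("no static entry", None), ("gateway pinned", {"192.168.0.1": ROUTER})):
        mon = run(TRACE, pinned)
        print(f"--- {label}: 192.168.0.1 -> {mon.table['192.168.0.1']}")
        for alert in mon.alerts:
            print("  ", alert)
```

The "one MAC, several IPs" rule fires on legitimate multi-homed hosts and on shared virtual gateway addresses, so treat it as corroboration for the other two symptoms rather than an alert on its own; the unsolicited-reply and binding-changed rules are the ones that match the periodic replies the attack depends on.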

Now that you know how the ARP protocol works and what an ARP frame contains, let’s see how to perform ARP spoofing. There are two ways to do it: either you use an automated tool for ARP spoofing, or you craft your own ARP packets and perform the ARP spoofing yourself.

Posted in: Tutorials