Poisoning the cache

ARP spoofing, also known as ARP cache poisoning, is used in a man-in-the-middle attack. In order to understand why this is an effective attack, let's step through the normal use of ARP on a LAN.

On a LAN, hosts are identified by their MAC or physical addresses. In order to communicate with the correct host, each device keeps track of all LAN hosts' MAC addresses in an ARP or MAC address table, also known as an ARP cache table.

Entries in the ARP or MAC address table will time out after a while. Under normal circumstances, when the device needs to communicate with another device on the network, it needs the MAC address. The device will first check the ARP cache and, if there is no entry in the table, the device will send an ARP request broadcast out to all hosts on the network. 

The ARP request asks the question, "Who has (the requested) IP address? Tell me (the requesting) IP address." The device will then wait for an ARP reply, as shown in the following screenshot:

ARP broadcast on a network

The ARP reply is a response that holds information on the host's IP address and the requested MAC address. Once received, the ARP cache is updated to reflect the MAC address.

In an ARP spoofing attack, an attacker will do the following:

  • Send an unsolicited, spoofed ARP reply message that contains a spoofed MAC address for the attacker's machine to all hosts on the LAN.
  • After the ARP reply is received, all devices on the LAN will update their ARP or MAC address tables with the incorrect MAC address. This effectively poisons the cache on the end devices. 
  • Once the ARP tables are poisoned, this will allow an intruder to impersonate another host to gain access to sensitive information.

In the following graphic, ARP spoof attack, a bogus reply was sent by the attacker, which poisoned the cache in the devices. All hosts on the network now think that 10.40.10.103 is at 46:89:FF:4C:57, instead of 00:80:68:B4:87, and will send traffic for that address to the attacker at the spoofed MAC address:

ARP spoof attack

Once the attacker begins to receive the traffic destined to another host, they will use active sniffing to gather the misdirected traffic in an attempt to gain sensitive information. 
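From the defender's side, the attack described above leaves two observable signs: an ARP reply that answers no request, and an IP address whose MAC address suddenly changes. The following Python example is added here and is not code from the book; the frames are constructed sample input with made-up six-octet MAC addresses, and it assumes the sensor sees all ARP traffic on the segment (for example, from a mirror port).

```python
import socket
import struct

REQUEST, REPLY = 1, 2

def build_arp(op, sha, spa, tha, tpa):
    """Construct an Ethernet+ARP frame as bytes (only to make sample input)."""
    m = lambda s: bytes.fromhex(s.replace(":", ""))
    dst = b"\xff" * 6 if op == REQUEST else m(tha)  # requests are broadcast
    return (dst + m(sha) + b"\x08\x06" + struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
            + m(sha) + socket.inet_aton(spa) + m(tha) + socket.inet_aton(tpa))

def parse_arp(frame):
    """Return (op, sender_mac, sender_ip, target_ip), or None if not Ethernet/IPv4 ARP."""
    if (len(frame) < 42 or frame[12:14] != b"\x08\x06"
            or struct.unpack("!HHBB", frame[14:20]) != (1, 0x0800, 6, 4)):
        return None
    op = struct.unpack("!H", frame[20:22])[0]
    return (op, frame[22:28].hex(":"), socket.inet_ntoa(frame[28:32]),
            socket.inet_ntoa(frame[38:42]))

def scan(frames):
    """Yield alerts for unsolicited replies and for changed IP-to-MAC bindings."""
    bindings, pending = {}, set()  # IP -> last MAC seen; (requester, requested) IPs
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None:
            continue
        op, smac, sip, tip = parsed
        if op == REQUEST:
            pending.add((sip, tip))
        elif op == REPLY:
            if (tip, sip) not in pending:  # nobody asked for this answer
                yield f"unsolicited reply: {sip} is-at {smac}"
            pending.discard((tip, sip))
        known = bindings.get(sip)
        if known and known != smac:  # same IP now claimed by a different MAC
            yield f"binding changed: {sip} {known} -> {smac}"
        bindings[sip] = smac

# Constructed sample traffic (hypothetical MACs): a normal request and reply,
# then a forged reply claiming 10.40.10.103 for a different MAC address.
A, REAL, FORGED = "02:00:00:00:00:50", "02:00:00:00:01:03", "02:00:00:00:0b:ad"
SAMPLE = [build_arp(REQUEST, A, "10.40.10.50", "00:00:00:00:00:00", "10.40.10.103"),
          build_arp(REPLY, REAL, "10.40.10.103", A, "10.40.10.50"),
          build_arp(REPLY, FORGED, "10.40.10.103", A, "10.40.10.50")]

if __name__ == "__main__":
    print("\n".join(scan(SAMPLE)))
```

A production monitor would also expire pending requests and bindings after a timeout, since legitimate address changes (a replaced network card, a DHCP lease moving) produce the same "binding changed" signal.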

We now see the many individuals who can benefit from using packet analysis. The next section covers where packet analysis is most effective.
