Attacking LAN hosts with ARP spoofing

Dawid Czagan
January 8, 2014 by
Dawid Czagan

1. Introduction

This article introduces the OSI model of internet communication, and describes ARP spoofing. It's used to attack hosts in a Local Area Network (LAN). Passive and active sniffing are described. Finally, the mitigation of ARP spoofing is briefly discussed.

FREE role-guided training plans

FREE role-guided training plans

Get 12 cybersecurity training plans — one for each of the most common roles requested by employers.

2. The OSI model

This model describes the structure of internet communication. The idea was to prepare a reference model in order to allow different manufacturers to create networking solutions that can cooperate with each other. The OSI model is comprised of seven layers:

Layer 7: Application

Layer 6: Presentation

Layer 5: Session

Layer 4: Transport

Layer 3: Network

Layer 2: Data link

Layer 1: Physical

I'll discuss how data goes from the sender to the receiver. From the sender's perspective, the data goes from layer 7 to layer 1. From the receiver's perspective, the data goes from layer 1 to layer 7.

I'll explain what happens when data goes from layer 7 to layer 1. At each stage (from layer 7 to layer 6, from layer 6 to layer 5, and so on) the data of the upper layer is includes into the data of the lower layer (encapsulation). On the receiver's side, the reverse process occurs and is called decapsulation. That's how the different OSI layers interact. In reality, it's more complicated – for example, the data of the application layer might be segmented at the transport layer (before sending to network layer), and fragmented at the network layer (before sending to data link layer.)

Finally, let's see the classification of network devices with reference to the layers of OSI model:

Layer 1 devices: repeater, hub

Layer 2 devices: bridge, switch

Layer 3 device: router

ARP spoofing is related to the ARP protocol (described in the next section of the article), which is used to bind IP and MAC addresses (from the network and data link layers of the OSI model; Ethernet is commonly used at data link layer.)

3. ARP protocol

Let's assume that two computers, COMP1 and COMP2, are in the same LAN and want to communicate. COMP1 knows the IP address of COMP2 (denoted by COMP2_IP in the article), but what is actually needed in order to send the message to COMP2 is the MAC address of COMP2 (denoted by COMP2_MAC). Here, the ARP protocol is used. COMP1 sends an ARP request to everyone in the LAN (broadcasting). That request can be understood as something like this: “Hi, COMP2_IP, would you tell me your MAC address (COMP2_MAC)?” What happens next is the ARP reply message with COMP2_MAC. Now, COMP1 can send the message to COMP2, because he knows COMP2_MAC's address. That's how it should work. However, there may be an attacker spoofing ARP's reply messages. Let's see how that works in this case.

4. ARP protocol – spoofing ARP reply

Let's continue the story from the previous section and denote the computer of the attacker with COMP_ATTACKER, the IP address of COMP_ATTACKER with COMP_ATTACKER_IP, and the MAC of COMP_ATTACKER by COMP_ATTACKER_MAC.

Now let's recall the description of the ARP protocol from the previous section of the article, and change one thing - when the ARP request is sent, the COMP_ATTACKER replies (ARP reply) with their own MAC address (COMP_ATTACKER_MAC). Then, COMP1 thinks that they're sending the message to COMP2, but they're actually sending it to COMP_ATTACKER, because they've received COMP_ATTACKER_MAC in the ARP reply. In addition, COMP_ATTACKER sends the ARP request to everyone in the LAN to learn the COMP2_MAC. At that point, COMP_ATTACKER knows the COMP2_MAC and can forward the message (received form COMP1) to COMP2. Before forwarding the message, COMP_ATTACKER can read and/or modify the message if it's not protected. That's how ARP spoofing works. As we can see, that attack can lead to serious problems.

5. Passive and active sniffing

Switches know the MAC addresses attached to their ports and send the messages only to the port, where the destination host is attached. That way, other hosts cannot see the messages or sniff the traffic. As we've already seen, ARP spoofing can be used to overcome that problem from the attacker's point of view. ARP spoofing is an active attack, because sending the spoofed ARP reply is involved.

Now let's go back to the old days and discuss hubs. Those devices work at Layer 1 of the OSI model. The message received by the hub is sent to all its ports. Normally, the host reads the messages that are sent to them. However, the host can be put in promiscuous mode to see all the messages. That's how passive sniffing works: the attacker is just sniffing the traffic.

6. Mitigation of ARP spoofing

Normally, the entries in the ARP table of the host are dynamic. These entries could be predefined (static) to solve the problem with ARP spoofing. However, this approach has an administrative overhead.

Another idea is delegating the problem to the upper layers of the OSI model and using cryptography to provide authentication (digital certificates), data confidentiality (symmetric encryption), and data integrity (HMAC). SSL/TLS can be used here (it works between application and transport layers of the OSI model.) That way, we can detect if something wrong has happened with the message, and prevent reading it.

7. Summary

Become a Certified Ethical Hacker, guaranteed!

Become a Certified Ethical Hacker, guaranteed!

Get training from anywhere to earn your Certified Ethical Hacker (CEH) Certification — backed with an Exam Pass Guarantee.

The OSI model of internet communication was introduced. Then the ARP protocol and ARP spoofing were discussed. The difference between active and passive sniffing was presented. Finally, the mitigation of ARP spoofing was briefly analyzed.

Dawid Czagan
Dawid Czagan

Dawid Czagan (@dawidczagan) has found security vulnerabilities in Google, Yahoo, Mozilla, Microsoft, Twitter, BlackBerry and other companies. Due to the severity of many bugs, he received numerous awards for his findings.

Dawid is founder and CEO at Silesia Security Lab, which delivers specialized security auditing services with a results-driven approach. He also works as Security Architect at Future Processing.

Dawid shares his bug hunting experience in his workshop entitled "Hacking web applications - case studies of award-winning bugs in Google, Yahoo, Mozilla and more". To find out about the latest in Dawid's work, you are invited to visit his blog (https://silesiasecuritylab.com/blog) and follow him on Twitter (@dawidczagan).