ARP spoofing (from the English. To spoof - dt. Fooled , fooled ) or ARP Poisoning Request (Engl about. Request falsification ) means sending fake ARP - packages . It is used to change the ARP tables in a network so that the data traffic between two (or more) systems in a computer network can then be intercepted or manipulated. It is a way of carrying out a man-in-the-middle attack in the local network.
Such an attack can also target IP telephony in order to eavesdrop on telephone calls.
Despite the popularity and the age of the attack, current operating systems do not offer any protection against ARP spoofing . This usually has to be retrofitted.
In order to intercept the data traffic between host A and host B, the attacker sends host A a manipulated ARP message to assign a certain IP address . This message contains its own MAC address instead of that of host B, so that in future host A will send the packets that are actually intended for host B to the attacker. The same thing happens with host B, so that it sends packets to the attacker unintentionally instead of directly to A. The attacker must now forward the packets received from A and B to the actual recipient so that an interceptable connection can be established. If this happens, the attacker works unnoticed as a proxy . One speaks of a man-in-the-middle attack . The attacker can of course also discard the network traffic in order to make communication between certain hosts impossible or to change the data traffic.
While mere eavesdropping on network traffic with the help of a sniffer only works in unswitched networks, this attack is also successful in switched networks. Software that implements this proxy function is available free of charge on the Internet for all common operating systems and is relatively easy to use (see Ettercap , Wireshark ).
This means that an attacker has almost a free hand to read and manipulate unprotected connections such as those used when sending e-mails or viewing websites . Encrypted and authenticated connections tend to be secure; they often use secure cryptographic algorithms and digital certificates to authenticate the remote station.
If an attacker locks into an HTTPS connection , for example, in order to manipulate home banking , the user recognizes this by a warning message from the browser about an invalid certificate. In practical scenarios, however, an attacker can prevent users from establishing TLS connections and can replace the requested HTTPS connections with those via HTTP. This makes it possible to intercept data that would otherwise be sent in encrypted form.
SSH connections are classified as secure (SSH version 1 not) if a changed fingerprint leads to the connection being aborted. After displaying the fingerprints, the user is often asked to decide whether he would like to continue establishing the connection.
Detect ARP spoofing
Detecting or preventing ARP spoofing is not easy. There are several possibilities for this. One of them is to leave out the ARP entirely and to work with static tables for converting IP addresses to hardware addresses. This option is not very efficient because the ARP tables have to be constantly updated. It is better to start with the basic problem: Every ARP response, whether requested or not, whether useful or not, is accepted by almost all operating systems. It can help here to leave the processing of ARP responses to programs with greater intelligence. These monitor who sends the answers and when, and what information the answers contain. Obviously forged ARP packets can be recognized and discarded. A corresponding warning can be issued to the system administrator by connecting to an intrusion detection system .
ARP spoofing can usually be seen well if you look at the ARP tables. In the following example, the computer with the MAC address c5: cb: df: 56: b5: f2 performs ARP spoofing in which it tells all hosts in the network that it is everyone else: It gives its MAC address for each IP (so that the network traffic reaches it to all hosts). However, it forwards the traffic transparently, so that the attack is actually imperceptible to all other hosts (although all traffic can of course be discarded and thus a complete blockage of all traffic would result). The ARP table of one of the victim computers in the network is shown. It is not clear who the attacker is; for this, the administrator would have to search for all MAC addresses. However, this could be prevented by MAC spoofing .
Address HWtype HWaddress Flags Mask Iface 192.168.1.6 ether c5:cb:df:56:b5:f2 C eth0 192.168.1.8 ether c5:cb:df:56:b5:f2 C eth0 Der Angreifer! 192.168.1.1 ether c5:cb:df:56:b5:f2 C eth0 192.168.1.9 ether c5:cb:df:56:b5:f2 C eth0
In the following example, the attacker is more frugal: he only intercepts traffic to and from the Internet (192.168.1.1 is the gateway).
Address HWtype HWaddress Flags Mask Iface 192.168.1.6 ether 00:15:af:43:90:de C eth0 192.168.1.8 ether c5:cb:df:56:b5:f2 C eth0 Der Angreifer! 192.168.1.1 ether c5:cb:df:56:b5:f2 C eth0 Eigentlich Router, wird aber durch gefälschte MAC-Adresse zum Angreifer geleitet 192.168.1.9 ether a8:7b:39:dc:78:a3 C eth0
192.168.1.1 is the gateway of the network; the attacker (.8) also reads the traffic on the Internet.
On the victim host of the first example, a traceroute to a neighboring computer would look like this:
traceroute to 192.168.1.9 (192.168.1.9), 30 hops max, 60 byte packets 1 192.168.1.8 (192.168.1.8) 2.629 ms 2.615 ms 2.604 ms Der Angreifer, der alle Pakete weiterleitet! 2 192.168.1.9 (192.168.1.9) 77.776 ms 78.261 ms 79.246 ms Der Zielrechner
Without ARP spoofing, the output should look like this:
traceroute to 192.168.1.9 (192.168.1.9), 30 hops max, 60 byte packets 1 192.168.1.9 (192.168.1.9) 134.356 ms 134.824 ms 135.314 ms
At the beginning of the attack, the attacker's packet traffic looks like this (recorded with tcpdump ):
13:17:27.376957 ARP, Reply 192.168.1.9 is-at c5:cb:df:56:b5:f2 (oui Unknown), length 28 13:17:27.387128 ARP, Reply 192.168.1.8 is-at c5:cb:df:56:b5:f2 (oui Unknown), length 28 13:17:27.387432 ARP, Reply 192.168.1.7 is-at c5:cb:df:56:b5:f2 (oui Unknown), length 28 13:17:27.388654 ARP, Reply 192.168.1.6 is-at c5:cb:df:56:b5:f2 (oui Unknown), length 28 13:17:27.388995 ARP, Reply 192.168.1.5 is-at c5:cb:df:56:b5:f2 (oui Unknown), length 28
The traceroute method is of course useless if the attacker does not forward the traffic but discards it and all network traffic is prevented. The method of looking up the ARP table is usually more helpful, as it shouldn't actually happen that several IP addresses share one MAC address.
In the area of Linux and BSD-based high availability clusters, the targeted manipulation of ARP packets is used so that no data packets are lost if the primary server fails and is immediately redirected to the new “contact person” in the cluster. The secondary server must then adopt the cluster's common IP address.
- Manipulation of ARP tables on the BSI website
- arprelay - Implementation of the ARP spoofing attack by Felix von Leitner
- Cain & Abel - ARP spoofing on Windows
- Ettercap - sniffer for switched LANs
- ArpWatch - Monitoring the IP-MAC mapping for Unix
- XArp - Intelligent monitoring of ARP traffic using active and passive methods. GUI-based and available for Windows and Linux. Protection version on Linux.
- A specialist work, u. a. on the structure of the ARP protocol and how ARP spoofing works. (PDF; 1.64 MB)
- Simsang - ARP spoofing tool
- Minary - ARP spoofing tool