Learn Address Resolution Protocol Poisoning with Examples




Learn ARP Poisoning with Examples

What are IP and MAC Addresses
IP Address is the acronym for Internet Protocol address. An Internet Protocol address is used to uniquely identify a computer or a device such as a printer or storage disk on a network. There are currently two versions of IP addresses. IPv4 uses 32-bit numbers. Due to the massive growth of the internet, IPv6 has been developed, and it uses 128-bit numbers.

IPv4 addresses are formatted in four groups of numbers separated by dots. The minimum number is 0, and the maximum number is 255. An example of an IPv4 address looks like this;

127.0.0.1

IPv6 addresses are formatted in groups of six numbers separated by full colons. The group numbers are written as 4 hexadecimal digits. An example of an IPv6 address looks like this;

2001:0db8:85a3:0000:0000:8a2e:0370:7334

In order to simplify the representation of IP addresses in text format, leading zeros are omitted, and the group of zeros is omitted completely. The above address in a simplified format is displayed as;

2001:db8:85a3::8a2e:370:7334

MAC Address is the acronym for media access control address. MAC addresses are used to uniquely identify network interfaces for communication at the physical layer of the network. MAC addresses are normally embedded into the network card.

A MAC address is like the serial number of a phone, while the IP address is like the telephone number.




Exercise
We will assume you are using Windows for this exercise. Open the command prompt.

Enter the command

ipconfig /all

You will get detailed information about all the network connections available on your computer. The results shown below are for a broadband modem to show the MAC address and IPv4 format and wireless network to show IPv6 format.

What is ARP Poisoning?

ARP is the acronym for Address Resolution Protocol. It is used to convert an IP address to physical addresses [MAC address] on a switch. The host sends an ARP broadcast on the network, and the recipient computer responds with its physical address [MAC Address]. The resolved IP/MAC address is then used to communicate. ARP poisoning is sending fake MAC addresses to the switch so that it can associate the fake MAC addresses with the IP address of a real computer on a network and hijack the traffic.
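The resolution step described above, modelled from the receiving host's side. This is an added example, not code from the original article: the `ArpCache` class, the two sample replies and every address in them are constructed for illustration. It replays one requested reply and one unrequested reply against a cache that accepts everything and against one that only accepts answers to its own requests.

```python
import struct

def parse_arp(payload: bytes) -> dict:
    """Decode a 28-byte ARP payload (Ethernet hardware, IPv4 protocol)."""
    if len(payload) < 28:
        raise ValueError("truncated ARP payload")
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", payload[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP payload")
    sha, spa, _tha, _tpa = struct.unpack("!6s4s6s4s", payload[8:28])
    return {"op": {1: "request", 2: "reply"}.get(oper, "other"),
            "sender_mac": "-".join(f"{b:02X}" for b in sha),
            "sender_ip": ".".join(str(b) for b in spa)}

class ArpCache:
    """Toy ARP cache; strict=True drops replies that nobody asked for."""
    def __init__(self, strict: bool):
        self.strict, self.table, self.pending, self.alerts = strict, {}, set(), []

    def ask(self, ip: str) -> None:
        self.pending.add(ip)              # stands in for the ARP broadcast

    def receive(self, payload: bytes) -> None:
        pkt = parse_arp(payload)
        if pkt["op"] != "reply":
            return
        ip, mac = pkt["sender_ip"], pkt["sender_mac"]
        if self.strict and ip not in self.pending:
            self.alerts.append(f"dropped unsolicited reply: {ip} is-at {mac}")
            return
        if self.table.get(ip, mac) != mac:
            self.alerts.append(f"{ip} changed {self.table[ip]} -> {mac}")
        self.table[ip] = mac
        self.pending.discard(ip)

# Constructed sample replies, both claiming to speak for 192.168.1.1.
HEADER = "0001080006040002"               # Ethernet, IPv4, 6/4, opcode 2 (reply)
TARGET = "001122334455" + "c0a8010a"      # the asking host, 192.168.1.10
GENUINE = bytes.fromhex(HEADER + "aabbcc000001" + "c0a80101" + TARGET)
FORGED = bytes.fromhex(HEADER + "deadbeef0002" + "c0a80101" + TARGET)

def replay(strict: bool) -> ArpCache:
    cache = ArpCache(strict)
    cache.ask("192.168.1.1")
    cache.receive(GENUINE)                # answer to our own request
    cache.receive(FORGED)                 # arrives later, nobody asked
    return cache
```

`replay(False)` ends with the forged MAC in the table, while `replay(True)` keeps the genuine one and records an alert. A forged reply that arrives while a request is still outstanding would pass the strict check as well, so this policy narrows the window rather than closing it.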




ARP Poisoning Countermeasures:

Static ARP entries: these can be defined in the local ARP cache and the switch configured to ignore all auto ARP reply packets. The disadvantage of this method is that it is difficult to maintain on large networks. IP/MAC address mapping has to be distributed to all the computers on the network.

ARP poisoning detection software: these systems can be used to cross-check the IP/MAC address resolution and certify them if they are authenticated. Uncertified IP/MAC address resolutions can then be blocked.

Operating System Security: this measure depends on the OS being used. The following are the basic techniques used by various operating systems.

* Linux based: these work by disregarding unsolicited ARP reply packets.
* Microsoft Windows: the ARP cache behavior can be configured via the registry. The following list includes some of the software that can be used to protect networks against sniffing;
* AntiARP – provides protection against both passive and active sniffing
* Agnitum Outpost Firewall – provides protection against passive sniffing
* XArp – provides protection against both passive and active sniffing
* Mac OS: ArpGuard can be used to provide protection. It protects against both active and passive sniffing.
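The cross-check that ARP poisoning detection software performs can be sketched over the output of `arp -a`. This is an added example, not taken from the original article or from any of the tools listed: the sample output, the baseline mapping and the function names are constructed for illustration. It flags an IP whose MAC differs from the trusted baseline and a unicast MAC that answers for more than one IP.

```python
import re
from collections import defaultdict

# One data row of Windows `arp -a` output: IP, dash-separated MAC, entry type.
ROW = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+"
                 r"((?:[0-9a-f]{2}-){5}[0-9a-f]{2})\s+(\w+)\s*$", re.I)

def parse_arp_a(text):
    """Return (ip, mac, type) tuples; interface and header lines are skipped."""
    return [(m[1], m[2].lower(), m[3].lower())
            for m in map(ROW.match, text.splitlines()) if m]

def is_group_mac(mac):
    """Broadcast/multicast MACs have the low bit of the first octet set."""
    return int(mac[:2], 16) & 1 == 1

def audit(entries, baseline):
    """Cross-check cache entries against a trusted IP -> MAC baseline."""
    findings, by_mac = [], defaultdict(list)
    for ip, mac, _kind in entries:
        if is_group_mac(mac):
            continue
        by_mac[mac].append(ip)
        expected = baseline.get(ip)
        if expected and expected.lower() != mac:
            findings.append(("MISMATCH", ip, mac))
    # One unicast MAC answering for several IPs is a common poisoning
    # symptom, though proxy ARP or a multi-homed router can also cause it.
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            findings.append(("SHARED_MAC", ",".join(sorted(ips)), mac))
    return findings

# Constructed sample output and baseline (hypothetical addresses).
SAMPLE = """
Interface: 192.168.1.38 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           de-ad-be-ef-00-02     dynamic
  192.168.1.20          de-ad-be-ef-00-02     dynamic
  192.168.1.30          aa-bb-cc-00-00-30     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
"""
BASELINE = {"192.168.1.1": "AA-BB-CC-00-00-01", "192.168.1.30": "AA-BB-CC-00-00-30"}

if __name__ == "__main__":
    for finding in audit(parse_arp_a(SAMPLE), BASELINE):
        print(*finding)
```

The baseline has the same maintenance cost as static ARP entries: it is only useful while someone keeps the IP/MAC mapping current.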

Hacking Activity: Configure ARP entries in Windows:

We are using Windows 7 for this exercise, but the commands should also work on other versions of Windows.

Open the command prompt and enter the following command

arp -a

HERE,

* arp calls the ARP configure program located in the Windows/System32 directory
* -a is the parameter to display the contents of the ARP cache

You will get results similar to the following


Reminder: Dynamic entries are added and deleted automatically when using TCP/IP sessions with remote computers.

Static entries are added manually and are deleted when the computer is restarted, the network interface card is restarted, or other activities affect it.

Adding static entries:
Open the command prompt, then use the ipconfig /all command to get the IP and MAC address

The MAC address is represented using the Physical Address and the IP address is IPv4Address



Enter the following command

arp -s 192.168.1.38 60-36-DD-A6-C5-43

Note: The IP and MAC address will be different from those used here. This is because they are unique.

Use the following command to view the ARP cache

arp -a

You will get the following results

Note the IP address has been resolved to the MAC address we provided and it’s of a static type.

Deleting an ARP cache entry:
Use the following command to remove an entry

arp -d 192.168.1.38

P.S. ARP poisoning works by transmitting fake MAC addresses to the switch