I'm learning about arp spoofing and I'm a bit confused as to how it works.

From what I gather you are on a LAN network with a victim and connected to a router. You then tell the router that you are the victim, and the victim that you are the router. The victim and the router both store this bad information in their arp cache and will send information to you, which you relay to the other side while being able to read/edit it.

What I don't understand is why the MAC address stays in the arp table. If you are telling the victim that you are the router and the real router is telling the victim that they are the router wouldn't the victim's computer automatically use whichever router it was using before?

Similarly, if the real victim and you are both telling the router that you are the victim, wouldn't the router just detect what you're trying to do and remove you from the network?

I'm sorry if this is a stupid question but LAN hacking in general is relatively new to me.

Yapoz
  • The problem is that at some point the information needs to pass as an electrical impulse (unless you have decent switches, which need ARP anyway), and the impulse will go everywhere. Plain electricity (even considering things like Manchester coding) does not respect IP numbers. – grochmal Sep 30 '16 at 01:43

1 Answer

The real router doesn't "tell the victim that they are the router" (by sending an ARP reply), unless it gets an ARP request from the victim (asking "who is the router?").

The victim won't send an ARP request unless the fake entry times out of its ARP cache (so that it "forgets that the attacker is the router").

user253751
  • Thank you for clarifying this. So when a new device connects to the network it broadcasts the "who is the router" signal? Could you clarify why (if there is a specific reason) the victim (and the router) edit their ARP cache when they get a new spoofed message from the attacker? – Yapoz Sep 30 '16 at 04:17
  • @Yapoz Actually it doesn't broadcast "Who is the router?", it broadcasts "Who is 192.168.1.1?" (if 192.168.1.1 is the router). The ARP cache should be edited because you wouldn't want to block a device that legitimately changed its MAC address (such as by using a different NIC). – user253751 Sep 30 '16 at 04:19
  • My mistake, forgot ARP was IP -> MAC. So it knows the router's IP because that's where the traffic is coming from, I'm assuming? Another confusing thing is that I thought wifi was broadcast, so everyone can see anyone's packets (packet sniffing). Wouldn't the router then see both the victim's packets and the packets from the attacker posing as the victim broadcast across the network? – Yapoz Sep 30 '16 at 04:36
  • @Yapoz It knows the router's IP either because of DHCP (which uses broadcasts) or because it was configured by the device administrator. – user253751 Sep 30 '16 at 05:10
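An added example, not part of the question or the answer above, showing the defender's side of what this thread describes: a small Python monitor that parses raw ARP frames and alerts when a second MAC claims an IP that was already mapped, which is the "conflicting claim" situation the comments discuss and the change a host's ARP cache would silently accept. The frames, MAC addresses and IPs are constructed here; a real deployment would feed it captured frames and seed the table from a known-good list.

```python
import struct
from typing import Dict, List, Optional, Tuple

# A 42-byte ARP frame: 14-byte Ethernet header followed by a 28-byte ARP body.
ETH = struct.Struct("!6s6sH")            # dst MAC, src MAC, ethertype
ARP = struct.Struct("!HHBBH6s4s6s4s")    # htype, ptype, hlen, plen, op, smac, sip, tmac, tip
ETHERTYPE_ARP, ARP_REPLY = 0x0806, 2

def mac_bytes(m: str) -> bytes:
    return bytes.fromhex(m.replace(":", ""))

def ip_bytes(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))

def build_arp(op: int, smac: str, sip: str, tmac: str, tip: str) -> bytes:
    """Build a constructed test frame so the monitor can be exercised offline."""
    eth = ETH.pack(mac_bytes(tmac), mac_bytes(smac), ETHERTYPE_ARP)
    body = ARP.pack(1, 0x0800, 6, 4, op, mac_bytes(smac), ip_bytes(sip),
                    mac_bytes(tmac), ip_bytes(tip))
    return eth + body

def parse_arp(frame: bytes) -> Optional[Tuple[int, str, str]]:
    """Return (opcode, sender MAC, sender IP) for an IPv4-over-Ethernet ARP frame, else None."""
    if len(frame) < ETH.size + ARP.size:
        return None
    _dst, _src, ethertype = ETH.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, smac, sip, _tmac, _tip = ARP.unpack_from(frame, ETH.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return op, ":".join(f"{b:02x}" for b in smac), ".".join(str(b) for b in sip)

class ArpWatch:
    """Remember the first MAC seen for each IP; alert when a later frame claims a different one."""
    def __init__(self) -> None:
        self.table: Dict[str, str] = {}
        self.alerts: List[str] = []

    def observe(self, frame: bytes) -> None:
        parsed = parse_arp(frame)
        if parsed is None:
            return
        op, smac, sip = parsed
        # Both requests and replies carry a sender mapping that hosts may cache, so check both.
        known = self.table.setdefault(sip, smac)   # first sighting is trusted (seed from a known-good list in practice)
        if known != smac:
            kind = "reply" if op == ARP_REPLY else "request"
            self.alerts.append(f"{sip}: {known} -> {smac} ({kind})")

def demo() -> List[str]:
    """Constructed traffic: victim asks, router answers twice, then a third MAC claims the router's IP."""
    router, victim, other = "02:00:00:00:00:01", "02:00:00:00:00:02", "02:00:00:00:00:03"
    w = ArpWatch()
    w.observe(build_arp(1, victim, "192.168.1.10", "00:00:00:00:00:00", "192.168.1.1"))  # "who is 192.168.1.1?"
    w.observe(build_arp(2, router, "192.168.1.1", victim, "192.168.1.10"))                # legitimate reply
    w.observe(build_arp(2, router, "192.168.1.1", victim, "192.168.1.10"))                # same mapping, no alert
    w.observe(build_arp(2, other, "192.168.1.1", victim, "192.168.1.10"))                 # conflicting claim
    return w.alerts
```

On a real segment the same check can be run from a mirror port or from each host; a single alert of this shape is what tools such as arpwatch report, and it is the signal the router in the question would need a monitor to notice, since ARP itself does not detect it.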