Can anyone tell me how ARP Poisoning exactly works?

Because I was sure that worked as I stated here.

But I've been told that is not how ARP poisoning works. That the path I've mentioned in the link is wrong, because the correct one would be:
target(C)--> router(A)--->attacker(B) -->router(A)--> internet.

And I've been told that due to the path mentioned above, I wouldn't need the PTK to decrypt the traffic because the router would decrypt the traffic for me.

So, which one is correct?

loopOfNegligence

2 Answers

From a brief look - both descriptions are essentially correct as 802.11 is talking via the router (think of it as a switch in this context) to reach your box. From a higher layer perspective (the border between L2 and L3 - which ARP essentially is) your model is correct. (Victim > Attacker > Router)

From a lower layer possibly the border between L1 and L2, both devices are speaking to the router, so (Victim -> AP -> Attacker -> AP -> Router -> Internet)

So the victim device addresses a packet to the attacker, and in the process encapsulates that in an 802.11 packet addressed to the Access Point. The Access Point decapsulates and decrypts that packet, encrypts and encapsulates that packet addressed to the attacker.

To answer your other question, if it works, then yes it does circumvent the transient key (bearing in mind you already know the password to access the network).

The OSI model isn't great in practice but it's still how I think of things...

As an aside, every WiFi router I've tried in the past few years (only a handful) has detected the ARP spoofing and either blocked it, or repoisoned the victim with the correct address, as it realises something is amiss. I doubt that is so common with APs because the router is a separate device which the AP isn't so aware of. I rarely try it as in most cases it's just easier to deauth the target, then capture the transient key on reconnection.

user2867314
  • I didn't get the path "Victim -> AP -> Attacker -> AP -> Router -> Internet" and honestly I don't see how L1 can be related to the path that you've mentioned, because shouldn't L1 simply convert the bit stream into a physical signal? – loopOfNegligence Mar 08 '17 at 15:40
  • Well, WiFi does have a physical layer as you describe, but it also has its own datalink layer that encapsulates the "normal" datalink stuff (hence the bordering of levels). So without monitor mode, you can run wireshark and see the MAC of the victim talking to the MAC of the attacker. However, if you were to look at it in monitor mode, this is all going via the AP's BSSID due to the additional encapsulation. It's closer to L2, but at a lower level, hence why I say L1/L2 border (and that the layer model isn't great in practice!) – user2867314 Mar 08 '17 at 16:12
  • And I used AP instead of router to clarify, wireless devices are communicating via an Access Point, not the Router - the functions just reside on the same device in most consumer cases (which is a common cause of confusion). They do not have to be the same device. The access point can be looked at as a switch, and transparent to the ARP poisoning process in your described example. – user2867314 Mar 08 '17 at 16:26
  • Yes, I used "router" because usually the AP is inside the router. So, you're saying that in monitor mode I would be able to see the victim's MAC communicating with the AP's BSSID, when otherwise I would see the victim's MAC communicating with the attacker's MAC. But I still don't understand the reason for this path that you've mentioned; it's not logical, whereas "Victim > Attacker > Router" is. Anyway, what you just said is L2 for me; I don't exactly know what you mean by "L1/L2 border". P.S. I want to add that my AP "repoisoned" the victim with the correct address. – loopOfNegligence Mar 08 '17 at 17:50
  • Can you tell me more about what you find confusing about the path? I am assuming both the attacker and target are connected wirelessly, and the ARP spoof was successful for that flow, so the target sends the packet to the internet (IP) via the attacker (Datalink) via the connected access point (also Datalink). The access point re-encrypts that packet using the attacker's transient key, then the attacker forwards it to the real gateway (again via the AP) where it reaches the internet. So yes, it does get around the attacker having to capture the victim's transient key. – user2867314 Mar 09 '17 at 12:06
  • P.S. That's interesting, yours does it too. I'm sure I've successfully ARP spoofed over wireless in the fairly distant past (2008/2009). The last few times I tried, the devices didn't let me (2011-12), and I never tried again or thought any more of it until I saw this question. – user2867314 Mar 09 '17 at 12:09
  • P.P.S: I think this is a helpful read for understanding the frame: http://www.wildpackets.com/resources/compendium/wireless_lan/wlan_packets and also, next time I'm able to test WiFi on a standalone AP wired to a separate router, I'll see if the AP corrects the ARP there too. – user2867314 Mar 09 '17 at 12:15
  • Yes, both the attacker and target are connected wirelessly. About the path that you've mentioned (the one you said is between L1 and L2), I don't understand why the victim sends the frames to the AP instead of directly to the attacker. Again, for me the logical one is "Victim > Attacker > Router" and vice versa. Anyway, you said the AP encrypts the traffic with the PTK of the attacker, so when we receive the frames directly from the AP we are able to decrypt and read the traffic. But when we receive the frames directly from the victim, which encryption has the victim used? – loopOfNegligence Mar 10 '17 at 17:02
  • Reply P.S: basically, looking at the arp table on the victim machine I've noticed that the record regarding the gateway was changing constantly, back and forth between the actual MAC address of the gateway and that of the attacker. – loopOfNegligence Mar 10 '17 at 17:20
  • I can think of a few reasons why. One is that all the devices that talk over wireless would need to know the PTK of all other wireless devices in order to communicate, which is fine, but not so easy to manage with connections coming and going as keys need to propagate. The second is signal: two devices on opposite sides of the AP might be out of signal range of each other, but able to talk to the AP. There certainly are wireless protocols that allow devices to talk directly, for example mesh protocols, or ad-hoc networks, but in the "normal" mode, infrastructure mode, all comms go via the AP. – user2867314 Mar 13 '17 at 09:32
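The point argued in this answer and its comments, that in infrastructure mode the victim's frame is addressed to the AP's BSSID even though its ultimate destination is the attacker's MAC, is easiest to see in the three address fields of an 802.11 data frame. The following is an added example, not code from the answer or from any tool; the MAC addresses are constructed sample values, and only the three-address (non-WDS) frame forms are modelled.

```python
import struct

# Constructed sample addresses (locally administered MACs, not from the page).
VICTIM_MAC = "02:00:00:00:00:01"
ATTACKER_MAC = "02:00:00:00:00:02"
AP_BSSID = "02:00:00:00:00:aa"

def _mac(s: str) -> bytes:
    return bytes(int(x, 16) for x in s.split(":"))

def _fmt(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def data_frame_header(to_ds: bool, from_ds: bool, a1: str, a2: str, a3: str) -> bytes:
    """Minimal 24-byte 802.11 data frame MAC header (type=data, no QoS, sequence 0)."""
    # Frame Control: byte 0 = version 0 / type 2 (data) / subtype 0 -> 0x08;
    # byte 1 flags: bit 0 = To DS, bit 1 = From DS.
    fc = bytes([0x08, (1 if to_ds else 0) | (2 if from_ds else 0)])
    return fc + b"\x00\x00" + _mac(a1) + _mac(a2) + _mac(a3) + struct.pack("<H", 0)

def parse_addresses(hdr: bytes) -> dict:
    """Map Address1..3 onto RA/TA/DA/SA/BSSID according to the To DS / From DS bits."""
    to_ds, from_ds = bool(hdr[1] & 1), bool(hdr[1] & 2)
    a1, a2, a3 = _fmt(hdr[4:10]), _fmt(hdr[10:16]), _fmt(hdr[16:22])
    if to_ds and not from_ds:        # station -> AP (uplink): receiver is the BSSID
        return {"RA": a1, "BSSID": a1, "TA": a2, "SA": a2, "DA": a3}
    if from_ds and not to_ds:        # AP -> station (downlink): transmitter is the BSSID
        return {"RA": a1, "DA": a1, "TA": a2, "BSSID": a2, "SA": a3}
    if not to_ds and not from_ds:    # IBSS / ad-hoc: direct station-to-station
        return {"RA": a1, "DA": a1, "TA": a2, "SA": a2, "BSSID": a3}
    raise ValueError("4-address (WDS) frames are not modelled here")

def spoofed_hop_frames(victim: str, attacker: str, bssid: str) -> tuple:
    """The two over-the-air frames that carry one victim packet to the attacker in
    infrastructure mode. After a successful ARP spoof the victim's IP stack sets the
    destination MAC (DA) to the attacker, but the 802.11 layer still transmits to the
    AP (RA = BSSID); the AP then re-sends it to the attacker under the attacker's key."""
    uplink = data_frame_header(True, False, bssid, victim, attacker)    # victim -> AP
    downlink = data_frame_header(False, True, attacker, bssid, victim)  # AP -> attacker
    return uplink, downlink

if __name__ == "__main__":
    hops = spoofed_hop_frames(VICTIM_MAC, ATTACKER_MAC, AP_BSSID)
    for name, frame in zip(("victim->AP", "AP->attacker"), hops):
        print(name, parse_addresses(frame))
```

In monitor mode the RA/TA pair is what you see on the air (always involving the BSSID), while the DA/SA pair is what a managed-mode capture shows as "victim talking to attacker", which is exactly the two views the answer calls the L1/L2 border and the L2/L3 border.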
Simplistically, the ARP protocol is a way to map your hardware address (Physical Address) with an IP Address. Since HW Addresses are unique, it provides routers a means to know which computer to send to on the data link layer.

ARP Poisoning is a method of attack where the attacker sends ARP messages advertising their Physical Address as being associated with a target IP and router. Target systems will send data to the attacker since it appears to be the correct destination.

This is true of WiFi and cabled local systems as ARP is a local network protocol.

Basic Description (which is what I think your diagram shows):

  • Attacker tells Target Server that the Router is at 192.168.1.1 with HW ADDR: AA:BB:CC:DD:EE:FF
  • Attacker tells Router that the Target Server is at 192.168.1.2 with HW ADDR: AA:BB:CC:DD:EE:FF
  • Target server thinks the router's HW ADDR is AA:BB:CC:DD:EE:FF and sends to the attacker via the Data Link.
  • Attacker interprets, sniffs its data, and sends it on to the router.
  • Router gets the info thinking that it's coming from the Target

There seems to be confusion in the linked thread, but to the point others are making, sniffing WiFi and decrypting its encapsulation algorithm and ARP spoofing are different things.

Shane Andrie
  • "Attacker interprets, sniffs it's data, and sends it on the router." So, when the attacker receives the data from the victim, the traffic is encrypted or already decrypted? I mean, the attacker before forwarding the data to the router, is able to read the received data? – loopOfNegligence Mar 09 '17 at 11:51
  • Depends on where you encrypt. In order to actually ARP poison you need to be on the local network (i.e. have an IP assigned), so for WiFi you'd either have already sniffed and decrypted the network authentication, or already have access to it. After that it's dependent on the network communication whether traffic is encrypted or not. – Shane Andrie Mar 10 '17 at 20:19
  • Yes, I'm on the local network because I have access to it. But, every client connected has a different PTK, right? So, when I (attacker) receive the frames from the victim, how am I able to read the frames just received? It’s because the victim used the PTK of the attacker to encrypt the frames? Or simply because, even if the victim used his own PTK, the attacker is able to calculate the PTK of the victim? – loopOfNegligence Mar 11 '17 at 15:33
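The basic description above (one MAC advertised for both 192.168.1.1 and 192.168.1.2) and the asker's observation that the victim's gateway entry kept flipping between two MACs are the two signals a defender can watch for on the wire. The following is an added example, not code from this answer or from any tool: a small detector run over a few constructed tcpdump-style ARP reply lines that flags (a) an IP whose advertised MAC changes and (b) a MAC that claims more than one IP, and counts how often each IP flaps.

```python
import re
from collections import defaultdict

# Constructed sample capture in the shape tcpdump prints ARP replies. The MAC
# AA:BB:CC:DD:EE:FF is the attacker's address from the answer's description; the
# other two MACs and the timestamps are invented for the example.
SAMPLE_LOG = """\
12:00:01.000 ARP, Reply 192.168.1.1 is-at 00:11:22:33:44:55, length 28
12:00:02.000 ARP, Reply 192.168.1.2 is-at 66:77:88:99:AA:BB, length 28
12:00:03.000 ARP, Reply 192.168.1.1 is-at AA:BB:CC:DD:EE:FF, length 28
12:00:04.000 ARP, Reply 192.168.1.2 is-at AA:BB:CC:DD:EE:FF, length 28
12:00:05.000 ARP, Reply 192.168.1.1 is-at 00:11:22:33:44:55, length 28
"""

REPLY_RE = re.compile(r"Reply (\d+\.\d+\.\d+\.\d+) is-at ([0-9A-Fa-f:]{17})")

class ArpMonitor:
    """Stateful view of observed ARP replies (is-at), as a host or sensor would build it."""

    def __init__(self):
        self.ip_to_mac = {}                      # last MAC advertised for each IP
        self.mac_to_ips = defaultdict(set)       # every IP each MAC has claimed
        self.changes = defaultdict(int)          # how often an IP's MAC changed (flapping)
        self.alerts = []

    def observe(self, ip: str, mac: str) -> None:
        mac = mac.lower()
        prev = self.ip_to_mac.get(ip)
        if prev is not None and prev != mac:
            self.changes[ip] += 1
            self.alerts.append(f"{ip} moved from {prev} to {mac} (flap #{self.changes[ip]})")
        self.ip_to_mac[ip] = mac
        self.mac_to_ips[mac].add(ip)
        if len(self.mac_to_ips[mac]) > 1:
            # One hardware address answering for several IPs is the classic
            # man-in-the-middle pattern: the attacker claims both gateway and target.
            self.alerts.append(f"{mac} claims {sorted(self.mac_to_ips[mac])}")

def scan(log: str) -> ArpMonitor:
    """Feed every ARP reply line of a capture into a fresh monitor and return it."""
    mon = ArpMonitor()
    for line in log.splitlines():
        m = REPLY_RE.search(line)
        if m:
            mon.observe(m.group(1), m.group(2))
    return mon

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG).alerts:
        print(alert)
```

The last line of the sample reproduces the "repoison" the asker saw: the gateway entry moving back to its original MAC is itself a change and is reported as a second flap, so a real-world rule should alert on the rate of changes rather than on any single one (legitimate DHCP or hardware replacement also changes a mapping once).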