
I am unable to understand fully how ARP spoofing attacks are successful.

Assuming three PCs are connected to a single switch

PC-1 - IP address 192.168.1.1, MAC: AA:AA:AA:AA:AA:AA

PC-2 - IP address 192.168.1.2, MAC: BB:BB:BB:BB:BB:BB (ARP Spoofer)

PC-3 - IP address 192.168.1.3, MAC: CC:CC:CC:CC:CC:CC

So when PC-1 pings 192.168.1.3, it will broadcast an ARP request and PC-2 will respond saying that I am 192.168.1.3 and my MAC is BB:BB:BB:BB:BB:BB

After PC-1 adds this ARP reply to its table, the ping packet from PC-1 will have a destination IP address of 192.168.1.3 and a destination MAC of BB:BB:BB:BB:BB:BB.

The ARP spoofer NIC (PC-2) will receive this frame because it is addressed to its MAC address, but wouldn't the packet be dropped as it passed up the TCP/IP stack at the IP layer, as the ARP spoofer has a different IP (192.168.1.2) to the destination IP of the packet (192.168.1.3)?

jamie754

1 Answer


In many cases, the attacker doesn't need to be configured with the victim IP:

  • If they only want to capture packets intended for the other IP, assuming the attacker can capture raw packets on their system.
  • If they're spoofing to overload or DoS the network, e.g., a MAC table overflow attack.
  • If they're sending data via UDP/ICMP, either to exfiltrate data or to provide a false trail pointing at the victim's IP.

In some cases, the attacker might need to configure their system to use the victim's IP - when they're actively masquerading as the victim, and are taking steps to block the victim from disrupting connections. But those cases are relatively rare, compared to the abuses above.

gowenfawr
  • If the attacker's intention is only to capture packets, they can just listen on the port and do this? Because they are connected to the same switch here. Do they really need to ARP spoof? – Sayan Jul 25 '18 at 00:54
  • @Sayan on a switch, packets are only sent to the appropriate ports, and ARP spoofing is one way of tricking the switch to be able to peek at packets destined for another system. On an un-switched network, you're right, the spoofing isn't necessary for just listening. But most networks are switched these days... – gowenfawr Jul 25 '18 at 02:09
  • On the first point about capturing raw packets, does this mean that the attacker's NIC would have to be in promiscuous mode to capture these raw packets, or do they automatically bypass the TCP/IP stack processing and can be viewed directly in a sniffer application without promiscuous mode? – jamie754 Jul 25 '18 at 09:16
  • @Gowenfawr, Unless you've configured VLAN, all the ports will be in same Broadcast Domain. Hence sniffing/listening traffic is possible... – Sayan Jul 25 '18 at 12:11
  • @Sayan if you only want to sniff broadcast, then there's no need to spoof ARP at all because the point of broadcast is that everybody sees it :) – gowenfawr Jul 25 '18 at 14:30
  • @jamie754 when I say 'capture raw packets' I mean 'promiscuous mode', but it doesn't matter. "In non-promiscuous mode, when a NIC receives a frame, it drops it unless the frame is addressed to that NIC's MAC address or is a broadcast or multicast addressed frame" ([Wikipedia](https://en.wikipedia.org/wiki/Promiscuous_mode)) so packets with your host's *MAC* on it - which is what you're getting, by spoofing - will be read in non-promiscuous mode despite the IP address mismatch. – gowenfawr Jul 25 '18 at 14:46
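As an added example (not code from the question, the answer, or the commenters), the following Python builds the ARP frames from the scenario above, applies the link-layer rule quoted from Wikipedia to show why the spoofer's NIC keeps the ping frame before any IP-layer check, and adds a simple arpwatch-style detector that flags an IP being claimed by a second MAC. All frames are constructed inline; the ping frame's IPv4 payload is a stub.

```python
import struct
ETH_ARP, ETH_IPV4 = 0x0806, 0x0800          # EtherType values
BROADCAST = "ff:ff:ff:ff:ff:ff"

def mac_bytes(mac): return bytes.fromhex(mac.replace(":", ""))
def mac_str(b): return ":".join(f"{x:02x}" for x in b)
def ip_bytes(ip): return bytes(int(o) for o in ip.split("."))
def ip_str(b): return ".".join(str(x) for x in b)

def eth_header(dst_mac, src_mac, ethertype):
    return mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ethertype)

def arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet frame carrying an ARP reply (opcode 2) in the RFC 826 layout."""
    hdr = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 2)   # hw=Ethernet, proto=IPv4, 6, 4, reply
    return (eth_header(target_mac, sender_mac, ETH_ARP) + hdr
            + mac_bytes(sender_mac) + ip_bytes(sender_ip)
            + mac_bytes(target_mac) + ip_bytes(target_ip))

def parse_arp(frame):
    """ARP fields of a frame, or None if the EtherType is not ARP."""
    if struct.unpack("!H", frame[12:14])[0] != ETH_ARP:
        return None
    return {"op": struct.unpack("!H", frame[20:22])[0],
            "sender_mac": mac_str(frame[22:28]), "sender_ip": ip_str(frame[28:32])}

def nic_accepts(frame, own_mac, promiscuous=False):
    """Link-layer filter: a non-promiscuous NIC keeps only frames for its own MAC or
    broadcast. A raw sniffer sees every kept frame; the IP-layer address check runs later."""
    return promiscuous or mac_str(frame[:6]) in (own_mac, BROADCAST)

class ArpWatch:
    """Defender-side check: remember the MAC each IP was first seen with and flag
    any later reply claiming that IP from a different MAC (arpwatch-style)."""
    def __init__(self):
        self.table = {}
    def observe(self, frame):
        a = parse_arp(frame)
        if a is None or a["op"] != 2:
            return None
        known = self.table.setdefault(a["sender_ip"], a["sender_mac"])
        if known != a["sender_mac"]:
            return f"ARP conflict: {a['sender_ip']} was {known}, now claimed by {a['sender_mac']}"
        return None

# Constructed traffic from the scenario: PC-3's genuine reply, PC-2's spoofed reply, and
# PC-1's ping frame after it accepted the spoofed mapping (IPv4 payload stubbed as text).
GENUINE = arp_reply("cc:cc:cc:cc:cc:cc", "192.168.1.3", "aa:aa:aa:aa:aa:aa", "192.168.1.1")
SPOOFED = arp_reply("bb:bb:bb:bb:bb:bb", "192.168.1.3", "aa:aa:aa:aa:aa:aa", "192.168.1.1")
PING_FRAME = eth_header("bb:bb:bb:bb:bb:bb", "aa:aa:aa:aa:aa:aa", ETH_IPV4) + b"<IPv4 dst 192.168.1.3>"
```

Running `ArpWatch().observe()` over GENUINE then SPOOFED returns None for the first and a conflict string for the second, while `nic_accepts(PING_FRAME, "bb:bb:bb:bb:bb:bb")` is True even though PC-2's IP does not match the packet's destination.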