
I came across an infosec presentation from a conference which discussed how ICMP packets can be used to compromise a connection between two machines. More specifically, they described the process as:

The attacker can forge spoofed ICMP packets to force the host to make an ARP request. As a response, an illegitimate ARP reply is generated and effectively routes the victim's traffic to the attacker's machine.

But it is not clear to me how this works and how exactly the attacker would be able to compromise the connection. Could you please explain this further? Additionally, why would someone use this approach?

Irene Ant

1 Answer


ICMP here is not used to perform the MITM attack, but indirectly to enable it. In short, it's used to circumvent ARP spoofing protections:

  1. Some MITM attack (not specified in the citation) is the goal.
  2. ARP spoofing is used as a tool to alter the victim's routing, helping in gaining MITM position.
  3. Different operating systems handle unsolicited ARP responses differently, i.e., the OS may reject them. The ICMP packet is used to make the victim's OS try to connect to the machine it is replying to. If the destination IP / MAC pair is not already cached, this invokes an ARP request. After that, the ARP response becomes expected.

Although the chronological order is actually 3-2-1, the reasoning is easier to understand if you start from the expected results and then ask how to achieve them. In other words, you have read a story of the execution of an attack, whereas a story of how the attack was planned would have been more educative.

Esa Jokinen
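As an added example (not from the question or answer above), a passive ARP monitor in Python that models the protection the answer describes in point 3: it ignores replies the host never asked for, and separately flags an expected reply that changes an IP-to-MAC binding the host had already learned, which is what a reply that follows a provoked ARP request looks like on the wire. The host, gateway and MAC addresses in the trace are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class ArpEvent:
    op: str          # "request" or "reply"
    sender_ip: str
    sender_mac: str
    target_ip: str


@dataclass
class ArpMonitor:
    """Passive monitor for one protected host (constructed example).

    Learns IP-to-MAC bindings only from replies that answer a request
    the host itself sent, mirroring an OS that rejects unsolicited
    replies.  A reply that IS expected but changes a known binding is
    reported separately, because "expected" alone does not make it safe.
    """
    host_ip: str
    pending: set = field(default_factory=set)   # IPs the host asked about
    cache: dict = field(default_factory=dict)   # learned IP -> MAC
    alerts: list = field(default_factory=list)

    def observe(self, ev: ArpEvent) -> None:
        if ev.op == "request":
            if ev.sender_ip == self.host_ip:
                self.pending.add(ev.target_ip)
            return
        if ev.target_ip != self.host_ip:
            return                                # reply not for our host
        if ev.sender_ip not in self.pending:
            self.alerts.append(("unsolicited_reply", ev.sender_ip, ev.sender_mac))
            return                                # do not learn from it
        self.pending.discard(ev.sender_ip)
        prev = self.cache.get(ev.sender_ip)
        if prev is not None and prev != ev.sender_mac:
            self.alerts.append(("mac_changed", ev.sender_ip, prev, ev.sender_mac))
        self.cache[ev.sender_ip] = ev.sender_mac


def run_demo() -> list:
    """Replay a constructed trace: host 10.0.0.5 resolves gateway 10.0.0.1,
    then sees a rogue unsolicited reply, then re-resolves the gateway
    (as it would after being prompted to answer an ICMP packet) and gets
    a reply carrying the rogue MAC."""
    host, gw, rogue = "02:00:00:00:00:05", "02:00:00:00:00:01", "02:00:00:00:00:99"
    trace = [
        ArpEvent("request", "10.0.0.5", host, "10.0.0.1"),
        ArpEvent("reply", "10.0.0.1", gw, "10.0.0.5"),      # legitimate, learned
        ArpEvent("reply", "10.0.0.1", rogue, "10.0.0.5"),   # unsolicited, dropped
        ArpEvent("request", "10.0.0.5", host, "10.0.0.1"),  # host re-resolves
        ArpEvent("reply", "10.0.0.1", rogue, "10.0.0.5"),   # expected, but MAC differs
    ]
    mon = ArpMonitor(host_ip="10.0.0.5")
    for ev in trace:
        mon.observe(ev)
    return mon.alerts
```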