
I am currently reading the network exploitation section of the book Hacking: The art of exploitation. The book covers ARP spoofing attack in brief, but doesn't go over much detail.

Before starting I would like to tell what kind of system/peripherals I would be using.

  • I use a System that accesses internet via Ethernet Cable. i.e. I don't have a router, due to which I directly connect the ethernet cable to my pc (PPPOE)
  • That cable goes to the electric pole, where it is connected to a switch. That switch also acts as an endpoint for other users like me as well
  • A lot of these switches are interconnected with one another

I do have a fundamental understanding of the attack (rectify if wrong), which in brief goes as follows:-

  • Run ARP protocol to get MAC addresses of all the live hosts in the local network

  • Poison the ARP cache of hosts by sending them ARP responses (on regular interval) stating that the IP address of another system is at our mac address

  • This will make them send packets which would have our MAC address in the Data-Link layer, and would reach us

I have many doubts (some regarding the above process, others are conceptual)!!

  1. In order to execute the attack we need to have the IP addresses of other local hosts, which I just can't seem to get.

    • I ran a Windows machine and tried using Advanced IP scanner, but ended up getting IP addresses associated to my pc (VM, Ethernet, Default Gateway).
    • Tried the arp -a command, ended up getting a huge list of IP addresses of which 99% were static, a few were dynamic. Some of them had MAC address entries, on others it was blank.

    So, how am I supposed to get the IP addresses of other hosts?

  2. The book mentions default gateways as a target. So what exactly is a default gateway (for my setup), and how does it work?

  3. Since we can poison the ARP cache to add entries to it, is it (asking from a security perspective) possible to create entries for addresses that aren't local? For example, let's say we have the IP address 192.168.1.12 having MAC 00:00:00:01, and a Facebook server has IP address 10.0.0.23. Is it possible to send an ARP response that will poison the ARP cache of a local user to make it seem like the address 10.0.0.23 is at MAC address 00:00:00:01? Then would the packet sent over to the Facebook IP be delivered over to us? Or would it be filtered by the router?

  4. What is the address of the first node (to me) where my data is sent over to? Like for most users it would be their router (at a basic level), but since I don't use one, what would be the first node through which my data goes?

P.S.:- Initially I posted this question on Network Engineering, but it got closed over there as they thought I am trying to hack a network. Firstly, I am using the above test in a controlled environment. Secondly, the questions are related a lot more to securing stuff than to exploiting it. All I am trying to do is get an understanding of the underlying protocols.

krla

2 Answers


In order to execute the attack we need to have the IP addresses of other local hosts, which I just can't seem to get.

As you're using PPPoE, most likely you don't actually connect to the same L2 Ethernet as other customers. The switch is configured to isolate customer Ethernet ports so that they can only talk to the PPPoE server (which might indeed be the switch itself, or something further away). This is a common feature within Ethernet switches, and is something I would definitely expect an ISP to do on their customer-facing ports.

Once you establish the PPPoE connection, it only gives you a layer-3 tunnel – it doesn't carry Ethernet layer-2 headers and there is no ARP inside a PPP tunnel, because there's only one way a packet could go ("the other end of the tunnel") so the L2 addressing would be redundant. You cannot perform ARP poisoning on networks which do not use ARP.

(This also means that the PPP tunnel doesn't really have a subnet as such, and its "subnet mask" might not reflect the addresses of nearby customers at all, and might confuse IP scanners which expect the network to be a contiguous /24 or similar, while it's more like a collection of arbitrary /32's in reality.)

Generally the same applies to most VPN tunnels as well. Ethernet-like L2 VPNs do exist, but aren't the standard choice.

The book mentions default gateways as a target. So what exactly is a default gateway (for my setup), and how does it work?

"Default gateway" is shorthand for the gateway (i.e. router) that's specified in the "default route", which is the 0.0.0.0/0 route (or the ::/0 one for IPv6).

PPPoE is relevant here as well. Because L3 tunnels don't use L2 addressing or ARP, routes over L3 tunnels actually don't need a gateway address – it wouldn't make any difference to the packet headers.

So it's quite possible that your default route via PPPoE has no "default gateway".

Since we can poison the ARP cache to add entries to it, is it (asking from a security perspective) possible to create entries for addresses that aren't local? For example, let's say we have the IP address 192.168.1.12 having MAC 00:00:00:01, and a Facebook server has IP address 10.0.0.23. Is it possible to send an ARP response that will poison the ARP cache of a local user to make it seem like the address 10.0.0.23 is at MAC address 00:00:00:01? Then would the packet sent over to the Facebook IP be delivered over to us? Or would it be filtered by the router?

It wouldn't even get to that point.

The ARP cache is consulted only if the routing table says it should be consulted. A host or a router won't bother doing an ARP lookup for addresses if it already knows that those addresses are non-local.

For example, if your routing table was like this (a very typical home Ethernet host),

192.168.1.0/24 dev eth0
0.0.0.0/0 via 192.168.1.1 dev eth0

then the host would know that only 192.168.1.0/24 is local and should be ARP'd (because it's a device-only route), and it would know that everything else is non-local. When the matching route has a "gateway" specified, that directly implies that the destination is non-local and so the only ARP query is made for the gateway, not for the actual destination.

(The only situation where this would work is if the network was configured with Proxy-ARP in mind, where the default route also has no "gateway" address (but it's still a regular Ethernet and so ARP is still in use, unlike in the PPPoE case). This would indeed make every host directly make ARP queries for any destination, with the gateway answering on their behalf. Such LANs have existed in the past, though I can't imagine them being common nowadays – they were used to achieve router failover, something which VRRP handles much better now.)

What is the address of the first node (to me) where my data is sent over to? Like for most users it would be their router (at a basic level), but since I don't use one, what would be the first node through which my data goes?

In terms of IP (layer 3) nodes, in your case that would be the ISP's system which handles the other end of the PPPoE tunnel. You might be able to see its IP address from traceroute or tracert results.

(Again, it's PPPoE that makes you seem to get different results than the rest. If it weren't in use, you would just have a normal default route, and the first node would simply be the ISP's router whose address shows up in your routing table.)

Still, in any case, the next node for an IP packet (if it's not the final destination) will be a router. If it's not your router, then it will be the ISP's router.

user1686
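The route-then-ARP decision described in the answer above, as an added example that is not part of the original post. It models the answer's three cases (ordinary Ethernet host, PPPoE tunnel, Proxy-ARP LAN) with constructed routing tables; the function names and the table layout are my own, not any kernel's API.

```python
import ipaddress

# Constructed routing tables, one per case from the answer: (prefix, gateway, device).
ETH_ROUTES = [
    ("192.168.1.0/24", None, "eth0"),      # device-only route: destination is on-link
    ("0.0.0.0/0", "192.168.1.1", "eth0"),  # default route via a gateway
]
PPPOE_ROUTES = [
    ("0.0.0.0/0", None, "ppp0"),           # L3 tunnel: no gateway and no ARP at all
]
PROXY_ARP_ROUTES = [
    ("0.0.0.0/0", None, "eth0"),           # device-only default route: ARP for everything
]

ARP_CAPABLE_DEVICES = {"eth0"}  # ppp0 carries no Ethernet headers, so it never ARPs


def select_route(routes, dst):
    """Longest-prefix match over the table, the way a host picks a route."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, gateway, device in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway, device)
    return best


def arp_target(routes, dst):
    """Return the IP whose MAC the host would look up in its ARP cache when
    sending to dst, or None when no ARP lookup happens for this destination."""
    route = select_route(routes, dst)
    if route is None:
        return None                 # no route: packet is dropped before ARP
    _net, gateway, device = route
    if device not in ARP_CAPABLE_DEVICES:
        return None                 # PPP tunnel: only one peer, no L2 addressing
    return gateway if gateway is not None else dst   # gateway route: ARP the gateway only


def poisoned_entry_used(routes, dst, poisoned_ip):
    """Would a forged ARP cache entry for poisoned_ip ever be consulted for dst?"""
    return arp_target(routes, dst) == poisoned_ip
```

On the Ethernet table the forged 10.0.0.23 entry from the question is never consulted, because the host ARPs for 192.168.1.1 instead; only the Proxy-ARP table makes it matter.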

Network Engineering was right, you are trying to hack the network. If your system is connected directly to your ISP without a router/firewall in between, then your attempts to poison ARP caches will impact fellow ISP customers. This is bad and thus considered hacking.

Build out your own private LAN or create a virtual environment to perform this (and future) testing.

user2320464