
How can an ARP-poisoning attack work in a mixed (wireless and wired) network?

Assuming that the attacker is connected to the network via wireless connection and the target is a computer connected to the network via wired connection, how would the ARP poisoning traffic go across the wireless to the wired network? Why would the router forward the ARP poisoning from the wireless to wired network?

Eric G
reqe
  • How it can work.. well.. it can work so that the attacker poisons the packets so that the victim will connect to the attacker, and then the attacker can sniff, and more, those packets. It is of course important that the attacker remembers to redirect the traffic through a real internet access point, and that could be the wireless router itself. Not sure what you want to know; if you have some more specific question, I'll try and answer that or someone else will :-) – Daniel Sep 07 '13 at 08:37
  • Also read this for some info: http://openmaniak.com/ettercap_arp.php – Daniel Sep 07 '13 at 08:39
  • Open Wifi or WPA? – curiousguy Sep 08 '13 at 03:05

2 Answers

ARP is local to a network "wire". In traditional Ethernet, there was a single cable going through all machines in a LAN; the full network is then a collection of LANs, linked together through special machines (routers) which have several ethernet cards, one on each LAN to which the router is connected. When an IP packet must travel from machine A to machine B, it must hop from router to router, and each hop is an emission on a LAN: when the packet jumps from router R to router S, it means that routers R and S are part of the same LAN. R got the packet from another LAN (to which R is connected as well), and S will send the packet to yet another LAN, which S is part of, as well as the next router.

Nowadays, the "wires" are more virtual. We use twisted pair cables and switches, but they collectively maintain the shared medium model which is what the shared wire embodied in older times.

ARP is the protocol which allows machines from the same LAN to talk to each other. In our example above, router R wants to send a packet to router S, which R knows by IP address. But, on the LAN, R must tag the packet with the MAC address of S, so that S sees it. ARP is the way by which R obtains the MAC address of S: R emits a broadcast packet (the packet is tagged as "for everybody" and every machine on the LAN will see it and consider it), and that packet asks for the MAC address of S. One machine (usually S itself) responds with an ARP response which contains the needed information.

ARP poisoning is the method by which an attacker, who controls another machine on the LAN with R and S (let's call it T), tries to redirect traffic from R, thus posing as a fake S. The attacker tries to do two distinct things:

  1. The attacker wants to see the packet from R to S.
  2. The attacker wants to prevent the genuine S from seeing the packet from R.

In the "shared wire" model, point 1 was automatically achieved, because, by definition, every packet on the wire was electronically visible to all machines connected to that wire (it is just that machines are trained to disregard packets which do not bear their MAC address as destination, unless the packet is tagged "broadcast"). However, with switches, this is not so easy: switches try to keep track of where each machine is, and avoid sending packets on irrelevant cables.

In any case, to achieve point 2, the attacker must do something else, namely convince router R that S's MAC address really is the MAC address of machine T. This "convincing" is what the ARP poisoning is about. Router R, and also the switches, remember the mapping of S's IP address to S's MAC address; the part in which they remember that is called the ARP cache. The ARP poisoning is thus, mostly, a big spamming of everybody on the LAN with fake ARP responses which will convince both R and the intervening switches that the MAC address corresponding to the IP address of S is the MAC address that the attacker has chosen, namely that of the T machine (that the attacker controls).

In any case, ARP poisoning works or even makes sense only within a given LAN. It operates at ethernet level, not IP ("level 2" in the terrible layered OSI model). An attacker can pull it off only if he gets his foot in one of the LANs through which the packets he is interested in travel.


This long preamble then reveals the answer to your question, i.e.: it depends. Namely, it depends on how the wireless access point is configured. The access point may be a router, connected to two distinct LANs, one for the WiFi machines (their shared medium is then the radio waves), and one for the wired (Ethernet) machines. In such a setup, the WiFi machines know the AP as a router with its own address, and when they want to talk to a wired machine, they talk to the AP. Each LAN has its own ARP traffic. ARP poisoning does not, in that case, work over a communication from a WiFi machine (A) to a wired machine (B): by construction, machine A never learns the MAC address of machine B, since it is not on the same LAN. If A never knows that MAC address, it cannot be convinced to use a fake address: it uses no MAC address at all for B, only an IP address. B is non-local to A.

At best, an attacker on the WiFi LAN may try to convince other machines that the router's MAC address (the access point) is something else, but the router itself will probably remain unmoved: the knowledge of a machine of its very own MAC address is normally impervious to cache poisoning.

However, if the AP is a bridge, then there is only one LAN, which spans both the wired and the WiFi machines. ARP requests and responses flow throughout. The access point is then not a router at all, or at least not a router which links the two LANs together, since there is only one LAN. The AP might not even have a MAC address or an IP address at all. In that case, ARP poisoning works well: the WiFi access point is just a "kind of switch" which happens to use radio waves as its physical medium.


Most "home wireless routers" are both a bridge and a router. They bridge the WiFi machines and the wired machines connected to their "internal" plugs. They also pose as routers, linking to another LAN embodied by the single "uplink" plug, which is supposed to go to the cable/ADSL modem. ARP poisoning will work well from the WiFi to the wired machines and back, but not towards the cable/ADSL modem.

Tom Leek
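The answer above describes the mechanics a defender needs to watch for: on one bridged LAN, forged ARP replies rebind a known IP address (typically the gateway's) to a different MAC address in everybody's ARP cache. The following Python script is an added example, not part of Tom Leek's answer or this thread. It builds and parses raw Ethernet/ARP frames (RFC 826 layout for IPv4 over Ethernet) and runs a small arpwatch-style monitor over a constructed sequence of replies: the gateway's MAC is pinned as a static entry, and the monitor raises an alert when a reply tries to move that IP to another MAC, or when the Ethernet source address does not match the ARP sender address. All MAC and IP addresses are constructed sample values, and the frames are built in memory only (no socket traffic).

```python
import struct
from typing import Dict, List, Optional

ETH_P_ARP = 0x0806
ARP_REQUEST = 1
ARP_REPLY = 2

# Constructed sample addresses (not from the thread).
GATEWAY_IP, GATEWAY_MAC = "192.168.1.1", "00:11:22:33:44:55"
VICTIM_IP, VICTIM_MAC = "192.168.1.10", "00:aa:bb:cc:dd:ee"
ROGUE_MAC = "66:77:88:99:aa:bb"  # MAC a forged reply claims for the gateway IP


def mac_bytes(mac: str) -> bytes:
    return bytes(int(x, 16) for x in mac.split(":"))


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_bytes(ip: str) -> bytes:
    return bytes(int(x) for x in ip.split("."))


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def build_arp(opcode: int, sender_mac: str, sender_ip: str, target_mac: str,
              target_ip: str, eth_src: Optional[str] = None) -> bytes:
    """Build a 42-byte Ethernet II frame carrying an IPv4-over-Ethernet ARP packet.
    eth_src lets a test frame carry an Ethernet source that differs from the ARP sender."""
    eth = mac_bytes(target_mac) + mac_bytes(eth_src or sender_mac) + struct.pack("!H", ETH_P_ARP)
    # htype=1 (Ethernet), ptype=0x0800 (IPv4), hlen=6, plen=4, opcode
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip) + mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp


def parse_arp(frame: bytes) -> Optional[dict]:
    """Return the ARP fields of an Ethernet frame, or None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {
        "eth_src": mac_str(frame[6:12]), "op": op,
        "sender_mac": mac_str(frame[22:28]), "sender_ip": ip_str(frame[28:32]),
        "target_mac": mac_str(frame[32:38]), "target_ip": ip_str(frame[38:42]),
    }


class ArpMonitor:
    """Tracks IP -> MAC bindings seen on one L2 segment and flags changes to them.
    Entries passed as `static` (e.g. the gateway) are pinned and never overwritten."""

    def __init__(self, static: Optional[Dict[str, str]] = None):
        self.table: Dict[str, str] = dict(static or {})
        self.pinned = set(self.table)

    def observe(self, frame: bytes) -> List[str]:
        pkt = parse_arp(frame)
        if pkt is None or pkt["op"] not in (ARP_REQUEST, ARP_REPLY):
            return []
        alerts: List[str] = []
        if pkt["eth_src"] != pkt["sender_mac"]:
            alerts.append(f"header mismatch: frame from {pkt['eth_src']} carries ARP sender {pkt['sender_mac']}")
        ip, mac = pkt["sender_ip"], pkt["sender_mac"]
        known = self.table.get(ip)
        if known is None:
            self.table[ip] = mac  # first sighting: learn it
        elif known != mac:
            kind = "pinned" if ip in self.pinned else "learned"
            alerts.append(f"{ip} moved from {known} ({kind}) to {mac}")
            if ip not in self.pinned:
                self.table[ip] = mac
        return alerts


def demo_frames() -> List[bytes]:
    """Constructed traffic: two genuine replies, a forged reply claiming the gateway IP,
    then a frame whose Ethernet source disagrees with its ARP sender field."""
    return [
        build_arp(ARP_REPLY, GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),
        build_arp(ARP_REPLY, VICTIM_MAC, VICTIM_IP, GATEWAY_MAC, GATEWAY_IP),
        build_arp(ARP_REPLY, ROGUE_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),
        build_arp(ARP_REPLY, GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP, eth_src=ROGUE_MAC),
    ]


def run_demo() -> List[str]:
    """Feed the constructed frames to a monitor with the gateway pinned; return the alerts."""
    monitor = ArpMonitor(static={GATEWAY_IP: GATEWAY_MAC})
    alerts: List[str] = []
    for frame in demo_frames():
        alerts.extend(monitor.observe(frame))
    return alerts


if __name__ == "__main__":
    for line in run_demo():
        print("ALERT:", line)
```

Pinning the gateway's MAC mirrors the answer's point that an attacker in the bridged case targets the mapping for the router's IP; a real deployment would read frames from a raw socket or pcap on the bridged segment instead of `demo_frames()`, and the two alert types correspond to the two things the monitor can see without any knowledge of the attacker: a binding changing, and a frame whose link-layer source and ARP payload disagree.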

Regardless of where you are connected, if you are able to do ARP poisoning, that is, you make all traffic headed towards the gateway of the network come to you, you will get all traffic and you will be able to intercept it.

Q: The router would need to forward the wrong information about its own IP. Doesn't it recognize that?

In ARP poisoning, you are not communicating the wrong information through the router; you are directly talking to the end client. Keep in mind that you must share a layer two connection with the victim to be able to poison the ARP. There are situations when wireless and wired networked devices share the same VLAN and hence ARP poisoning is possible. If you and the victim are on two different VLANs (subnets), you cannot do ARP poisoning.

AdnanG