How does ARP Poisoning work if the IP address is wrong?


TLDR ARP Poisoning doesn't change the IP dst in the table so why does spoofing the MAC under another IP address help to redirect the traffic?

Any video I find explains that the goal of ARP poisoning is to send an unsolicited message to 'overwrite' the host's & router's ARP table so that the MitM attacker's MAC address is associated with both so that they look like so:

Victim: aa:bb:cc:dd:ee:ff (192.168.1.100)
Router: aa:bb:cc:dd:ee:ff (192.168.1.1)
MitM Machine: aa:bb:cc:dd:ee:ff (192.168.1.199)

In this way both end up sending to the Man in the Middle who will then forward to the endpoints 192.168.1.199 and 192.168.1.1, which actually had another MAC address.

...My question is how does that work? If you are tricking these devices into associating the wrong MAC with the correct IP, how is the traffic actually re-routing? What I mean is how I see it is like this:

Victim > packet to router at 192.168.1.1 > gets to router and opens up the packet to find that the MAC is wrong?

SomeRandomGuy12345

Posted 2015-07-16T06:53:05.523


Answers


How does ARP Poisoning work if the IP address is wrong?

It's normally called ARP Spoofing, but also referred to as ARP Poison Routing (APR) or ARP Cache Poisoning.

ARP Poisoning doesn't change the IP destination in the table so why does spoofing the MAC under another IP address help to redirect the traffic?

  • Hubs, switches and the LAN side of a router route data using the MAC address contained in the Ethernet data frame.

  • During the attack the ARP table entries for the victim's IP address will contain the MAC address of the attacker.

  • When any data is sent to or from the victim's IP address it will be routed to the attacker's MAC address.

The goal of ARP poisoning is to send an unsolicited message to 'overwrite' the host's & router's ARP table so that the MitM attacker's MAC address is associated with both.

No, this is not correct.

  • The ARP table entries for the victim's IP address will contain the MAC address of the attacker.
  • The ARP table entries for the router's IP are not changed.
  • The attacker can choose to forward traffic from the victim's IP address to the router but he doesn't have to.

See What Happens Next below for more information.


What Is ARP Spoofing?

ARP spoofing is a type of attack in which a malicious actor sends falsified ARP (Address Resolution Protocol) messages over a local area network. This results in the linking of an attacker’s MAC address with the IP address of a legitimate computer or server on the network.

Once the attacker’s MAC address is connected to an authentic IP address, the attacker will begin receiving any data that is intended for that IP address.

ARP spoofing can enable malicious parties to intercept, modify or even stop data in-transit. ARP spoofing attacks can only occur on local area networks that utilize the Address Resolution Protocol.

Source: Veracode ARP Spoofing


How does it work?

ARP spoofing attacks typically follow a similar progression. The steps to an ARP spoofing attack usually include:

  1. The attacker opens an ARP spoofing tool and sets the tool’s IP address to match the IP subnet of a target. Examples of popular ARP spoofing software include Arpspoof, Cain & Abel, Arpoison and Ettercap.

  2. The attacker uses the ARP spoofing tool to scan for the IP and MAC addresses of hosts in the target’s subnet.

  3. The attacker chooses its target and begins sending ARP packets across the LAN that contain the attacker’s MAC address and the target’s IP address.

  4. As other hosts on the LAN cache the spoofed ARP packets, data that those hosts send to the victim will go to the attacker instead. From here, the attacker can steal data or launch a more sophisticated follow-up attack.

Source: Veracode ARP Spoofing


What happens next?

The attacker may choose to inspect the packets (spying), while forwarding the traffic to the actual default gateway to avoid discovery, modify the data before forwarding it (man-in-the-middle attack), or launch a denial-of-service attack by causing some or all of the packets on the network to be dropped.

Source: Wikipedia ARP spoofing


Further reading

DavidPostill

Posted 2015-07-16T06:53:05.523


Ah thanks.. I can't really find a model of how MAC addresses are actually used in the routing. I thought the IP was always used to route. On the LAN side it just says "send this data to this MAC" and off it goes through the switches and router (LAN side)? ... I see what you mean now that the MitM simply forwards it on to the router and perhaps uses itself as the return MAC address. – SomeRandomGuy12345 – 2015-07-16T12:18:21.510

@SomeRandomGuy12345 OSI layer: Ethernet and IP address has a nice explanation

– DavidPostill – 2015-07-16T12:24:27.720
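The defender's counterpart to the "What happens next?" section above is noticing the poisoned bindings before the forwarding starts. The following is an added example (not DavidPostill's, nor from any tool he names) of an arpwatch-style monitor: it decodes raw ARP reply payloads and alerts when a known IP starts answering from a new MAC or one MAC claims several IPs. All addresses and packets are constructed.

```python
"""Added example: an arpwatch-style ARP cache poisoning detector, stdlib only.
It remembers the sender IP -> MAC binding of every ARP reply and alerts when a
known IP starts answering from a different MAC, or when one MAC claims several
IPs (an attacker posing as both victim and gateway). All packets are constructed."""
import struct

ARP_FMT = "!HHBBH6s4s6s4s"   # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa
ARP_REPLY = 2

def mac_str(b): return ":".join(f"{x:02x}" for x in b)
def ip_str(b): return ".".join(str(x) for x in b)

def parse_arp(payload):
    """Decode the 28-byte Ethernet/IPv4 ARP payload that follows the Ethernet header."""
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(ARP_FMT, payload[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return {"op": oper, "sha": mac_str(sha), "spa": ip_str(spa), "tha": mac_str(tha), "tpa": ip_str(tpa)}

def build_arp(oper, sha, spa, tha, tpa):
    """Fabricate a test payload; only used here to construct sample traffic."""
    m = lambda s: bytes(int(x, 16) for x in s.split(":"))
    i = lambda s: bytes(int(x) for x in s.split("."))
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, oper, m(sha), i(spa), m(tha), i(tpa))

class ArpMonitor:
    def __init__(self):
        self.ip_to_mac = {}          # sender IP -> MAC last seen in a reply

    def observe(self, payload):
        """Return alert strings for this packet (empty list when nothing is suspicious)."""
        p = parse_arp(payload)
        if p["op"] != ARP_REPLY:
            return []
        alerts = []
        old = self.ip_to_mac.get(p["spa"])
        if old is not None and old != p["sha"]:
            alerts.append(f"{p['spa']} changed from {old} to {p['sha']}")
        self.ip_to_mac[p["spa"]] = p["sha"]
        claimed = sorted(ip for ip, mac in self.ip_to_mac.items() if mac == p["sha"])
        if len(claimed) > 1:
            alerts.append(f"{p['sha']} claims multiple IPs: {claimed}")
        return alerts

def run_sample():
    """Constructed capture: two legitimate replies, then one MAC taking over gateway and victim IPs."""
    mon = ArpMonitor()
    pkts = [build_arp(2, "00:00:00:00:00:02", "192.168.1.1", "00:00:00:00:00:01", "192.168.1.100"),
            build_arp(2, "00:00:00:00:00:01", "192.168.1.100", "00:00:00:00:00:02", "192.168.1.1"),
            build_arp(2, "aa:bb:cc:dd:ee:ff", "192.168.1.1", "00:00:00:00:00:01", "192.168.1.100"),
            build_arp(2, "aa:bb:cc:dd:ee:ff", "192.168.1.100", "00:00:00:00:00:02", "192.168.1.1")]
    return [mon.observe(p) for p in pkts]
```

On a real host the payloads would come from a raw socket or a pcap, with the 14-byte Ethernet header stripped first; a static ARP entry for the gateway or switch-side dynamic ARP inspection stops the poisoning rather than just reporting it.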


For example, in a LAN connected by a switch, the switch will not decapsulate the packet until the Network Layer (Layer 3 of the OSI model). It will only check the MAC from its CAM table and forward the packet on the proper port. That's why the IP is not checked, especially when the switch's CAM table is already populated.

krato

Posted 2015-07-16T06:53:05.523


When the packet is sent on the link-layer network, it's sent to the attacker's MAC address, so it's the attacker that gets it, not the intended recipient.

Let's make this a little more concrete by specifying the link-layer network. Let's take Ethernet for example. Ethernet NICs only know about their own (Ethernet) layer. They don't know what IP is, so they have no idea how these packets may be addressed at the IP layer. That's all a bunch of opaque payload bytes to the Ethernet NICs. The sending NIC just knows it was handed a frame for aa:bb:cc:dd:ee:ff, so it puts that destination address on it and transmits it. Only the attacker's NIC is programmed to look at frames addressed to aa:bb:cc:dd:ee:ff, so only the attacker's NIC receives the frame by passing it up to its host's OS's network stack.

Spiff

Posted 2015-07-16T06:53:05.523


"When the packet is sent on the link-layer network, it's sent to the attacker's MAC address, so it's the attacker that gets it, not the intended recipient."

This very first line is my problem. Why is that the case? I must have some fundamental misunderstanding. It sounds like LAN routing doesn't work on IPs basically and IPs are only used to discover MAC addresses?

I can't see how we get beyond the victim sending information intended for a certain MAC address to the wrong party. Yes, it now expects the router to have the mac address of aa:bb:cc:dd:ee:ff, but nonetheless the IP is the router – SomeRandomGuy12345 – 2015-07-16T10:06:06.337

If "The sending NIC just knows it was handed a frame for aa:bb:cc:dd:ee:ff, so it puts that destination address on it and transmits it." is true then from what I understand that will STILL be 192.168.1.1 according to the poisoned ARP table, despite the fact that the MAC for that router in ARP has been poisoned to show the MitM machine's MAC? – SomeRandomGuy12345 – 2015-07-16T10:12:52.110
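The frame-delivery model that krato and Spiff describe, as an added example that is not from any of the posters: the victim resolves the router's IP through its ARP cache, and the switch forwards on the resulting destination MAC alone, so the IP header still says 192.168.1.1 while the frame lands on the attacker's port. Addresses are made up for illustration.

```python
"""Added example (not from any poster): a toy LAN showing why a poisoned ARP
entry redirects traffic. A host chooses the destination MAC from its ARP cache;
the switch forwards on that MAC alone and never reads the IP header. All
addresses are made up for illustration."""
from dataclasses import dataclass, field

VICTIM_IP, ROUTER_IP = "192.168.1.100", "192.168.1.1"
VICTIM_MAC, ROUTER_MAC, ATTACKER_MAC = "00:00:00:00:00:01", "00:00:00:00:00:02", "aa:bb:cc:dd:ee:ff"

@dataclass
class Frame:
    dst_mac: str
    src_mac: str
    dst_ip: str     # to the switch this is just opaque payload
    src_ip: str

@dataclass
class Host:
    mac: str
    arp_cache: dict = field(default_factory=dict)   # IP -> MAC

    def send_ip(self, dst_ip, src_ip):
        # The ARP cache is the only place the IP influences where the frame goes.
        return Frame(self.arp_cache[dst_ip], self.mac, dst_ip, src_ip)

class Switch:
    def __init__(self, ports):
        self.cam = {host.mac: name for name, host in ports.items()}   # MAC -> port

    def forward(self, frame):
        # CAM lookup on the Ethernet destination only; frame.dst_ip is never consulted.
        return self.cam[frame.dst_mac]

def deliver(victim_cache):
    """Victim sends one IP packet to the router; return (IP dst, port the switch chose)."""
    victim = Host(VICTIM_MAC, dict(victim_cache))
    sw = Switch({"victim": victim, "router": Host(ROUTER_MAC), "attacker": Host(ATTACKER_MAC)})
    frame = victim.send_ip(ROUTER_IP, VICTIM_IP)
    return frame.dst_ip, sw.forward(frame)

HEALTHY = {ROUTER_IP: ROUTER_MAC}
POISONED = {ROUTER_IP: ATTACKER_MAC}   # spoofed reply overwrote the MAC, the IP key is untouched

if __name__ == "__main__":
    print(deliver(HEALTHY))    # ('192.168.1.1', 'router')
    print(deliver(POISONED))   # ('192.168.1.1', 'attacker')
```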