Saturday, October 4, 2008

ARP Spoofing/Poisoning MITM

This is going to be a quick overview of this man-in-the-middle attack, and then I'll write a couple of tutorials that explain how to perform it. I'll also include a tutorial that shows how you can safely surf the web on public wifi spots without worrying about someone else stealing your password.

ARP (Address Resolution Protocol)
Computers have two addresses: a layer-two MAC address and a layer-three IP address. When a computer wants to send packets, it needs to know the MAC address of the destination. This is where ARP comes in.

If the computer doesn't know the MAC address, it sends out a broadcast packet asking who has this IP address. The node that has it responds with a unicast packet saying that its IP address is tied to this MAC address. Below is a screenshot of Wireshark capturing some ARP packets.

Once a computer receives an ARP packet, it caches the mapping in its ARP table. The table is a simple mapping between IP and MAC addresses. This is also sometimes referred to as the ARP cache.

dj@dj-server:~$ arp -a
? (172.16.0.1) at 00:14:F1:61:01:C0 [ether] on eth0
? (172.16.0.10) at 00:1A:92:5B:91:9D [ether] on eth0
ARP Attack
What if a computer spoofs an ARP packet with its own MAC address and a different IP address? One of the problems with ARP is that there is no authentication. If a computer receives a new ARP packet, it simply updates its ARP table.

I'll give you an example. Let's say two laptops are on a public wifi spot surfing the web. One is running XP and the other some flavor of Linux. Each of these laptops would probably know the default gateway's IP and MAC address. If the Linux laptop started telling the XP laptop that the default gateway's MAC address was its own, then the XP laptop would start forwarding its internet traffic to the Linux laptop.

Now the Linux laptop is the "Man in the Middle" and can see the XP laptop's traffic. I'll get into more details when I write the tutorials that explain how to perform this attack.
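The two halves of this post, the who-has/is-at exchange and the fact that a host will accept an unauthenticated "is-at" that rebinds the gateway's IP, can be seen together in a small arpwatch-style monitor. The example below is added here and is not code from the original post: it parses raw Ethernet+ARP frames with the standard field layout, keeps the IP-to-MAC bindings it has seen, and raises an alert when a later reply claims a MAC for an IP that already had a different one. The capture it runs on is constructed; the gateway (172.16.0.1) and the 172.16.0.10 host reuse the addresses from the arp -a output above, with 172.16.0.10 cast as the Linux laptop of the scenario, and the XP laptop's address is made up.

```python
"""Parse raw ARP frames and flag IP-to-MAC binding changes (an arpwatch-style check)."""
import struct

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def parse_arp_frame(frame: bytes):
    """Return the ARP fields of an Ethernet frame, or None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42:                       # 14-byte Ethernet header + 28-byte ARP body
        return None
    _dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"op": oper, "eth_src": mac_str(src),
            "sender_mac": mac_str(sha), "sender_ip": ip_str(spa),
            "target_mac": mac_str(tha), "target_ip": ip_str(tpa)}


class ArpMonitor:
    """Remember the IP->MAC bindings seen on the wire and report any that change."""

    def __init__(self, trusted=None):
        # trusted: bindings the operator has pinned in advance (e.g. the gateway); these are
        # never overwritten by what is learned from the wire. Assumed operator input.
        self.trusted = dict(trusted or {})
        self.bindings = dict(self.trusted)
        self.alerts = []

    def observe(self, frame: bytes):
        pkt = parse_arp_frame(frame)
        if pkt is None:                       # not ARP: nothing to learn
            return None
        ip, mac = pkt["sender_ip"], pkt["sender_mac"]
        alert = None
        if pkt["eth_src"] != mac:             # heuristic: ARP sender MAC should match the frame source
            alert = f"{ip}: ARP sender MAC {mac} differs from Ethernet source {pkt['eth_src']}"
        elif ip in self.bindings and self.bindings[ip] != mac:
            alert = f"{ip}: MAC changed from {self.bindings[ip]} to {mac}"
        if alert:
            self.alerts.append(alert)
        if ip not in self.trusted:            # learn (or re-learn) dynamic bindings only
            self.bindings[ip] = mac
        return alert


def _frame(oper, sha, spa, tha, tpa):
    """Assemble one Ethernet+ARP frame; used only to build the constructed capture below."""
    eth_dst = b"\xff" * 6 if oper == ARP_REQUEST else tha   # requests are broadcast
    return struct.pack("!6s6sH", eth_dst, sha, ETHERTYPE_ARP) + struct.pack(
        "!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, oper, sha, spa, tha, tpa)


GATEWAY_MAC = bytes.fromhex("0014f16101c0")   # 172.16.0.1 from the post's arp -a output
LAPTOP_MAC = bytes.fromhex("001a925b919d")    # 172.16.0.10 from the post's arp -a output
XP_MAC = bytes.fromhex("000000aabbcc")        # constructed: the XP laptop in the scenario
GATEWAY_IP, LAPTOP_IP, XP_IP = bytes([172, 16, 0, 1]), bytes([172, 16, 0, 10]), bytes([172, 16, 0, 20])

# Constructed capture: XP asks for the gateway, the gateway answers, then the Linux laptop
# sends an unsolicited reply claiming the gateway's IP; a non-ARP frame rounds it off.
CAPTURE = [
    _frame(ARP_REQUEST, XP_MAC, XP_IP, b"\x00" * 6, GATEWAY_IP),
    _frame(ARP_REPLY, GATEWAY_MAC, GATEWAY_IP, XP_MAC, XP_IP),
    _frame(ARP_REPLY, LAPTOP_MAC, GATEWAY_IP, XP_MAC, XP_IP),
    struct.pack("!6s6sH", XP_MAC, GATEWAY_MAC, 0x0800) + b"\x45" + b"\x00" * 27,
]


def run_capture(frames, trusted=None):
    """Feed frames through a monitor and return the list of alerts it raised."""
    mon = ArpMonitor(trusted)
    for f in frames:
        mon.observe(f)
    return mon.alerts


if __name__ == "__main__":
    for line in run_capture(CAPTURE):
        print("ALERT", line)
```

Without a trusted table the monitor only knows what it has seen first, so it alerts on the third frame because the gateway's real reply arrived earlier; pinning the gateway with trusted={"172.16.0.1": "00:14:f1:61:01:c0"} makes the check independent of packet order, which is what you want for the one binding that matters most on a public network. A legitimate change (a replaced router, a DHCP lease moving to another machine) will also trip it, so treat the alert as something to investigate rather than block on automatically.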
