ARP Cache

Poisoning
How the outdated Address Resolution Protocol can be easily abused
to carry out a Man In The Middle attack across an entire network.

Scott Helme - 6th Aug 2013 -

scotthel.me
 Introductio
n
The Address Resolution Protocol (ARP) facilitates communications on a
Local Area Network (LAN).

It does this by providing a means for clients to resolve a Layer 3 Internet

Protocol (IP) Address (192.168.1.5) to a Layer 2 Hardware Address
(af:23:b4:7d:f5:c9) or Media Access Control (MAC) address.

The ARP protocol employs no form of security or authentication and is a

simple request and reply protocol.
 Example
For Scott to send packets to Dave
over the LAN he needs to know
Daves MAC address.
Scot Dav
t ARP Request e

Who is 192.168.0.6,
FF:FF:FF:FF:FF:FF?
Im Scott, 192.168.0.5,
A3:DD:B4:12:3A:4F.
ARP Response

Hi Scott, 192.168.0.5,
192.168.0.5 192.168.0.6
A3:DD:B4:12:3A:4F.
A3:DD:B4:12:3A:4 B7:C2:11:F2:BB:E
Im Dave, 192.168.0.6,
F 6
B7:C2:11:F2:BB:E6.
 Example

Scott was able to send the ARP request to Dave

without knowing his MAC address by using the
Scot broadcast address FF:FF:FF:FF:FF:FF.
t
A packet with the broadcast address as the destination
is delivered to every client on the current LAN
segment, ensuring Dave will receive it. Once we have
Daves MAC address, we can send packets to him
instead of everyone on the network.
ARP Request

Who is 192.168.0.6,
192.168.0.5 FF:FF:FF:FF:FF:FF?
A3:DD:B4:12:3A:4 Im Scott, 192.168.0.5,
F A3:DD:B4:12:3A:4F.
 Example

Dav
When Dave received the ARP request, he identified it e
was for him and responded to the request using the
details in the initial request.

ARP Response

Hi Scott, 192.168.0.5,
A3:DD:B4:12:3A:4F. 192.168.0.6
Im Dave, 192.168.0.6, B7:C2:11:F2:BB:E
B7:C2:11:F2:BB:E6. 6
 Example

Scot Dav
t e
Now Scott and Dave have exchanged
details they can communicate with each
other directly. They both store a record
in their ARP Cache of the other clients IP
and MAC address so they can perform a
lookup later if needed. This prevents the
need for subsequent ARP requests and
reduces network traffic.
192.168.0.5 192.168.0.6
A3:DD:B4:12:3A:4 B7:C2:11:F2:BB:E
F 6
 The
Problem
Scot Dav
t e

During the ARP request/response

exchange neither client took any steps
to verify the identity of the responding
client, or the authenticity of the
response sent. This presents an
opportunity for a 3rd party to
impersonate clients on the network.
192.168.0.5 192.168.0.6
A3:DD:B4:12:3A:4 B7:C2:11:F2:BB:E
F 6
 Attacke
r The
Problem
ARP Requests are sent to
192.168.0.7 all clients on the network
C4:D3:46:B1:EE:B as they use the broadcast
A MAC address
FF:FF:FF:FF:FF:FF.

Scot Dav
t e

192.168.0.5 192.168.0.6
A3:DD:B4:12:3A:4 B7:C2:11:F2:BB:E
F 6
 Attacke
r The
Hi Scott, 192.168.0.5,
A3:DD:B4:12:3A:4F.
Problem
ARP Responses are not
Im Dave, 192.168.0.6, verified and if any client
C4:D3:46:B1:EE:BA. receives a new response
192.168.0.7
C4:D3:46:B1:EE:B they will update their ARP
A cache assuming the
sender has changed their
MAC or IP address.

Scot Dav
t e

192.168.0.5 192.168.0.6
A3:DD:B4:12:3A:4 B7:C2:11:F2:BB:E
F 6
 Attacke
r The
Hi Scott, 192.168.0.5,
A3:DD:B4:12:3A:4F. As
Problem
long as the attacker
Im Dave, 192.168.0.6, regularly sends the forged
C4:D3:46:B1:EE:BA. response to the target (Scott),
192.168.0.7 they will continue to send traffic
C4:D3:46:B1:EE:B to the wrong location. If the
A Attacker then resends the traffic
to the correct destination there
is no interruption on the LAN
and Dave is not aware the
Scot Dav his traffic.
Attacker can view
t e

192.168.0.5 192.168.0.6
A3:DD:B4:12:3A:4 B7:C2:11:F2:BB:E
F 6
 Attacke
r The
To Dave, To Problem
Dave,
192.168.0.6, 192.168.0.6,
C4:D3:46:B1:EE:BA. B7:C2:11:F2:BB:E6.
The password is The password is
SuperSecret1234. 192.168.0.7 SuperSecret1234.
From Scott, C4:D3:46:B1:EE:B From Scott,
192.168.0.5 A 192.168.0.5
A3:DD:B4:12:3A:4F A3:DD:B4:12:3A:4F

Scot Dav
t This is a successful e
implementation of a MITM
attack and allows the
attacker to view all traffic
sent by Scott to Dave.
192.168.0.5 192.168.0.6
A3:DD:B4:12:3A:4 B7:C2:11:F2:BB:E
F 6
 Clie

Clie
nt The Scope
nt

Attacke
r
Clie At this point, the attacker can
nt choose which targets on the network
he wants to MITM and impersonate
them using forged ARP packets to
poison their ARP Cache.
192.168.0.7
C4:D3:46:B1:EE:B
A
Clie
nt
Clie
nt
 A gratuitous ARP can be sent by a
client at any point, usually when their The Bigger
IP address or MAC address has
changed for some reason. This allows
other clients to update their ARP
Problem
cache and maintain current records.
An attacker can send out a forged
gratuitous ARP without needing to
wait for an ARP request from a target
on the network.
Attacke Default
Broadca
r Gateway
st
To Everyone!
Here are my updated details!
192.168.0.1
C4:D3:46:B1:EE:BA
192.168.0.7
C4:D3:46:B1:EE:B
192.168.0.1
A The attacker has just told all clients D7:AD:F1:C3:A4:D
on the network that he is the 9
default gateway!
Clie
nt The Bigger
Clie
Problem
nt
Default
Attacke Gateway
Clie
r
nt

Clie
nt
192.168.0.7
192.168.0.1
Clie C4:D3:46:B1:EE:B
D7:AD:F1:C3:A4:D
nt A
9

Clie Here the attacker can monitor all Internet traffic on the LAN that
nt isnt being sent using TLS. He could also simply not forward on
the traffic and bring the entire network down as no clients would
be able to communicate at all. This is known as a Denial of
 Mitigatio
There is no replacement for ARP on a LAN so ARP Cache
Poisoning is a difficult threat to defend against. n
You can create static ARP entries on client machines for
important things like the default gateway. The only
problem is if the IP or MAC genuinely changes no client
will listen to the new details and depend upon the
incorrect static entries which now need to be updated.

ARP Cache Poisoning actually has genuine advantageous

uses. If a web server on your LAN went down, you could
invisibly direct all clients to a backup server without
needing to alter any configurations. Simply broadcast a
forged ARP packet with the MAC address for the new
server.

You can employ monitoring software to listen and try to

detect forged ARP packets. They are easy to spot by
maintaining a historic record of ARP broadcasts and
looking for an ARP packet with the same IP address but a
 Conclusio
n
Whilst you could statically assign all ARP entries on the
network this is not a realistic solution and near impossible to
maintain on large networks. Detection software can let you
know when someone is attempting to ARP poison clients on
your network and event attempt to mitigate it but this is still a
reactive measure and not a form of prevention. ARP Cache
Poisoning presents a serious threat over a LAN (this includes
WiFi) which stems from an inherent lack of security in the
protocol itself. The easiest way to protect your Internet traffic
whilst using a network that may contain malicious clients is to
use sites protected with TLS. As TLS offers end to end
encryption the attacker would only be able to view the
encrypted version of your traffic and as such it is useless to
them. There are of course other options like using a Virtual
Private Network (VPN), which will be covered in a later
presentation, but require considerable cost and maintenance.
 Thanks

You can find more info covering this and other forms of attack on
my blog:

http://scotthel.me

Please feel free to share this information generously but do

provide attribution back to my site.

This work is licensed under the Creative Commons

Attribution 3.0 Unported License. To view a copy of this
license, visit http://creativecommons.org/licenses/by/3.0/