ARP Spoofing and Detection/Prevention


Address Resolution Protocol (ARP) is a protocol used to get the hardware (MAC) address of a device on the network from its IP address (Network Layer). RARP does the opposite of ARP: it looks up the IP address from the MAC address. RARP works a little differently; it sends out a broadcast asking who has the MAC address, and a RARP server then responds with the node's IP address. ARP is commonly used in Ethernet networks but can also be used in other types of networks. IPv6 doesn't use ARP, but rather NDP (Neighbor Discovery Protocol). In order for Ethernet to send data it needs the MAC address of the receiving device.
A MAC address uniquely identifies a device on the network and sits at the Data Link layer (layer 2) of the OSI model. MAC addresses are burned into the network card by the manufacturer and should be unique in the world. The first 6 hex digits of the MAC address assigned to a network interface card are the manufacturer ID and the last 6 are the card's serial number. You can change your MAC at the software level (it won't change the burned-in MAC address on the NIC) fairly easily.
In Linux, type the following command:

ifconfig eth0 down hw ether 00:01:02:03:04:05

Now bring up the interface

ifconfig eth0 up

In Windows you can change a registry value.

1. Browse to "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}"
2. You will see several subkeys that are 4 digits long; these keys represent your network adapters. Under each subkey you will find a value called 'DriverDesc' which shows the description of the network adapter. Find the one you want to edit.
3. Edit or create a string called 'NetworkAddress' and place your new spoofed MAC address into it, e.g. 00-01-02-03-04-05.
4. Restart your network interface

Also, in Windows some network drivers have a built-in setting that you can use to change the MAC address.
1. Open the device manager
2. Go to the properties of your NIC
3. Click on the Advanced tab and look for NetworkAddress
4. Change that value (ex 00-01-02-03-04-05)
5. Restart your network interface

When your computer requests network resources (web pages, network shares, etc.) it first checks its routing table to figure out where to send the data. Once it knows where to send the data, your PC needs to find the MAC address of the node that will be receiving the data, most likely your gateway router if the traffic is going to the internet. It does this by checking its ARP cache. If it doesn't have the hardware address in its cache it sends out a broadcast (MAC address FF:FF:FF:FF:FF:FF) requesting the MAC address of the device that has that IP address. Generally the device that owns the requested IP address responds to the broadcast, but in practice any device on the network that hears the broadcast and knows the MAC address can respond. When a device responds it doesn't send out a broadcast with the information; it replies directly to the requesting device. Now that your machine has the MAC address, it adds it to the Ethernet frame and sends the data.
When a network device hears or receives an ARP broadcast request it stores the sender's information in its ARP cache. How long your device keeps the cached ARP information is up to the operating system. Any device on the network can send an ARP reply to another device and that device will store the information in its ARP cache even if it didn't request the information.
You can view the ARP cache with the "arp" command. In most Linux distros you just type 'arp' and that displays the ARP cache. In Windows you would want to add the -a switch, so 'arp -a'. With this command you can also delete entries by typing 'arp -d IP address'; this works in Linux and in Windows. You can also add static entries by typing 'arp -s IP address MAC address'; this also works in Linux and Windows. More about static entries later.
With ARP spoofing (also known as ARP poisoning) you are tricking your target into thinking that you are the device it wants to send its data to. So, for example, if you want all internet traffic from the target to go to your machine, you would tell the target that your machine's MAC address is the MAC address of the gateway. Then you would tell the gateway that the target's MAC address is yours. This way both directions of traffic flow through your machine. Start up your favorite packet sniffer and you're good to go. Of course you will want to make sure that you are forwarding the data and not just storing it; if not, your target won't be able to send data to its original destination.
There are lots of tools available that you can use to perform ARP spoofing, we will go over a few tools (there are plenty of articles discussing how to ARP spoof). My test environment consists of an Ubuntu laptop (using wireless), a desktop machine running Windows XP (wired), and another Ubuntu desktop running VMware with Windows XP as a guest operating system (also wired).
The first tool that we will go over is Ettercap. Ettercap is an open-source tool that runs on Windows and on Linux operating systems. To ARP spoof with Ettercap:
1. Launch Ettercap; in Linux type ettercap -G which will bring up the GUI (you don't have to use the GUI, but we will in our example).
2. Click on ‘Sniff’, then ‘Unified sniffing’. You could use ‘Bridged sniffing’ if you had two network interface cards on your machine; I don’t so I won’t be using that method.
3. Select your network interface
4. Add your targets, if you skip this step you will ARP spoof your entire network segment which I wouldn't recommend. Select ‘Targets’ then add your targets, the gateway on one side then the target on the second.
5. Click ‘Mitm’ then ARP poisoning

What this does is tell the gateway that you are the target machine and tell the target machine that you are the gateway; now all of the traffic going to the internet from your target machine will go to your machine, and your machine will then forward it to the gateway (Ettercap automatically forwards the data). As noted earlier, when any device sends an ARP request your machine caches the information. When Ettercap hears an ARP request involving your targets it immediately sends an ARP reply to your targets with its MAC address. Just a note: I have noticed on my VMware machine that Ettercap is sometimes a little slow to respond to these ARP requests and as a result your target gets the correct MAC address for a short period of time (a few seconds).
The next tool is a Linux tool called arpspoof, which is included in the dsniff suite. Before you run it you will want to forward the packets instead of dropping them; you do this with the following command on most Linux distros:

echo 1 > /proc/sys/net/ipv4/ip_forward

And you can check it with:

cat /proc/sys/net/ipv4/ip_forward

You should get a ‘1’ back.

Now you are ready to ARP spoof. You will need to open two command prompts, because you want to ARP spoof both targets and this tool does not do it automatically like Ettercap does. On your first command prompt type:

arpspoof -i interface -t target gateway

ex arpspoof -i eth1 -t

Then on your second one type:

arpspoof -i eth1 -t

You are now spoofing your targets. Arpspoof sends out a reply packet every second and nothing more. The drawback of this is that when another device requests the MAC address for one of your targets, your targets might cache that information and your ARP spoofing is broken for a second.
There are lots of other tools; one for Windows is WinArpSpoof, and Linux tools include Arpoison and THC-parasite.

Detecting/Preventing ARP Spoofing:
We have several options for detecting this type of attack. First, you can set the MAC address manually as a static entry so that when your computer receives an ARP reply for that address it ignores it. Setting entries manually is a pain but is probably the easiest method. You can add a static entry by typing 'arp -s IP address MAC address' in Windows or Linux.
You could also run a program by Irongeek called DecaffeinatID. This program monitors your ARP cache and notifies you of any additions and any changes. If it detects an ARP spoofing attack it will alert you. DecaffeinatID is a Windows-based program.
Linux has several programs that you can use to detect ARP spoofing on your computer, one being ARPon. I couldn't get this to work on my machine, but it says it does more than detection; it will prevent it from happening. You can also use Ettercap to detect ARP spoofing (both on Linux and Windows), and ARPWatch.
A few other solutions would be to encrypt all traffic on your network with IPsec or something similar. You could also implement DHCP snooping; with it you can configure your switches to only allow certain MAC addresses to have access to the network. This is not the best solution because MAC addresses can be changed, but it adds another layer of complexity. And finally, install an IDS/IPS system like Snort.
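To make the cache-monitoring idea behind DecaffeinatID and ARPWatch concrete, and to show the ARP frame layout described earlier in the post, here is an added example that is not from the original post or from either of those tools. It parses raw Ethernet/ARP frames, keeps an IP-to-MAC table the way a host's ARP cache would, and raises an alert when an IP's MAC changes or when one MAC claims more than one IP (which is what a host doing both halves of the gateway/target poisoning looks like from the wire). All addresses and frames are constructed for the example; a real deployment would feed frames from a packet capture instead of the constructed list.

```python
import struct
from dataclasses import dataclass

ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, EtherType
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")  # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_to_bytes(mac): return bytes.fromhex(mac.replace(":", "").replace("-", ""))
def bytes_to_mac(b): return ":".join(f"{x:02x}" for x in b)
def ip_to_bytes(ip): return bytes(int(o) for o in ip.split("."))
def bytes_to_ip(b): return ".".join(str(x) for x in b)


@dataclass
class Arp:
    op: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Assemble an Ethernet+ARP frame; used here only to construct sample traffic."""
    dst = BROADCAST if op == ARP_REQUEST else target_mac
    eth = ETH_HDR.pack(mac_to_bytes(dst), mac_to_bytes(sender_mac), ETHERTYPE_ARP)
    arp = ARP_HDR.pack(1, 0x0800, 6, 4, op,
                       mac_to_bytes(sender_mac), ip_to_bytes(sender_ip),
                       mac_to_bytes(target_mac), ip_to_bytes(target_ip))
    return eth + arp


def parse_arp(frame):
    """Return an Arp record for an Ethernet/IPv4 ARP frame, or None for anything else."""
    if len(frame) < ETH_HDR.size + ARP_HDR.size:
        return None
    _dst, _src, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = ARP_HDR.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return Arp(op, bytes_to_mac(sha), bytes_to_ip(spa), bytes_to_mac(tha), bytes_to_ip(tpa))


class ArpMonitor:
    """Cache-style monitor: learn sender IP/MAC pairs, alert on changes and duplicate MACs."""

    def __init__(self):
        self.table = {}    # ip -> mac, as the host's ARP cache would hold it
        self.alerts = []

    def observe(self, pkt):
        if pkt is None or pkt.op not in (ARP_REQUEST, ARP_REPLY):
            return
        ip, mac = pkt.sender_ip, pkt.sender_mac
        known = self.table.get(ip)
        if known is None:
            self.alerts.append(f"new station {ip} is-at {mac}")
        elif known != mac:
            # the signature ARPWatch calls a "changed ethernet address"
            self.alerts.append(f"changed {ip}: {known} -> {mac}")
        self.table[ip] = mac
        claimed = sorted(i for i, m in self.table.items() if m == mac)
        if len(claimed) > 1:
            self.alerts.append(f"duplicate mac {mac} claims {' and '.join(claimed)}")


# Constructed LAN for the example (hypothetical addresses).
GATEWAY_IP, GATEWAY_MAC = "192.168.1.1", "aa:aa:aa:aa:aa:01"
VICTIM_IP, VICTIM_MAC = "192.168.1.10", "bb:bb:bb:bb:bb:10"
ROGUE_MAC = "cc:cc:cc:cc:cc:99"

SAMPLE_FRAMES = [
    build_arp(ARP_REQUEST, VICTIM_MAC, VICTIM_IP, "00:00:00:00:00:00", GATEWAY_IP),  # who-has gateway?
    build_arp(ARP_REPLY, GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),            # genuine reply
    build_arp(ARP_REPLY, ROGUE_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),              # unsolicited: rogue claims gateway IP
    build_arp(ARP_REPLY, ROGUE_MAC, VICTIM_IP, GATEWAY_MAC, GATEWAY_IP),             # rogue claims victim IP to gateway
    b"\x00" * 20,                                                                    # truncated junk; parser rejects it
]


def run_monitor(frames=SAMPLE_FRAMES):
    mon = ArpMonitor()
    for frame in frames:
        mon.observe(parse_arp(frame))
    return mon


if __name__ == "__main__":
    for line in run_monitor().alerts:
        print(line)
```

Two of the five alerts are "changed" entries and one is the duplicate-MAC alert; those are the lines worth paging on, while "new station" lines are the normal noise of a LAN. The unsolicited-reply check (a reply arriving for an IP nobody asked about) is deliberately left out, because, as the post notes, hosts cache unsolicited replies anyway, so the table comparison catches the attack whether or not a request preceded it.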
If your network happens to have Cisco equipment you can turn on ARP Inspection. I don’t have a Cisco router so I can’t try it, but a good video tutorial can be found at
ARP spoofing is not a major problem for large companies, mainly because in order to perform this attack you must have physical access to their network, either wired or wireless. It can be a problem for home users who take a laptop to their local coffee shop and surf the internet.