ARP Poisoning Theory

Lecture Transcript - ARP Poisoning Theory

Now, in this lecture and the next few lectures, I want to start talking about man-in-the-middle attacks. These are attacks that we can launch only if we are able to intercept the communication between two devices, hence the name man-in-the-middle attacks. So a normal communication would look like this, where the device is directly communicating with the entity that it wants to communicate with. In a man-in-the-middle attack, the hacker would be able to place themselves in the middle of the connection, allowing them to intercept and see anything that is being transferred between the two devices.

Now, there are a number of ways to achieve this. The first method that we will cover in this course is using an ARP spoofing attack. ARP spoofing allows us to redirect the flow of packets, so instead of it flowing as shown in this diagram, it would flow through my own computer. So any requests sent and any responses received by the target computer will have to flow through the hacker's computer. This means that any messages, websites, images, usernames and passwords entered by the target will have to flow through my computer. This allows me to read this information, modify it or drop it. So as you can see, this is a very serious and very powerful attack. And the reason why it is possible is because ARP is not very secure.

Now, for us to understand how this works, you need to have a basic understanding of what ARP is. ARP stands for Address Resolution Protocol, and it's a very simple protocol that allows us to link IP addresses to MAC addresses. So, for example, let's say we have a network here; we have devices A, B and C, and they're all connected to the same network. And we have the router here for this network. We can see that each device has an IP and a MAC address. And let's assume that device A needs to communicate with device C. Now, we're also going to assume that device A knows the IP of device C, but as we know so far, in order for these devices to communicate within the same network, device A needs to know the MAC address of device C, because like we said before, the communication inside a network is carried out using the MAC address and not using the IP address.

So this is a perfectly normal situation where we have a client that needs to know the MAC address of another client so that it can communicate with this client. So what this client does is it uses the ARP protocol. What do I mean by that? Basically, it sends a broadcast message. So it sends an ARP request to all the clients on the network saying, who has 10.0.2.6? Now, all of these devices will ignore this packet except the one that has this IP address, which is 10.0.2.6, which is device C. So all devices will not do anything, and the only device that will respond is device C, sending an ARP response. And in this response, device C is going to say, I have 10.0.2.6, my MAC address is this MAC address. This way, device A will have the MAC address of device C, and now it will be able to communicate with device C and do whatever task it wanted to do initially. So all of this communication is facilitated using the ARP protocol.

Like I said, the ARP protocol is a very simple protocol. As you can see, all it has is requests and responses. And the whole point of it is so that we can link IP addresses to MAC addresses, or translate IP addresses to MAC addresses, so a device can send a request asking for a MAC address, and then the device that has the MAC address would respond with its MAC address. So each computer has an ARP table which links IP addresses on the same network to their MAC addresses.

So if I go on the Kali machine and do arp -a, you can see my ARP table here. And as you can see, it's linking the router's IP to the router's MAC address. Now, same if I go to the Windows machine, run CMD and do arp -a, you'll see again it's linking the router's IP to its MAC address. So this machine, any time it needs to send any request to the Internet, it will direct that request to this MAC address, the MAC address that's associated with the IP of the router, which is 10.0.2.1. Now, this value in here can be easily modified by exploiting the ARP protocol.

So let me go back to my diagrams, and right here we have a diagram of a typical network, and you can see that normally any device that's connected to the network, if it wants to send requests, it will send them to the router. The router will go and send that request to the Internet, wait for the response and then forward the response to the device that requested it. So if the hacker or the victim or any other computer on the network wanted to send a request, they will send that request directly to the router.

Now, what we can do is we can exploit the ARP protocol and send two ARP responses: one to the gateway and one to the victim. We're going to tell the gateway that I am at the IP of the victim. So the access point will update its ARP table and it will associate the IP of the target with my MAC address. We will do the same with the victim. So we'll send it an ARP response, and we're going to tell it that I'm at 10.0.2.1. So it's going to update its ARP table and associate the IP 10.0.2.1 with my own MAC address. So the result of this is that the victim is going to think that I am the router, and the router is going to think that I am the victim. So any time the victim wants to send any requests, the requests will have to flow through my computer, and I'm going to forward them to the router. And then any time the access point or the router wants to send responses, they're going to go to my machine because it thinks that I am the victim, and then I'm going to forward them to the victim. So as you can see, this puts me in the middle of the connection and it gives me so much power, and we'll see all the things that we can do once we become the man in the middle.

Now, the main reason why we can do all of this is because ARP is not secure. First of all, clients can accept responses even if they did not send a request. So, as I said before, we're going to send a response to the access point and a response to the victim telling them that I am at a specific IP, without them asking who I am or without them asking for this IP. I'm just going to send a response and they're going to accept that response anyway. Not only that, but they're also not going to verify who I am. So when I say that I am at 10.0.2.7, I am clearly not at that IP, because this computer is at this IP. But the access point will trust this and it will actually update its ARP table based on the information that I sent. Same goes for the victim. I'm going to tell it that I am at 10.0.2.1, and it's going to trust and believe this, even though I am clearly not at this IP, because the access point is at this IP. So these are the two main weaknesses with the ARP protocol that allow us to run ARP spoofing attacks.
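As an added example that is not part of the lecture, the Python below builds and parses the 28-byte ARP request/reply packets described above and runs a passive monitor over a constructed trace: one legitimate request/reply, then the two unsolicited replies of the poisoning scenario (gateway told "I am the victim", victim told "I am 10.0.2.1"). The monitor flags exactly the two weaknesses the lecture names, a reply nobody asked for and an IP that rebinds to a new MAC; all addresses and the monitor logic are assumptions made for this example.

```python
import struct

GATEWAY_IP, VICTIM_IP = "10.0.2.1", "10.0.2.7"      # constructed sample values, not from the page
GATEWAY_MAC, VICTIM_MAC, ATTACKER_MAC = "52:54:00:12:35:00", "08:00:27:aa:bb:cc", "08:00:27:de:ad:00"

def arp_packet(op, sha, spa, tha, tpa):
    """Build a 28-byte Ethernet/IPv4 ARP payload (RFC 826); op 1=request, 2=reply."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    ip = lambda s: bytes(int(o) for o in s.split("."))
    return struct.pack("!HHBBH", 1, 0x0800, 6, 4, op) + mac(sha) + ip(spa) + mac(tha) + ip(tpa)

def parse_arp(pkt):
    """Decode the fixed ARP header: opcode, sender (sha/spa) and target (tha/tpa) addresses."""
    fmt_mac = lambda b: ":".join(f"{x:02x}" for x in b)
    fmt_ip = lambda b: ".".join(str(x) for x in b)
    return {"op": struct.unpack("!H", pkt[6:8])[0], "sha": fmt_mac(pkt[8:14]),
            "spa": fmt_ip(pkt[14:18]), "tha": fmt_mac(pkt[18:24]), "tpa": fmt_ip(pkt[24:28])}

class ArpMonitor:
    """Passive detector for the lecture's two weaknesses: replies nobody asked for, and an
    IP rebinding to a new MAC (plus one MAC answering for several IPs, e.g. gateway+victim)."""
    def __init__(self):
        self.table = {}       # IP -> MAC learned from replies, like a host's ARP table
        self.pending = set()  # (requester IP, asked-for IP) pairs still awaiting a reply
        self.alerts = []
    def observe(self, pkt):
        a = parse_arp(pkt)
        if a["op"] == 1:                       # request: remember who asked for what
            self.pending.add((a["spa"], a["tpa"]))
            return
        if (a["tpa"], a["spa"]) in self.pending:
            self.pending.discard((a["tpa"], a["spa"]))
        else:                                  # reply with no matching request
            self.alerts.append(f"unsolicited reply: {a['spa']} is-at {a['sha']} to {a['tpa']}")
        old = self.table.get(a["spa"])
        if old and old != a["sha"]:            # existing IP->MAC binding changed
            self.alerts.append(f"rebinding: {a['spa']} moved {old} -> {a['sha']}")
        self.table[a["spa"]] = a["sha"]
        claimed = sorted(ip for ip, m in self.table.items() if m == a["sha"])
        if len(claimed) > 1:                   # one MAC now claims more than one IP
            self.alerts.append(f"one MAC {a['sha']} claims {claimed}")

def run_scenario():
    m = ArpMonitor()
    m.observe(arp_packet(1, VICTIM_MAC, VICTIM_IP, "00:00:00:00:00:00", GATEWAY_IP))  # normal request
    m.observe(arp_packet(2, GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP))          # normal reply
    m.observe(arp_packet(2, ATTACKER_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP))  # to victim: "I am 10.0.2.1"
    m.observe(arp_packet(2, ATTACKER_MAC, VICTIM_IP, GATEWAY_MAC, GATEWAY_IP))  # to gateway: "I am 10.0.2.7"
    return m
```

On a real network the same logic would be fed from a packet capture of ARP frames; here `run_scenario()` returns the monitor so its `table` and `alerts` can be inspected.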
