✔️ Perform man-in-the-middle attack

✔️ Mount advanced attacks

✔️ Sniff traffic on a switched network

✴️ What is ARP Poisoning?

A powerful attack used to intercept traffic on a switched network.

Recap:

To send an IP packet, the host needs to know the MAC address of the next hop, either:

Visualizing ARP:

The address received is stored in the ARP cache table.


What is the ARP Cache Table?

After the MAC Address resolution is complete, hosts save the destination address in their ARP cache table.

ARP Poisoning:

Finding a way to manipulate others' ARP cache tables so that we receive traffic that was destined for some other IP address.

IMPORTANT: As long as the MAC address is available in one victim's ARP cache table, that victim doesn't need to run ARP to reach any other victim.

What does a Man in the Middle Attack look like?

After manipulating the ARP cache tables of the two parties involved in a communication,

we will be able to sniff the whole communication!

How is a MITM attack carried out?

Mainly by sending gratuitous ARP replies.

Who all are involved in an ARP poisoning attack?

  1. 🙆🏾‍♂️Two network nodes (client, server, router, printer,...)🙆🏾‍♂️
  2. attacker! 🕵🏽

See how the attack works...

📨 Gratuitous ARP Replies

We know we want to manipulate other hosts' ARP cache tables

How can we do that?

With the help of gratuitous ARP replies.

What is a gratuitous ARP reply?? 🤔

Unsolicited ARP reply messages.

Basically, we will send the victim an ARP reply message without waiting for a request.
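How this looks from the defender's side: the sketch below is an added example (not part of the original notes) that parses raw ARP payloads and flags replies nobody asked for, plus any IP whose MAC suddenly changes. The `ArpMonitor` class, the addresses and the sample payloads are all constructed for illustration.

```python
import struct
from ipaddress import IPv4Address

ARP_FMT = "!HHBBH6s4s6s4s"  # Ethernet/IPv4 ARP payload, 28 bytes (RFC 826)

def parse_arp(payload):
    """Return (opcode, sender_mac, sender_ip, target_ip) from a raw ARP payload."""
    if len(payload) < 28:
        raise ValueError("truncated ARP payload")
    htype, ptype, hlen, plen, op, sha, spa, _tha, tpa = struct.unpack(ARP_FMT, payload[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP payload")
    return op, sha.hex(":"), str(IPv4Address(spa)), str(IPv4Address(tpa))

class ArpMonitor:
    """Passive observer (hypothetical helper): tracks bindings and open requests."""
    def __init__(self):
        self.bindings = {}    # IP -> MAC last announced for it
        self.pending = set()  # (requester IP, requested IP) awaiting a reply

    def observe(self, payload):
        op, smac, sip, tip = parse_arp(payload)
        alerts = []
        if op == 1:                       # request: sip asks who has tip
            self.pending.add((sip, tip))
        elif op == 2:                     # reply: sip announces its MAC to tip
            if (tip, sip) in self.pending:
                self.pending.discard((tip, sip))
            else:
                alerts.append(f"unsolicited reply for {sip} sent to {tip}")
        old = self.bindings.get(sip)
        if old is not None and old != smac:
            alerts.append(f"{sip} changed from {old} to {smac}")
        self.bindings[sip] = smac
        return alerts

# Constructed sample payloads (hex), not captured traffic.
HDR = "000108000604"
SAMPLE = [
    HDR + "0001" + "02000000000a" + "c0a8010a" + "000000000000" + "c0a80101",  # .10 asks for .1
    HDR + "0002" + "020000000001" + "c0a80101" + "02000000000a" + "c0a8010a",  # .1 answers
    HDR + "0002" + "020000000066" + "c0a80101" + "02000000000a" + "c0a8010a",  # unrequested, new MAC
]

def run_sample():
    monitor = ArpMonitor()
    return [monitor.observe(bytes.fromhex(h)) for h in SAMPLE]

if __name__ == "__main__":
    for alerts in run_sample():
        print(alerts)
```

Legitimate gratuitous ARP (failover pairs, a host that just changed its NIC) raises the same alerts, so treat them as leads to triage rather than proof of poisoning.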
