4.3. Basics of ARP

ARP stands for Address Resolution Protocol; it is available on, and supported by, all NICs and operating systems.

ARP was developed as a quick way to map Layer 3 network addresses (IP addresses) to Layer 2 addresses (MAC addresses).

The ARP protocol recognizes two types of ARP packet: ARP requests and ARP replies.

ARP works in conjunction with an ARP table, which stores the IP-MAC pairs together with a time-to-live value for each entry.

Each node maintains its own IP-MAC table. If you want to check your ARP table you can use the following command:

```
C:\Users\els>arp -a

Interface: 192.168.102.149 ---0xb
  Internet Address        Physical Address      Type
  192.168.102.2           00-50-56-ef-66-cf     dynamic
  192.168.102.255         ff-ff-ff-ff-ff-ff     static
  255.255.255.255         ff-ff-ff-ff-ff-ff     static

stduser@els:~$ arp
Address             HWtype   HWaddress            Flags   Mask  Iface
192.168.102.2       ether    00:50:56:ef:66:cf    C             eth0
192.168.102.254     ether    00:50:56:e1:65:94    C             eth0
```

The following example will shed some light on ARP tables. When host A creates a packet destined to host B, before the packet is delivered to its destination (B), A searches its ARP table.

- If B's Layer 3 address (IP_B) is found in the table, the corresponding MAC address (MAC_B) is inserted as the Layer 2 destination address in the frame.

- If the entry is not found (you can watch this process with Wireshark):

  1. An ARP request is sent on the LAN.
     The request carries the following values in the address fields of the Ethernet frame and the ARP packet:
     - Source IP Address: IP_A
     - Source MAC Address: MAC_A
     - Destination IP Address: IP_B
     - Destination MAC Address: FF:FF:FF:FF:FF:FF (this indicates a broadcast message)

     The 48-bit MAC address used as the destination is the Layer 2 broadcast address, so the ARP request reaches all the nodes in the broadcast domain.

     The nodes whose IP address does not match the destination IP_B simply drop the packet.

  2. The node whose IP address matches IP_B responds with an ARP reply to the sender.
     This is the information the reply contains:
     - Destination MAC: MAC_A
     - Destination IP address: IP_A
     - Source IP address: IP_B
     - Source MAC: MAC_B

     At this point host A has the information it was looking for: MAC_B.

     It can add this information to the frame and forward the message to the correct node. The IP_B-MAC_B pair is also inserted into A's ARP table for later use.
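The request/reply exchange above, as an added example that is not part of the original course material: it builds the two Ethernet/ARP frames with Python's struct module and decodes them back into the fields listed in the steps. Host B's addresses are the ones shown in the arp output earlier; host A's MAC is a constructed value.

```python
import struct

BROADCAST_MAC, ZERO_MAC = "ff:ff:ff:ff:ff:ff", "00:00:00:00:00:00"
ETH_TYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2

def mac_to_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))

def ip_to_bytes(ip):
    return bytes(int(x) for x in ip.split("."))

def build_arp(opcode, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II frame carrying an IPv4-over-Ethernet ARP packet.
    A request goes to the Layer 2 broadcast address with an all-zero target
    hardware field (the MAC is what we are asking for); a reply is unicast."""
    eth_dst = BROADCAST_MAC if opcode == ARP_REQUEST else target_mac
    arp_tha = ZERO_MAC if opcode == ARP_REQUEST else target_mac
    eth = mac_to_bytes(eth_dst) + mac_to_bytes(sender_mac) + struct.pack("!H", ETH_TYPE_ARP)
    # htype=1 (Ethernet), ptype=0x0800 (IPv4), hlen=6, plen=4, then the opcode
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)
    arp += mac_to_bytes(sender_mac) + ip_to_bytes(sender_ip)
    arp += mac_to_bytes(arp_tha) + ip_to_bytes(target_ip)
    return eth + arp

def parse_arp(frame):
    """Decode a frame back into the fields listed in the steps above."""
    fmt_mac = lambda b: ":".join(f"{x:02x}" for x in b)
    fmt_ip = lambda b: ".".join(str(x) for x in b)
    if struct.unpack("!H", frame[12:14])[0] != ETH_TYPE_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported hardware/protocol type")
    return {"eth_dst": fmt_mac(frame[0:6]), "eth_src": fmt_mac(frame[6:12]), "opcode": opcode,
            "sender_mac": fmt_mac(frame[22:28]), "sender_ip": fmt_ip(frame[28:32]),
            "target_mac": fmt_mac(frame[32:38]), "target_ip": fmt_ip(frame[38:42])}

# Host B's addresses come from the arp output shown earlier; host A's MAC is constructed.
IP_A, MAC_A = "192.168.102.149", "00:0c:29:aa:bb:cc"
IP_B, MAC_B = "192.168.102.2", "00:50:56:ef:66:cf"

def resolve(ip_a, mac_a, ip_b, mac_b):
    """Step 1: A broadcasts a request for IP_B; step 2: B answers A directly."""
    request = parse_arp(build_arp(ARP_REQUEST, mac_a, ip_a, ZERO_MAC, ip_b))
    reply = parse_arp(build_arp(ARP_REPLY, mac_b, ip_b, mac_a, ip_a))
    return request, reply
```

Feeding a captured 42-byte ARP frame from Wireshark into parse_arp gives the same dictionary, which is a quick way to check the field layout against a real capture.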

The following list summarizes when ARP is used:

  • A host desires to send a packet to another host in the same network

  • A host desires to reach another host beyond its local network and needs the gateway hardware address

  • A router needs to forward a packet for one host through another router

  • A router needs to forward a packet to the destination host on the same network

4.3.1. Gratuitous ARP

This is how ARP works when one of the hosts in the network asks for a resolution. For our attacking purposes it is also very important to know that this is not the only way. The so-called gratuitous ARP requests and replies are also possible:

  • A gratuitous ARP request is a request packet where the source and destination IP are both set to the IP of the machine issuing the packet, and the destination MAC is the broadcast address

  • A gratuitous ARP reply is an ARP reply that is sent without having been requested

Although they may be useful to detect IP conflicts or simply to inform other hosts/switches of a MAC address in the network, attackers can use these packets to mount ARP poisoning attacks.

4.3.2. ARP Poisoning

ARP poisoning is performed by poisoning the ARP cache of other hosts in the network. We have two main ways to mount this type of attack:

  • Host Poisoning: In the first scenario, the attacker creates a Man-in-the-Middle configuration between two hosts, transferring data between them.

    PC M (the attacker) forges gratuitous ARP reply packets and sends them to both communication peers.

    All the traffic from B to A and from A to B then passes through M. M must be able to forward the packets quickly to keep the system administrator from suspecting anything.

  • Gateway Poisoning: The second scenario is one-way. The machine that is going to sniff traffic in the network sends gratuitous ARP replies to some or all of the hosts in the network, announcing its own MAC address as the MAC address of the network's default gateway.

    Once again, this is achieved by forging an ARP reply containing a fake IP-to-MAC correspondence.

    With this kind of redirection M (the attacker) receives all the data with a foreign destination address and passes it on to the real gateway. M must be able to process a large number of packets per second.

    An unintentional DoS can occur in the network if M is too slow at forwarding the packets.
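The defender's side of the two scenarios above, as an added example (not from the original text or any specific tool): a small arpwatch-style monitor that learns IP-MAC pairs from replies and raises alerts on the traces gateway poisoning leaves, namely an unsolicited (gratuitous) reply, a known IP changing its MAC, and one MAC claiming several IPs. The gateway addresses come from the arp output earlier; M's addresses and the packet sequence are constructed.

```python
from collections import defaultdict

ARP_REQUEST, ARP_REPLY = 1, 2

class ArpMonitor:
    """Passive ARP monitor in the spirit of arpwatch: learns IP->MAC pairs from
    replies and flags the traces an ARP poisoning attack leaves on the wire."""
    def __init__(self, gateway_ip):
        self.gateway_ip = gateway_ip
        self.table = {}                     # ip -> mac learned from replies
        self.pending = set()                # IPs with an outstanding request
        self.ips_by_mac = defaultdict(set)  # mac -> every IP it has claimed
        self.alerts = []

    def observe(self, pkt):
        ip, mac = pkt["sender_ip"], pkt["sender_mac"]
        if pkt["opcode"] == ARP_REQUEST:
            self.pending.add(pkt["target_ip"])
            return
        # A reply nobody asked for is a gratuitous reply (benign or poisoning).
        if ip not in self.pending:
            self.alerts.append(f"unsolicited ARP reply for {ip} from {mac}")
        self.pending.discard(ip)
        old = self.table.get(ip)
        if old is not None and old != mac:
            who = "GATEWAY" if ip == self.gateway_ip else "host"
            self.alerts.append(f"{who} {ip} changed from {old} to {mac} (possible poisoning)")
        self.table[ip] = mac
        self.ips_by_mac[mac].add(ip)
        if len(self.ips_by_mac[mac]) > 1:  # one NIC answering for several IPs
            self.alerts.append(f"{mac} now claims {sorted(self.ips_by_mac[mac])}")

def request(sender_ip, target_ip):
    return {"opcode": ARP_REQUEST, "sender_ip": sender_ip, "sender_mac": "", "target_ip": target_ip}
def reply(sender_ip, sender_mac, target_ip):
    return {"opcode": ARP_REPLY, "sender_ip": sender_ip, "sender_mac": sender_mac, "target_ip": target_ip}

# Constructed sample traffic: the gateway .254 (from the arp output earlier) answers host A
# normally, then M (constructed addresses) sends a gratuitous reply for the gateway IP.
IP_A, GW, MAC_GW = "192.168.102.149", "192.168.102.254", "00:50:56:e1:65:94"
IP_M, MAC_M = "192.168.102.200", "00:0c:29:de:ad:01"
SAMPLE = [request(IP_A, GW), reply(GW, MAC_GW, IP_A),
          request(IP_A, IP_M), reply(IP_M, MAC_M, IP_A),
          reply(GW, MAC_M, IP_A)]  # unsolicited: the gateway IP now maps to MAC_M

def run(packets, gateway_ip):
    mon = ArpMonitor(gateway_ip)
    for pkt in packets:
        mon.observe(pkt)
    return mon.alerts, mon.table
```

Running the first four packets alone produces no alerts; the fifth one produces all three, and the learned table now holds the poisoned gateway entry, which is exactly what a victim's arp -a would show.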

Now that we have a good overview of how an attacker can mount an ARP poisoning attack, let us see which tools we can use to intercept and analyze network traffic.
