ARP Poisoning

What is ARP

ARP stands for Address Resolution Protocol. It is the protocol used to resolve IP addresses to MAC addresses on a local network, so that packets are delivered to the right machine.


ARP Poisoning

Let’s say Alice and Bob want to talk to each other on a network, but Mathew wants to intercept their communication.

  1. Mathew sends a gratuitous ARP response to Alice saying that Bob’s IP address resolves to Mathew’s MAC address
  2. Mathew sends a gratuitous ARP response to Bob saying that Alice’s IP address resolves to Mathew’s MAC address
  3. Alice wants to send a message to Bob
    1. Alice looks at her ARP cache and sees that Bob’s IP address resolves to Mathew’s MAC address
    2. Alice sends her message to Mathew’s MAC address
  4. Mathew receives Alice’s message and forwards it to Bob
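The exchange above leaves two traces a defender can look for in ARP replies: an IP whose MAC suddenly changes (step 1) and one MAC answering for several IPs (steps 1 and 2 together). The following added example (not part of the original page) parses raw ARP reply payloads and flags both symptoms; the IPs and MACs for Alice, Bob and Mathew are constructed sample values.

```python
import struct
from collections import defaultdict

# Constructed sample addresses for the hosts named in the text (not from the page)
ALICE_IP, ALICE_MAC = "10.0.0.1", "aa:aa:aa:aa:aa:01"
BOB_IP, BOB_MAC = "10.0.0.2", "bb:bb:bb:bb:bb:02"
MATHEW_MAC = "cc:cc:cc:cc:cc:03"

ARP_FMT = "!HHBBH6s4s6s4s"  # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa

def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Build a raw 28-byte ARP reply (opcode 2); used here only to construct input."""
    def mac(m): return bytes.fromhex(m.replace(":", ""))
    def ip(a): return bytes(int(o) for o in a.split("."))
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, 2,
                       mac(sender_mac), ip(sender_ip), mac(target_mac), ip(target_ip))

def parse_arp(payload):
    """Parse the fixed ARP header; return (opcode, sender_mac, sender_ip)."""
    _, _, _, _, oper, sha, spa, _, _ = struct.unpack(ARP_FMT, payload[:28])
    return oper, ":".join(f"{b:02x}" for b in sha), ".".join(str(b) for b in spa)

class ArpWatcher:
    """Track IP->MAC bindings announced in ARP replies and alert on conflicts."""
    def __init__(self):
        self.ip_to_mac = {}
        self.mac_to_ips = defaultdict(set)

    def observe(self, payload):
        oper, mac, ip = parse_arp(payload)
        alerts = []
        if oper != 2:  # only replies rewrite a host's ARP cache
            return alerts
        old = self.ip_to_mac.get(ip)
        if old is not None and old != mac:
            alerts.append(f"{ip} moved from {old} to {mac}")
        self.ip_to_mac[ip] = mac
        self.mac_to_ips[mac].add(ip)
        if len(self.mac_to_ips[mac]) > 1:
            alerts.append(f"{mac} claims {sorted(self.mac_to_ips[mac])}")
        return alerts

def run_demo():
    """Replay a legitimate reply from Bob, then Mathew's two spoofed replies."""
    w = ArpWatcher()
    frames = [
        build_arp_reply(BOB_MAC, BOB_IP, ALICE_MAC, ALICE_IP),     # legitimate
        build_arp_reply(MATHEW_MAC, BOB_IP, ALICE_MAC, ALICE_IP),  # step 1
        build_arp_reply(MATHEW_MAC, ALICE_IP, BOB_MAC, BOB_IP),    # step 2
    ]
    return [w.observe(f) for f in frames]
```

A host that legitimately changes its network card also trips the "moved" check, so in practice these alerts are correlated with a known inventory or with tools such as arpwatch rather than acted on alone.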

The same attack can be carried out between the network gateway and the other hosts on the network. This way, all messages sent to and received from outside the local network can be intercepted.

This attack can be performed either with Ettercap, which has a GUI, or with Bettercap, a CLI tool.

Enable IP forwarding (a plain `sudo echo 1 > ...` fails with "Permission denied", because the redirect is performed by the unprivileged shell, not by sudo):

sudo sysctl -w net.ipv4.ip_forward=1

Start the ARP poisoning attack:

sudo bettercap -I $INTERFACE -X -P "*"

Note that this command will intercept all of the traffic on the network.

At this point, you should be able to read the traffic using Wireshark or tcpdump.