Understanding and Launching an ARP Cache Poisoning Attack
This is a report based on the SEED Labs ARP_ATTACK Lab - Link
Background
This lab focuses on the ARP (Address Resolution Protocol) which is a foundational part of network communication. ARP is used for discovering the link layer address and translates IP addresses into MAC addresses.
ARP is a simple protocol designed without any authentication or validation leaving it exposed to attacks such as the ARP Cache Poisoning Attacks covered in this report.
Outcomes
- Gain a deep understanding of the ARP Protocol
- Launch a Man-In-The-Middle Attack between two systems
- Expand packet sniffing and spoofing skills
Enviroment
The Lab environment contains 3 machines A, M, and B, with M acting as the attacker's machine
- Host A (Victim 1): 10.9.0.5
- Host B (Victim 2/Server): 10.9.0.6
- Host M (Attacker/MITM): 10.9.0.105

The objective for Host M is to insert false ARP entries into the caches of both A and B, convincing them that the other machine's IP address belongs to M's MAC address. This redirects all traffic through the attacker.
Task 1: ARP Cache Poisoning
To poison the ARP Cache we will be using the Python 'Scapy' library to construct, send, and intercept packets.
The construction of the ARP Packet is:
- The Hardware Type (HTYPE)
- Protocol Type (PTYPE)
- Hardware Length (HLEN)
- Protocol Length (PLEN)
- Operation (OPER)
- Sender Hardware Address (SHA)
- Sender Protocol Address (SPA)
- Target Hardware Address (THA)
- Target Protocol Address (TPA)
We will implement 3 different methods to perform this attack
1. ARP Request Spoofing
An ARP request asks the target (Host A) to respond to a question. To poison A's cache, we craft a malicious request on Host M:
- On host M, we can construct and ARP request packet to map B's IP address to M's MAC address.
- We need to identify each machines IP&MAC address.
- Machine A IP-10.0.0.5 MAC-02:42:0a:09:00:05
- Machine M IP-10.9.0.105 MAC-02:42:0a:09:00:69
- Machine B IP-10.9.0.6 MAC-02:42:0a:09:00:06
- Constructing the ARP packet
- Ether
- dst - Machine A MAC
- src - Machine M MAC
- ARP
- hwsrc = Machine M MAC
- hwdst = Machine A MAC
- psrc = Machine B IP
- pdst = Machine A IP
- After sending the request from Machine M we can observe on Machine A that the ARP cache is routing Machine B's IP address to the MAC address of Machine M
- Ether


2. ARP Reply Spoofing
This method involves sending an unsolisited ARP reply. it is generally more effective because it provides the target with a direct answer without asking a question.
- The code for this task is the same, however, we change the OP code to 2 for a reply.
- We can now observe the cache entry for B's IP address is mapped to M's MAC Address

3. ARP Gratuitous Message
This method is the most aggressive as the Gratuitous ARP request used to broadcast updates about a machines own location.
- We use the same code as before, however, we set both destination addresses to 'ff:ff:ff:ff:ff:ff'

Task 2: MITM Attack on Telnet using ARP Cache Poisoning
With the basic poisoning mechanism in place we can now escalate to a full Man-In-The-Middle attack compromising a Telnet connection between Machine A and B.
The network layout for this example is:

Step 1: Double Poisoning
Using the same code as above poison both A&B's ARP cache to point their respective MAC Address to machine M's MAC Address


Step 2: MITM Payload
For this lab I created a simple script to intercept the packets traveling between machine A&B. This example replaces every character sent by machine A with 'Z' in the Telnet Session.

Step 3: Launching the MITM Attack
With the poisoning complete all traffic from machine A & B are being routed to machine M, however, we still need machine A & B to communicate with each other.
- First we enable IP Forwarding by ruining the command: 'sysctl net.ipv4.ip_forward=1'
- Then we start the telnet session between machine A & B
- We then start the script above and disable IP Forwarding
- After starting the spoofing application and trying to log into machine B, we can see all the characters are modified into 'Z' stopping us from logging in

Conclusion
The ARP Cache Poisoning attack is a threat on any local network due to the inherent trust model of the ARP protocol. This lab demonstrates how an attacker, with a simple python script, can:
- Exploit the lack of authentication in ARP.
- Redirect all traffic between two machines to an attackers machine
- Modify packets on the fly
Gabriel Hawkins