“Man in the Middle” Attacks Explained Through ARP Cache Poisoning

October 1, 2015 | Views: 13612


In a “Man in the Middle” (MITM) attack, an attacker intercepts the communication between a client (the victim, in this case) and a server. Intercepting the communication allows the attacker to read, insert and modify the data passing between them. If the communication is not encrypted, passwords can also be captured. The attacker is thus acting as a middle man between the client and the server.

In this post, I’m going to demonstrate how this attack works and how to prevent a MITM. But first, we’ll discuss how MITM works exactly:


How does MITM work?
MITM covers a variety of attacks, such as ARP cache poisoning, DNS spoofing, HTTP session hijacking and many others. We’ll discuss ARP cache poisoning in this article to explain MITM.

ARP stands for Address Resolution Protocol. ARP is used to map the IP address of a host to its physical address, or MAC address. ARP maintains an ARP table whose entries are pairs of IP addresses and physical addresses.

This is what an ARP table looks like:

ARP Table

The main purpose of ARP is to locate a given host on the network. When a host’s IP address is known but its MAC address is not yet in the ARP table, ARP broadcasts a request to all hosts on the network. If the required host is present on the network, it sends a reply containing its MAC address, and that mapping is stored in the ARP table.




ARP is insecure, as any device can send an ARP reply packet to another host and force that host to update its ARP table or cache with the new value. An attacker takes advantage of this and poisons the ARP table to intercept requests.
Suppose a victim requests something on a network that has a default gateway. All of the victim’s traffic will pass through that gateway. An attacker can pose as the default gateway for the victim, so that every request goes through the attacker instead.



Next, we’ll perform this ARP cache poisoning. We’ll use a very famous tool called Cain and Abel. Cain and Abel has a variety of features. You can download it from its official website.

We’ll be performing this attack on a Windows OS. Let’s open the tool and do some hacking.



First you need to configure Cain and Abel. Press the configure button at the top and choose an interface from the list. In my case, it’s showing two interfaces – one for my local area network and another for the wireless network.



After that, go to the APR (ARP Poisoning Routing) tab and choose a spoofed IP address and MAC address. You can also use your real IP address and MAC address.



Navigate to the sniffer tab and activate the sniffer. Click on the ‘+’ sign to import hosts.



Choose the first option and tick the “All Tests” box. Click OK.



It will add all the available hosts in your subnet.



Navigate to the sniffer tab and press the ‘+’ button. You can see all the hosts on the left-hand side. Click on the first IP address and press OK. You can choose any IP address, as per your needs and situation.



Press the yellow button on the right side of the sniffer button. Cain and Abel will start poisoning the ARP cache or table.



We’re done with the attack. It’s time for us to see some of the useful information we’ve captured. Navigate to the passwords tab to see the captured passwords.



These are some of the digital certificates we’ve obtained.


That’s it. Now, let me tell you how to prevent MITM attacks. But before that, remember: if more than one attacker is trying an ARP poisoning attack on the same network, the network will choke and stop working.


Protection Against MITM
1) Third-Party Tools
If you’re a network administrator, you can use some well-known third-party tools to monitor your network traffic. It’s easy to identify which host is performing a MITM attack: the host with the maximum number of requests is the attacker, because every packet passes through it.

2) Check ARP table
On Windows, you can check the ARP table by typing the following command at the command prompt.

  arp -a

If the physical address column shows the same MAC address in more than one row (for example, the default gateway and another host sharing one physical address), then someone is performing ARP poisoning.
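The check above can be automated. The script below is an added example, not part of the original article or of Cain and Abel: it parses the row format of Windows `arp -a` output, skips the broadcast and multicast entries that legitimately repeat, and reports any MAC address claimed by more than one IP address. The sample table is constructed for the example; when run on Windows it reads the live table instead.

```python
import re
import subprocess
import sys
from collections import defaultdict

# Matches one data row of Windows "arp -a" output: IP, dash-separated MAC, type.
ARP_ROW = re.compile(
    r"^\s*(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<mac>[0-9a-fA-F]{2}(?:-[0-9a-fA-F]{2}){5})\s+"
    r"(?P<type>\w+)\s*$"
)

def is_ignorable(mac: str) -> bool:
    """Broadcast and IPv4 multicast MACs repeat legitimately; skip them."""
    mac = mac.lower()
    return mac == "ff-ff-ff-ff-ff-ff" or mac.startswith("01-00-5e")

def parse_arp_table(text: str) -> dict:
    """Map each MAC address to the list of IP addresses that claim it."""
    by_mac = defaultdict(list)
    for line in text.splitlines():
        m = ARP_ROW.match(line)
        if m and not is_ignorable(m["mac"]):
            by_mac[m["mac"].lower()].append(m["ip"])
    return dict(by_mac)

def find_duplicate_macs(text: str) -> dict:
    """Return only MACs present in more than one row: the poisoning indicator."""
    return {mac: sorted(ips) for mac, ips in parse_arp_table(text).items() if len(ips) > 1}

# Constructed sample modelled on Windows "arp -a" formatting: the gateway
# 192.168.1.1 and host 192.168.1.50 share one MAC, as they would after the
# gateway entry has been poisoned. Addresses are illustrative only.
SAMPLE = """\
Interface: 192.168.1.10 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           aa-bb-cc-11-22-33     dynamic
  192.168.1.50          aa-bb-cc-11-22-33     dynamic
  192.168.1.60          de-ad-be-ef-00-01     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

if __name__ == "__main__":
    # Read the live table on Windows; elsewhere fall back to the constructed sample.
    if sys.platform == "win32":
        text = subprocess.run(["arp", "-a"], capture_output=True, text=True).stdout
    else:
        text = SAMPLE
    dups = find_duplicate_macs(text)
    for mac, ips in dups.items():
        print(f"WARNING: {mac} claimed by {len(ips)} addresses: {', '.join(ips)}")
```

A single duplicate is not proof on its own (a router with several interfaces, or a host with more than one address, can also show one MAC twice), so treat a hit as a prompt to compare against the gateway’s known MAC.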

ARP Defense


3) Use Encryption
One can use an encrypted channel like Secure Shell (SSH) to communicate over a network. Encryption provides a good security measure. Apart from that, you can also use a Virtual Private Network (VPN). There are many free VPNs available on the internet.


Best of luck and please contact me with any questions

  1. Do websites have any control in terms of forcing their post-handshake communication to be encrypted? In other words, is the only way to have encrypted traffic that cannot display passwords in plaintext to connect to a server via ssh? Or httpS?

    Thanks, great article!

  2. good piece!!!

  3. Nice job!

    I like the section “Protection against MITM”.
    Keep up the good work.
