“Man in the Middle” Attacks Explained Through ARP Cache Poisoning
Ready to Start Your Career?

“Man in the Middle” Attacks Explained Through ARP Cache Poisoning

Anon.D s profile image
By: Anon.D
October 1, 2015
“Man in the Middle” Attacks Explained Through ARP Cache Poisoning - CybraryIn a "Man in the Middle" (MITM) attack, an attacker intercepts the communication between a client (victim, in this case) and a server. Interception of communication allows an attacker to read, insert and modify the data in the MITM attack. If the communication is not encrypted, then passwords can also be captured. Thus, an attacker is acting as a middle man between the client and the server.In this post, I'm going to demonstrate how this attack works and how to prevent a MITM. But first, we’ll discuss how MITM works exaclty: How does MITM work?MITM includes variety of attacks like ARP cache poisoning, DNS spoofing, HTTP session hijacking and many others. We'll discuss ARP cache poisoning in this article to explain MITM.ARP stands for Address Resolution Protocol. ARP is used to map the IP address of a host, with its physical address or MAC address. ARP prepares an ARP table, which contains elements in the form of IP addresses and physical addresses.This is what an ARP table looks like:ARP TableThe main purpose of ARP is to locate the given host on the network, whose IP address and MAC address is known to ARP and is present in ARP table. ARP broadcasts a request to all the hosts on the network. If the if the required host in present in network, it will get a reply. ARP Table ARP is insecure, as any device can send an ARP reply packet to another host and force that host to update its ARP table or cache with the new value. Basically, an attacker takes advantage of this and poisons this ARP table to intercept the requests.Suppose a victim requests for something on network with some default gateway. All information will pass through that gateway. An attacker can act as a default gateway for the victim, so that every request will go through him.ARP Table Next, we'll perform this ARP cache poisoning. We'll use a very famous tool called Cain and Abel. Cain and Abel has variety of features. You can download it from their official website.We'll be performing this attack on a Windows OS. Let's open the tool and do some hacking.ARP Table First you need to configure Cain and Ablel. Press the configure button on top and choose an interface from this list. In my case, it's showing two interfaces - one is for my local area network and another for the wireless network.ARP Table After that, go to the APR (ARP Poisoning Routing) tab and choose spoofed IP address and MAC address. You can also use your real IP address and MAC address.ARP Table Navigate to sniffer tab and activate the sniffer. Click on '+' sign to import hosts.ARP Table Choose the first option and tick the box"All Tests." Click OK.ARP Table It will add all the available hosts in your subnet.ARP Table Navigate to sniffer tab and press '+' button. You can see all the hosts on the left-hand side. Click on first IP address and press OK. You can choose any IP address, as per your needs and situation.ARP Table Press the yellow button, on the right-side of the sniffer button. Cain and Abel will start poisoning the ARP cache or table.ARP Table Yeah !!! We're are done with the attack. It's time for us to see some useful information we've captured. Navigate to the passwords tab to see the captured passwords.ARP Table These are some digital certificates, which we've obtained.ARP TableThat's it. Now, let me tell you how to prevent MITM's. But before that, remember, if more than one attacker is trying an ARP poisoning attack on the same network, then the network will choke and stop working. Protection Against MITM1) Thirds Party ToolsIf you're a network administrator, you can use some well-known third party tools to monitor your network traffic. It's easy to identify which host is performing a MITM attack. The host with maximum requests is the attacker because every packet will pass through him.2) Check ARP tableOn Windows, you can check the ARP table by type following command on command prompt.
  arp -a

If the physical address column has same entries for each row, then someone is performing ARP poisoning.

ARP Defense 3) Use EncryptionOne can use an encrypted channel like Secure Shell (SSH) to communicate over a network. Encryption provides a good security measure. Apart from that, you can also use a Virtual Private Network(VPN). There are so many free VPNs available on internet. Best of luck and please contact me with any questions
Schedule Demo
Build your Cybersecurity or IT Career
Accelerate in your role, earn new certifications, and develop cutting-edge skills using the fastest growing catalog in the industry