What is ARP? | Address Resolution Protocol (ARP) — ExploitByte

What is ARP? — Address Resolution Protocol (ARP) is a TCP/IP protocol that maps IP network addresses to the addresses (hardware addresses) used by a data link protocol. It operates as the interface between the OSI network layer and OSI Data link layer and is located below the network layer.

An Ethernet network makes use of two hardware addresses that find the source and destination of each frame that Ethernet sends. The destination address can identify a broadcast packet, which will be sent to all connected computers. The hardware address is also known as the Media Access Control (MAC) address.

All computer network interface cards are given a globally unique 6-byte MAC address. A computer uses this MAC address when sending all the packets it creates. The Ethernet address is a link-layer address and relies on the interface card that is used. TCP/IP, operating at the network layer, is not concerned with the link-layer addresses of individual nodes. ARP is, therefore, used to translate between link-layer (MAC) and network-layer (IP) types of addresses

To reduce the number of address resolution requests, the client normally caches resolved addresses for a short period of time. The ARP cache should be flushed of all entries from time to time. Doing so deletes all unused entries.

ARP Poisoning

If a machine sends an ARP request, it normally considers that the ARP reply comes from the right machine. ARP provides no means to verify the authenticity of the responding device. In fact, many operating systems implement ARP so trustingly that devices that have not made an ARP request still accept ARP replies from other devices.

An attacker can craft a malicious ARP reply that contains arbitrary IP and MAC addresses. Since the victim’s computer blindly accepts the ARP entry into its ARP table, an attacker can force the victim’s computer into thinking that any IP is related to the MAC address the victim wants. An attacker can then broadcast his or her fake ARP reply to the victim’s entire network.

An attacker may abuse ARP poisoning for capturing the packets between two systems in a network. For example, the attacker may want to see all the traffic between the victim’s computer, 192.168.1.21, and the Internet router, 192.168.1.25. The attacker begins by sending a malicious ARP reply (for which there was no previous request) to the router, associating his or her computer’s MAC address with 192.168.1.21. The router confuses the attacker’s computer with the victim’s computer.

Then, the attacker sends a malicious ARP reply to the computer, associating his or her MAC address with 192.168.1.25. The victim’s machine thinks the attacker’s computer is the router. Finally, the attacker enables the operating system feature called IP forwarding to forward any network traffic it receives from the victim’s computer to the router. Now, when the victim is online, the system forwards the network traffic to the attacker’s system, and from there it transfers to the real router. Since the attacker is still forwarding traffic to the Internet router, the victim remains unaware that the attacker is intercepting the network traffic and perhaps sniffing clear-text passwords.

ARP Poisioning Tool: Cain and Abel

Cain and Abel is a password recovery tool for Microsoft operating systems. It uses packet sniffing, cryptanalysis, ARP poisoning, and other techniques to obtain passwords. It takes advantage of security weaknesses that exist in protocols, authentication methods, and caching mechanisms. Cain and Abel can sniff and analyze encrypted protocols, such as SSH and HTTPS.

Steps to Perform ARP Poisoning Using Cain and Abel :-

1. Load Cain and Abel, and click the Sniffer tab.
2. Click the Start/Stop ARP icon that starts the ARP poison routing process and also enables the built-in sniffer.
3. If prompted, select the network adapter in the window that displays and click OK.
4. Click the blue icon to add hosts on which to perform ARPs poisoning.
5. In the MAC Address Scanner window, ensure that the All Hosts in My Subnet option is selected and click OK.
6. Click the ARPs tab (the one with the yellow-and-black circle icon) at the bottom to load the ARPs page.
7. Click the white space under the uppermost Status column heading to reenable the blue icon.
8. Click the blue icon. The New ARPs Poison Routing window comes up, showing the hosts discovered in Step 3.
9. Select the default route.
10. Ctrlclick all the hosts in the right column that you want to poison.
11. Click OK. The ARPs poisoning process starts.
12. Use Cain and Abel’s built-in password feature to capture passwords traversing the network to and from various hosts simply by clicking the Passwords tab at the bottom of the screen.

I hope you get useful information there if you think anything to improve in this article you can comment below or if you need any help we will help you soon. If you are interested to learn hacking you can check here.

Originally published at https://exploitbyte.com on May 13, 2020.