Address Resolution Protocol Poisoning and Detection using Cain & Abel and XArp

Sam Phen
7 min read, Apr 13, 2019


What is Address Resolution Protocol (ARP)?

Figure 1.0: an arp -a command displays the device’s ARP table. Internet Address = IP address; Physical Address = MAC Address

In order for a packet to be sent across a network, the source host needs to identify the intended receiving host. An Internet Protocol (IP) address is a unique numeric address assigned to a host on a network. A Media Access Control (MAC) address is a unique identifier assigned to a device’s network interface card by the device manufacturer. The Address Resolution Protocol (ARP) links an IP address to a MAC address. More specifically, ARP is a Network Layer protocol that maps an IP address to a MAC address.

ARP resolves an IP address and translates it into a MAC address.

Figure 1.1: a diagram of an OSI Model

ARP sits between the layer 3 (Network) address and the layer 2 (Data Link) address of the Open Systems Interconnection (OSI) model. This means it translates the Internet Protocol address into the physical device address (MAC address) that is used by the Data Link Layer. If the destination host is part of another network, packets are instead sent to the router’s gateway address.

Figure 1.2: Diagram illustrates the process of an ARP request and ARP reply.

A host broadcasts an ARP request to the other hosts on the network. The host with the matching IP address responds to the request; all other hosts discard it. The original host receives the ARP reply and updates its ARP table. If the target host is already known, the host initiating the session simply refers to its ARP table instead of sending a request.

What is ARP Poisoning?

ARP poisoning is an attack that exploits ARP’s security weaknesses. ARP requests and replies are trusted and do not require authentication. An attacker could send a request asking “who is 192.168.1.1?”, and the target responds with “I am 192.168.1.1, here is my MAC address.” This information is then remembered and stored in the ARP cache, so the request does not have to be made over and over again. Because any reply is accepted without verification, this flaw allows ARP poisoning to be performed easily.

Performing ARP Poisoning

Initiating ARP poisoning is fairly easy and can be done with many programs. The one covered here is Cain and Abel.

Figure 1.3: Cain and Abel performing ARP poisoning on devices that are on the network.

By ARP poisoning a target device, an attacker can perform many attacks such as Denial of Service (DoS), session hijacking, and Man in the Middle (MITM) attacks. Cain and Abel is a Windows-based password recovery tool. It has many features that allow network sniffing and hijacking of IP traffic between hosts. Other features include a network sniffer, hash calculator, certificate collector, VoIP conversation recording, and ARP poisoning.

Using Cain and Abel

Figure 1.4: Cain and Abel configuration window. This is where you select which network adapter to target.

In order to use Cain and Abel, it needs to be installed on a Windows host that is connected to the network. After it is installed, you need to specify the network adapter that Cain and Abel will sniff on.

Figure 1.5: Cain and Abel MAC Address scanner window.

After you specify the network adapter, you need to perform a scan to identify the list of hosts connected to the network. Here you can choose to scan your entire subnet or only a specific range within your subnet.

Figure 1.6: Screenshot of both Virtual Machines. The left side is the list of hosts connected to a network after a Cain and Abel MAC address scan. The right side is the target VM with a simple IPv4 address lookup with ipconfig.

The IPv4 address on a Windows host can be displayed with a simple ipconfig command.

Figure 1.7: Address Poison Routing “pool” window on Cain and Abel. Here we are selecting the network gateway (172.20.10.1) and the target device (172.20.10.13) since the goal is to intercept the traffic flowing in between these two devices.

After identifying the target device, we now need to specify the second host, usually a router, that will be communicating with the target device. This is done by adding both devices to the ARP Poison Routing “pool” as pictured in Figure 1.7. We can now perform ARP spoofing.

Figure 1.8: ARP Address Poison Routing window shows traffic intercepted in between the target device and router.

The IP address column in the lower right half of the window shows the different outbound connections made to the Internet.

Figure 1.9: The window above shows a captured password intercepted on an HTTP website.

Since Cain and Abel is sniffing the network, including the target device’s traffic, any usernames or passwords entered into unencrypted HTTP websites can be intercepted as cleartext. You can open the website directly by clicking on the URL.

Protecting yourself from ARP Poisoning

ARP poisoning is easy to perform, but protection can be just as easy. Understanding how the Address Resolution Protocol works helps users defend against these attacks.

  1. Static ARP Entries: Static ARP entries add an extra layer of defense against ARP poisoning. A static entry fixes the IP-to-MAC mapping for a communication link between two devices. As stated above, a device normally sends an ARP request when starting a session with a host; with a static entry it already knows the target host’s MAC address, which eliminates the need to send an ARP request at all.
  2. No MAC Address: We learned that an ARP request maps an IP address to a MAC address (IP-to-MAC). If a user sniffing packets finds an ARP request without a MAC address, it is highly suspicious.
  3. Keeping track of IP-to-MAC: ARP requests and ARP replies carry IP-to-MAC mappings. By keeping track of the IP-to-MAC mappings of your device’s communication sessions, any new or changed IP-to-MAC mapping can be treated as suspicious.
  4. Tools vs Tools: Many software tools are available to help protect users from malicious attacks. There are many anti-ARP-poisoning tools such as AntiARP, ARPon, and ArpStar, but the security tool covered here is XArp.
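
Defense 3 above (keeping track of IP-to-MAC) can be done by hand from the `arp -a` table shown in Figure 1.0: two unicast IPs that share one MAC, or a gateway whose MAC changes between two looks, are the classic signs of a poisoned cache. The script below is an added example written for this article, not code from the article or from Cain and Abel or XArp; the two `arp -a` snapshots and all MAC addresses in it are constructed, and the gateway 172.20.10.1 and target 172.20.10.13 are taken from Figure 1.7.

```python
"""Parse Windows `arp -a` output (the table in Figure 1.0) and flag mappings
that look poisoned.  Added example, not code from the original article; the
two snapshots below are constructed, not captured from a real host."""
import re
from collections import defaultdict

# Constructed snapshot 1: the cache before any tampering.
SNAPSHOT_CLEAN = """
Interface: 172.20.10.13 --- 0xb
  Internet Address      Physical Address      Type
  172.20.10.1           00-11-22-33-44-55     dynamic
  172.20.10.7           aa-bb-cc-dd-ee-ff     dynamic
  172.20.10.9           00-0c-29-12-34-56     dynamic
  172.20.10.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

# Constructed snapshot 2: the gateway (.1) now resolves to the MAC already
# used by host .7, the classic sign that .7 has poisoned this cache.
SNAPSHOT_POISONED = SNAPSHOT_CLEAN.replace(
    "172.20.10.1           00-11-22-33-44-55",
    "172.20.10.1           aa-bb-cc-dd-ee-ff")

ENTRY_RE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+"      # Internet Address
    r"([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+"   # Physical Address (Windows uses dashes)
    r"(dynamic|static)\s*$", re.IGNORECASE)


def parse_arp_table(text):
    """Return [(ip, mac, type), ...] from `arp -a` output; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2).lower(), m.group(3).lower()))
    return entries


def find_shared_macs(entries):
    """Return {mac: [ip, ...]} for every MAC claimed by more than one unicast IP.
    Broadcast and IPv4 multicast entries legitimately share MACs, so skip them."""
    by_mac = defaultdict(list)
    for ip, mac, _ in entries:
        if mac == "ff-ff-ff-ff-ff-ff" or mac.startswith("01-00-5e-"):
            continue
        by_mac[mac].append(ip)
    return {mac: ips for mac, ips in by_mac.items() if len(ips) > 1}


def diff_tables(old_entries, new_entries):
    """Return [(ip, old_mac, new_mac), ...] for IPs whose MAC changed between
    two snapshots (defense 3: keep track of IP-to-MAC over time)."""
    old = {ip: mac for ip, mac, _ in old_entries}
    return [(ip, old[ip], mac) for ip, mac, _ in new_entries
            if ip in old and old[ip] != mac]


if __name__ == "__main__":
    before = parse_arp_table(SNAPSHOT_CLEAN)
    after = parse_arp_table(SNAPSHOT_POISONED)
    print("shared MACs:", find_shared_macs(after))
    print("changed mappings:", diff_tables(before, after))
```

On a real host you would feed `parse_arp_table` the text returned by running `arp -a` (for example via `subprocess.run(["arp", "-a"], capture_output=True, text=True).stdout`) at two points in time. A changed gateway mapping is worth checking against the MAC printed on the router itself, and a static entry for the gateway (defense 1) stops the change from happening in the first place.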
Figure 2.0: XArp main GUI

Figure 2.1: Notification of the MacFilter module being violated

XArp is a security tool that users can download and use. XArp performs ARP poisoning detection: it detects, notifies about, and responds to ARP poisoning. The tool gives users multiple added layers of passive and active defense against ARP poisoning. A free version of XArp can be downloaded, and a paid version is also available. The free version of XArp has several modules, each with a specific function; if a module’s conditions are violated, it generates a notification for the user. The following description of the modules is provided by XArp.

“ChangeFilter: This module keeps track of IP-to-MAC address mappings. Every ARP packet contains a mapping of IP-to-MAC addresses. An ARP request contains the IP-to-MAC mapping of the sender. ARP replies contain the IP-to-MAC mapping of the machine resolved. Every mapping is inserted into a database. If a mapping is monitored that breaks the current mapping, an alert is generated. Using network discoverers, the database is filled quickly and more reliably than without network discoverers.

CorruptFilter: ARP packets have a special restriction: the Ethernet source MAC address has to match the ARP source MAC address. Furthermore, there are fields in the ARP packet that have restrictions regarding the values they can adopt. This module checks the correctness of these values. ProxyARP servers will generate false alerts because they answer ARP requests for other machines and thus do not contain the same Ethernet source MAC address and ARP mapping source MAC.

DirectRequestFilter: ARP requests need to be sent to the broadcast MAC address. Some DSL routers want to know which machines are currently online for their web management interface. Therefore they send out ARP requests which have the specific MAC address entered in the Ethernet packet. Such packets are also used by ARP spoofing software to spoof only a specific machine and not all machines on a network.

IPFilter: An ARP mapping may contain certain IP addresses. These include broadcast and multicast as well as localhost addresses.

MACFilter: Some MAC addresses in ARP packets are highly suspicious. No IP-to-MAC mapping should, for example, have the MAC broadcast address assigned. Furthermore, an ARP reply is suspicious if it maps an IP address to the local machine’s MAC address. Such an alert might also get generated when you are running a virtual machine: replies arrive at your real machine with ARP replies containing your MAC address as the sender.

RequestedResponseFilter: ARP replies should normally follow ARP requests. This filter remembers all originating ARP requests and matches them to ARP replies. Many ARP spoofing tools send ARP replies that are not requested. This filter might give false positives in some cases, as machines want to distribute their IP-to-MAC mapping to other machines that did not request it.

StaticPreserveFilter: This filter will periodically request the local ARP cache and remember the IP-to-MAC mappings that are static. If an ARP packet violates a static mapping, an alert will be generated. If a mapping from an ARP packet collides with a static mapping, someone is trying to spoof your machine.

SubnetFilter: Every ARP packet’s IP addresses need to be in the same subnet. An ARP packet with IP addresses that are not in the network interface’s configured subnet is suspicious and will be alerted.”
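
To make the module descriptions above concrete, the script below decodes raw Ethernet/ARP frames (the request/reply exchange of Figure 1.2) and applies simplified versions of six of the XArp filters to them: ChangeFilter, CorruptFilter, DirectRequestFilter, MACFilter, RequestedResponseFilter and SubnetFilter (IPFilter and StaticPreserveFilter are left out). It is an added example written for this article and is not XArp’s code; every frame is constructed inside the script rather than captured, the MAC addresses are made up, and the interface subnet 172.20.10.0/28 is an assumption chosen so that the article’s gateway (172.20.10.1) and target (172.20.10.13) fall inside it.

```python
"""Decode raw Ethernet/ARP frames and apply simplified versions of several
XArp filters to them.  Added example, not XArp's code; all frames below are
constructed in the script, not captured from a network."""
import ipaddress
import struct

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"


def _mac(s):
    return bytes.fromhex(s.replace(":", ""))


def build_arp(eth_dst, eth_src, oper, sha, spa, tha, tpa):
    """Build a 42-byte Ethernet + ARP frame (used only to construct samples)."""
    eth = _mac(eth_dst) + _mac(eth_src) + struct.pack("!H", ETHERTYPE_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)   # htype, ptype, hlen, plen, oper
           + _mac(sha) + ipaddress.IPv4Address(spa).packed
           + _mac(tha) + ipaddress.IPv4Address(tpa).packed)
    return eth + arp


def parse_arp(frame):
    """Return the Ethernet and ARP fields as a dict, or None if not an ARP frame."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    mac = lambda b: ":".join(f"{x:02x}" for x in b)
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    return {"eth_dst": mac(frame[0:6]), "eth_src": mac(frame[6:12]),
            "htype": htype, "ptype": ptype, "hlen": hlen, "plen": plen, "oper": oper,
            "sha": mac(frame[22:28]), "spa": str(ipaddress.IPv4Address(frame[28:32])),
            "tha": mac(frame[32:38]), "tpa": str(ipaddress.IPv4Address(frame[38:42]))}


class ArpMonitor:
    """Stateful inspector for one interface; inspect() returns the filters tripped."""

    def __init__(self, subnet):
        self.subnet = ipaddress.ip_network(subnet)
        self.mappings = {}    # ip -> first MAC seen for it (ChangeFilter database)
        self.pending = set()  # target IPs of requests awaiting a reply

    def inspect(self, frame):
        p = parse_arp(frame)
        if p is None:
            return []
        alerts = []
        # CorruptFilter: Ethernet source must equal the ARP sender MAC, and the
        # fixed fields must hold the values valid for IPv4 over Ethernet.
        if (p["eth_src"] != p["sha"]
                or (p["htype"], p["ptype"], p["hlen"], p["plen"]) != (1, 0x0800, 6, 4)
                or p["oper"] not in (ARP_REQUEST, ARP_REPLY)):
            alerts.append("CorruptFilter")
        # DirectRequestFilter: requests belong on the broadcast address.
        if p["oper"] == ARP_REQUEST and p["eth_dst"] != BROADCAST:
            alerts.append("DirectRequestFilter")
        # MACFilter: no IP should ever be mapped to the broadcast MAC.
        if p["sha"] == BROADCAST:
            alerts.append("MACFilter")
        # SubnetFilter: sender and target IPs must lie in this interface's subnet.
        if any(ipaddress.ip_address(p[k]) not in self.subnet for k in ("spa", "tpa")):
            alerts.append("SubnetFilter")
        # RequestedResponseFilter: a reply should answer a request seen earlier.
        if p["oper"] == ARP_REQUEST:
            self.pending.add(p["tpa"])
        elif p["oper"] == ARP_REPLY and p["spa"] in self.pending:
            self.pending.discard(p["spa"])
        elif p["oper"] == ARP_REPLY:
            alerts.append("RequestedResponseFilter")
        # ChangeFilter: the sender's mapping must agree with what was learned before.
        known = self.mappings.setdefault(p["spa"], p["sha"])
        if known != p["sha"]:
            alerts.append("ChangeFilter")
        return alerts


# Constructed addresses for the walk-through (gateway/target IPs from Figure 1.7).
GATEWAY_IP, GATEWAY_MAC = "172.20.10.1", "00:11:22:33:44:55"
VICTIM_IP, VICTIM_MAC = "172.20.10.13", "00:0c:29:12:34:56"
THIRD_MAC = "aa:bb:cc:dd:ee:ff"


def walkthrough():
    """A normal request/reply (Figure 1.2), then an unsolicited reply that re-maps
    the gateway IP to a third MAC.  Returns the alert list for each frame."""
    mon = ArpMonitor("172.20.10.0/28")   # assumed interface subnet
    frames = [
        build_arp(BROADCAST, VICTIM_MAC, ARP_REQUEST, VICTIM_MAC, VICTIM_IP, ZERO_MAC, GATEWAY_IP),
        build_arp(VICTIM_MAC, GATEWAY_MAC, ARP_REPLY, GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),
        build_arp(VICTIM_MAC, THIRD_MAC, ARP_REPLY, THIRD_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),
    ]
    return [mon.inspect(f) for f in frames]


if __name__ == "__main__":
    for alerts in walkthrough():
        print(alerts or "clean")
```

The first two frames pass every filter; the third trips RequestedResponseFilter (no request for 172.20.10.1 is outstanding) and ChangeFilter (the gateway IP was already learned with a different MAC), which is exactly the combination XArp’s description says unsolicited-reply spoofing tools produce. The ChangeFilter database here keeps the first MAC seen for an IP, so a legitimate hardware replacement would also alert until the monitor is restarted; XArp’s network discoverers exist to seed that database from a known-good state.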
