ARP
2019-12-18

ARP stands for Address Resolution Protocol. Its purpose is to resolve IP addresses in local networks (LAN) to the MAC addresses used for direct communication. Every network card has a unique MAC address, so it is convenient to know which hardware you are supposed to communicate with when you address some IP. It is analogous to DNS, but on a lower level. DNS resolves domain names to IP addresses and works both in a LAN and on the wild Internet. ARP resolves IP addresses to MAC addresses, but from what I know it is used in LAN only. It doesn't make much sense to use MAC addresses outside of a LAN, because you can't reach hardware that is not within range of your antenna, so IPs usually suffice there. If we want to mess with our LAN, it makes sense to mess with MAC addresses too.

Computers usually resolve IPs on a LAN by first looking through their local ARP table. If the target is not found there, they send an ARP request to the broadcast address that reads roughly "Who has 192.168.50.69? Tell 192.168.50.143". Every computer on the network listens to the broadcast, so the holder of that IP responds to us directly: "192.168.50.69 is at [MAC addr]". This is all we need to know to start communicating. This is also how scanning for IPs on a LAN works.

[scr-1]
$ nmap -sP 192.168.1.1/24

When you issue this command, nmap floods your network with ARP requests for every possible IP in the specified range, and sooner or later the hosts respond. Blocking ARP requests usually breaks TCP/IP connectivity, so there is a high chance the victim machine will reply.

Let's see if we can somehow manipulate ARP. For that purpose we will use dsniff, which includes tools like arpspoof and dnsspoof. To demonstrate how this works I've MITM'ed my friend's laptop.

[pht-1]

First we need to know the IP of our victim and of our gateway.

$ ip a show dev wlp2s0

or on Windows simply:

> ipconfig

We are on the same network, so we can execute the attack.
[scr-2]
$ arpspoof -i wlp2s0 -t 10.14.75.17 -r 10.14.72.1

where 10.14.75.17 is my friend's IP and 10.14.72.1 is the gateway. It seems to work. The gateway thinks we are the victim computer and the victim treats our computer as the gateway. We've fooled them both: the victim's connection now goes through our machine instead of straight to the real gateway. This is called a man-in-the-middle (MITM) attack, because our machine now sits in the middle of the connection between the victim and the Internet. The technique is known as ARP spoofing or ARP poisoning, because we've sent spoofed ARP packets to poison the ARP tables of the victim and the gateway and redirect their traffic through our machine. Here is a nice diagram of what the connection looks like during the attack: https://commons.wikimedia.org/wiki/File:ARP_Spoofing.svg

For the sake of demonstration let's set up a simple website:

$ vim index.html
$ python2 -m SimpleHTTPServer 80

and spoof DNS so that example.com points to our IP address (printf is used here because bash's echo does not expand \t, and dnsspoof expects the address and the name separated by whitespace):

$ printf '10.14.75.206\texample.com\n' >> hosts
$ dnsspoof -i wlp2s0 -f hosts

Now when we go to example.com from the victim computer, it asks its gateway what the IP of example.com is. We are the gateway, so we respond with our own IP address. The victim goes to our IP instead of the real one and sees our website.

As you can see, the arpspoof attack is really powerful. From the MITM position we can sniff and manipulate the victim's traffic however we want. Hopefully you now understand the principle of how these attacks work.

This post was sponsored by Google Code-in (jk). Screenshots were requested as part of my task.
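The following is an added example, not code from the post and not part of dsniff or nmap. It ties together the two halves of the post from the defender's side: it encodes and decodes the "Who has X? Tell Y" / "X is at MAC" exchange described above as raw Ethernet+ARP frames, and then runs a small arpwatch-style monitor over a constructed sequence of frames in which a third host (using the post's attacker address 10.14.75.206) suddenly claims the gateway IP 10.14.72.1. The MAC addresses are constructed for the example; the IPs are the ones from the post. Nothing here touches a real network interface.

```python
"""Decode ARP frames and flag IP-to-MAC conflicts that indicate ARP poisoning.

Added example; all frames are constructed inside this file.
"""
import struct

ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, EtherType
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")  # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = b"\xff" * 6


def mac_bytes(text):
    return bytes(int(x, 16) for x in text.split(":"))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def ip_bytes(text):
    return bytes(int(x) for x in text.split("."))


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Build an Ethernet frame carrying an IPv4-over-Ethernet ARP message."""
    dst = BROADCAST if op == ARP_REQUEST else mac_bytes(target_mac)
    eth = ETH_HDR.pack(dst, mac_bytes(sender_mac), ETHERTYPE_ARP)
    arp = ARP_HDR.pack(1, 0x0800, 6, 4, op,
                       mac_bytes(sender_mac), ip_bytes(sender_ip),
                       mac_bytes(target_mac), ip_bytes(target_ip))
    return eth + arp


def parse_arp(frame):
    """Return a dict describing the ARP message, or None if the frame is not IPv4/Ethernet ARP."""
    if len(frame) < ETH_HDR.size + ARP_HDR.size:
        return None
    _, _, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = ARP_HDR.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"op": op, "sender_mac": mac_str(sha), "sender_ip": ip_str(spa),
            "target_mac": mac_str(tha), "target_ip": ip_str(tpa)}


def describe(msg):
    """Render the message the way the post phrases it."""
    if msg["op"] == ARP_REQUEST:
        return f"Who has {msg['target_ip']}? Tell {msg['sender_ip']}"
    return f"{msg['sender_ip']} is at {msg['sender_mac']}"


class ArpWatcher:
    """Track which MAC each IP has claimed (from the sender fields of every ARP message).

    Two symptoms of poisoning are reported: an IP that changes MAC, and one MAC
    that claims more than one IP (the attacker's card answering for the gateway).
    """
    def __init__(self):
        self.table = {}  # ip -> mac

    def observe(self, msg):
        alerts = []
        ip, mac = msg["sender_ip"], msg["sender_mac"]
        old = self.table.get(ip)
        if old is not None and old != mac:
            alerts.append(f"{ip} changed from {old} to {mac}")
        others = [i for i, m in self.table.items() if m == mac and i != ip]
        if others:
            alerts.append(f"{mac} also claims {', '.join(sorted(others))}")
        self.table[ip] = mac
        return alerts


# Constructed MACs (hypothetical); IPs are the ones from the post.
VICTIM_MAC, GATEWAY_MAC, ATTACKER_MAC = "aa:aa:aa:aa:aa:aa", "bb:bb:bb:bb:bb:bb", "cc:cc:cc:cc:cc:cc"
SAMPLE_FRAMES = [
    build_arp(ARP_REQUEST, VICTIM_MAC, "10.14.75.17", "00:00:00:00:00:00", "10.14.72.1"),
    build_arp(ARP_REPLY, GATEWAY_MAC, "10.14.72.1", VICTIM_MAC, "10.14.75.17"),
    build_arp(ARP_REQUEST, ATTACKER_MAC, "10.14.75.206", "00:00:00:00:00:00", "10.14.72.1"),
    build_arp(ARP_REPLY, ATTACKER_MAC, "10.14.72.1", VICTIM_MAC, "10.14.75.17"),  # forged reply
]


def run_demo(frames=None):
    """Decode each frame and return (description, alerts) pairs in order."""
    watcher = ArpWatcher()
    results = []
    for frame in frames or SAMPLE_FRAMES:
        msg = parse_arp(frame)
        if msg is None:
            continue
        results.append((describe(msg), watcher.observe(msg)))
    return results


if __name__ == "__main__":
    for text, alerts in run_demo():
        suffix = "  ALERT: " + "; ".join(alerts) if alerts else ""
        print(text + suffix)
```

The first three frames are the normal exchange and produce no alerts; the fourth, the forged "10.14.72.1 is at cc:..." reply, triggers both checks at once. The same alerts fire for legitimate events such as a replaced network card or a DHCP lease moving to another machine, so in practice this signal is correlated with other evidence, and the structural fixes are static ARP entries for the gateway on sensitive hosts and Dynamic ARP Inspection on managed switches.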