MITM with ARP Poisoning

Amalakanthan R
3 min readMay 26, 2021

ARP poisoning is the technique of exploiting ARP's design weaknesses to corrupt the IP-to-MAC mappings held by other devices on the network. When ARP was first specified in 1982 (RFC 826), security was not a priority, so the protocol's authors included no authentication to validate ARP messages. Any device on the segment can answer an ARP request, whether or not the request was meant for it. If Computer A asks for Computer B's MAC address, an intruder at Computer C can answer, and Computer A will accept the response as genuine. A number of attacks have become feasible as a result of this design decision. An intruder can "poison" the ARP cache of other hosts on an internal network using readily available tools, filling that cache with false entries.

Below are the basic steps of ARP poisoning, where the actual steps could vary according to the ARP poisoning attack:

Attacker chooses a target computer or computers — Finding a target is the first stage in preparing and carrying out an ARP poisoning attack. This might be a single host, a set of hosts, or a network device such as a router. A successful ARP poisoning attack against a router can disrupt traffic for a whole subnet, which makes routers appealing targets.

Attacker begins the attack by launching tools — Someone attempting to carry out an ARP poisoning attack has access to a wide range of tools. After starting the tool and setting the necessary parameters (interface, victim and spoofed addresses), the attacker commences the attack. The tool can start broadcasting forged ARP messages right away or wait until a request arrives.

The attacker misuses the misdirected traffic — Once the ARP cache on a target system or systems has been corrupted, the attacker will usually do something with the traffic that is now routed to them. They may inspect it, modify it, or "blackhole" it so that it never reaches its intended destination. The specific course of action is determined by the attacker's motivation.

An ARP poisoning attack can be carried out in two ways: the attacker either waits for ARP requests for a specific target and answers them, or sends an unsolicited broadcast message known as a gratuitous ARP. The first method is less visible on the network, but its reach is narrower, since only the hosts that happen to ask are poisoned. A gratuitous ARP is more immediate and affects every host on the segment, but it also generates a lot of ARP traffic that a monitoring tool can notice. In either case the corrupted ARP caches on victim machines can be used for malicious purposes.

MITM Attack

The most prevalent, and arguably most harmful, use of ARP poisoning is the MITM attack. The attacker sends forged ARP packets for a chosen IP address, usually the subnet's default gateway. As a result, the victims' ARP caches map the gateway's IP address to the attacker's MAC address rather than to the MAC address of the real router, and victim systems unknowingly send their outbound traffic to the attacker. With tools such as Ettercap, the attacker can act as a transparent proxy, reading or altering the data before forwarding it to its real destination, so that everything looks normal to the victim. Two practical points follow from this: the attacker must forward the intercepted traffic (for example by enabling IP forwarding), otherwise the victims lose connectivity and the attack degrades into a noticeable denial of service; and to see both directions of a conversation the attacker normally poisons the gateway's cache as well, mapping each victim's IP address to the attacker's MAC. When ARP poisoning is combined with DNS poisoning, the MITM attack becomes even more effective. In that case a target user can type in a legitimate site name such as google.com and be sent to the attacker's IP address instead of the real one, although for a site served over TLS the attacker cannot present a valid certificate for that name, so the browser will warn the user unless they click through.
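The following is an added example, not code from the original post and not Ettercap's implementation. It builds the two kinds of forged ARP frame described above (a unicast reply aimed at one victim, and a broadcast gratuitous ARP) as raw bytes, replays them against a simulated victim ARP cache that follows the classic unauthenticated update rule, and runs the IP-to-MAC conflict check that an arpwatch-style monitor uses to spot the attack. Nothing is put on the wire; all addresses and MACs are constructed for the example, and the cache model is a deliberate simplification of a real OS stack.

```python
import struct
from collections import defaultdict

ETH_P_ARP = 0x0806            # EtherType for ARP
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"

def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))

def ip_bytes(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))

def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)

def build_arp(op, sender_mac, sender_ip, target_mac, target_ip, dst_mac):
    """Raw Ethernet II + ARP frame (RFC 826, Ethernet/IPv4), 42 bytes."""
    eth = mac_bytes(dst_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)   # htype, ptype, hlen, plen, opcode
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)
    arp += mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp

def parse_arp(frame: bytes):
    """Return the ARP fields of a frame, or None if it is not an ARP frame."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    return {
        "op": struct.unpack("!H", frame[20:22])[0],
        "sender_mac": mac_str(frame[22:28]), "sender_ip": ip_str(frame[28:32]),
        "target_mac": mac_str(frame[32:38]), "target_ip": ip_str(frame[38:42]),
    }

def forged_reply(attacker_mac, spoofed_ip, victim_mac, victim_ip):
    """Mode 1: unicast reply to one victim claiming spoofed_ip lives at attacker_mac.
    Sent in answer to the victim's own request, or unsolicited."""
    return build_arp(ARP_REPLY, attacker_mac, spoofed_ip, victim_mac, victim_ip, victim_mac)

def gratuitous_arp(attacker_mac, spoofed_ip):
    """Mode 2: broadcast gratuitous ARP (sender IP == target IP). Every host on
    the segment sees it: louder, but it poisons many caches at once."""
    return build_arp(ARP_REPLY, attacker_mac, spoofed_ip, BROADCAST_MAC, spoofed_ip, BROADCAST_MAC)

class ArpCache:
    """Victim-side model (simplified) of the unauthenticated update rule: any ARP
    reply or gratuitous frame overwrites the IP->MAC entry unless that IP is pinned."""
    def __init__(self, static=None):
        self.table = dict(static or {})
        self.static = set(static or {})

    def observe(self, frame):
        p = parse_arp(frame)
        if p is None or p["sender_ip"] in self.static:
            return                                   # static entries are never overwritten
        if p["op"] == ARP_REPLY or p["sender_ip"] == p["target_ip"]:
            self.table[p["sender_ip"]] = p["sender_mac"]

    def lookup(self, ip):
        return self.table.get(ip)

def detect_conflicts(frames):
    """Defender-side check (what arpwatch-style monitors do): learn IP->MAC from
    every ARP frame seen and report any IP claimed by more than one MAC."""
    seen = defaultdict(set)
    for f in frames:
        p = parse_arp(f)
        if p is not None:
            seen[p["sender_ip"]].add(p["sender_mac"])
    return {ip: sorted(macs) for ip, macs in seen.items() if len(macs) > 1}

def simulate():
    # Constructed addresses for the example; the attacker impersonates the gateway.
    gw_ip, gw_mac = "192.168.1.1", "aa:bb:cc:00:00:01"
    victim_ip, victim_mac = "192.168.1.10", "aa:bb:cc:00:00:10"
    attacker_mac = "de:ad:be:ef:00:01"

    legit = build_arp(ARP_REPLY, gw_mac, gw_ip, victim_mac, victim_ip, victim_mac)
    poison_unicast = forged_reply(attacker_mac, gw_ip, victim_mac, victim_ip)
    poison_bcast = gratuitous_arp(attacker_mac, gw_ip)

    victim = ArpCache()
    victim.observe(legit)
    before = victim.lookup(gw_ip)
    victim.observe(poison_unicast)        # gateway IP now resolves to the attacker
    after = victim.lookup(gw_ip)

    pinned = ArpCache(static={gw_ip: gw_mac})   # mitigation: static entry for the gateway
    pinned.observe(poison_bcast)

    return {
        "before": before, "after": after, "pinned": pinned.lookup(gw_ip),
        "alerts": detect_conflicts([legit, poison_unicast, poison_bcast]),
    }

if __name__ == "__main__":
    for k, v in simulate().items():
        print(f"{k}: {v}")
```

Running it shows the victim's gateway entry flipping from the router's MAC to the attacker's after a single forged reply, the pinned (static) cache ignoring the broadcast poison, and the conflict detector reporting that 192.168.1.1 was claimed by two different MACs. On a real network the detection side is the part worth keeping: feed it frames from a packet capture and alert on the same condition.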
