Friday, August 12, 2011

ARP Poisoning

?

- Difference between a switch and a hub
- What is ARP?
- What is ARP Poisoning?

Difference between a switch and a hub

If you have a network running with a hub, there is no need for ARP Poisoning to sniff the network. Because if you send information over a hubbed network, all computers will receive the data. The hub gets the information, and sends it out on all ports. But, on a switched network only the destination computer gets the data. That means that your sniffer won't pick up anything, unless it is for you. The switch uses an addressing system called Media Access Control (MAC). Every computer has a MAC address. The switch holds and maintains a table that associates MAC addresses with certain ports, so that the info will only be sent to the given MAC address. A computer can not communicate with another computer before it has it's MAC address, simple as that. This is where the Address Resolution Protocol (ARP) comes in.

What is ARP?

Address Resolution Protocol (ARP) is a method for finding a host's MAC address when only the IP is known. If a computer wants to communicate with another computer over a network it will first see if it already knows the MAC address, if not it will send out a an ARP request in order get it. An ARP request is one of four types of messages in ARP. But the two main types is ARP request and ARP reply, which I will be covering in this article. The ARP request contains the senders MAC address and IP, and it requests the MAC address of the given IP. The reason that it is holding the senders MAC and IP, is so that the receiver can update his ARP cache with this information too, before he sends the reply with his MAC. Did I hear you ask what an ARP cache is? It is a temporary storage place on your computer that associates IP addresses of other computers with MAC addresses.

What is ARP Poisoning?

Now, if you want to sniff the network, you have to get the traffic to go through you. One way to do this is ARP Poisoning. The weakness is: All computers will accept an ARP reply, even if there never where an ARP request. In other words, you can send a customized ARP reply to your target computers, which will update their ARP cache with a new MAC address - yours. So when a computer wants to send something to another computer, it will find it's MAC address in the ARP cache based on the IP - that MAC address is now your MAC address. So when it sends something to the MAC address, it sends it to you. But keep in mind, you have to send the packets on, or you will end up with a DoS. Another thing you have to think of, is that from time to time the ARP cache of a computer gets flushed, if there is no traffic. So you have to send a new customized ARP reply to the targets like every 10th second or so, but this can be done automatically.

Keep Rocking, Keep Hacking

No comments:

Post a Comment