Welcome to Scribd, the world's digital library. Read, publish, and share books and documents. See more ➡
Download
Standard view
Full view
of .
Add note
Save to My Library
Sync to mobile
Look up keyword
Like this
2Activity
×
0 of .
Results for:
No results containing your search query
P. 1
ARP Cache Poisoning Attack and Detection9

ARP Cache Poisoning Attack and Detection9

Ratings: (0)|Views: 1,290|Likes:
Published by ijcsis
(IJCSIS) International Journal of Computer Science and Information Security,
Vol. 10, No. 7, July 2012

http://sites.google.com/site/ijcsis/
ISSN 1947-5500
(IJCSIS) International Journal of Computer Science and Information Security,
Vol. 10, No. 7, July 2012

http://sites.google.com/site/ijcsis/
ISSN 1947-5500

More info:

Published by: ijcsis on Aug 19, 2012
Copyright:Attribution Non-commercial

Availability:

Read on Scribd mobile: iPhone, iPad and Android.
download as PDF, TXT or read online from Scribd
See More
See less

08/10/2013

pdf

text

original

 
1
 ARP Cache Poisoning Attack and  Detection
Fatimah mohammed Al-Qarni07120229Computer Science and EngineeringYanbu University Collegefatimah.mail@hotmail.com 
1.
 
Introduction
 
One of the most prevalent network attacks usedagainst individuals and large organizationsalike are man-in-the-middle (MITM) attacks.Considered an active eavesdropping attack,MITM works by establishing connections tovictim machines and relaying messagesbetween them. In cases like these, one victimbelieves it is communicating directly withanother victim, when in reality thecommunication flows through the hostperforming the attack. The end result is that theattacking host can not only intercept sensitivedata, but can also inject and manipulate a datastream to gain further control of its victims
[1
].The address resolution protocol (ARP) is aTCP/IP protocol used by computers to mapnetwork addresses (IP) to physical addresses(MAC). The protocol has proved to work wellunder regular circumstances, but it was notdesigned to cope with malicious hosts. Byperforming ARP cache poisoning or ARPspoofing attacks, an intruder can impersonateanother host MITM.The paper is organized as follows: In firstsection, we give a detailed description of ARPcache poisoning. Then, we show how ARPcache poisoning attack can be conducted usingCain and Abel, how password stealing andphishing can be conducted through ARP cachepoisoning, how XArp is used to detect ARPcache poisoning attack, and how ARP Freeze isused to prevent ARP cache poisoning attack.Finally, we conclude.
2.
 
ARP Cache Poisoning
In the first section of this paper we will take alook at ARP cache poisoning. One of the oldestforms of modern MITM attack, ARP cachepoisoning (sometimes also known as ARPPoison Routing) allows an attacker on the samesubnet as its victims to eavesdrop on allnetwork traffic between the victims. It is one of the simplest to execute but is considered one of the most effective once implemented byattackers [2].
2.1. Normal ARP Communication
The ARP protocol was designed out of necessity to facilitate the translation of addresses between the second and third layersof the OSI model. The second layer, or data-link layer, uses MAC addresses so thathardware devices can communicate to eachother directly on a small scale. The third layer,or network layer, uses IP addresses (mostcommonly) to create large scalable networksthat can communicate across the globe. Thedata link layer deals directly with devicesconnected together where as the network layerdeals with devices that are directly connectedAND indirectly connected. Each layer has its
nernaona ourna o ompuer cence an normaon ecury,Vol. 10, No. 7, July 201269 http://sites.google.com/site/ijcsis/ISSN 1947-5500
 
2own addressing scheme, and they must work together in order to make network communication happen. For this very reason,
ARP was created with RFC 826, “An EthernetAddress Resolution Protocol”
[10].
Figure 1:
The ARP Communication Process.
The nitty gritty of ARP operation is centeredaround two packets, an ARP request and anARP reply. The purpose of the request andreply are to locate the hardware MAC addressassociated with a given IP address so thattraffic can reach its destination on a network.The request packet is sent to every device on
the network segment and says “Hey, my IP
address is XX.XX.XX.XX, and my MACaddress is XX:XX:XX:XX:XX:XX. I need tosend something to whoever has the IP address
XX.XX.XX.XX, but I don’t know what their 
hardware address is. Will whoever has this IPaddress please respond back with their MAC
address?” The respon
se would come in theARP reply packet and effectively provide this
answer, “Hey transmitting device. I am who
you are looking for with the IP address of XX.XX.XX.XX. My MAC address is
XX:XX:XX:XX:XX:XX.” Once this is
completed the transmitting device will updateits ARP cache table and the devices are able tocommunicate with one another [6], [11].
2.2.
 
Poisoning the Cache
ARP cache poisoning takes advantage of theinsecure nature of the ARP protocol. Unlikeprotocols such as DNS that can be configuredto only accept secured dynamic updates,devices using ARP will accept updates at anytime. This means that any device can send anARP reply packet to another host and force thathost to update its ARP cache with the newvalue. Sending an ARP reply when no requesthas been generated is called sending agratuitous ARP. When malicious intent ispresent the result of a few well placedgratuitous ARP packets used in this manner canresult in hosts who think they arecommunicating with one host, but in reality arecommunicating with a listening attacker [12].
Figure 2:
Intercepting Communication with ARP CachePoisoning.
nernaona ourna o ompuer cence an normaon ecury,Vol. 10, No. 7, July 201270 http://sites.google.com/site/ijcsis/ISSN 1947-5500
 
3
3.
 
ARP Cache Poisoning Attack andDetection
ARP cache poisoning attacks allow an attackerto silently eavesdrop or manipulate all yourdata that is sent over the network. This includesdocuments, emails and VoiceIP conversations.ARP spoofing attacks are undetected byfirewalls and operating system security features[9].
3.1. Using Cain & Abel and XArp tools
Let us take the given scenario above and take itfrom theory to reality. There are a few differenttools that will perform the necessary steps topoison the ARP cache of victim machines. Wewill use the popular security tool Cain & AbelfromOxid.it [3]. Cain and Abel does quite a few things beyond ARP cache poisoning and isa very useful tool to have in your arsenal.XArp [4] is a security application that usesadvanced techniques to detect ARP basedattacks. As we said firewalls don't protect youagainst ARP based attack! So, XArp has beendeveloped to target this problem: it usesadvanced techniques to detect ARP attacks andthus helps you to keep your data private. If apotential threat is detected, the program alertsyou via pop-up message on your desktop.Now, let us show you how ARP cachepoisoning attacks conducted using Cain andAbel, how password stealing and phising doneby ARP poisoning and how XArp is used todetect it.You need to use two laptops and connect itwirelessly.
One is the attacker’s computer; theother is the victim’s computer 
. Install Cain &Abel on the attacker computer.Then follow these procedures:
1)
 
Run XArp on the
victim’s
 
computer.
2)
Open
Cain & Abel on the attacker’s
 
computer. At main screen, select Configure,then click your network adapter, thenApply and Ok.
12
nernaona ourna o ompuer cence an normaon ecury,Vol. 10, No. 7, July 201271 http://sites.google.com/site/ijcsis/ISSN 1947-5500

You're Reading a Free Preview

Download
/*********** DO NOT ALTER ANYTHING BELOW THIS LINE ! ************/ var s_code=s.t();if(s_code)document.write(s_code)//-->