Professional Documents
Culture Documents
UE20CS326
Prof. Prasad H B,
Prof. Preet Kanwal
Unit 2
Lecture 1
Emergency Exit Assembly Point Washroom
Computer
ISFCR Executive
NetworkEducation
Security 4
Outline
☞ Introduction
☞ Ethernet Frame and MAC Header
☞ Tracking based on MAC address and Threat to Privacy
☞ Packet’s Hop-by-Hop Transmission
☞ ARP Protocol
☞ ARP Cache Poisoning Attack
☞ MITM Attacks using ARP Cache Poisoning
Summary :
● Same payload keeps changing the vehicle, if you
consider ethernet frame is a vehicle.
● Eventually hop by hop packet will arrive at the receiver
end.
Default gateway
Hardware address
But dest IP is
142.250.193.142
☞ Before the ICMP echo requests is sent out, ARP request is sent, Only
after getting the ARP reply, ping will be successful.
Computer Network Security 21
ARP Request Packet(ping 10.0.2.15)
Its a Broadcast!!
Use the knowledge of ARP, MAC Layer and try to provide an explanation.
Observe the difference of the following two commands, and explain your
observation :
1. ping 1.2.3.4 (non-existing, not on the local network)
2. ping 10.0.2.97 (non-existing, on the local network)
Case 2: But if you're trying to ping a non-existing host on the same wire, the sender is going to
send out an ARP request to that computer, broadcasting to the network, asking Who has the
MAC address of this IP. Because this computer doesn't exist, nobody's going to reply. Without
the reply, you don't know the MAC address of the recipient. So, you will never send out the
actual echo request. That's why your program, the sniff-and-spoof program works perfectly,
but if you don't see any request, you of course won't spoof a reply.
Computer
ISFCR Executive
NetworkEducation
Security 38
Create a new entry in the Cache : spoof_arp_request.py
Computer
ISFCR Executive
NetworkEducation
Security 41
Create a new entry in the Cache : spoof_arp_reply.py
Computer
ISFCR Executive
NetworkEducation
Security 45
Update cache by sending spoofed ARP Request
Computer
ISFCR Executive
NetworkEducation
Security 48
Update cache by sending spoofed ARP Reply
But this step creates an incomplete entry for 10.0.2.67 in the targets
arp cache.
But for the reply and the gratuitous messages, either the spoofed
reply is a response to a legitimate request, or there must already be
an entry in the cache.
Next, send arp spoofed reply and the attack will be successful.
Client Server
$nc -l 10.0.2.14 9090 $nc -l 9090
A B
IP_A : 10.0.2.15 IP_B : 10.0.2.14
MAC_A : 08:00:27:fd:d5:27 MAC_B : 08:00:27:aa:b1:ad
M
IP_M : 10.0.2.13
MAC_M : 08:00:27:bb:77:45
Note: The entries in the ARP cache may be updated due to some network
activity hence, poison the cache often, for the attack to work.
In the 2020 State of Union address, President Trump said the following:
“In 2019, Russian hackers launched many ARP cache poisoning attacks from Russia
against the computer networks inside the White House, but, I can proudly tell you,
under my leadership, we have successfully defeated all of these attacks.”
Solution: Technically you shouldn’t applaud because ARP cache poisoning attack is
not possible remotely (ARP messages don’t travel beyond the local subnet).
☞ Question
☞ Countermeasures
Follow us