Address Resolution Protocol Cache Poisoning
JMU GenCyber Boot Camp
Summer, 2015
Network Sniffing
• Sometimes it is possible to observe/record traffic
traveling on a network
• Network traffic may contain valuable information:
– Usernames and passwords
•Encrypted
•Unencrypted
– E-mail, web requests (and replies), data files
– Etc.
• A sniffer is a piece of software that captures
network traffic
Analogy - Wiretapping
• The FBI conducts wiretaps
– Go to a judge and get a court order authorizing the
wiretap
•Who?
•What?
•When?
•Why?
– With the help of the phone company, can listen
to/record a suspect’s phone conversations to obtain
evidence
Analogy – Wiretapping (cont)
• Sniffer allows an administrator (or attacker) to
record/listen in on conversations between
computers
– May need authorization to monitor network traffic
–Electronic Communications Privacy Act
–https://www.cdt.org/issue/wiretap-ecpa
– May not need authorization to monitor network traffic
–“Trap and Trace”/“Pen register”
–Consent
– May not care - attackers
Sniffing - Environment
• Some networks use shared media so passive
sniffing is very easy
– Network interface cards can be placed in
“promiscuous” mode so that they do not ignore
traffic to other hosts
• Wireless network traffic can also be
captured (but may be encrypted)
• Sniffing is more difficult (but not
impossible) in switched environments
Protocol Analysis
• Captured network packets contain binary
data which is difficult to interpret
• Most sniffers include a protocol analysis
component which organizes and displays
the (human-readable) contents of the traffic
– Example: Wireshark
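An added example of the protocol-analysis step, not code from the slides or from Wireshark: a small dissector that walks the Ethernet, IPv4 and TCP headers (verifying both checksums), then follows the FTP control channel and pairs each USER with the PASS that follows it, which is what the FTP capture demo later in the deck shows in Wireshark. The capture is constructed inline; the hosts, MACs and credentials are assumed values modelled on the lab.

```python
"""Dissect Ethernet/IPv4/TCP frames and pull FTP logins out of the cleartext control
channel. Added example, not from the slides; the capture is constructed in code and
modelled on the deck's lab (a client on .142 logging in to an FTP server on .141)."""
import struct
from ipaddress import IPv4Address

ETH_P_IP, IPPROTO_TCP, FTP_PORT = 0x0800, 6, 21


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum used by the IPv4 and TCP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_tcp_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload, seq=1):
    """A minimal but checksum-correct frame carrying one TCP segment (PSH|ACK)."""
    src, dst = IPv4Address(src_ip).packed, IPv4Address(dst_ip).packed
    tcp = struct.pack("!HHLLBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    pseudo = src + dst + struct.pack("!BBH", 0, IPPROTO_TCP, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, IPPROTO_TCP, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    eth = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
    return eth + struct.pack("!H", ETH_P_IP) + ip + tcp


def dissect(frame: bytes):
    """Return the TCP layer as a dict, or None for non-IPv4/TCP frames and for frames
    whose IPv4 or TCP checksum does not verify (a real analyser flags these rather than
    dropping them silently)."""
    if len(frame) < 54 or struct.unpack("!H", frame[12:14])[0] != ETH_P_IP:
        return None
    ip = frame[14:]
    ihl, total_len = (ip[0] & 0x0F) * 4, struct.unpack("!H", ip[2:4])[0]
    if ip[0] >> 4 != 4 or ip[9] != IPPROTO_TCP or checksum(ip[:ihl]) != 0:
        return None
    seg = ip[ihl:total_len]
    pseudo = ip[12:20] + struct.pack("!BBH", 0, IPPROTO_TCP, len(seg))
    if checksum(pseudo + seg) != 0:
        return None
    sport, dport = struct.unpack("!HH", seg[:4])
    data_offset = (seg[12] >> 4) * 4
    return {"src": str(IPv4Address(ip[12:16])), "dst": str(IPv4Address(ip[16:20])),
            "sport": sport, "dport": dport, "payload": seg[data_offset:]}


def extract_ftp_logins(frames):
    """Follow each client->server control stream (dport 21) and pair USER with PASS."""
    streams = {}
    for frame in frames:
        pkt = dissect(frame)
        if pkt is None or pkt["dport"] != FTP_PORT:
            continue
        key = (pkt["src"], pkt["sport"], pkt["dst"])
        streams[key] = streams.get(key, b"") + pkt["payload"]   # in-order delivery assumed
    logins = []
    for (client, _, server), data in streams.items():
        user = None
        for line in data.decode("ascii", "replace").split("\r\n"):
            verb, _, arg = line.partition(" ")
            if verb.upper() == "USER":
                user = arg
            elif verb.upper() == "PASS" and user is not None:
                logins.append({"client": client, "server": server, "user": user, "password": arg})
                user = None
    return logins


def sample_capture():
    """Constructed frames: the FTP control channel from the deck's sniffing demo."""
    c, s = "192.168.78.142", "192.168.78.141"
    cm, sm = "00:0c:29:aa:bb:42", "00:0c:29:aa:bb:41"
    return [
        build_tcp_frame(sm, cm, s, c, 21, 40001, b"220 FTP server ready\r\n"),
        build_tcp_frame(cm, sm, c, s, 40001, 21, b"USER guest\r\n"),
        build_tcp_frame(sm, cm, s, c, 21, 40001, b"331 Please specify the password.\r\n"),
        build_tcp_frame(cm, sm, c, s, 40001, 21, b"PASS s3cret\r\n"),
        build_tcp_frame(sm, cm, s, c, 21, 40001, b"230 Login successful.\r\n"),
    ]


if __name__ == "__main__":
    print(extract_ftp_logins(sample_capture()))
```

The same walk (header lengths from the IHL and data-offset fields, not fixed constants) is what a real analyser does before it can show a "human-readable" stream; the FTP pairing is the simplest of the credential extractors that tools such as Cain and Abel run over captured traffic.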
Example – An Nmap Port Scan
• Target host: 192.168.78.141
– Start Wireshark
• Source host: 192.168.78.142
– Perform a TCP-connect scan
•nmap -sT <target host>
• View results
Example – A Web Connection
• Target host: 192.168.78.141
– Start Wireshark
• Source host: 192.168.78.142
– Open a text-based web browser
•Get default web page on the target host
• View results
Example – An FTP Connection
• Target host: 192.168.78.141
– Start Wireshark
• Source host: 192.168.78.142
– Use the ftp client
•ftp <target host>
• View results
Example – An SFTP Connection
• Target host: 192.168.78.142
• Source host: 192.168.78.141
– Use the sftp client
•sftp guest@<target host>
• View results
Man-in-the-Middle
• In a switched environment a host only
receives:
– Traffic destined for itself
– Broadcast traffic
• Cannot see traffic between other hosts
• Man-in-the-middle = insert yourself as an
(undetected) intermediary between
communicating hosts
Man-in-the-middle (cont)
• Normal: Alice <-> Bob
• Man-in-the-middle: Alice <-> I <-> Bob
[Figure: Alice and Bob communicate directly; with a man-in-the-middle, the intruder I sits between them]
Man-in-the-middle (cont)
• How to achieve man-in-the-middle in a
switched environment?
• Exploit address resolution protocols
Address Resolution
• All network communications must be carried out
over physical networks
– Each machine has a unique physical (MAC) address
• Programs (and humans) use IP addresses to
specify the machine to which a message is sent
• The address resolution problem – need to map IP
address to physical address
The Address Resolution Problem
Hosts A and B are on the same physical network
B wants to communicate with A but only knows A’s
IP address
[Figure: hosts A, B, C, D and E attached to one physical network]
The Address Resolution Protocol (ARP)
Host A wants to resolve the IP address IB
Host A broadcasts a special (ARP) packet that asks
the host with IP address IB to respond with its
physical address
All hosts receive the request
Host B recognizes its IP address
Host B sends a reply containing its physical address
ARP
• Phase 1: A broadcasts the request; X, B and Y all receive it
• Phase 2: B replies directly to A
[Figure: hosts A, X, B and Y on one segment, shown for each phase]
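The two phases above, as an added example that is not part of the slides: ARP request and reply frames encoded and decoded with Python's standard library only. The MAC and IP addresses are constructed lab values. The last function builds the frame a poisoner sends; it is included to show that, on the wire, it has exactly the same format as a legitimate reply.

```python
"""ARP request/reply frames built and dissected with the standard library only
(RFC 826 over Ethernet). Added example; MACs and IPs are constructed lab values."""
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"


def mac_to_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def bytes_to_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


@dataclass
class Arp:
    op: int     # 1 = request, 2 = reply
    sha: str    # sender hardware (MAC) address
    spa: str    # sender protocol (IP) address
    tha: str    # target hardware address (all zeros in a request)
    tpa: str    # target protocol address


def build_frame(dst_mac: str, src_mac: str, arp: Arp) -> bytes:
    """Ethernet header (14 bytes) followed by the 28-byte ARP body."""
    eth = mac_to_bytes(dst_mac) + mac_to_bytes(src_mac) + struct.pack("!H", ETH_P_ARP)
    body = struct.pack("!HHBBH", 1, 0x0800, 6, 4, arp.op)   # Ethernet/IPv4, 6-byte MAC, 4-byte IP
    body += mac_to_bytes(arp.sha) + IPv4Address(arp.spa).packed
    body += mac_to_bytes(arp.tha) + IPv4Address(arp.tpa).packed
    return eth + body


def parse_frame(frame: bytes):
    """Return (dst_mac, src_mac, Arp); raise ValueError for anything that is not Ethernet/IPv4 ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol type")
    arp = Arp(op,
              bytes_to_mac(frame[22:28]), str(IPv4Address(frame[28:32])),
              bytes_to_mac(frame[32:38]), str(IPv4Address(frame[38:42])))
    return bytes_to_mac(frame[:6]), bytes_to_mac(frame[6:12]), arp


def arp_request(my_mac: str, my_ip: str, target_ip: str) -> bytes:
    """Phase 1: broadcast 'who has target_ip? tell my_ip'. The request carries the
    sender's own binding, which every host on the segment may cache."""
    return build_frame(BROADCAST, my_mac, Arp(ARP_REQUEST, my_mac, my_ip, ZERO_MAC, target_ip))


def answer_request(frame: bytes, my_mac: str, my_ip: str):
    """Phase 2: the host that recognises its IP in the request returns a unicast reply;
    every other host returns None (it ignores the request, though it may cache the sender)."""
    _, requester_mac, req = parse_frame(frame)
    if req.op != ARP_REQUEST or req.tpa != my_ip:
        return None
    return build_frame(requester_mac, my_mac, Arp(ARP_REPLY, my_mac, my_ip, req.sha, req.spa))


def resolve(a_mac, a_ip, b_mac, b_ip):
    """The whole exchange between two hosts; returns the MAC A learns for b_ip."""
    reply = answer_request(arp_request(a_mac, a_ip, b_ip), b_mac, b_ip)
    _, _, arp = parse_frame(reply)
    return arp.sha if arp.op == ARP_REPLY and arp.spa == b_ip else None


def poisoned_reply(attacker_mac, spoofed_ip, victim_mac, victim_ip) -> bytes:
    """What an ARP poisoner sends: a reply nobody asked for, claiming spoofed_ip lives
    at the attacker's MAC. It is byte-for-byte the same format as a legitimate reply;
    ARP carries nothing that lets the victim tell the two apart."""
    return build_frame(victim_mac, attacker_mac,
                       Arp(ARP_REPLY, attacker_mac, spoofed_ip, victim_mac, victim_ip))


if __name__ == "__main__":
    print(resolve("00:0c:29:aa:bb:41", "192.168.78.141", "00:0c:29:aa:bb:43", "192.168.78.143"))
```

Two details matter for the rest of the deck: the request is broadcast, so every host sees the requester's IP-to-MAC binding; and nothing in the reply ties it to a request, which is why an unsolicited reply is accepted.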
ARP Caches
• Each host maintains a cache of recently-
used mappings
– Information in the cache expires after a set time
has elapsed
• When sending an ARP request a host
includes its IP-to-physical address binding
• All machines on a physical network
“snoop” ARP packets for mappings
Demo – ARP Cache
• Host .141 has not communicated with .143
– .141’s ARP cache probably doesn’t contain an
entry for .143
• Host .141 makes a web request to .143
– ARP for .143’s physical address
•Added to .141’s cache
– Web request sent and reply received
ARP Cache Poisoning
• Send (unicast to the victim, or broadcast) ARP replies associating your
physical address with a given IP address
– ARP has no authentication: hosts accept a reply even if they
never sent a request, and put the mapping into their ARP cache
– When a machine wants to communicate with
the given IP address it sends the frame to your
physical address
– You read the frame and then forward it on to
the real destination host, so the victims notice nothing
Cain and Abel
• A man-in-the-middle LAN attack tool
– Sniffer
– Protocol analyzer
• URL: http://www.oxid.it/cain.html
• Can be used to poison hosts' ARP caches
Demo – ARP Cache Poisoning
• Hosts .142 and .143 may or may not have
communicated
– ARP caches may or may not contain entries for
each other
• Start Cain (on .141) and poison both .142
and .143’s ARP caches:
– In .142’s cache: .143’s IP associated with .141’s HW address
– In .143’s cache: .142’s IP associated with .141’s HW address
ARP Cache Poisoning - Result
• .142 and .143 will communicate with each other
– May not realize that their communications are flowing through a
third party
• All communications will flow through .141
– .141 can read/store traffic
– .141 forwards between the two hosts
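The cache behaviour from the "ARP Caches" slide and the poisoning demo above, as an added example that is not from the slides: a simulated switched LAN with per-host ARP caches (TTL expiry, static entries), then the attacker on .141 poisoning both .142 and .143 and relaying what it intercepts. Hosts, MACs and the TTL are constructed values modelled on the lab.

```python
"""Per-host ARP caches on a simulated switched LAN, before and after poisoning.
Added example, not from the slides; hosts and MACs are constructed lab values
modelled on the deck's 192.168.78.x machines."""
from dataclasses import dataclass, field

ARP_TTL = 60  # seconds a learned entry stays valid (assumed; real stacks differ)


class ArpCache:
    """IP -> (MAC, expiry). Static entries never expire and are never overwritten."""

    def __init__(self):
        self.dynamic = {}
        self.static = {}

    def snoop(self, ip, mac, now):
        """Learn a binding from any ARP packet seen, solicited or not. This blind
        overwrite is exactly what a poisoner exploits."""
        if ip in self.static:
            return False
        self.dynamic[ip] = (mac, now + ARP_TTL)
        return True

    def lookup(self, ip, now):
        if ip in self.static:
            return self.static[ip]
        entry = self.dynamic.get(ip)
        if entry is None or now >= entry[1]:
            self.dynamic.pop(ip, None)
            return None
        return entry[0]


@dataclass
class Host:
    ip: str
    mac: str
    cache: ArpCache = field(default_factory=ArpCache)
    received: list = field(default_factory=list)


class Lan:
    """A switch: a unicast frame reaches only the host owning its destination MAC."""

    def __init__(self, hosts):
        self.by_mac = {h.mac: h for h in hosts}
        self.by_ip = {h.ip: h for h in hosts}

    def resolve(self, host, ip, now):
        mac = host.cache.lookup(ip, now)
        if mac is None:                                  # cache miss: request/reply exchange
            target = self.by_ip[ip]
            target.cache.snoop(host.ip, host.mac, now)   # target learns requester from the request
            host.cache.snoop(ip, target.mac, now)        # requester learns target from the reply
            mac = target.mac
        return mac

    def send(self, src, dst_ip, payload, now):
        """Returns the IP of the host the frame actually arrived at."""
        frame = {"dst_mac": self.resolve(src, dst_ip, now), "src_ip": src.ip,
                 "dst_ip": dst_ip, "payload": payload}
        receiver = self.by_mac[frame["dst_mac"]]
        receiver.received.append(frame)
        return receiver.ip


def poison(attacker, victim, spoofed_ip, now):
    """Attacker sends victim an unsolicited reply: '<spoofed_ip> is-at <attacker MAC>'."""
    return victim.cache.snoop(spoofed_ip, attacker.mac, now)


def forward(lan, attacker, frame):
    """The man in the middle relays an intercepted frame to its real owner using the
    attacker's own cache (which was never poisoned); the payload could be altered here."""
    real = lan.by_ip[frame["dst_ip"]]
    real.received.append({**frame, "dst_mac": real.mac})
    return real.ip


def run_scenario():
    attacker = Host("192.168.78.141", "00:0c:29:aa:bb:41")
    v142 = Host("192.168.78.142", "00:0c:29:aa:bb:42")
    v143 = Host("192.168.78.143", "00:0c:29:aa:bb:43")
    lan = Lan([attacker, v142, v143])
    result = {}
    result["before"] = lan.send(v142, v143.ip, b"USER anonymous\r\n", now=0)
    # The deck's demo: .141 poisons both victims so each maps the other's IP to .141's MAC.
    poison(attacker, v142, v143.ip, now=1)
    poison(attacker, v143, v142.ip, now=1)
    result["poisoned"] = lan.send(v142, v143.ip, b"PASS s3cret\r\n", now=2)
    result["forwarded_to"] = forward(lan, attacker, attacker.received[-1])
    result["attacker_saw"] = [f["payload"] for f in attacker.received]
    # Countermeasure: a static entry on .142 for .143 cannot be overwritten.
    v142.cache.static[v143.ip] = v143.mac
    result["poison_accepted"] = poison(attacker, v142, v143.ip, now=3)
    result["with_static"] = lan.send(v142, v143.ip, b"QUIT\r\n", now=4)
    return result


if __name__ == "__main__":
    print(run_scenario())
```

Note what the attacker has to keep doing: dynamic entries expire (ARP_TTL here), and the real host will answer the next genuine request, so a poisoner resends its replies continuously, which is what makes the attack visible to a monitor.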
Example – An FTP Connection
• Switched Environment
– Source host: .143
– Destination host: .142
– Attacker: .141
• Using:
– Cain and Abel
ARP Poisoning
• Can:
• Read traffic
• Modify traffic
Example – DNS Spoofing
• Switched Environment
– Source host: .143
– Destination host: Google
– Attacker: .141
• Using:
– Cain and Abel
Example – SSH Downgrade
• Switched Environment
– Source host: my laptop
– Destination host: .147
– Attacker: .141
• Using:
– Cain and Abel
ARP Poisoning
• What attackers look for:
– Sensitive, unencrypted communications
•Web requests/replies, e-mail, FTP
– Weakly-encrypted or downgradeable communications
•Old versions of SSH (e.g. SSH-1), RDC
ARP Poisoning - Countermeasures
• Static ARP entries on critical hosts (gateway, servers); switch features such as Dynamic ARP Inspection and port security
• ARPwatch (records IP-to-MAC bindings and alerts when one changes)
• IDS
• End-to-end encryption/authentication (SSH, TLS), so intercepted traffic yields little
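Added example, not from the slides and not arpwatch's own code: an arpwatch-style monitor that learns IP-to-MAC bindings from observed ARP packets and raises the alerts that poisoning produces. The alert names follow arpwatch's conventions ("new station", "changed ethernet address", "flip flop"); the packet sequence, addresses and the known-gateway table are constructed, modelled on the demo above.

```python
"""ARPwatch-style monitor: learn IP-to-MAC bindings from observed ARP traffic and
alert on the changes ARP poisoning produces. Added example, not from the slides;
alert names follow arpwatch's; addresses are constructed lab values."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpEvent:
    t: float          # capture time, seconds
    sender_ip: str    # spa of the ARP packet (requests and replies both carry one)
    sender_mac: str   # sha of the ARP packet


class ArpWatch:
    def __init__(self, known=None, flipflop_window=120.0):
        self.known = dict(known or {})      # authoritative bindings, e.g. the gateway
        self.bindings = {}                  # ip -> mac most recently claimed
        self.history = defaultdict(list)    # ip -> [(t, mac), ...]
        self.window = flipflop_window

    def observe(self, ev):
        """Return a list of (alert, ip, mac) tuples raised by this packet."""
        alerts = []
        ip, mac = ev.sender_ip, ev.sender_mac
        if ip in self.known and self.known[ip] != mac:
            alerts.append(("spoofed known binding", ip, mac))
        prev = self.bindings.get(ip)
        if prev is None:
            alerts.append(("new station", ip, mac))
        elif prev != mac:
            # A return to a MAC seen recently for this IP is a "flip flop": the real host
            # and the poisoner are both answering for the same address.
            recent = {m for t, m in self.history[ip] if ev.t - t <= self.window}
            kind = "flip flop" if mac in recent else "changed ethernet address"
            alerts.append((kind, ip, mac))
        self.bindings[ip] = mac
        self.history[ip].append((ev.t, mac))
        # One MAC answering for several IPs is the shape of a MITM that poisons both ends
        # (caveat: routers and hosts with IP aliases do this legitimately; whitelist them).
        claimed = sorted(i for i, m in self.bindings.items() if m == mac)
        if len(claimed) > 1:
            alerts.append(("mac claims multiple ips", ",".join(claimed), mac))
        return alerts


def run_monitor():
    """Constructed packet sequence: normal traffic, then .141 poisoning .142 and .143,
    then the real .143 answering a request again, then .141 also claiming the gateway."""
    mac41, mac42, mac43 = "00:0c:29:aa:bb:41", "00:0c:29:aa:bb:42", "00:0c:29:aa:bb:43"
    gw_mac = "00:50:56:00:00:01"
    watch = ArpWatch(known={"192.168.78.1": gw_mac})
    events = [
        ArpEvent(0.0, "192.168.78.142", mac42),
        ArpEvent(1.0, "192.168.78.143", mac43),
        ArpEvent(2.0, "192.168.78.141", mac41),
        ArpEvent(10.0, "192.168.78.143", mac41),   # poison aimed at .142
        ArpEvent(10.0, "192.168.78.142", mac41),   # poison aimed at .143
        ArpEvent(15.0, "192.168.78.143", mac43),   # real .143 replies to someone's request
        ArpEvent(20.0, "192.168.78.1", mac41),     # attacker now also claims the gateway
    ]
    return [alert for ev in events for alert in watch.observe(ev)]


if __name__ == "__main__":
    for alert in run_monitor():
        print(alert)
```

On a real network the monitor needs a sensor that sees the segment's ARP traffic (a SPAN port or a host in promiscuous mode), and the "known" table is the same list of static bindings an administrator would pin on the gateway and servers.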
Summary
• Network traffic may contain valuable information:
– Usernames and passwords
•Encrypted
•Unencrypted
– E-mail, web requests (and replies), data files
– Etc.
• ARP poisoning can allow an attacker to capture and
modify network traffic as a man-in-the-middle:
– Cain and Abel
