Address Resolution Protocol

The Address Resolution Protocol (ARP) resolves an IPv4 address to the corresponding Media Access Control (MAC) address. ARP performs a required function in IP routing. It maintains a cache (table) in which MAC addresses are mapped to IP addresses.

Because the ARP protocol was designed purely for efficiency and not for security, ARP Poisoning attacks are extremely easy to carry out as long as the attacker has control of a machine within the target LAN or is directly connected to it.

Man in the Middle (MitM) Attack

Wireshark MitM

A man in the middle (MITM) attack is a general term for when a perpetrator positions himself in a communication between a user and an application—either to eavesdrop or to impersonate one of the parties, making it appear as if a normal exchange of information is underway.

The goal of an attack is typically to steal personal information, such as login credentials, account details and credit card numbers.

There are different types of MitM attacks, including IP Spoofing, DNS Spoofing, HTTPS Spoofing and SSL Hijacking. ARP Poisoning (or ARP Spoofing) is one of the simplest yet most effective forms, allowing an attacker on the same subnet as its victims to eavesdrop on all network traffic between the victims.

Read more on other types here: https://www.rapid7.com/fundamentals/man-in-the-middle-attacks/

telnet

We will demonstrate ARP poisoning attacks against the telnet protocol. Telnet is a method of remotely accessing a server.

https://gitlab.com/wsec/club/wikis/Remote-access#telnet

Telnet is legacy software that transmits sensitive content in plaintext. We’re using it for demonstration purposes. Never use telnet in practice.

ARP Poisoning

The aim is to associate the attacker’s MAC address with the IP address of another host, […] causing any traffic meant for that IP address to be sent to the attacker instead.

ARP spoofing is a type of cyber attack in which a malicious actor sends falsified ARP messages over a local area network (LAN). This results in the linking of an attacker’s MAC address with the IP address of a legitimate computer or server on the network. Once the attacker’s MAC address is connected to an authentic IP address, the attacker will begin receiving any data that is intended for that IP address. ARP spoofing can enable malicious parties to intercept, modify or even stop data in-transit. ARP spoofing attacks can only occur on local area networks that utilize the Address Resolution Protocol.

Often the attack is used as an opening for other attacks, such as denial of service, man in the middle, or session hijacking attacks.

  • Denial-of-service attacks: ARP Poisoning can be used for DoS attacks over a LAN by simply intercepting or dropping and not forwarding the target’s packets.
  • Man-in-the-middle attacks: MITM attacks can rely on ARP spoofing to intercept and modify traffic between victims.
  • Session hijacking: Session hijacking attacks can use ARP spoofing to steal session IDs, granting attackers access to private systems and data.
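The falsified messages described above leave a visible trace: an IP address that was bound to one MAC address is suddenly claimed by another. The following detection sketch is an added example, not part of the original page or the club wiki; the names `parse_arp`, `ArpWatch` and `scan` and all sample addresses are constructed for illustration.

```python
import socket
import struct

ARP_FMT = "!HHBBH6s4s6s4s"  # ARP body for Ethernet/IPv4 (RFC 826), 28 bytes

def parse_arp(payload: bytes):
    """Return (sender_mac, sender_ip), or None if not an Ethernet/IPv4 ARP body."""
    if len(payload) < struct.calcsize(ARP_FMT):
        return None
    htype, ptype, hlen, plen, _oper, sha, spa, _tha, _tpa = struct.unpack(
        ARP_FMT, payload[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return ":".join(f"{b:02x}" for b in sha), socket.inet_ntoa(spa)

class ArpWatch:
    """Remembers the first MAC seen for each IP and reports later conflicts."""
    def __init__(self, pinned=None):
        self.bindings = dict(pinned or {})  # ip -> trusted or first-seen MAC

    def observe(self, payload: bytes):
        parsed = parse_arp(payload)
        if parsed is None:
            return None
        mac, ip = parsed
        known = self.bindings.setdefault(ip, mac)
        if known == mac:
            return None
        # The claiming MAC usually already owns another IP: the real address
        # of the machine sending the falsified messages.
        also = sorted(i for i, m in self.bindings.items() if m == mac)
        return f"{ip} was {known}, now claimed by {mac} (also holds {also})"

def scan(payloads):
    """Run a fresh watcher over a sequence of ARP bodies; return the alerts."""
    watch = ArpWatch()
    return [a for a in map(watch.observe, payloads) if a]

# Constructed sample ARP replies (hex), not taken from a real capture.
HDR = "0001080006040002"  # htype=1, ptype=IPv4, hlen=6, plen=4, oper=reply
SAMPLE = [bytes.fromhex(HDR + body) for body in (
    "001122334455" "c0a80101" "00aabbccdd01" "c0a8010a",  # .1 announces itself
    "00deadbeef66" "c0a80142" "00aabbccdd01" "c0a8010a",  # .66 announces itself
    "00deadbeef66" "c0a80101" "00aabbccdd01" "c0a8010a",  # .66's MAC claims .1
)]

if __name__ == "__main__":
    for alert in scan(SAMPLE):
        print("ALERT", alert)
```

The watcher trusts whichever MAC it sees first, so a legitimate change such as a replaced network card also raises an alert. Passing known-good bindings for the gateway and servers through `pinned` removes that first-seen dependency for the addresses that matter most.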

Below is a link to the Cybersecurity Club Wiki covering the actual commands needed to carry out a MitM attack using ARP Poisoning to intercept a telnet session.

https://gitlab.com/wsec/club/wikis/Man-in-the-Middle-(MitM)-Attack-%E2%80%93-ARP-Poisoning