What Factors Affect The Successful Operation Of An Arpspoofing Attack?

[billyblaxsta]

When someone is using ARPspoof then they are saying to every NIC in range "I am the router. You already know the router IP and this is the MAC address".

The new MAC address will replace the MAC address each victim had in their ARP cache which contained the router's real MAC address.

ARPspoof broadcasts out the packets repeatedly. I am wondering:

a) Does the router also broadcast out its MAC address continually therefore being a "competitor" to the attacker using ARPspoof? I assume not because I cannot see the point once the ARP cache between the client and router has been created.

B) Which aspects therefore would affect the ability of the attacker to successfully use ARPspoof. If for example the attacker was 10 meters away from the victim using a laptop but there was a router only seven meters away from the victim then is it likely that the router's proximity would mean that the broadcast packets would more likely to be discounted? Or is this not how routers work?

Thanks.

[digip]

When a computer looks to find another device on its lan, and doesn't know the address, it asks its gateway, or in this case, the router. The router will send an ARP saying tell pc who has which address, then the pc will know who the other device is, both its IP and MAC address. In an arp spoof, you tell the victim essentially, that you are the gateway, while also telling the PC your mac address. The PC will then load this mac address in its arp table along with the attackers IP address. Every time it then wants to speak the network, it will do through the attacker, since it will think it is the gateway. You then forward all requests and responses to and from the router to the victim, giving you the ability to sniff all the traffic, and is why its called a MITM, or man in the middle attack.

Distance has nothing to do with the arp, so long as you are on the same LAN. Because this requires knowledge of the mac address, and is something that works at layer 2, the attack wouldn't work over the internet without first becoming part of the victims network, either via VPN or compromising one of the local machines in the same network, and spoofing the attack from there. Layer 2 messages do not route through the internet unless the router(s) in use are specifically packet switching networks(such as Frame Relay).

Basically, if you want to arp spoof, you need to be on the same LAN as the victim and is not something you are going to do from say a house in ohio to a house in california, due to the fact that the mac addresses(layer 2) are only known on the local network, and not across the internet(layer 3).

Edited July 27, 2011 by digip

[Infiltrator]

B) Which aspects therefore would affect the ability of the attacker to successfully use ARPspoof. If for example the attacker was 10 meters away from the victim using a laptop but there was a router only seven meters away from the victim then is it likely that the router's proximity would mean that the broadcast packets would more likely to be discounted? Or is this not how routers work?

Thanks.

You have to be connected to the same network as your victim in order for the arp spoofing attack to work. Again, as long as you are connected to the same network, you could be sitting several miles away from him/her and still be able to arpspoof along with everyone else in the vicinity.

Now depending on the network set up, some network switches may have been programmed to block arp poisoning, rendering arp spoofing useless.

Edited July 27, 2011 by Infiltrator

[Terror Factor]

Wow guys, way to go on not responding the TS's question. Did you even read it? :/

@TS: The router only responds if it is asked, so it won't compete with the spoofing machine. Also, an ARP-reply is normally a unicast(=to one host only) (I'm not sure if the reply is sent as multiple unicasts or a broadcast if you are poisoning a subnet. Can someone fill me in?), so only if that one specific machine is doing an arp-request, the router will answer to that machine.

I think this also answers your second question. Distance does not matter and the router won't be competing :)

[digip]

Wow guys, way to go on not responding the TS's question. Did you even read it? :/

@TS: The router only responds if it is asked, so it won't compete with the spoofing machine. Also, an ARP-reply is normally a unicast(=to one host only) (I'm not sure if the reply is sent as multiple unicasts or a broadcast if you are poisoning a subnet. Can someone fill me in?), so only if that one specific machine is doing an arp-request, the router will answer to that machine.

I think this also answers your second question. Distance does not matter and the router won't be competing :)

The pc or workstation sending the arp will be a broadcast. The routers reply, or arp reply, will be a unicast though. In the case of an arpspoof though, I believe the spoofing machine will send broadcast arps continually so to poison everyone else's arp table.

Edited July 28, 2011 by digip

[Terror Factor]

The pc or workstation sending the arp will be a broadcast. The routers reply, or arp reply, will be a unicast though. In the case of an arpspoof though, I believe the spoofing machine will send broadcast arps continually so to poison everyone else's arp table.

Would be the most logical approach, but if that's the case, wouldn't it be relatively easy to ignore all arp reply that are broadcasts, since they aren't used(?) normally?

It's of course easily circumvented, but it would be better than nothing and would make mass arpspoofing a bit more difficult/slower.

[digip]

wouldn't it be relatively easy to ignore all arp reply that are broadcasts

Well, that is if the arpspoof is sending broadcasts. I've not used arpspoof specifically, so not sure how its sending the replies and poisoning the workstations, either by broadcast or unicast.

It could be in part sending unicast, but to every address its aware of. Cain for example, requires an arp scan of the subnet first, then makes a list of know machines and gateway to poison. Then you have to specify which ones you want to poison.

The normal arp is as follows though, a PC requests an address it wants to send to(IP), sends a broadcast looking for this via arp, router checks its table, sends unicast back saying "who has" such an address, then PC adds to its arp table. On most systems ARP is retransmitted every 15 minutes or so but can actually have the metric changed. I imagine arpspoof will update more often than this, keeping a steady flow of poisioned entries going out to all workstations it's aware of.

edit: actually just looked in wireshark, it sends a broadcast,

.... ...1 .... .... .... .... = IG bit: Group address (multicast/broadcast)

and then the broadcast goes to all machines on the network forwarded by the router, then the device in question, if exists, is what responds to the ARP, but as an arp replay directly to the requester, and not as a broadcast. So the end device seems to reply, not the actual router.

.... ...0 .... .... .... .... = IG bit: Individual address (unicast)

The reply is a unicast packet though. How/what arpspoof sends as a replay, is something you would have to test yourself.

Edited July 28, 2011 by digip

[Infiltrator]

If I had the time, I would just run some testing on my network using wireshark and confirm how arp poisoning really works.

[billyblaxsta]

Thanks guys - I understand a bit more now.

I see the point about how distance is not relevant since - as long as you are on the LAN - you are broadcasting the message that you are the router to all clients.

Let's take a "hypothetical".

Alex is the ARPspoofer and is in a cafe where he can see Bob and Carly surfing the Net. He has already Arpspoofed and is using SSL Strip. He can see both logging in to various webmails and suchlike but for some reason he only is getting the SSL login details for Bob.

He knows there is only one router IP in that building so it cannot be that Carly is on a different subnet.

What could be happening? The only thing that I can think of is that this is not an ARPspoofing issue but a SSL Strip issue and for some reason SSL Strip does not properly work (perhaps because too much traffic is going through Alex's machine considering he is broadcasting the ARPspoof).

Might there be other causes why Carly's logins are not recorded?

[digip]

If they are on a switched network, vlans, spanning tree protocols across segments of the network, bridges in use, etc, any number of factors could be at play(switches generally create havock with MITM attacks, and on corporate network, would probably throw off all sorts of alarms, as where on home consumer routers over wireless, not much of an issue at all), as well as some sites security not allowing any http access, and as soon as you try to strip ssl, it fails to do anything with the network in question. Nothing captured, because nothing is able to get to a login and might continually redirect the user to https. Cloning sites and serving them to the victim usually thwarts ssl in this case. If a user sees the login prompt for their site, its possible they might not even notice they are even on a phishing page.