Title: ARP spoofing (ARP picture book-7 from VisualLand Animations)
1 ARP spoofing
ARP tutorial with pictures - 7
www.visualland.net
- Watch animation to learn networking.
- Visualize how ARP translates an IP address into a MAC. Watch interactions between ARP Request, ARP Reply, and ARP cache.
- This pictured tutorial takes screenshots from the ARP spoofing Animation.
- OK to republish this slide. Please use a hyperlink to point to its source.
2 ARP animations
- ARP basic - update: For beginners. Observe basic IP-MAC binding interactions (ARP Request, ARP Reply, ARP cache, ping encapsulation, ping command).
- ARP basic - no update: Same as above, but the node receiving the ARP Request does not update its ARP cache. (It's a vendor decision whether to update the ARP cache when receiving an ARP request.)
- ARP hub: Three hosts are connected to a hub. Run ping to observe how ARP frames and ping packets are flooded by the hub.
- ARP switch: Three hosts are connected to a switch. Run ping to observe how ARP frames are flooded and switched by the switch.
- ARP router gateway (Lab): Visualize how ARP discovers a MAC in a different subnet when hosts are connected to a router and the router is the default gateway.
- ARP router proxy (Lab): Visualize how ARP discovers a MAC in a different subnet when hosts are connected to the same router but have no default gateway.
- ARP spoofing (Theory): Visualize how a hacker can listen to and corrupt IP-MAC bindings in others' ARP caches, and kidnap data.
- ARP spoofing (Lab): Same as above. The animation data is captured from a simulation lab (dynamips). Timing is realistic.
2019/9/23
3 Brief: ARP spoofing Animation Link
Goal. Visualize how hackers exploit ARP's weakness to fool hosts and steal data with a fake ARP reply.
Topology. 3 hosts, H1, H2, H3, are connected by a switch S1. H3 is the hacker.
Steps.
1) When H1 sends an ARP request to find H2's MAC, S1 floods the ARP frame. H3 learns H1's MAC.
2) H2 receives the ping and can't echo H1. It sends an ARP request to find H1's MAC. S1 floods it. The hacker is able to learn H2's MAC.
3) H3 pretends to be H1 and sends a fake ARP reply to H2. H2 updates its ARP cache with the new "H1" MAC.
4) H1 pings H2. H2 sends an echo. The switch forwards the echo to H3, not H1.
4 H1 sends ARP request
- H1 wants to ping H2 but does not know its MAC. H1 sends an ARP request.
- When switch S1 receives the ARP request, it floods the frame to H2 and H3 (Attacker).
- Also, S1 adds the new MAC entry (MAC.H1, F0/1) to its MAC table.
5 H2, Hacker learn H1's MAC
- H2 receives the ARP request, checks its sender/target IP/MAC, adds H1's MAC to its ARP cache, and sends an ARP reply back to H1.
- H3 (Attacker) receives the ARP request, reads the protocol's sender IP/MAC, and adds H1's MAC to its ARP cache. H3 is a hacker. It ignores the target; it is interested in finding the sender's address. This is a side effect of broadcasting and flooding: everyone can receive the frame.
6 H1 ping H2
When receiving the ARP Reply, H1 updates its ARP cache, changing (IP.H2, Incomplete) to (IP.H2, MAC.H2). Then H1 pings H2 again. S1 forwards the ping to H2, with no flooding this time.
7 H2 can't echo: ARP Request
H2 receives the ping but can't send an echo back. The echo fails due to an ARP miss: H2's ARP cache does not contain H1's MAC. So H2 sends an ARP request.
8 Hacker learns H2 MAC
- S1 receives the ARP request and floods it to H1 and H3.
- When H1 receives the ARP request, it sends an ARP reply back to H2 to tell it its MAC.
- When H3 receives H2's ARP request, it steals H2's MAC and stores it in its ARP cache. Now H3 has both H1's and H2's MACs. It is ready to act.
9 Hacker sends ARP Reply to H2
While H1 is sending its ARP reply to H2, the hacker (H3) starts to attack. H3 sends an ARP reply to H2 with fake IDs: ARP's sender IP = H1's IP, sender MAC = H3's MAC. Its goal is to fool H2. It wants H2 to think that H1 has changed its MAC address and that the new MAC is H3's MAC. Click the ARP Reply to see the fake ID in the protocol header.
10 H2 is fooled by Attacker
H2 receives two ARP Replies.
- The first one is from H1. H2 adds a new entry (IP.H1, MAC.H1) to its ARP cache.
- The second ARP reply is from H3. H2 changes H1's ARP cache entry from (IP.H1, MAC.H1) to (IP.H1, MAC.Attacker). Now H2 thinks H1's MAC is MAC.Attacker. It is being fooled, but H2 does not know.
11 H1 ping H2
Now H1 pings H2 again. The ping is switched by S1 to H2.
12 H2 echo H1. But received by H3
When H2 receives the ping, it responds with an echo. H2 encapsulates the echo using the destination addresses (IP.H1, MAC.Attacker), so its link header carries MAC.Attacker as the destination MAC. When S1 receives the echo, it uses the echo's destination MAC (MAC.Attacker) to look up its MAC table and forwards the echo to F0/3. As a result, H3 (the Attacker) receives the echo, not H1.
Note: This tutorial shows how ARP spoofing works. Hackers can do many harmful things, e.g., alter data and retransmit packets to the target, or store data and use it for illegal actions.
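The cache overwrite on slide 10 is also the point where the spoof can be detected: a second ARP reply claims a different MAC for an IP that is already bound. The sketch below is an added example, not part of the original slides; it parses raw ARP payloads and refuses the rebinding, and the addresses and the names `BindingMonitor`, `arp_payload` and `replay_two_replies` are constructed for illustration.

```python
import struct

def parse_arp(payload):
    """Return (opcode, sender_ip, sender_mac) for an Ethernet/IPv4 ARP payload, else None."""
    if len(payload) < 28 or struct.unpack("!HHBB", payload[:6]) != (1, 0x0800, 6, 4):
        return None
    (oper,) = struct.unpack("!H", payload[6:8])
    sender_mac = ":".join(f"{b:02x}" for b in payload[8:14])
    sender_ip = ".".join(str(b) for b in payload[14:18])
    return oper, sender_ip, sender_mac

class BindingMonitor:
    """Tracks IP-to-MAC bindings seen in ARP traffic and flags any rebinding."""
    def __init__(self, pinned=None):
        self.pinned = dict(pinned or {})  # static bindings that must never change
        self.seen, self.alerts = {}, []   # learned bindings, raised alerts

    def observe(self, payload):
        """Return True if the binding is accepted, False if rejected or flagged."""
        parsed = parse_arp(payload)
        if parsed is None:
            return False
        _, ip, mac = parsed
        known = self.pinned.get(ip, self.seen.get(ip))
        if known is not None and known != mac:
            self.alerts.append(f"{ip} changed from {known} to {mac}")
            return False                  # keep the old binding, do not overwrite
        self.seen[ip] = mac
        return True

def arp_payload(oper, sha, spa, tha, tpa):
    """Build ARP payload bytes in memory for the constructed sample below."""
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    ip = lambda a: bytes(int(x) for x in a.split("."))
    return struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper) + mac(sha) + ip(spa) + mac(tha) + ip(tpa)

# Constructed addresses (assumptions, not from the slides).
H1 = ("10.0.0.1", "02:00:00:00:00:01")
H2 = ("10.0.0.2", "02:00:00:00:00:02")
H3 = ("10.0.0.3", "02:00:00:00:00:03")

def replay_two_replies(pinned=None):
    """Feed H2's view of slide 10: H1's genuine reply (opcode 2), then H3's forged one."""
    monitor = BindingMonitor(pinned)
    genuine = arp_payload(2, H1[1], H1[0], H2[1], H2[0])
    forged = arp_payload(2, H3[1], H1[0], H2[1], H2[0])  # sender IP = H1, sender MAC = H3
    verdicts = [monitor.observe(genuine), monitor.observe(forged)]
    return verdicts, monitor.seen.get(H1[0]), monitor.alerts
```

A learned binding is only as good as the first reply seen, so the `pinned` table covers the case where the forged reply arrives first; a legitimate NIC replacement raises the same alert and has to be confirmed by hand.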
13 FAQ
- What is ARP Spoofing?
- How does ARP Spoofing work?
- Why ARP Spoofing?
- How to prevent ARP spoofing?
- (Answers in the Comments box.)
14 What is Vlab: visualland.net
- VLAB: Virtual Lab
- Theory: Visualize key points of network protocols to help beginners grasp the basic ideas quickly.
- Lab: Visualize network activities with packets and router states captured from network simulators (dynamips, packet tracer, and ns2).
- Interactively control animation packet headers, protocol state tables.
- Vlab usage
- Self learning, teaching aids, lab book.