Understanding ARP & ARP Poisoning
Results 1 to 8 of 8

Thread: Understanding ARP & ARP Poisoning

  1. #1

    Understanding ARP & ARP Poisoning

    So I have a lot of free time at work right tnow, and a MCSE study guide on TCP/IP networking I got for Christmas, and I'm trying to finally sit down and study this and learn the deeper aspects about TCP/IP. I can brush the surface of it with my knowledge, and it's due time for me to dive into it.

    So right now I'm studying how ARP works in regard to resolving MAC addresses, and I'm a little confused. The book explains that a router checks a packet's ARP cache to see if it already knows the MAC address of the machine it's looking for. If it's not listed in the cache, it broadcasts to the entire local network asking if any of the machines on that LAN have the IP address that the packet is intended for.

    So here's my question: How could a packet sent from a WAN know the IP address of the destination machine behind the LAN? There's usually only one WAN IP address for the entire network at the router, so that would only leave the LAN IP addresses for each specific machine. So how in the world would a remote client outside the LAN know that IP in order for it be requested from the packet?

    Or am I just misunderstanding what I'm reading here?

    Ok, that's the first question. Second: I believe I've heard the term "ARP poisoning" thrown around before, but I wasn't familiar with ARP yet so I didn't understand what was going on. What exactly is that concept?

  2. #2
    Senior Member Maestr0's Avatar
    Join Date
    May 2003
    Posts
    604
    You are confused because you have entered NAT (Network Adress Translation) into your equation. First of all ARP is not a routed protocol, it is used only internally and does not usually traverse networks (This is not strictly true, it can traverse via a network bridge but as it is a broadcast protocol is does not typically go anywhere any other broadcast wouldnt) Routers are not the only network device that uses ARP, any PC will also have an ARP cache for locating machines. When you say "There's usually only one WAN IP address for the entire network at the router" this is only true if you are using NAT. There are plenty of networks who have many public IPs and could concievably have a true internet address for every machine on their network although this is not typically the case. When you are using NAT, the NAT device keeps an internal table of all connections from the internal addresses and then rewites the packet with its own external IP and away it goes. It tracks each connection through the internal source IP and the port associated for that session when the packet comes back it checks the sequence and port and sends is to where its really going. This is one reason why a NAT device makes a pretty decent firewall almost as a side effect, because anyone sending a packet from the WAN to the NAT device where no connection has been initated from the inside, has nowhere to go - theres no entry in the port map table so how do you know what client to send the packet to? You dont, it gets dropped. Hence NAT devices usually work great as long as the connection is initiated from inside the network and the proper information is added to the routers port mapping table. Question Two: ARP posioning takes advantage of the fact that early network engineers were trusting types and didnt realize the heinous things people would to to their protocols. Typically a machine well send out an ARP request and when the appropriate machine answers it adds that machines IP to its ARP cache. So what happens if I send an ARP response to a machine, even though it didnt ask me? It acts like a good boy, and adds the entry to its table. So ARP posioning is when you you lie to the poor device(s) by answering an ARP request that wasnt made, telling the device you have such-and-such address. It will now send packets destined to that IP to your MAC. After you inspect the traffic you procede to send the traffic to where its SUPPOSED to go and no one is the wiser that you are between the two devices. Hence man-in-the middle attack,


    -Maestr0
    \"If computers are to become smart enough to design their own successors, initiating a process that will lead to God-like omniscience after a number of ever swifter passages from one generation of computers to the next, someone is going to have to write the software that gets the process going, and humans have given absolutely no evidence of being able to write such software.\" -Jaron Lanier

  3. #3
    Senior Member
    Join Date
    Dec 2004
    Posts
    107
    Okay, I am not entirely sure about it (meaning, corrections and criticisms are always appreciated), but I'll give it a try anyway...

    Imagine the following scenario. You have a LAN with 3 computers connected to it. Computer 1 wants to send a packet to Computer 2 (for example, you say ping 192.168.0.3 (computer 2) from computer 1 (192.168.0.2)). How does this happen? Well, you first send an ICMP request to the router (that's your next hop), then the router sends an ARP request message asking "Who is 192.168.0.3? Tell 192.168.0.2".

    Then Computer 2 sends _you_ a reply "192.168.0.2 is at hh:hh:hh:hh:hh:hh" (MAC address) because a) he is on your network and b) because your MAC address was included in the original message.

    As far as ARP Caching goes, basically, you would take that information and store it in an internal table for a specific amount of time. Obviously, you don't want the arp cache to live forever because IP addresses change in some environments, interfaces go down all the time,etc...
    ARP poisoning I don't know about unfortunately, and leave up to a more experienced hacker.

    Also for reference, you can read this http://www.erg.abdn.ac.uk/users/gorr...pages/arp.html

    and of course use our friendly search service (google.com).

    Lemme know if you got Q's
    -ik
    Alright Brain, you don\'t like me, and I don\'t like you. But let\'s just do this, and I can get back to killing you with beer.
    -- Homer S.

  4. #4
    AntiOnline Senior Medicine Man
    Join Date
    Nov 2001
    Posts
    724
    ARP poisoning: In a nutshell it turns a machine on the network into the Gateway more or less. That way, all the traffic goes through the machine running an ARP Poisoner, allowing them to packet capture, and packet sniff for the entire subnet, depending on the Network Topology.
    It is better to be HATED for who you are, than LOVED for who you are NOT.

    THC/IP Version 4.2

  5. #5
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    If I'm correct you are misunderstanding this stuff.....

    Firstly, it seems like you need to look at NAT. From what you say you seem to be confused about the initiating packet from the WAN actually reaching the internal machine. That's the job of your NATed router to know where the original request came from and route the appropriate packets to the appropriate internal machine.

    If you do nothing to a NAT router it will drop all unsolicited packets. If you tell the router that packets sent to it's WAN address on port X are to be sent to the LAN address xxx.xxx.xxx.xxx then it will do as it is told.... It's that simple....

    As to ARP. ARP is _entirely_ local.... TCP/IP, UDP etc. are remote, (they are routing protocols).

    The "secret" is the subnet mask..... Yeah, that nasty complicated thingy they make you study.... They never really tell you what it's for.... I'll let the cat out of the bag..... If I may...

    The subnet mask really is only used for one thing... Determining whether the IP address of the machine to be contacted is "local". It may be through routers still but it could still be considered local depending upon the router's configuration and the subnet mask. If the destination IP address doesn't fit in the subnet mask then the returned packet is sent to the default gateway, if it fits the subnet mask and the _local_ ARP table doesn't hold the required information, (the MAC address), then an ARP request is sent out to get the MAC address of the machine.

    Thus, it is either impossible or _really really_ difficult, (depends on the security level of the network as a whole), to ARP poison a remote network, (you have to have a network that is relatively "local" and wide open to broadcasts of ARP to be able to accomplish it)

    I dunno if that makes any sense..... If I'm not clear or was wishy-washy on something there go ahead and ask more.....
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

  6. #6
    Wow, lots of info, and exactly what I wanted! I think I'm getting the jist of it, but I suspect a reread of both that chapter and this thread are in order. I indeed was under the impression that ARP was travelling over the WAN into the LAN, so that alone answers one question. I'm sure as I keep going over this I'll no doubt have more questions, so I'll be back!

  7. #7
    Senior Member
    Join Date
    Nov 2001
    Posts
    1,255
    Just clarification:

    Originally posted by Dr Toker
    ARP poisoning: In a nutshell it turns a machine on the network into the Gateway more or less. That way, all the traffic goes through the machine running an ARP Poisoner, allowing them to packet capture, and packet sniff for the entire subnet, depending on the Network Topology.
    Not necessarily. ARP poisoning itself is simply the act of getting wrong information into a given network device's ARP cache. This could come in the form of answering arp queries faster than the real host with you own credentials, and could be used for MITM attacks as suggested, but can easily be used in other ways. For example, you could shut down an entire LAN by replying to EVERY ARP request with your own bogus information, or just take out one host by doing the same.

    Originally posted here by Tiger Shark
    As to ARP. ARP is _entirely_ local.... TCP/IP, UDP etc. are remote, (they are routing protocols).
    TCP/IP, UDP/IP and so forth, are routed or routable protocols. IGMP and RIP are examples of routing protocols. A subtle yet very important distinction.
    As for where ARP is used, it is indeed entirely local, though locality may vary based on the network you're talking about. A good general rule of thumb is that ARP is done inside each broadcast domain. Broadcast domains are broken up by routers, so basically if you get to a router, ARP will not go beyond it. This makes sense when you understand that ARP's role is to bridge Ethernet's MAC layer (Layer 2 on the OSI Model) and the IP layer (Layer 3 on the OSI Model).

    The "secret" is the subnet mask..... Yeah, that nasty complicated thingy they make you study.... They never really tell you what it's for.... I'll let the cat out of the bag..... If I may...

    The subnet mask really is only used for one thing... Determining whether the IP address of the machine to be contacted is "local". It may be through routers still but it could still be considered local depending upon the router's configuration and the subnet mask. If the destination IP address doesn't fit in the subnet mask then the returned packet is sent to the default gateway, if it fits the subnet mask and the _local_ ARP table doesn't hold the required information, (the MAC address), then an ARP request is sent out to get the MAC address of the machine.
    That's an overly narrow view of what a subnet mask is used for. The subnet mask is a mask applied to the IP address to determine its network and host portions. It's used for more than simply determining if outgoing traffic is destined for a local LAN, though that is certainly one of its uses. Another use, more often seen on large distributed networks, is for segregating higher class networks into multiple networks. Examples of where this might be used are basically any business chain.
    Chris Shepherd
    The Nelson-Shepherd cutoff: The point at which you realise someone is an idiot while trying to help them.
    \"Well as far as the spelling, I speak fluently both your native languages. Do you even can try spell mine ?\" -- Failed Insult
    Is your whole family retarded, or did they just catch it from you?

  8. #8
    Banned
    Join Date
    Aug 2004
    Posts
    534
    this will help

    watch and learn

    http://www.oxid.it/downloads/apr-intro.swf

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •