7.4 ARP Poisoning
What Is Address Resolution Protocol (ARP)?
- Address Resolution Protocol (ARP) is a stateless protocol used for resolving IP addresses to machine (MAC) addresses.
- All network devices (that needs to communicate on the network) broadcasts ARP queries in the network to find out other machines' MAC addresses.
- When one machine needs to communicate with another, it looks up its ARP table. If the MAC address is not found in the table, the ARP_REQUEST is broadcasted over the network.
- All machines on the network will compare this IP address to their MAC address.
- If one of the machine in the network identifies with this address, it will respond to ARP_REQUEST with its IP and MAC address. The requesting machine will store the address pair in the ARP table and communication will take place.
ARP Spoofing Attack
- ARP packets can be forged to send data to the attacker's machine.
- ARP Spoofing involves constructing a large number of forged ARP request and reply packets to overload a switch.
- Switch is set in "forwarding mode" after ARP table is flooded with spoofed ARP replies and attackers can sniff all the network packets.
- Attackers flood a target computer's ARP cache with forged entries, which is also known as poisoning.
How Does ARP Spoofing Work
Threats of ARP Poisoning
- Using fake ARP messages, an attacker can divert all communications between two machines so that all traffic is exchanged via his/her PC.
- The threats of ARP poisoning include:
- Packet Sniffing
- Session Hijacking
- VoIP Call Tapping
- Manipulating Data
- Man-in-the-Middle Attack
- Data Interception
- Connection Hijacking
- Connection Resetting
- Stealing Passwords
- Denial-of-Service (DoS) Attack
ARP Poisoning Tools: Cain & Abel and WinArpAttacker
- Cain & Abel: Cain & Abel allows sniffing packets of various protocols on switched LANs by hijacking IP traffic of multiple hosts concurrently.
- WinArpAttacker: WinArpAttackdr sends IP conflict packets to target computers as fast as possible and diverts all communications.
zxarps
ARP Poisoning Tool: Ufasoft Snif
- Ufasoft Snif is an automated ARP poisoning tool that sniffs passwords and email messages on the network and works on Wi-Fi network as well.
How to Defend Against ARP Poisoning
- Implement Dynamic ARP Inspection Using DHCP Snooping Binding Table.
Configuring DHCP Snooping and Dynamic ARP Inspection on Cisco Switches
ARP Spoofing Detection: XArp
- XArp helps users to detect ARP attacks and keep their data private.
- It allows administrators to monitor whole subnets for ARP attacks.
- Different security levels and fine tuning possibilities allow normal and power users to efficiently use XArp to detect ARP attacks.
Q1) Jayden is a network administrator for her company. Jayden wants to prevent MAC spoofing on all the Cisco switches in the network. How can she accomplish this?
- Jayden can use the commanD. ip binding set.
- Jayden can use the commanD. no ip spoofing.
- She should use the commanD. no dhcp spoofing.
- She can use the commanD. ip dhcp snooping binding.
Q2) Bill is a security analyst for his company. All the switches used in the company's office are Cisco switches. Bill wants to make sure all switches are safe from ARP poisoning. How can Bill accomplish this?
- Bill can use the command: ip dhcp snooping.
- Bill can use the command: no ip snoop.
- Bill could use the command: ip arp no flood.
- He could use the command: ip arp no snoop.
Q3) Which of the following prevents ARP poisoning?
- ARP Ghost
- IP DHCP Snooping
- IP Snoop
- DNSverf
A3) IP DHCP Snooping can be used on Cisco devices to prevent ARP poisoning by validating IP-to-MAC mappings based on a saved database.
Q4) How do you defend against ARP Spoofing? Select three.
- Use ARPWALL system and block ARP spoofing attacks
- Tune IDS Sensors to look for large amount of ARP traffic on local subnets
- Use private VLANS
- Place static ARP entries on servers,workstation and routers
A4) IDS option may works fine in case of monitoring the traffic from outside the network but not from internal hosts.
Q5) Which type of sniffing technique is generally referred as MiTM attack?
- Password Sniffing
- ARP Poisoning
- Mac Flooding
- DHCP Sniffing
A5) ARP poisoning is the closest value to the right answer because ARP spoofing,also known as ARP flooding,ARP poisoning or ARP poison routing (APR),is a technique used to attack alocal-area network(LAN). ARP spoofing may allow an attacker to interceptdata frameson a LAN,modify the traffic,or stop the traffic altogether. The attack can only be used on networks that make use of theAddress Resolution Protocol(ARP) and not another method of address resolution.
Q6) A tester is attempting to capture and analyze the traffic on a given network and realizes that the network has several switches. What could be used to successfully sniff the traffic on this switched network? (Choose three.)
- ARP spoofing
- MAC duplication
- MAC flooding
- SYN flood
- Reverse smurf attack
- ARP broadcasting
A6) MAC duplication: 模擬成別人的mac
Q7) Harold is the senior security analyst for a small state agency in New York. He has no other security professionals that work under him, so he has to do all the security-related tasks for the agency. Coming from a computer hardware background, Harold does not have a lot of experience with security methodologies and technologies, but he was the only one who applied for the position. Harold is currently trying to run a Sniffer on the agency's network to get an idea of what kind of traffic is being passed around, but the program he is using does not seem to be capturing anything. He pours through the Sniffer's manual, but cannot find anything that directly relates to his problem. Harold decides to ask the network administrator if he has any thoughts on the problem. Harold is told that the Sniffer was not working because the agency's network is a switched network, which cannot be sniffed by some programs without some tweaking. What technique could Harold use to sniff his agency's switched network?
- ARP spoof the default gateway
- Conduct MiTM against the switch
- Launch smurf attack against the switch
- Flood the switch with ICMP packets
Q8) A network admin contacts you. He is concerned that ARP spoofing or poisoning might occur on his network. What are some things he can do to prevent it? Select the best answers.
- Use port security on his switches.
- Use a tool like ARPwatch to monitor for strange ARP activity.
- Use a firewall between all LAN segments.
- If you have a small network,use static ARP entries.
- Use only static IP addresses on all PC's.
A8) By using port security on his switches,the switches will only allow the first MAC address that is connected to the switch to use that port,thus preventing ARP spoofing.ARPWatch is a tool that monitors for strange ARP activity. This may help identify ARP spoofing when it happens. Using firewalls between all LAN segments is possible and may help,but is usually pretty unrealistic.On a very small network,static ARP entries are a possibility. However,on a large network,this is not an realistic option. ARP spoofing doesn't have anything to do with static or dynamic IP addresses. Thus,this option won't help you.
Q9) Samantha was hired to perform an internal security test of XYZ. She quickly realized that all networks are making use of switches instead of traditional hubs. This greatly limits her ability to gather information through network sniffing.
Which of the following techniques can she use to gather information from the switched network or to disable some of the traffic isolation features of the switch? (Choose two)
- Ethernet Zapping
- MAC Flooding
- Sniffing in promiscuous mode
- ARP Spoofing
A9) In a typical MAC flooding attack,a switch is flooded with packets, each containing different source MAC addresses. The intention is to consume the limited memory set aside in the switch to store the MAC address-to-physical port translation table. The result of this attack causes the switch to enter a state called failopen mode, in which all incoming packets are broadcast out on all ports (as with a hub), instead of just down the correct port as per normal operation. The principle of ARP spoofing is to send fake, or 'spoofed', ARP messages to an Ethernet LAN. These frames contain false MAC addresses, confusing network devices, such as network switches. As a result frames intended for one machine can be mistakenly sent to another (allowing the packets to be sniffed) or an unreachable host (a denial of service attack).
Q10) Which of the following is not considered to be a part of active sniffing?
- MAC Flooding
- ARP Spoofing
- SMAC Fueling
- MAC Duplicating
Q11) What is a countermeasure to passive sniffing?
- Implementing a switched network
- Implementing a shared network
- ARP spoofing
- Port-based security
A11) By implementing a switched network, passive sniffing attacks are prevented.
Q12) Which of the following is a countermeasure to ARP spoofing?
- Port-based security
- WinTCPkill
- Ethereal
- MAC-based security
A12) Port-based security implemented on a switch prevents ARP spoofing.
Q13) Jason is a junior system administrator for a small firm of 50 employees. For the last week a few users have been complaining of losing connectivity intermittently with no suspect behavior on their part such as large downloads or intensive processes. Jason runs Wireshark on Monday morning to investigate. He sees a large amount of ARP broadcasts being sent at a fairly constant rate. What is Jason most likely seeing?
- ARP poisoning
- ARP caching
- ARP spoofing
- DNS spoofing
A13) An excessive number of ARP broadcasts would indicate an ARP poisoning attack. The users reporting loss of connectivity may indicate an attempted session hijacking with a possible DoS attack.
Q14) In which part of OSI layer, ARP Poisoning occurs?
- Transport Layer
- Datalink Layer
- Physical Layer
- Application layer
Q15) How do you defend against ARP Poisoning attack? (Select 2 answers)
- Enable DHCP Snooping Binding Table
- Restrict ARP Duplicates
- Enable Dynamic ARP Inspection
- Enable MAC snooping Table
Q16) ARP poisoning is achieved in _ steps
- 1
- 2
- 3
- 4
A16) The hacker begins by sending a malicious ARP "reply" (for which there was no previous request) to your router, associating his computer's MAC address with your IP Address. Now your router thinks the hacker's computer is your computer. Next, the hacker sends a malicious ARP reply to your computer, associating his MAC Address with the routers IP Address. Now your machine thinks the hacker's computer is your router. The hacker has now used ARP poisoning to accomplish a MitM attack.
Q17) Which of the following are appropriate active sniffing techniques against a switched network? (Choose all that apply.)
- ARP poisoning
- MAC flooding
- SYN flooding
- Birthday attack
- Firewalking
A17) ARP poisoning can be used to trick a system into sending packets to your machine instead of recipients (including the default gateway). MAC flooding is an older attack used to fill a CAM table and make a switch behave like a hub.
Q18) Machine A (with MAC address 00-01-02-AA-BB-CC) and Machine B (00-01-02-BB-CC-DD) are on the same subnet. Machine C, with address 00-01-02-CC-DD-EE, is on a different subnet. While sniffing on the fully switched network, Machine B sends a message to Machine C. If an attacker on Machine A wanted to receive a copy of this message, which of the following circumstances would be necessary?
- The ARP cache of the router would need to be poisoned, changing the entry for Machine A to 00-01-02-CC-DD-EE.
- The ARP cache of Machine B would need to be poisoned, changing the entry for the default gateway to 00-01-02-AA-BB-CC.
- The ARP cache of Machine C would need to be poisoned, changing the entry for the default gateway to 00-01-02-AA-BB-CC.
- The ARP cache of Machine A would need to be poisoned, changing the entry for Machine C to 00-01-02-BB-CC-DD.
A18) ARP poisoning is done on the machine creating the frame-the sender. Changing the default gateway entry on the sending machine results in all frames intended for an IP out of the subnet being delivered to the attacker. Changing the ARP cache on the other machine or the router is pointless.
Q19) What technique funnels all traffic back to a single client, allowing sniffing from all connected hosts?
- ARP redirection
- ARP poisoning
- ARP flooding
- ARP partitioning
A19) ARP poisoning alters ARP table mappings to align all traffic to the attacker’s interface before traveling to the proper destination. This allows the attacker to capture all traffic on the network and provides a jumping-off point for future attacks.
Q20) What common tool can be used for launching an ARP-poisoning attack?
- Cain and Abel
- Nmap
- Scooter
- TCPdump
A20) Cain and Abel is a well-known suite of tools used for various pen testing functions such as sniffing, password cracking, and ARP poisoning.
Q21) Cain & Abel can perform which of the following functions? (Choose all that apply.)
- Sniffing
- Packet generation
- Password cracking
- ARP poisoning
A21) Cain & Abel can perform sniffing, password cracking, and ARP poisoning.