Blog

As you saw in a previous post, DHCP Hacking Made Easy, poorly configured networks can serve as an attack vector for “The Attacker”. In this entry, we continue this exploration with another dead simple attack on the network, ARP spoofing. ARP is the protocol responsible for informing hosts within a given LAN, which IP addresses belong to which MAC addresses. What happens when we provide bad information to hosts on a LAN inside ARP? Bad things as you will see here. The good news is that this type of attack is easily thwarted by a proper configuration on the network!

Attack Topology

Using my own network equipment¹ and my own computers¹, here is the topology used to demonstrate the attacks. It is assumed that “The Attacker” PC is connected to the same LAN segment as “The Victim” PC. The fact that the attacker was able to connect to the same LAN segment as the victim demonstrates a poorly configured or absent NAC policy, but that is a topic for another time.

¹ Do not attempt to perform these attacks on any networks/systems without express written consent from the network/systems administrators.

ARP Attack - Baseline

Before we launch our attack, we will gather some baseline data.

ARP Attack!!!

Here we launch our attack from our “Attacker” PC. It is scary easy to do.

Shots Fired! Now let us see what this did to the state of the network.

ARP Attack – The Poisoned State

Here we will look at the results of the ARP poisoning attack.

Notice how The Router now sends traffic for 10.254.12.13 toward The Attacker’s MAC address. Notice how The Victim now sends traffic for 10.254.12.1 toward The Attacker’s MAC address. The Attacker is now comfortably, and silently, in the middle! The Victim doesn’t know. They are still looking up Dad jokes on the Internet all the while. Observe how the ‘tracert’ from The Victim has a mysterious 1st hop.

Now The Attacker can take their time analyzing all the traffic to and from The Victim as they plan the next phase of their attack. It’s as simple as launching Wireshark.

ARP Attack – Traffic Flows

To aid in hammering home what happened, here we will look at The Victims traffic flows pre- and post-attack. As you can see from below, The Attacker now has their grubby hands on all The Victim’s traffic.

ARP Attack – Prevention

One specific line of defense against these types of attack comes in the form of Dynamic ARP Inspection (DAI). Using DAI requires that DHCP Snooping be configured and functioning. We provided an example for configuring DHCP Snooping in a previous entry, so here we assume it is already in place.

All we need to do is add this little bit of configuration to our layer two switch.

ARP Attack – The Second Attack!!!

Let’s see how our little network fares against this attack now that we have configured Dynamic ARP Inspection (DAI). We will launch the attack the same as last time and observe the effects.

ARP Attack!!! – Take Two!

Here we launch our attack again from our “Attacker” PC.

Shots Fired! Now let us see what this did to the state of the network.

ARP Attack – The Poison Attempt

Here we will look at the results of the ARP poisoning attack now that we have fortified the network with DAI.

Notice how the ARP tables remain unaffected by the poisoning attempt. DAI says NO WAY!!

What’s Next?

You scrambling to login to your access switches and ensuring you have DHCP Snooping and Dynamic ARP Inspection configured, that’s what!!!

As always if you have any questions on improving your IT environment set up for you and your business and would like to schedule a free consultation with us, please reach out to us at sales@lookingpoint.com and we’ll be happy to help!