© elisanth, 123RF.com

ARP cache poisoning and packet sniffing

Poisoned Pool

Article from ADMIN 06/2011
Intruders rely on ARP cache poisoning to conceal their presence on a local network. We'll show you some tools an attacker might use to poison the ARP cache and gather information on your network.

In a switched network environment, packets are sent to their destination port by MAC address. This process requires that the systems on the network maintain a table associating MAC addresses with ports. Packets are therefore sent only to the devices for which they are meant, but even then, there are ways to sniff other devices' packets. One such way is to spoof your MAC address and poison the ARP table. Because ARP keeps no state information, an ARP cache entry can be overwritten (unless the entry is explicitly marked as permanent).

ARP cache poisoning puts the attacker in a position to intercept communications between two computers. Computer A believes it is communicating with Computer B, but because of the poisoned ARP table, the communication actually goes to the attacker's computer. The attacker can then either respond to Computer A (pretending to be Computer B) or simply forward the packets to their intended destination, but only after the packet information is captured and logged for later use by the attacker. Likewise, the response from Computer B can be captured and logged by the attacker, who has also used ARP poisoning to make Computer B think the attacker's computer is Computer A. This type of attack is known as a man-in-the-middle attack.
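From the defender's side, the overwrite described above is visible as an IP address whose MAC binding suddenly changes, or as one MAC that starts answering for both Computer A and Computer B. The following sketch is an added example, not code from the original article; the function name `detect_poisoning`, the tcpdump-style sample lines, and all addresses are constructed for illustration.

```python
import re
from collections import defaultdict

# Matches ARP reply lines in the style printed by `tcpdump -n arp`.
ARP_REPLY = re.compile(
    r"^(?P<ts>\S+) ARP, Reply (?P<ip>\d+(?:\.\d+){3}) "
    r"is-at (?P<mac>[0-9a-f]{2}(?::[0-9a-f]{2}){5})",
    re.IGNORECASE)

# Constructed sample: Computer A is .10, Computer B is .20, and a third
# host (…cc:cc:cc) then claims both addresses.
SAMPLE = """\
10:00:01.000000 ARP, Reply 192.168.1.10 is-at 00:16:3e:aa:aa:aa, length 28
10:00:02.000000 ARP, Reply 192.168.1.20 is-at 00:16:3e:bb:bb:bb, length 28
10:00:09.000000 ARP, Reply 192.168.1.20 is-at 00:16:3e:cc:cc:cc, length 28
10:00:09.500000 ARP, Reply 192.168.1.10 is-at 00:16:3e:cc:cc:cc, length 28
""".splitlines()

def detect_poisoning(lines, pinned=None):
    """Return (timestamp, kind, ip, mac) alerts for suspicious ARP replies.

    pinned holds known-good ip -> mac bindings, the monitoring-side
    counterpart of ARP entries marked as permanent.
    """
    pinned = {ip: mac.lower() for ip, mac in (pinned or {}).items()}
    seen = dict(pinned)           # current ip -> mac view
    claims = defaultdict(set)     # mac -> IPs it has answered for
    for ip, mac in pinned.items():
        claims[mac].add(ip)
    alerts = []
    for line in lines:
        m = ARP_REPLY.match(line.strip())
        if not m:
            continue
        ts, ip, mac = m["ts"], m["ip"], m["mac"].lower()
        if ip in pinned and mac != pinned[ip]:
            alerts.append((ts, "contradicts-pinned", ip, mac))
            continue              # a reply never overwrites a pinned binding
        if ip in seen and seen[ip] != mac:
            alerts.append((ts, "rebind", ip, mac))
        seen[ip] = mac
        if ip not in claims[mac]:
            claims[mac].add(ip)
            # Multi-homed hosts and proxy ARP also trigger this; triage needed.
            if len(claims[mac]) > 1:
                alerts.append((ts, "multi-claim", ip, mac))
    return alerts

if __name__ == "__main__":
    for alert in detect_poisoning(SAMPLE):
        print(*alert)
```

Passing known-good bindings in `pinned` turns a contradicting reply into a `contradicts-pinned` alert and keeps the recorded binding unchanged.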

In this article, I mention a number of tools used in ARP cache poisoning attacks, including ettercap, arpspoof, Nemesis, p0f, dsniff, and Scapy.

Running Ettercap

For ARP cache poisoning to take place, the attacker needs to be in the same network segment as the systems under attack. The first step is to obtain a list of IP addresses and their associated MAC addresses. Several tools will help you obtain this information. One example is the ettercap tool [1]. Ettercap is a suite for man-in-the-middle attacks made on a local LAN. It features sniffing of live connections, content

...