SBM Labs

Cyber Security Collaboration Project

ARP Spoofing
16 Jan 2012

We are going to find out how attacker can steal user credentials using ARP spoofing.

This kind of attack consists in poisoning of network equipmenet and computers ARP cache. Hacker can do it by sending fake ARP responses within subnet.

Routing within subnet is implemented by using mac addresses. ARP response contains match between IP and mac addresses of the user computer. Fake ARP response contains IP address of the user computer and mac address of the hacker computer. So it is possible to perform man-in-the-middle attack and get access to user data.

We will use software "Cain & Abel". Let's do poisoning of default gateway ARP cache.

We will analyze HTTP traffic.

We can specify username and password fields on the tab "HTTP Fields".

HTTP protocol does not use encryption. So it is very easy to steal user credentials.

Software “Cain & Abel” can generate self-signed fake certificates in case of using HTTPS connection. Connection between user and hacker computers will be encrypted by fake certificate. And connection between hacker computer and web server will be encrypted by web server certificate.

Power users can understand that certificate is fake and decline it. But most users will trust it.

Valid certificates must by signed by trusted CA.

Captured login and password will be saved to the file if user trust “Cain & Abel” fake certificate.

How to protect your network?

You need to control arp cache. For example, you can use ARP Inspection technology in Cisco equipment. In this case router registers DHCP responses and saves computer's IP and mac addresses. Network administrator can also create static entries. So router can disable port of the attacker if it detects fake ARP responses.