i Penetration Test – Cain & Abel – ARP Poisoning ( Part 1 ) – All things in moderation

Penetration Test – Cain & Abel – ARP Poisoning ( Part 1 )

In the previous post, I think you guys have understood what we could do when we are in the victim network. Now, I will show you another way to do that base on arp poisoning knowledge.

Firstly of all, we need to know what ARP Poisoning is.

The Address Resolution Protocol is a widely used communications protocol for resolving Internet layer addresses into link layer addresses.

When an Internet Protocol (IP) datagram is sent from one host to another in a local area network, the destination IP address must be resolved to a MAC address for transmission via the data link layer. When another host’s IP address is known, and its MAC address is needed, a broadcast packet is sent out on the local network. This packet is known as an ARP request. The destination machine with the IP in the ARP request then responds with an ARP reply, which contains the MAC address for that IP.

ARP is a stateless protocol. Network hosts will automatically cache any ARP replies they receive, regardless of whether network hosts requested them. Even ARP entries which have not yet expired will be overwritten when a new ARP reply packet is received. There is no method in the ARP protocol by which a host can authenticate the peer from which the packet originated. This behavior is the vulnerability which allows ARP spoofing to occur.

pentest cain and abel

I think the above information from Wikipedia is enough for you to understand it. Now, we are going to discuss some attack vectors base on ARP Poisoning.

1. Man in the middle

Take this scenario as our example, we have 3 hosts in our network: Computer A, Computer B, Computer C. And the attacker want to become “the man in the middle” of computer A and C. :D. So he sends a ARP Request to host A with host B’s IP and his MAC address, plus a ARP Request to host B with host A’s IP and his MAC address. Additionally, he need to turn on IP Forwarding in his computer. From now, the information between computer A and B has been captured by the attacker.

2. Denial of Service

This time, the attacker want all of your computers can’t connect to the Internet. There are many reasons for this. :D. He just need to send a Arp Reply to all of the computers with Gateway’s IP address and a non-existent MAC. When these computers send packets to Gateway, it comes to the middle of nowhere, so we lose connection to the Internet.

3. MAC Flooding

This type of attack is also known as CAM table overflow attack. Within a very short time, the switch’s MAC Address table is full with fake MAC address/port mappings. Switch’s MAC address table has only a limited amount of memory. The switch can not save any more MAC address in its MAC Address table.

Once the switch’s MAC address table is full and it can not save any more MAC address, its enters into a fail-open mode and start behaving like a network Hub. Frames are flooded to all ports, similar to broadcast type of communicaton.

Now, what is the benefit of the attacker? The attacker’s machine will be delivered with all the frames between the victim and another machines. The attacker will be able to capture sensitive data from network.

Now, we will use Cain & Abel to demontrate this attack.

You could download this tool from here. I will show you a quick look about this.

  • After you downloaded it, you just run and click to a Sniffer Button on the top-left. Next, you click to Blue Plus button, the small window will show up. You tick to “All hosts in my subnets” and “All Tests” options. Click OK.

pentest cain and abel

It will give you all the computers in your LAN.

  • Secondly, you choose ARP tab, click Blue Plus button, another window will show up. You choose the victim IP address on the left, and choose all of on the right. If you want to capture all the traffic on the network, you need to choose the Gateway IP address on the left.

pentest cain and abel

After a few minutes, you will see something like this.

pentest cain and abel

That means all the traffic from 192.168.0.133 has been captured by you.

  • Then when the victim go to a website and login.

pentest cain and abel

You can capture their credential information.

pentest cain and abel

Besides, you can also see some certs here.

pentest cain and abel

I hope we could have a basic information about ARP Poisioning and a quick look about Cain & Abel. You should give it a try in your network. After that, we are going to discuss some other attack vectors base on ARP Poisoning in the next post. 🙂

Leave a Reply