ARP Spoofing Man-in-the-middle Attack


A man-in-the-middle attack is an interior network attack, where an attacker places a computer or networking device between hosts, so that their data exchanges are unknowingly redirected to the man-in-the-middle. The goal is to capture and relay traffic, so the victim is unaware that all traffic to and from his computer is being compromised.

One way to accomplish a Man-in-the-middle attack is to use ARP spoofing. With ARP spoofing the attacker targets the layer two MAC address protocol. On a local area network, a host communicates with another host, including the gateway, by delivering packets to a MAC address. In order to do this, first the ARP protocol needs to resolve the MAC address from the IP address of a host. There is no verification or authentication procedure for the ARP protocol. When a computer needs to send information to another host on the network the computer generates an ARP broadcast. The ARP broadcast sent to every computer on the network requesting that a specific IP address respond with the corresponding MAC address. When a computer responds with a MAC address, data can be delivered to that MAC address, the problem is that the response is accepted without verification. ARP spoofing involves sending fraudulent information to the targeted hosts so they incorrectly map the attacker’s MAC address as belonging to the IP address.


Practice Lab

In the following lab, I set up a test virtual environment to execute an ARP spoofing attack. This is what you will need to do the lab:

Virtualization software: I recommend either VMware (free player) or Virtualbox. You will want to set your virtual network interface cards to bridged mode so that they receive unique IP addresses on the network and can communicate with each other as well as the host computer. If you have networked computers that you do not mind experimenting with, you can skip the virtualization part and use actual physical hosts.

Virtual host 1 (victim): In the video demonstration, I use an Ubuntu client as the victim. I chose this because I happened to already have it set up. You could easily use another operating system like Windows XP, etc. The most important point is that the hosts need to be connected to the same network.

Virtual Host 2 (attacker, man-in-the-middle): For the attacker, I downloaded the pre-installed VMware virtual machine for Backtrack 5-R1 32bit. Download the VM, unzip it, and then open it with the VMware player. If you have never used Backtrack before the default username is: root and the default password is: toor. Once you have logged in, you can start the graphical user desktop by entering the startx command; your networking connection should start automatically, but if it does not, I have initial configuration information here: Install & Configure BackTrack. For this lab, you can just as easily use a different distribution of Linux like Ubuntu, Mint or Fedora.

Router/Gateway: In my demonstration, the clients are on the same network connected by a wireless router/gateway providing connectivity to the internet.

Packet Sniffer: In the demonstration, host scanning, packet sniffing, and ARP spoofing is done with the program Ettercap or Ettercap GTK, installed on the attacking computer. Here are the commands for installing and running Ettercap in graphical mode:

     apt-get update
apt-get install ettercap ettercap-gtk
ettercap -G

Video Tutorial

In this video, I use ARP spoofing to impersonate hosts, and sniff traffic undetected on the network

Author: Dan

Dan teaches computer networking and security classes at Central Oregon Community College.

Leave a Reply

Your email address will not be published.