NET_SNIFFER
BY:- SACHIN TRIPATHI (44), SAHIL VEDPATHAK (46), ABHISHEK WALAVALKAR (50)
INTRODUCTION
• A computer connected to an IP/Ethernet network has two addresses:
• the hardware address of its network card (MAC address), and
• its IP address.
• ARP (Address Resolution Protocol) maps an IP address to the MAC address that frames must be sent to; each host keeps the answers it has learned in an ARP cache.
ARP SPOOFING
• The attacker constructs spoofed ARP replies.
• ARP replies carry no authentication, and many stacks accept a reply even when they never sent the matching request.
• A target computer can therefore be convinced to send frames destined for computer A to computer B instead.
• Computer A will have no idea that this redirection took place.
• This process of rewriting a target computer's ARP cache with a forged entry is referred to as "ARP poisoning".
[Figure: A (IP 10.0.0.1, MAC aa:aa:aa:aa), B (IP 10.0.0.2, MAC bb:bb:bb:bb) and the hacker (IP 10.0.0.3, MAC cc:cc:cc:cc) are connected to the same switch. MAC addresses are abbreviated in the figure. The hacker sends A a stream of spoofed ARP replies claiming "IP 10.0.0.2 is at MAC cc:cc:cc:cc".]

Before the spoofed replies:
  A's ARP cache:  IP 10.0.0.2 -> MAC bb:bb:bb:bb
  B's ARP cache:  IP 10.0.0.1 -> MAC aa:aa:aa:aa

After the spoofed replies:
  A's ARP cache:  IP 10.0.0.2 -> MAC cc:cc:cc:cc   (A's cache is poisoned)
  B's ARP cache:  IP 10.0.0.1 -> MAC aa:aa:aa:aa   (unchanged)
• Now all the packets that A intends to send to B go to the hacker's machine instead.
• If the hacker wants to sniff rather than simply cut A off, his machine must forward the captured frames on to B so that the connection keeps working.
• The poisoned cache entry expires, so it has to be refreshed by sending the spoofed ARP reply again.
• How often? It depends on the particular system; usually every 40 s is sufficient.
• In addition, the hacker does not want his own Ethernet driver to "talk": the kernel answering ARP on its own would advertise his real IP/MAC binding and could contradict the forged replies.
• This is accomplished by disabling ARP on the interface with ifconfig <interface> -arp.
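The following Python example is added here and is not code from the original slides. It builds the 42-byte Ethernet+ARP reply the hacker in the figure would transmit, decodes it the way a victim's stack would, and feeds it to a toy ARP cache that accepts unsolicited replies and ages entries out, which is exactly why the reply has to be re-sent. Nothing is put on the wire. The full 6-octet MAC addresses, the 60 s cache lifetime and the 40 s re-send interval are assumptions: the figure abbreviates the MACs and real lifetimes differ between operating systems.

```python
"""Constructing, parsing and "learning" a spoofed ARP reply (added example)."""
import struct
from typing import Dict, Optional, Tuple

ETH_P_ARP = 0x0806            # EtherType for ARP
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_to_bytes(mac: str) -> bytes:
    return bytes(int(octet, 16) for octet in mac.split(":"))


def bytes_to_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ip_to_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def bytes_to_ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def build_arp_reply(sender_mac: str, sender_ip: str, target_mac: str, target_ip: str) -> bytes:
    """Ethernet II header + 28-byte ARP reply saying "sender_ip is at sender_mac"."""
    eth = mac_to_bytes(target_mac) + mac_to_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    # htype=1 (Ethernet), ptype=0x0800 (IPv4), hlen=6, plen=4, oper=2 (reply)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)
    arp += mac_to_bytes(sender_mac) + ip_to_bytes(sender_ip)
    arp += mac_to_bytes(target_mac) + ip_to_bytes(target_ip)
    return eth + arp


def parse_arp(frame: bytes) -> Dict[str, object]:
    """Decode an Ethernet/ARP frame; raises ValueError for anything else."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported hardware/protocol type")
    return {
        "op": oper,
        "sender_mac": bytes_to_mac(frame[22:28]),
        "sender_ip": bytes_to_ip(frame[28:32]),
        "target_mac": bytes_to_mac(frame[32:38]),
        "target_ip": bytes_to_ip(frame[38:42]),
    }


class ArpCache:
    """Toy victim cache (assumed behaviour): every reply overwrites the binding,
    no check that a request was outstanding, entries expire after ttl seconds."""

    def __init__(self, ttl: float) -> None:
        self.ttl = ttl
        self.entries: Dict[str, Tuple[str, float]] = {}   # ip -> (mac, learned_at)

    def learn(self, frame: bytes, now: float) -> None:
        pkt = parse_arp(frame)
        if pkt["op"] == ARP_REPLY:
            self.entries[str(pkt["sender_ip"])] = (str(pkt["sender_mac"]), now)

    def lookup(self, ip: str, now: float) -> Optional[str]:
        entry = self.entries.get(ip)
        if entry is None or now - entry[1] > self.ttl:
            self.entries.pop(ip, None)        # expired: the host would ARP again
            return None
        return entry[0]


def poisoning_demo(ttl: float = 60.0, resend_every: float = 40.0):
    """Replays the figure: B's genuine reply to A, then the hacker's spoofed one."""
    a_cache = ArpCache(ttl)
    genuine = build_arp_reply("bb:bb:bb:bb:bb:bb", "10.0.0.2", "aa:aa:aa:aa:aa:aa", "10.0.0.1")
    spoofed = build_arp_reply("cc:cc:cc:cc:cc:cc", "10.0.0.2", "aa:aa:aa:aa:aa:aa", "10.0.0.1")

    a_cache.learn(genuine, now=0.0)
    before = a_cache.lookup("10.0.0.2", now=0.5)      # bb: A reaches B
    a_cache.learn(spoofed, now=1.0)
    after = a_cache.lookup("10.0.0.2", now=2.0)       # cc: A now sends to the hacker

    # A single spoofed reply is not enough: when the entry ages out, A re-ARPs and B answers.
    once = ArpCache(ttl)
    once.learn(spoofed, now=1.0)
    expired = once.lookup("10.0.0.2", now=1.0 + ttl + 1)

    # Re-sending more often than the ttl keeps the poisoned entry alive indefinitely.
    t = 1.0
    while t < 3 * ttl:
        a_cache.learn(spoofed, now=t)
        t += resend_every
    sustained = a_cache.lookup("10.0.0.2", now=3 * ttl)
    return before, after, expired, sustained


if __name__ == "__main__":
    print(poisoning_demo())
```

The frame returned by build_arp_reply is what a tool would hand to a raw socket; the cache class is only there to make the timing argument concrete. The real victim behaviour (whether an unsolicited reply is accepted, and for how long) is the per-OS detail the slides refer to.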
POSSIBLE TYPES OF ATTACKS
1) Sniffing: poison both ends of a conversation so that their traffic passes through the attacker (man in the middle).
2) DoS: map a victim's gateway or peer IP to a non-existent MAC address so its packets go nowhere.
3) Hijacking: take over an established connection once its traffic is flowing through the attacker.
4) Broadcasting: map a host's IP to the broadcast MAC so that frames meant for it are delivered to everybody on the segment.
5) Cloning: give the attacker's card the same MAC address as a legitimate host.
DEFENSES AGAINST ARP SPOOFING
• There is no universal defense.
• Use static ARP entries: this does not scale beyond a small network, and it is worth verifying that the OS in use really refuses to overwrite an entry marked static.
• Port security on the switch: limits which MAC addresses may appear on a port, which blocks cloning and flooding but not a spoofed reply sent from the attacker's own MAC on his own port.
• Arpwatch: records IP-to-MAC pairings seen on the wire and alerts when a pairing changes.
• RARP (Reverse ARP): asking which IP belongs to a given MAC can reveal a card that is answering for more than one IP, i.e. cloning or a man in the middle.
REMARKS 1
• Different operating systems behave differently.
• Solaris only accepts an ARP update for an existing cache entry after a timeout period has elapsed.
• To poison the cache of a Solaris box, the attacker would therefore have to DoS the second target machine first, so that its genuine replies stop refreshing the entry and the forged one is accepted.
• This DoS may be detected by some tools.
REMARK 2
• Gratuitous ARP.
• The source and target IP addresses in the ARP request are the same.
• It is sent as a broadcast.
• Some implementations recognize it as a special case, that of a system announcing updated information about itself to everybody, and cache the sender's IP/MAC pairing from that request.
• One broadcast packet can therefore poison every host on the segment at once.
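The arpwatch defense from the earlier slide and the gratuitous ARP case from this one can both be demonstrated by the same detection logic. The Python below is an added example, not code from the original slides or from the arpwatch tool. It keeps the first IP-to-MAC binding seen on the wire (or bindings given as trusted) and raises an alert when a later packet contradicts it, when one MAC starts claiming several IPs, or when a gratuitous ARP arrives. Input is the decoded ARP fields a sniffer would hand over; the packet list that replays the figure is constructed for the example, as are the 6-octet MAC addresses.

```python
"""Arpwatch-style detection of ARP poisoning and gratuitous ARP (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

ARP_REQUEST, ARP_REPLY = 1, 2


@dataclass(frozen=True)
class ArpObs:
    """Fields of one ARP packet as decoded by a sniffer."""
    ts: float
    op: int
    sender_mac: str
    sender_ip: str
    target_ip: str


class ArpWatch:
    def __init__(self, trusted: Optional[Dict[str, str]] = None) -> None:
        self.ip_to_mac: Dict[str, str] = dict(trusted or {})     # ip -> mac (first seen / trusted)
        self.mac_to_ips: Dict[str, Set[str]] = defaultdict(set)  # mac -> ips it has claimed
        for ip, mac in self.ip_to_mac.items():
            self.mac_to_ips[mac].add(ip)
        self.alerts: List[str] = []

    def observe(self, obs: ArpObs) -> None:
        if obs.op not in (ARP_REQUEST, ARP_REPLY):
            return
        # Gratuitous ARP: sender and target IP are equal. Legitimate at boot or failover,
        # but a single broadcast can rewrite every cache on the segment, so always log it.
        if obs.sender_ip == obs.target_ip:
            self.alerts.append(f"t={obs.ts}: gratuitous ARP for {obs.sender_ip} from {obs.sender_mac}")
        known = self.ip_to_mac.get(obs.sender_ip)
        if known is None:
            self.ip_to_mac[obs.sender_ip] = obs.sender_mac      # first sighting: learn it
        elif known != obs.sender_mac:
            # Keep the original binding; every packet that contradicts it is reported.
            self.alerts.append(
                f"t={obs.ts}: changed ethernet address for {obs.sender_ip}: {known} -> {obs.sender_mac}")
        before = len(self.mac_to_ips[obs.sender_mac])
        self.mac_to_ips[obs.sender_mac].add(obs.sender_ip)
        if len(self.mac_to_ips[obs.sender_mac]) > max(before, 1):
            # One card answering for several IPs is what a man in the middle looks like on the wire.
            self.alerts.append(
                f"t={obs.ts}: {obs.sender_mac} now claims {sorted(self.mac_to_ips[obs.sender_mac])}")


# Constructed replay of the figure: A, B and the hacker, then the poisoning.
SAMPLE: List[ArpObs] = [
    ArpObs(0.0, ARP_REQUEST, "aa:aa:aa:aa:aa:aa", "10.0.0.1", "10.0.0.2"),   # A: who has 10.0.0.2?
    ArpObs(0.1, ARP_REPLY,   "bb:bb:bb:bb:bb:bb", "10.0.0.2", "10.0.0.1"),   # B answers honestly
    ArpObs(0.2, ARP_REQUEST, "cc:cc:cc:cc:cc:cc", "10.0.0.3", "10.0.0.1"),   # hacker looks up A
    ArpObs(5.0, ARP_REPLY,   "cc:cc:cc:cc:cc:cc", "10.0.0.2", "10.0.0.1"),   # spoofed: 10.0.0.2 is at cc
    ArpObs(5.0, ARP_REPLY,   "cc:cc:cc:cc:cc:cc", "10.0.0.1", "10.0.0.2"),   # spoofed: 10.0.0.1 is at cc
    ArpObs(45.0, ARP_REQUEST, "cc:cc:cc:cc:cc:cc", "10.0.0.2", "10.0.0.2"),  # gratuitous re-poison
]


def run_demo(trusted: Optional[Dict[str, str]] = None) -> List[str]:
    """Feed the sample capture through the watcher and return its alerts."""
    watch = ArpWatch(trusted)
    for obs in SAMPLE:
        watch.observe(obs)
    return watch.alerts


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

Seeding the watcher with trusted static bindings instead of learning from traffic gives the same alerts for this capture but closes the window in which an attacker who is already active when monitoring starts would be learned as the legitimate owner.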
REFERENCES
• Sean Whalen, "An Introduction to ARP Spoofing", http://chocobospore.org/arpspoof
• Yuri Volobuev, "Playing redir games with ARP and ICMP" (does not appear to have been formally published)
• Forouzan, "TCP/IP Protocol Suite", chapter 8 (background on ARP)