Man In The Middle attack with ARP Poisoning

Before moving on to the actual topic, let’s be familiar with some of the processes that are related to the Man in the middle attacks. It’s important to have a good understanding of how standard communication happens within a network before understanding the actual Man In The Middle Attack with ARP poisoning.

Communication within a Network Via ARP

Address Resolution Protocol

Standard Definition —

“Address Resolution Protocol(ARP) is a procedure for mapping dynamic internet Protocol address(IP address) to a permanent physical machine address in a LAN network.”

It is basically a protocol used to convert 32-bit addresses into 48-bit addresses and vise versa. ARP acts in the middle of the data link layer(which contains MAC addresses) and the network layer(which contains IP addresses). MAC address and IP address both are addresses used to identify a computer within a network. This should be done because MAC addresses are 48-bits long and IPv4 addresses are 32-bits long.

  • IP address: Used to locate a device in the network.
  • MAC address: What identifies the actual device.

Consider a scenario where a packet is coming to a host machine in a LAN network.

  1. Each computer in a LAN has a unique IP address.
  2. If a packet is coming for a particular machine in the network, it will first arrive at the network’s gateway.
  3. Gateway will get the help of the ARP program in order to find the correct MAC address that matches the IP address.
  4. ARP cache will maintain the record of each IP address and its MAC address. This is basically a table.

Now consider a scenario where a machine in the network wants to send a packet.

  1. The host machine needs to determine the destination machine’s MAC address. Therefore it requests the MAC address.
  2. It will first check the ARP cache to see if the correct IP to MAC address translation exists.
  3. If the record is available, a new ARP request is not performed.
  4. If the record is not available, ARP is performed.

How ARP is performed?

ARP will broadcast a request packet to all the machines on that LAN. This is done in order to make sure that if any of the machines know that they are using that requested IP address.

So this protocol basically “ask” what device is currently assigned a given IP address. When the correct IP address is recognized, it will send the packet and update the ARP cache for future usage.

Proxy ARP — Used to transfer packets from one subnet to another.

Man In The Middle Attack (MITM)

Standard Definition —

“Man in The Middle attack is a cyberattack where the attacker secretly relays and possibly alters the communication between two parties who believe that they are directly communicating with each other”

Let’s try to understand this definition with an example.

John wants to start a conversation with Tom. Harry wants to listen to this conversation. But Harry does not wish to be exposed and he wants to do this secretly. Harry Performs the following steps,

  • Harry tells John that he is Tom. Then tell Tom that he is John.
  • This makes John believe that he is actually talking to Tom. And likewise, Tom will believe that he is actually talking to John.
  • Now Harry can get the message from John, alter it or do whatever he wants to do with it and send it to Tom as John’s message.
  • Likewise, Harry can get the reply from Tom, alter it and send it to Harry as Tom’s message.
  • Now Harry has successfully hijacked the conversation between John and Tom.

This is the general overview. There are several ways to perform Man in The Middle attacks.

  1. ARP Poisoning
  2. Rogue Access Point
  3. DNS Spoofing
  4. mDNS Spoofing

ARP Poisoning

Standard Definition —

“Hacker broadcasts false ARP messages over a LAN in order to link an attacker’s MAC address with the IP address of a Legitimate computer(target computer) within the network”

ARP protocol was first introduced in 1982. Developers did not include any ARP message validations because security wasn’t a big concern in 1892.

In the ARP process, Any device can respond to an ARP request. This responded device could be an intended device or not. This provided the opportunity for attackers to poison the ARP Cache by corrupt MAC-to-IP mapping of devices in the network.

MITM Attack with ARP Poisoning

Condition: Attacker must have access to the network in the targetted machine.

Let’s try to understand this with an example.

Assumption: There are 2 devices in the network — Computer “A” and Router “B”

Now the attacker can use a tool to send out forged responses for the ARP requests. Arpspoof, Driftnet are some of the popular tools.

These forged responses advertise the Attacker’s MAC address as the correct MAC address for both IP addresses (Computer “A” and Router).

Then both Computer “A” and Router update their ARP cache Tables and start communicating. However, they communicate via the attacker instead of direct communication. Now the MITM is performed.

Now the attacker can —

  1. Perform Session Hijacking.
  2. Alter Messages.
  3. Denial of Services.
  4. Or even Continue the communications as it is.

How to detect an ARP poisoning attack?

Using the command line

  1. Start the operating system’s shell as an administrator.
  2. Now view the ARP table using the following command.

arp -a

It will display the arp cache table as follows,

If the table has 2 different IP addresses with the same MAC address, that means an ARP attack is taking place.


Wireshark is the most widely-used network analyzer. It can be used to get a microscopic view of the user’s network. Wireshark can be used -

  • Network troubleshooting.
  • Analysis
  • Software and communication protocol development.
  • Education purposes.

This tool is widely used by large networks to analyze their network traffic and keep systems secure.

ARP Poisoning Prevention Methods

  • Static ARP Tables

Statically Map all the MAC addresses in a network to the correct IP addresses. However, this method is not much feasible as this needs to be done manually across all hosts in an event of network change.

  • Switch Security

Also known as Dynamic ARP Inspection. Evaluates the validity of each ARP message and remove packets that are suspicious.

  • Encryption

This method can be used to mitigate the potential damage caused by an ARP attack.

  • Perform a Spoofing Attack

Manually perform a spoofing attack and evaluate the system’s existing security mechanisms. This can be used to get a good idea about how your system will handle an actual ARP poisoning attack.

Associate Software Engineer at Virtusa