So the common belief is that a network on a *switched* LAN is very safe compared to one on a hub.

Story?

In a hub network, traffic is seen by everybody connected, so sniffing is very easy. With the introduction of switches, you see only the traffic destined for you, which is supposed to protect you from sniffing and the attacks that follow. Well, not quite true, as long as ARP works the way it does now…

So how does ARP work? When a machine wants to talk to another, it sends an ARP broadcast; only the intended machine replies with its MAC address, and the communication goes through. That is the ideal scenario.

Now if someone were to send an incorrect ARP response (pretending to be someone else), the original machine would still accept the reply and send its packets to that address. The ARP protocol has no authentication built in; none was required at the time it was designed!

So let's see how it works:

  • Port 1 – Host A is connected, with MAC A
  • Port 2 – Host B is connected, with MAC B
  • Port 3 – Host C (the attacker) is connected, with MAC C
  • Host C (the attacker) sends an ARP reply to Host A saying “I’m Host B”. Similarly, it sends another ARP reply to Host B saying “I’m Host A”.
  • So now Host A believes Host B is at MAC C   { AND }
  • Host B believes Host A is at MAC C

So a simple piece of software on Host C (the attacker) would be able to read all the communication between Host A and Host B!

High-end managed switches might not accept unsolicited ARP replies, but the hosts would! For example, Windows XP before SP2 accepts any gratuitous ARP packet and updates its local ARP cache accordingly!

CVE Entry for this [ Here ]

A tool can read the data and then forward the traffic on to the respective hosts, so that those hosts would not even know anything like this is going on. The flow looks like this:

  • Host A sends ‘HI’ to Host B
  • The traffic actually reaches Host C
  • Host C reads the data and then forwards the packet to Host B
  • Host B sends ‘hello’ to Host A
  • The traffic actually reaches Host C
  • Host C reads the data and then forwards the packet to Host A

Seems impossible? Well, there is a rather simple tool, arpspoof, which can perform this!

So how do you find out if something like this is going on? You could use arpwatch to perform that task.
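As an added example (this is not code from the original post, nor arpwatch's own code), here is a minimal Python watcher that does the core of what arpwatch does: it decodes ARP replies from raw Ethernet frames, remembers each IP-to-MAC binding it sees, and raises an alert when an IP's MAC changes or when one MAC starts answering for several IPs, which is exactly the pattern Host C produces in the list above. The IP addresses, MAC addresses and frames are constructed in memory for the example; nothing is read from or written to a network.

```python
# Added example, not code from the original post: a minimal ARP-cache watcher in
# the spirit of arpwatch. It decodes ARP replies from raw Ethernet frames and
# flags two symptoms of the poisoning described above:
#   1. an IP address whose MAC changes (arpwatch calls this a "flip-flop")
#   2. one MAC address claiming several IPs (Host C posing as both A and B)
# All frames below are constructed in memory for the example; on a real
# network you would feed frames from a capture socket or a pcap file.
import ipaddress
import struct
from collections import defaultdict

ETH_P_ARP = 0x0806          # EtherType for ARP
ARP_FMT = "!HHBBH6s4s6s4s"  # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ARP_REPLY = 2


def parse_arp_reply(frame: bytes):
    """Return (sender_ip, sender_mac) for an Ethernet ARP reply, else None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, _tha, _tpa = struct.unpack(ARP_FMT, frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4) or op != ARP_REPLY:
        return None
    return str(ipaddress.IPv4Address(spa)), sha.hex(":")


class ArpWatcher:
    """Tracks IP<->MAC bindings seen in ARP replies and reports anomalies."""

    def __init__(self):
        self.ip_to_mac = {}
        self.mac_to_ips = defaultdict(set)
        self.alerts = []

    def observe(self, ip: str, mac: str) -> list:
        """Record one binding; return the alerts this observation triggered."""
        new_alerts = []
        previous = self.ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            new_alerts.append(f"flip-flop: {ip} moved from {previous} to {mac}")
        self.ip_to_mac[ip] = mac
        claimed = self.mac_to_ips[mac]
        if claimed and ip not in claimed:
            new_alerts.append(f"multi-ip: {mac} now claims {sorted(claimed | {ip})}")
        claimed.add(ip)
        self.alerts.extend(new_alerts)
        return new_alerts

    def feed_frame(self, frame: bytes) -> list:
        """Decode a raw frame and, if it is an ARP reply, observe it."""
        parsed = parse_arp_reply(frame)
        return self.observe(*parsed) if parsed else []


def _fixture_reply(sender_ip, sender_mac, target_ip, target_mac) -> bytes:
    """Build an Ethernet+ARP reply frame in memory (test input only)."""
    sha = bytes.fromhex(sender_mac.replace(":", ""))
    tha = bytes.fromhex(target_mac.replace(":", ""))
    eth = tha + sha + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack(ARP_FMT, 1, 0x0800, 6, 4, ARP_REPLY,
                      sha, ipaddress.IPv4Address(sender_ip).packed,
                      tha, ipaddress.IPv4Address(target_ip).packed)
    return eth + arp


# Constructed scenario: hosts A and B answer for themselves, then a third MAC
# (Host C in the post) answers for both of them.
HOST_A = ("192.0.2.10", "aa:aa:aa:aa:aa:aa")
HOST_B = ("192.0.2.20", "bb:bb:bb:bb:bb:bb")
MAC_C = "cc:cc:cc:cc:cc:cc"
SAMPLE_FRAMES = [
    _fixture_reply(*HOST_A, *HOST_B),           # A -> B, legitimate
    _fixture_reply(*HOST_B, *HOST_A),           # B -> A, legitimate
    _fixture_reply(*HOST_A, *HOST_B),           # repeat, nothing new
    _fixture_reply(HOST_B[0], MAC_C, *HOST_A),  # C claims to be B
    _fixture_reply(HOST_A[0], MAC_C, *HOST_B),  # C claims to be A
    b"\x00" * 60,                               # not ARP at all, ignored
]


def run_sample(frames=SAMPLE_FRAMES) -> list:
    """Replay the constructed frames through a watcher and return its alerts."""
    watcher = ArpWatcher()
    for frame in frames:
        watcher.feed_frame(frame)
    return watcher.alerts


if __name__ == "__main__":
    for line in run_sample():
        print(line)
```

Running the sample produces two flip-flop alerts (one for each of Host A's and Host B's addresses) followed by a multi-ip alert for MAC C, which is the two-sided poisoning from the list above as the watcher sees it. A flip-flop on its own is also what you get when a NIC is replaced or a DHCP lease moves to another machine, so treat it as a trigger to investigate; the same MAC answering for two addresses within seconds is the much stronger signal.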