Bucaro TecHelp

ARP, MAC, Poisoning, and WiFi Security

In this article we cover the basics of the Address Resolution Protocol (ARP), Media Access Control (MAC) addresses, wireless (WiFi), and layer 2 communications. I explain how a 'Man in the Middle' attack works. The common names for this are ARP poisoning, MAC poisoning, or spoofing.

Before we can get into how the poisoning works we need to learn how the OSI model works and what happens at layer 2 of it. To keep this basic we will only scratch the surface of the OSI model, just enough to get the idea of how protocols work and communicate with each other.

The OSI Model

The OSI (Open Systems Interconnection) model was developed by the International Standards Organization (ISO) in 1984 in an attempt to provide a standard for the way networking should work. It is a theoretical layered model in which networking is divided into several layers, each of which defines specific functions and/or features.

However, this model is only a set of general guidelines for developing usable network interfaces and protocols. Sometimes it may be very difficult to distinguish between the layers, as some vendors do not adhere to the model completely. Despite all this, the OSI model has earned the honor of being "the model" upon which all good network protocols are based.

The OSI model is based upon 7 layers (Application, Presentation, Session, Transport, Network, Data Link and Physical). For our purposes we will review layer 2, the Data Link layer, which defines the format of data on the network.

A network data frame, aka packet, includes a checksum, source and destination addresses, and data. The data link layer handles the physical and logical connections to the packet's destination, using a network interface.

A host connected to an Ethernet network would have an Ethernet interface (NIC) to handle connections to the outside world, and a loopback interface to send packets to itself.

Ethernet addressing

Ethernet addressing uses a unique 48-bit address called the Ethernet address or Media Access Control (MAC) address. MAC addresses are usually represented as six colon-separated pairs of hex digits, e.g., 8A:0B:20:11:AC:85. This number is unique and is associated with a particular Ethernet device.

The data link layer's protocol-specific header specifies the MAC addresses of the packet's source and destination. When a packet is sent to all hosts (broadcast), a special MAC address (ff:ff:ff:ff:ff:ff) is used. Now with this concept covered we need to explain what ARP is and how it corresponds to the MAC address.

The Address Resolution Protocol is used to dynamically discover the mapping between a layer 3 (protocol) address and a layer 2 (hardware) address. ARP dynamically builds and maintains a mapping database between link-local layer 2 addresses and layer 3 addresses. In the common case this table maps Ethernet addresses to IP addresses. This database is called the ARP table. The ARP table is the true source when it comes to routing traffic on a switch (layer 2 device).

ARP Table

Now that we have explored MAC addresses and ARP tables we need to talk about poisoning. ARP poisoning is also referred to as ARP poison routing (APR), ARP cache poisoning, and spoofing. It is a method of attacking an Ethernet LAN by updating the target computer's ARP cache/table with forged ARP request and reply packets, in an effort to change the layer 2 Ethernet MAC address (i.e., the address of the network card) recorded for a host to one that the attacker can monitor.

The Attack

Because the ARP replies have been forged, the target computer sends frames that were meant for the original destination to the attacker's computer first, so the frames can be read. A successful ARP poisoning attempt is invisible to the user. Since the end user never sees the ARP poisoning, they will surf online as normal while the attacker collects data from the session.

The data collected can be passwords to e-mail, banking accounts, or websites. This kind of attack is also known as a "Man in the Middle" attack. It basically works like this: the attacker's PC sends a poisoned ARP request to the gateway device (router), so the gateway now thinks the route to any PC on the subnet goes through the attacker's PC. All hosts on the subnet think the attacker's IP/MAC is the gateway, so they send all traffic through that computer, and the attacking PC forwards the data on to the gateway.
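The two ideas above, the ARP table as a learned IP-to-MAC mapping and poisoning as a forged reply that rewrites an entry in it, can be seen together in a small monitor. The following Python is an added example written for this page, not code from the article or from Bucaro TecHelp. It parses raw Ethernet/ARP frames (the 14-byte Ethernet II header followed by the 28-byte IPv4 ARP packet), keeps its own ARP table, and, instead of silently accepting a reply the way an unprotected cache does, raises an alert when a reply arrives that nobody asked for, when the frame's source MAC disagrees with the ARP sender MAC, or when a reply tries to change an IP's recorded MAC. The `ArpMonitor` class and the MAC and IP addresses in the demo traffic are constructed for illustration.

```python
import struct
from dataclasses import dataclass
from typing import Optional

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


@dataclass
class ArpPacket:
    src_mac: str     # Ethernet header source address
    dst_mac: str     # Ethernet header destination address
    opcode: int      # 1 = request, 2 = reply
    sender_mac: str  # ARP payload: sender hardware address
    sender_ip: str   # ARP payload: sender protocol address
    target_mac: str
    target_ip: str


def mac_to_bytes(mac: str) -> bytes:
    return bytes(int(part, 16) for part in mac.split(":"))


def ip_to_bytes(ip: str) -> bytes:
    return bytes(int(part) for part in ip.split("."))


def build_arp_frame(src_mac, dst_mac, opcode, sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """Build a constructed Ethernet II frame carrying an IPv4 ARP packet (42 bytes)."""
    eth = mac_to_bytes(dst_mac) + mac_to_bytes(src_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)  # htype=Ethernet, ptype=IPv4
    arp += mac_to_bytes(sender_mac) + ip_to_bytes(sender_ip)
    arp += mac_to_bytes(target_mac) + ip_to_bytes(target_ip)
    return eth + arp


def parse_arp_frame(frame: bytes) -> Optional[ArpPacket]:
    """Parse a raw frame; return None unless it is an IPv4-over-Ethernet ARP packet."""
    if len(frame) < 42:
        return None
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    fmt_mac = lambda b: ":".join(f"{x:02x}" for x in b)
    fmt_ip = lambda b: ".".join(str(x) for x in b)
    return ArpPacket(fmt_mac(src), fmt_mac(dst), opcode,
                     fmt_mac(sha), fmt_ip(spa), fmt_mac(tha), fmt_ip(tpa))


class ArpMonitor:
    """Hypothetical monitor: keeps an IP -> MAC table learned from ARP and flags replies that rewrite it."""

    def __init__(self, static_entries: Optional[dict] = None):
        self.table = dict(static_entries or {})  # entries pinned by the admin, e.g. the gateway
        self.static = set(self.table)
        self.pending = set()   # IPs some host has asked about and not yet received an answer for
        self.alerts = []

    def observe(self, pkt: ArpPacket) -> None:
        if pkt.opcode == ARP_REQUEST:
            self.pending.add(pkt.target_ip)
        elif pkt.opcode == ARP_REPLY:
            # A reply nobody asked for is the usual shape of a poisoning attempt.
            # (Legitimate gratuitous ARP also trips this; an operator would allow-list it.)
            if pkt.sender_ip in self.pending:
                self.pending.discard(pkt.sender_ip)
            else:
                self.alerts.append(f"unsolicited reply: {pkt.sender_ip} is-at {pkt.sender_mac}")
            # For an honest host the frame source and the ARP sender address agree
            if pkt.src_mac != pkt.sender_mac:
                self.alerts.append(f"frame source {pkt.src_mac} != ARP sender {pkt.sender_mac}")
        else:
            return
        known = self.table.get(pkt.sender_ip)
        if known is None:
            self.table[pkt.sender_ip] = pkt.sender_mac
        elif known != pkt.sender_mac:
            kind = "static entry" if pkt.sender_ip in self.static else "learned binding"
            self.alerts.append(f"{kind} for {pkt.sender_ip} changed: {known} -> {pkt.sender_mac}")
            # The table is deliberately NOT overwritten, unlike an unprotected ARP cache


def demo_alerts() -> list:
    """Constructed traffic: a host resolves the gateway honestly, then a forged reply tries to rewrite it."""
    gateway_ip, gateway_mac = "192.168.1.1", "aa:bb:cc:00:00:01"
    victim_ip, victim_mac = "192.168.1.20", "aa:bb:cc:00:00:20"
    rogue_mac = "de:ad:be:ef:00:99"  # constructed address of the poisoning host
    frames = [
        build_arp_frame(victim_mac, "ff:ff:ff:ff:ff:ff", ARP_REQUEST,
                        victim_mac, victim_ip, "00:00:00:00:00:00", gateway_ip),
        build_arp_frame(gateway_mac, victim_mac, ARP_REPLY,
                        gateway_mac, gateway_ip, victim_mac, victim_ip),
        # forged, unsolicited reply claiming the gateway IP now lives at the rogue MAC
        build_arp_frame(rogue_mac, victim_mac, ARP_REPLY,
                        rogue_mac, gateway_ip, victim_mac, victim_ip),
    ]
    mon = ArpMonitor()
    for frame in frames:
        pkt = parse_arp_frame(frame)
        if pkt is not None:
            mon.observe(pkt)
    return mon.alerts


if __name__ == "__main__":
    for line in demo_alerts():
        print("ALERT:", line)
```

On the constructed traffic the monitor produces two alerts for the third frame (an unsolicited reply, and a learned binding for 192.168.1.1 changing to the rogue MAC) and leaves the gateway's real MAC in its table. Pinning the gateway via `static_entries` turns the second alert into a "static entry" alert, which is the same idea as configuring a static ARP entry for the default gateway on a host you want to protect.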

Follow Stephen Bucaro
Copyright©2001-2024 Bucaro TecHelp 13771 N Fountain Hills Blvd Suite 114-248 Fountain Hills, AZ 85268