ARP, MAC, Poisoning, and WiFi Security
By Brian Wilson
In this article we cover the basics of the Address Resolution Protocol (ARP), Media
Access Control (MAC) addresses, wireless (WiFi), and layer 2 communications, and I
explain how a 'Man in the Middle' attack works. The common names for this are ARP poisoning,
MAC poisoning, or spoofing.
Before we can get into how the poisoning works we need to learn how the OSI
model works and what happens at layer 2 of it. To keep this basic we will
only scratch the surface of the OSI model, enough to get the idea of how protocols work and
communicate with each other.
The OSI Model
The OSI (Open Systems Interconnection) model was developed by the International Standards
Organization (ISO) in 1984 in an attempt to provide some standard for the way networking
should work. It is a theoretical layered model in which the notion of networking is divided
into several layers, each of which defines specific functions and/or features.
However, this model provides only general guidelines for developing usable network
interfaces and protocols. Sometimes it is very difficult to distinguish between
the layers, as some vendors do not adhere to the model completely. Despite all this, the
OSI model has earned the honor of being "the model" upon which all good network
protocols are based.
The OSI Model is based upon 7 layers (Application, Presentation, Session,
Transport, Network, Data Link and Physical). For our
purposes we will review layer 2, the Data Link layer, which defines the format of
data on the network.
A network data frame (aka packet) includes a checksum, source and destination addresses,
and data. The data link layer handles the physical and logical connections to the packet's
destination, using a network interface.
A host connected to an Ethernet network has an Ethernet interface (NIC) to handle
connections to the outside world, and a loopback interface to send packets to itself.
Ethernet addressing
Ethernet addressing uses a unique 48-bit address called the Ethernet address or Media
Access Control (MAC) address. MAC addresses are usually written as six colon-separated
pairs of hex digits, e.g., 8A:0B:20:11:AC:85. This number is unique and is associated with a
particular Ethernet device.
The data link layer's protocol-specific header specifies the MAC addresses of the packet's
source and destination. When a packet is sent to all hosts (broadcast), a special MAC
address (ff:ff:ff:ff:ff:ff) is used. Now with this concept covered we need to explain what
ARP is and how it corresponds to the MAC address.
The Address Resolution Protocol is used to dynamically discover the mapping between a
layer 3 (protocol) address and a layer 2 (hardware) address. ARP dynamically builds and
maintains a mapping database between link-local layer 2 addresses and layer 3 addresses.
In the common case this table maps IP addresses to Ethernet addresses. This database is
called the ARP table. The ARP table is the true source when it comes to routing traffic
on a switch (layer 2 device).
ARP Table
Now that we have explored MAC addresses and ARP tables we need to talk about poisoning.
ARP poisoning, also referred to as ARP poison routing (APR), ARP cache poisoning, or
spoofing, is a method of attacking an Ethernet LAN by updating the target computer's ARP
cache/table with forged ARP request and reply packets, in an effort to change the
layer 2 Ethernet MAC address (i.e., the address of the network card) recorded for a host to one that the attacker can monitor.
The Attack
Because the ARP replies have been forged, the target computer sends frames that were
meant for the original destination to the attacker's computer first, so the frames can be
read. A successful ARP poisoning attempt is invisible to the user. Since the end user never sees the
ARP poisoning, they will surf online as normal while the attacker collects data from the session.
The data collected can be passwords to e-mail, banking accounts, or websites. This
kind of attack is also known as a "Man in the Middle" attack. It basically
works like this: the attacker's PC sends a poisoned ARP request to the gateway device (router),
so the gateway now thinks the route to any PC on the subnet goes through the
attacker's PC. All hosts on the subnet think the attacker's IP/MAC is the gateway and they
send all traffic through that computer, and the attacking PC forwards the data on to the gateway.
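The two ideas above, the ARP table that maps IP addresses to MAC addresses and the forged reply that rewrites an entry in it, can be made concrete with a small passive monitor. The following is an added example, not code from the article: it parses Ethernet+ARP frames as a sniffer would see them, keeps its own copy of the ARP table, and raises an alert when a reply changes the MAC recorded for an IP (the symptom of a poisoned gateway entry) or arrives without a matching request. The MAC and IP values, the gateway/host/rogue roles, and the frame-building helper used to produce the sample traffic are all constructed for the example; only the frame layout (14-byte Ethernet II header, 28-byte IPv4-over-Ethernet ARP packet) follows the real protocol.

```python
import struct

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_str(raw: bytes) -> str:
    """Format 6 raw bytes as colon-separated hex, e.g. 8a:0b:20:11:ac:85."""
    return ":".join(f"{b:02x}" for b in raw)


def ip_str(raw: bytes) -> str:
    """Format 4 raw bytes as dotted-quad IPv4."""
    return ".".join(str(b) for b in raw)


def parse_ethernet_arp(frame: bytes) -> dict:
    """Parse an Ethernet II header (14 bytes) followed by an IPv4-over-Ethernet ARP packet (28 bytes)."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet + ARP")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        raise ValueError(f"not an ARP frame (ethertype 0x{ethertype:04x})")
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol type")
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    return {
        "eth_dst": mac_str(dst), "eth_src": mac_str(src),
        "is_broadcast": mac_str(dst) == BROADCAST_MAC,
        "oper": oper,
        "sender_mac": mac_str(sha), "sender_ip": ip_str(spa),
        "target_mac": mac_str(tha), "target_ip": ip_str(tpa),
    }


class ArpMonitor:
    """Passive observer: mirrors the ARP table a host would build and flags suspicious replies."""

    def __init__(self):
        self.table = {}        # ip -> mac, as learned from replies
        self.pending = set()   # target IPs for which a request was seen but not yet answered
        self.alerts = []

    def observe(self, frame: bytes) -> list:
        pkt = parse_ethernet_arp(frame)
        new = []
        if pkt["oper"] == ARP_REQUEST:
            self.pending.add(pkt["target_ip"])
            return new
        ip, mac = pkt["sender_ip"], pkt["sender_mac"]
        # The Ethernet source and the ARP sender hardware address should agree.
        if pkt["eth_src"] != mac:
            new.append(f"reply for {ip}: Ethernet source {pkt['eth_src']} != ARP sender {mac}")
        # A reply nobody asked for (and that is not a gratuitous self-announcement) is a red flag.
        if ip in self.pending:
            self.pending.discard(ip)
        elif pkt["sender_ip"] != pkt["target_ip"]:
            new.append(f"unsolicited reply for {ip} from {mac}")
        # The core poisoning symptom: an existing IP -> MAC entry silently changes.
        old = self.table.get(ip)
        if old is not None and old != mac:
            new.append(f"{ip} changed from {old} to {mac}")
        self.table[ip] = mac   # mirror what the victim's cache would now contain
        self.alerts.extend(new)
        return new


def build_arp_frame(eth_src, oper, sender_mac, sender_ip, target_mac, target_ip,
                    eth_dst=BROADCAST_MAC) -> bytes:
    """Build an Ethernet+ARP frame; used here only to construct the sample traffic below."""
    def mac_bytes(s): return bytes.fromhex(s.replace(":", ""))
    def ip_bytes(s): return bytes(int(o) for o in s.split("."))
    eth = struct.pack("!6s6sH", mac_bytes(eth_dst), mac_bytes(eth_src), ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, oper,
                      mac_bytes(sender_mac), ip_bytes(sender_ip),
                      mac_bytes(target_mac), ip_bytes(target_ip))
    return eth + arp


def run_sample() -> list:
    """Constructed scenario: a legitimate gateway reply, then a forged reply claiming the gateway IP."""
    gw_ip, gw_mac = "192.0.2.1", "00:11:22:33:44:01"       # constructed (TEST-NET-1 range)
    host_ip, host_mac = "192.0.2.50", "00:11:22:33:44:50"  # constructed
    rogue_mac = "00:11:22:33:44:99"                        # constructed
    mon = ArpMonitor()
    # Host broadcasts "who has the gateway?"
    mon.observe(build_arp_frame(host_mac, ARP_REQUEST, host_mac, host_ip, "00:00:00:00:00:00", gw_ip))
    # Gateway answers with its real MAC.
    mon.observe(build_arp_frame(gw_mac, ARP_REPLY, gw_mac, gw_ip, host_mac, host_ip, eth_dst=host_mac))
    # Forged reply: another interface claims the gateway IP; the host's cache would now point at it.
    mon.observe(build_arp_frame(rogue_mac, ARP_REPLY, rogue_mac, gw_ip, host_mac, host_ip, eth_dst=host_mac))
    return mon.alerts


if __name__ == "__main__":
    for line in run_sample():
        print("ALERT:", line)
```

The mapping-change check is the one that matters operationally; it is the same signal tools such as arpwatch report as a "changed ethernet address". The unsolicited-reply check is noisier in practice (DHCP renewals and some virtualization stacks send replies outside a request/response pair), which is why the example exempts gratuitous announcements where sender and target IP are equal. A static ARP entry for the gateway, or dynamic ARP inspection on the switch, removes the cache's willingness to accept the rewrite in the first place.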