ARP attacks are subject to legal regulations; experiments and drills may only be carried out with proper legal authorization.
Preliminary knowledge
An ARP attack is an attack in which the attacker exploits weaknesses of the ARP protocol to deceive hosts on the network in order to steal information and hijack network traffic.
The ARP protocol maps a network-layer IP address to a link-layer MAC address so that packets can be delivered correctly within the LAN. Its weakness is that it has no authentication: any host can send an ARP reply, and receiving hosts cache whatever they are told. The attacker exploits this by sending forged ARP replies to hosts on the LAN, tricking them into associating the target host's IP address with the attacker's MAC address. The attacker can then intercept, tamper with, or forge the communication between hosts, or mount further attacks such as man-in-the-middle attacks and DNS spoofing.
Specifically, an ARP attack proceeds as follows:
1. The attacker broadcasts an ARP request for the target host's IP address, asking for the corresponding MAC address;
2. All hosts in the LAN receive the request, but only the target host answers with an ARP reply containing its own MAC address;
3. From that reply the attacker learns the target host's real MAC address;
4. The attacker then sends forged ARP replies that present the attacker's own MAC address as the MAC address of the target host, and broadcasts them to the other hosts in the LAN;
5. The other hosts in the LAN accept the forged replies and cache the attacker's MAC address as the target host's, so traffic meant for the target is delivered to the attacker, who can intercept, tamper with, or forge the communication between hosts, or carry out other attacks.
In short, ARP attacks exploit the lack of authentication in the ARP protocol to deceive hosts on the network, in order to steal information and hijack network traffic.
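The forged reply in step 4 leaves fingerprints on the wire that a defender can look for: a reply that no request asked for, an ARP sender MAC that disagrees with the Ethernet source address, and an IP address (above all the gateway's) suddenly claimed by a different MAC. The following detector is an added example written for this article and is not code from the original post or from the arpspoof/Ettercap projects. It parses raw Ethernet/ARP frames, learns IP-to-MAC bindings, and raises an alert for each of those signs; all addresses and frames in it are constructed sample data (the 192.168.1.x hosts and the de:ad:be:ef:00:01 MAC are hypothetical).

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST_MAC, ZERO_MAC = "ff:ff:ff:ff:ff:ff", "00:00:00:00:00:00"


@dataclass(frozen=True)
class ArpFrame:
    eth_src: str     # source MAC in the Ethernet header
    opcode: int      # 1 = request, 2 = reply
    sender_mac: str  # SHA: the MAC the sender claims to own
    sender_ip: str   # SPA: the IP the sender claims to own
    target_mac: str
    target_ip: str


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)

def mac_bytes(s: str) -> bytes:
    return bytes(int(x, 16) for x in s.split(":"))

def ip_bytes(s: str) -> bytes:
    return bytes(int(x) for x in s.split("."))

def build_arp(eth_src, eth_dst, opcode, sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """Assemble a 42-byte Ethernet+ARP frame; used here only to construct the sample traffic."""
    eth = mac_bytes(eth_dst) + mac_bytes(eth_src) + struct.pack("!H", ETHERTYPE_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)  # Ethernet, IPv4, 6-byte MAC, 4-byte IP
           + mac_bytes(sender_mac) + ip_bytes(sender_ip)
           + mac_bytes(target_mac) + ip_bytes(target_ip))
    return eth + arp

def parse_arp(frame: bytes) -> Optional[ArpFrame]:
    """Return the ARP fields of a frame, or None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return ArpFrame(mac_str(frame[6:12]), oper, mac_str(frame[22:28]), ip_str(frame[28:32]),
                    mac_str(frame[32:38]), ip_str(frame[38:42]))


class ArpSpoofDetector:
    """Learns IP->MAC bindings from the wire and reports three spoofing signs: a reply nobody asked
    for, an ARP sender MAC that disagrees with the Ethernet header, and an IP (above all a pinned
    one such as the gateway) suddenly claimed by a different MAC. First-seen bindings win."""

    def __init__(self, pinned: Optional[Dict[str, str]] = None):
        self.pinned = {ip: mac.lower() for ip, mac in (pinned or {}).items()}
        self.table: Dict[str, str] = dict(self.pinned)  # learned bindings, seeded with pinned ones
        self.pending: Set[str] = set()                   # IPs with an outstanding request

    def observe(self, frame: bytes) -> List[str]:
        arp = parse_arp(frame)
        if arp is None:
            return []
        alerts = []
        if arp.sender_mac != arp.eth_src:
            alerts.append(f"header mismatch: Ethernet src {arp.eth_src} but ARP sender {arp.sender_mac}")
        if arp.opcode == ARP_REQUEST:
            self.pending.add(arp.target_ip)
        elif arp.opcode == ARP_REPLY:
            if arp.sender_ip in self.pending:
                self.pending.discard(arp.sender_ip)
            else:
                alerts.append(f"unsolicited reply: {arp.sender_ip} is-at {arp.sender_mac}")
        if arp.sender_ip != "0.0.0.0":  # ARP probes carry 0.0.0.0 and bind nothing
            known = self.table.setdefault(arp.sender_ip, arp.sender_mac)
            if known != arp.sender_mac:
                kind = "PINNED binding violated" if arp.sender_ip in self.pinned else "binding changed"
                alerts.append(f"{kind}: {arp.sender_ip} is {known}, now claimed by {arp.sender_mac}")
        return alerts


# Constructed sample LAN (hypothetical addresses).
GATEWAY_IP, GATEWAY_MAC = "192.168.1.1", "aa:bb:cc:00:00:01"
VICTIM_IP, VICTIM_MAC = "192.168.1.10", "aa:bb:cc:00:00:10"
ATTACKER_MAC = "de:ad:be:ef:00:01"

def sample_traffic() -> List[bytes]:
    """A normal request/reply between victim and gateway, then the forged reply of step 4."""
    return [
        build_arp(VICTIM_MAC, BROADCAST_MAC, ARP_REQUEST, VICTIM_MAC, VICTIM_IP, ZERO_MAC, GATEWAY_IP),
        build_arp(GATEWAY_MAC, VICTIM_MAC, ARP_REPLY, GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),
        build_arp(ATTACKER_MAC, VICTIM_MAC, ARP_REPLY, ATTACKER_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),
    ]

def run_demo() -> List[List[str]]:
    """Feed the sample frames to a detector with the gateway binding pinned; returns alerts per frame."""
    det = ArpSpoofDetector(pinned={GATEWAY_IP: GATEWAY_MAC})
    return [det.observe(f) for f in sample_traffic()]
```

Only the third frame produces alerts: it is an unsolicited reply and it contradicts the pinned gateway binding. Note that legitimate gratuitous ARP (for example a host announcing a freshly obtained DHCP lease) also shows up as an unsolicited reply, so that sign alone is a hint rather than proof; the binding conflict against a pinned gateway is the strong signal. In a real deployment the frames would come from a raw socket or a pcap file rather than from sample_traffic().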
Lab environment
1. Kali Linux 2019 (VMware)
2. Other networked devices under the same network as Kali
Experimental tools
Ettercap, arpspoof, etc. (arpspoof is used in this article)
Experimental procedure
1. First switch the Kali virtual machine's network adapter to bridged mode
Check the virtual NIC configuration (the VM simply shares the host computer's network card)
2. Check the IP address and gateway of the network you are on (from a computer or a mobile phone). I use a wireless network, so I look at the WLAN adapter
Also note the name of the Kali system's network card; it is needed later
3. In Kali, open a terminal and scan for live hosts on the LAN (nmap works as well; fping is used here)
fping -g <network address>/<prefix length>
This lists all live hosts on the network segment
4. Pick a victim (my own phone) and start the ARP attack
Enter the following command to cut the victim off the network:
arpspoof -i <network card name> -t <target host IP> <gateway IP of the target host>
That's it. Press Ctrl+Z to stop the attack. Note that Ctrl+Z only suspends the arpspoof process and leaves the victim's ARP cache poisoned; Ctrl+C terminates it, and arpspoof then sends correct ARP replies to restore the victim's cache.
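Seen from the victim's side, the attack above leaves the gateway entry of its ARP cache pointing at the Kali machine's MAC address. The following audit is an added example written for this article (not code from the original post or from arpspoof) that parses the output of `ip neigh show` on a Linux host and flags two things: a pinned binding, such as the gateway's, that no longer matches, and one MAC address that answers for several IP addresses. The `ip neigh` output, the addresses and the pinned gateway MAC are all constructed sample data.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Basic IPv4 line of `ip neigh show`: "<ip> dev <if> [lladdr <mac>] <state>".
# Entries without lladdr (INCOMPLETE, FAILED) resolve nothing and are skipped.
NEIGH_RE = re.compile(
    r"^(?P<ip>\S+)\s+dev\s+(?P<dev>\S+)(?:\s+lladdr\s+(?P<mac>[0-9a-fA-F:]{17}))?\s+(?P<state>\S+)$"
)


def parse_ip_neigh(text: str) -> Dict[str, str]:
    """Turn `ip neigh show` output into an IP -> MAC map (MACs lower-cased)."""
    table: Dict[str, str] = {}
    for line in text.strip().splitlines():
        m = NEIGH_RE.match(line.strip())
        if m and m.group("mac"):
            table[m.group("ip")] = m.group("mac").lower()
    return table


def audit_arp_cache(table: Dict[str, str], pinned: Dict[str, str]) -> List[str]:
    """Report bindings that contradict the pinned ones and MACs that answer for several IPs."""
    findings: List[str] = []
    for ip, expected in pinned.items():  # 1. the gateway (or any pinned host) must not drift
        seen = table.get(ip)
        if seen is not None and seen != expected.lower():
            findings.append(f"{ip} resolves to {seen}, expected {expected.lower()}")
    by_mac: Dict[str, List[str]] = defaultdict(list)
    for ip, mac in table.items():  # 2. one MAC behind several IPs: a host is answering for others
        by_mac[mac].append(ip)
    for mac, ips in sorted(by_mac.items()):
        if len(ips) > 1:
            findings.append(f"{mac} claims {len(ips)} addresses: {', '.join(sorted(ips))}")
    return findings


# Constructed sample: the gateway entry already points at the spoofing host's MAC,
# which also appears under that host's own address 192.168.1.33.
SAMPLE_IP_NEIGH = """\
192.168.1.1 dev wlan0 lladdr de:ad:be:ef:00:01 REACHABLE
192.168.1.10 dev wlan0 lladdr aa:bb:cc:00:00:10 STALE
192.168.1.20 dev wlan0 FAILED
192.168.1.33 dev wlan0 lladdr de:ad:be:ef:00:01 REACHABLE
"""
PINNED = {"192.168.1.1": "aa:bb:cc:00:00:01"}  # the gateway's real MAC, recorded while the LAN was clean


def run_audit(text: str = SAMPLE_IP_NEIGH, pinned: Dict[str, str] = PINNED) -> List[str]:
    """Audit one `ip neigh show` dump against the pinned bindings; returns the list of findings."""
    return audit_arp_cache(parse_ip_neigh(text), pinned)
```

The pinned MAC has to be recorded while the network is known to be clean; on the sample it yields two findings, the drifted gateway entry and the duplicated MAC. On a Linux host the matching mitigation is to make the gateway entry static with iproute2, for example `ip neigh replace 192.168.1.1 lladdr aa:bb:cc:00:00:01 dev wlan0 nud permanent` (with the real addresses), so forged replies can no longer overwrite it; on the wire side, tools such as arpwatch and switch features such as Dynamic ARP Inspection cover what a single host cannot see.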