Welcome back, my aspiring cyber warriors!
Understanding the many network protocols can enhance your ability to gain information and access to your target. Address Resolution Protocol (or ARP as it commonly known) is used on Ethernet networks to assign IP addresses to globally unique MAC addresses. In this way, when a new system enters the network, it's MAC address is assigned a IP address within the range of IP addresses on the network. This is the method that networking devices such as gateways, routers and switches know which machine has which IP address and can route the traffic destined for that IP address ( a logical system) to the proper physical machine (MAC address).
If the attacker understands ARP, they can leverage the ARP protocol to find systems on the network and even imitate and gain access to a particular systems traffic through Man-in-the-Middle attacks.
How ARP Works
ARP uses a simple message format sent over the link layer and network layer (Layers 2 and 3 of the OSI model). This message contains one request or one response. For example, assume two computers on an Ethernet LAN. Computer 1 needs to send a packet to computer 2. Computer 1 knows that Computer 2's IP address is 192.168.1.101. To send the packet to computer 2, it needs the physical address of computer 2 or its MAC address.
Computer 1 can find the MAC address of computer 2 by doing a lookup in the ARP table. The ARP table is a mapping of known physical addresses to logical addresses (MAC to IP). If computer 1 finds the MAC address of Computer 2 in the ARP table, it goes ahead and sends the packet to the MAC address of computer 2. If it doesn't find the corresponding MAC in the ARP table, it sends out a broadcast ARP request to every computer on the network asking "Who has IP address 192.168.1.101?". Computer 2 will then send a unicast (1 to 1) response saying "I have 192.168.1.101 and my MAC address is 11:22:33:44:55:66!". Now Computer 1 can send the packet to MAC address 11:22:33:44:55:66.
The ARP Command
The arp command is found in both Windows and Linux systems. With it you can discover the contents of the arp table and even manipulate this table.
In Windows, simply enter;
> arp -a
As you can see above, the Windows operating system displays the contents of the arp table. This table contains the IP address, the Physical or MAC address and the type (either static or unchanging and dynamic or changing).
A similar command exists in Linux. Let's look at it next,
Similarly to Windows, when you enter arp -a (all), Linux displays the arp table but with out the designation of static v dynamic.
kali > sudo arp -a
When we enter arp with the -v option, Linux displays the same information in a better formatted table and includes the flags mask indicating what Class of the IP address is used.
kali > sudo arp -v
ARP Packets in Wireshark
We can view the arp packets in Wireshark by simply entering the word "arp" in the filter window like below.
When we click on a single packet, we can dissect the packet. Expanding the Address Resolution Protocol field, we can see the Sender and Target IP and MAC addresses.
How Hackers Can Use ARP for Reconnaissance
The ARP protocol has no authentication, so the hacker can easily use this "feature" to discover all the systems on a network. This can be useful when trying to hack another system on the local area network (LAN) or when you compromise a single user on the network and want to pivot to a more valuable target on the network such as a database server.
There are numerous tools the hacker can use to discover systems on the network. These tools send out a gratuitous ARP request and systems respond with there IP address and MAC. For instance, in our Kali system we have netdiscover.
To view netdiscover's help screen, simply enter;
kali > sudo netdiscover -h
As you can see above, we can use -r option to scan a range of IP addresses on a network, such as;
kali > netdiscover -r 192.168.100.0/24
As you can see above, netdiscover was able to enumerate every system on the network with it's IP address, MAC address and vendor of the network interface (NIC).
ARP Vulnerabilities and Exploitation
ARP can also be used to conduct a Man-in-the-Middle (MiTM) attack. Remember, IP addresses are assigned to physical interfaces (MAC address) via the ARP protocol. Attackers can send out gratuitous ARP requests to have their computer designated the location of the specific IP address the target is trying to reach, thereby placing themselves in the middle between the target the the intended server. This is known as arpspoofing. In this way, they can eavesdrop on the target's traffic or even alter it.
Ettercap is an easy to use arpspoofing tool for MiTM the attacks. To learn more about Ettercap, click here.
Other tools that utilize ARP for MitM attacks include;
Leveraging ARP in the Metasploit Meterpreter
The Address Resolution Protocol (ARP) can also be leveraged by the Metasploit Meterpreter to discover systems to pivot to after exploiting a single system on the network. As you know, once a single system on the network has been compromised, the attacker can use that system as a foothold in the network and then work to compromise more important systems on the network such as the file server or database server..
The meterpreter has a script and a post-exploitation module that enables the attacker to discover the other systems on the network by sending out gratuitous ARP requests on the network and waiting for the responses.
For more on Metasploit for hacking, check out my Metasploit Basics for Hackers series here.
Summary
The Address Resolution Protocol (ARP) is an essential protocol for assigning logical IP addresses to the physical MAC addresses. If the attacker understands the ARP protocol they can leverage its capabilities for reconnaissance or even conducting a Man-in-the-Middle attack.