Sunday, September 22, 2013

ARP, the mystery protocol that makes a LAN work

Address Resolution Protocol

Usually, ARP just works and most people are blissfully unaware of it, but once in a while, I run into a problem.

ARP is the mystery protocol that makes a LAN work.  When a host wants to talk to another host on a LAN, it sends out a Who Has w.x.y.z message and gets an I Am reply. After that the system knows how to talk to each other using their MAC addresses and the LAN switch knows how to route the packets between the two hosts. 

Fail Over of Servers

This is all very nice when you are running an ordinary LAN, but the wheels tend to fall off when you run a system with redundancy and fail over.

What happens in a fail over case, is that some devices will remember the old connection and will refuse to talk to the backup host, because while the backup host has the same IP address as the now defunct host, its MAC address is different. The entries in the ARP table can take a very long time to time out, more than 8 minutes in most Linux systems.

The solution is to force an ARP table update in hosts on the LAN, using the arping command:
$ arping -A -c 1 -I em0

The above example will send an unsolicited I Am reply to device on the LAN. Read man arping for more details. (Some devices will respond to a request and some to an answer, so the best strategy is to send both to each device that you need to update, using the -U for one command and -A for the other.)

You can verify what is happening using tcpdump:
# tcpdump -lni em0 arp 

This is known as a gratuitous or unsolicited ARP to update a neighbour's cache.


Another problem arises when a backup system causes a LAN loop. 

Broadcasted ARP messages will get stuck in the loop and will clog up the LAN after a little while. The spanning tree protocol was devised to control ethernet switches and prevent loops, but in my experience it never works the way I want, so the best solution is to avoid making loops in the first place, rather than try to fix it using spanning tree.

ARP Poisoning

One of the myths surrounding a switched environment is that it prevents packet sniffing. It only makes it a little more awkward. Anyone can put their network card into promiscuous mode and capture packets between other hosts, by using ARP Spoofing. All you need is Ettercap.

ARP Cache

ARP is the Address Resolution Protocol. It is used to translate IP Addresses to MAC Addresses (Physical Address). A computer sends a query out to its broadcast domain asking who has a certain IP address. When the device at the IP address receives the packet it replies with its MAC Address and the requesting computer will log the response in its ARP cache. 

The ARP cache can be viewed by typing arp –a from the command-line:
Interface: --- 0x5
Internet Address Physical Address Type 00-0b-cd-ef-2c-ff dynamic 00-0e-7f-ef-b5-8d dynamic

ARP Spoofing

How ARP Spoofing works is by an attacker PC sending out fake ARP responses to victim PC’s stating that they are someone else, the victim PC then updates their ARP cache to direct traffic to the attacker. The attacker will log, read, or modify the packets and then forward them to the destination.

This can be done using arping as discussed above, or one can use EttercapEttercap provides a GUI which can be launched from the command-line using ettercap –G or it can be run from the command-line entirely.

Basic Sniffing

To watch traffic passing by on the network use:
# ettercap –Tzq –i eth0

This will put ettercap into text mode, it will not ARP scan the network and will be quiet. Only interesting traffic will be displayed as it passes and it will listen on interface eth0 (or em1 or wlan0... use ifconfig to see what is available).

Man In The Middle Attack 

To sniff traffic between 2 hosts the attacker can run the following command from his Linux work station:
# ettercap -i eth0 –T –M arp /victim_ip_A/ /victim_ip_B/

The –i switch is telling ettercap to use a specific interface, in this case eth0, the –T switch is telling ettercap to use the Text interface and the –M switch is telling ettercap to use the Man-in-Middle-Mode (MITM).

Sniffing Multiple Hosts 

Multiple hosts can be sniffed with a command such as:
# ettercap –i eth0 –T –M arp / / /

If traffic to a certain port only, such as Telnet need to be captured the command would look like:
# ettercap –i eth0 –T –M arp / / /

Sniffing All Hosts

To sniff traffic between all hosts on a small network:
# ettercap –T –M arp // //

Depending on the size of the network, this may cause dropped packets and performance issues and an angry IT person may eventually sneak up and hit you with an ugly stick.


  • Sniffing HTTPS
  • Collecting usernames and passwords
  • Injecting traffic
  • OS fingerprinting

Logging The Output

 To log the output of Ettercap you can use the following:
  • -L This will log both the packet detail (filename.ecp) and the info (filename.eci)
  • -l This will log only info (filename.eci)
  • -w Write output to a pcap file (viewable with Wireshark)

The syntax to log the output would be:
# ettercap –T –L filename –qM arp /ip_address_A/ /ip_address_B/

Other useful options:
  • -P use plugin (to view plugins use ettercap –TQ press p to view the plugin menu)
  • -c Compress the output (gzip)

Viewing The Output

The output from ettercap is a standard pcap file and can be viewed using etterlog, tcpdump, wireshark, or sent directly to the screen.

Using Ettercap for Fun and Profit

Ettercap can be used to perform MITM attacks and capture traffic between 2 hosts, just like the good folks at the NSA and GCHQ like to do.

Obviously this traffic can be parsed for useful information using grep.

You could run dsniff on the same PC and LAN card to run the traffic through that.

You could run driftnet to view any pictures that are passing the interface, or you could send the visited URL’s to your browser to see what other LAN users are doing and pretty soon, you will feel like a veritable Eddy Snowden.


Note that the ettercap syntax differs slightly from version to version.

To MITM someone you may need either:
# ettercap -i eth0 –T –M arp /victim_ip_A/ /victim_ip_B/
# ettercap -i eth0 –T –M arp /victim_ip_A/port/ /victim_ip_B/port/

or to MITM everybody:
# ettercap -i eth0 –T –M arp // //
# ettercap -i eth0 –T –M arp /// ///

Thanks to Mohammad Aamir, who spotted a mistake.

Have fun!


No comments:

Post a Comment

On topic comments are welcome. Junk will be deleted.