Over Ethernet, data is transferred in frames that carry source and destination MAC addresses. The destination MAC address for a given IP is discovered by broadcasting an ARP Request.
When a machine receives an ARP Reply packet, it updates its ARP cache (the mapping of IP to MAC address), irrespective of whether it ever sent an ARP Request.
So if a victim host receives an ARP Reply containing a valid destination IP (a router, server, etc.) paired with the attacker's MAC address… voilà… the victim's machine has been poisoned.
Now you are free to perform:
- MIM – Man in the Middle attack
- Broadcasting – set the destination MAC to ff:ff:ff:ff:ff:ff. On a switched network, you will receive the packets sent by the victim.
- DoS – set the destination MAC to an invalid MAC. Packets are dropped.
- Hijacking – after the victim has connected to a server (via telnet), perform MIM to hijack the session.
- Cloning – DoS the victim machine → spoof your own MAC and IP as the victim's → receive all of its packets.
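The mechanism described above (a host accepts an ARP Reply whether or not it asked for one) is also what a defender watches for. The following is an added example, not code from the original post or from any of the tools it names: a small passive monitor in plain Python that parses raw Ethernet/ARP frames, remembers which requests were seen and which IP-to-MAC mapping was learned first, and alerts on replies nobody requested and on an IP that suddenly claims a different MAC. All addresses and the three-frame capture are constructed for the demo.

```python
"""Passive detection of ARP cache poisoning from raw Ethernet/ARP frames.

Added example, not part of the original post. The three frames in CAPTURE
are constructed for the demo; every address in them is made up.
"""
from __future__ import annotations

import struct
from dataclasses import dataclass

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


@dataclass
class ArpPacket:
    eth_src: str  # source MAC in the Ethernet header
    oper: int     # 1 = request, 2 = reply
    sha: str      # sender hardware (MAC) address
    spa: str      # sender protocol (IP) address
    tpa: str      # target protocol (IP) address


def parse_frame(frame: bytes) -> ArpPacket | None:
    """Parse a 14-byte Ethernet header plus a 28-byte IPv4-over-Ethernet ARP body.
    Returns None for anything else, so the monitor can be fed an unfiltered capture."""
    if len(frame) < 42:
        return None
    _dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, oper, sha, spa, _tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return ArpPacket(mac_str(src), oper, mac_str(sha), ip_str(spa), ip_str(tpa))


class ArpMonitor:
    """Tracks outstanding requests and first-seen IP-to-MAC mappings."""

    def __init__(self) -> None:
        self.table: dict[str, str] = {}             # ip -> mac, first seen wins
        self.pending: set[tuple[str, str]] = set()  # (requester ip, asked-for ip)

    def observe(self, pkt: ArpPacket) -> list[str]:
        alerts: list[str] = []
        # Ethernet source and ARP sender field should agree; a mismatch is a
        # common sign of a crafted frame.
        if pkt.eth_src != pkt.sha:
            alerts.append(f"header mismatch: eth src {pkt.eth_src} vs ARP sender {pkt.sha}")
        if pkt.oper == ARP_REQUEST:
            self.pending.add((pkt.spa, pkt.tpa))
        elif pkt.oper == ARP_REPLY:
            key = (pkt.tpa, pkt.spa)  # did the target actually ask about the sender?
            if key in self.pending:
                self.pending.discard(key)
            elif pkt.spa == pkt.tpa:
                # Gratuitous announcements are legitimate on boot/failover: log, low severity.
                alerts.append(f"gratuitous announcement: {pkt.spa} is-at {pkt.sha}")
            else:
                alerts.append(f"unsolicited reply: {pkt.spa} is-at {pkt.sha} sent to {pkt.tpa}")
        # Requests and replies both carry a sender mapping; compare it with the
        # first-seen one instead of blindly overwriting, as a host's cache would.
        known = self.table.setdefault(pkt.spa, pkt.sha)
        if known != pkt.sha:
            alerts.append(f"mapping change: {pkt.spa} was {known}, now {pkt.sha}")
        return alerts


# Constructed demo capture, 42 bytes per frame. Victim 192.168.1.10 is
# 00:11:22:33:44:10, gateway 192.168.1.1 is 00:11:22:33:44:01, rogue
# station is de:ad:be:ef:00:01.
CAPTURE = [
    # 1. victim broadcasts "who has 192.168.1.1?"
    bytes.fromhex("ffffffffffff 001122334410 0806 0001 0800 06 04 0001 "
                  "001122334410 c0a8010a 000000000000 c0a80101"),
    # 2. the real gateway answers: solicited and consistent
    bytes.fromhex("001122334410 001122334401 0806 0001 0800 06 04 0002 "
                  "001122334401 c0a80101 001122334410 c0a8010a"),
    # 3. a reply nobody asked for, claiming 192.168.1.1 from the rogue MAC
    bytes.fromhex("001122334410 deadbeef0001 0806 0001 0800 06 04 0002 "
                  "deadbeef0001 c0a80101 001122334410 c0a8010a"),
]


def run_demo(frames: list[bytes] = CAPTURE) -> list[str]:
    """Feed frames through one monitor and return every alert raised."""
    mon = ArpMonitor()
    alerts: list[str] = []
    for raw in frames:
        pkt = parse_frame(raw)
        if pkt is not None:
            alerts.extend(mon.observe(pkt))
    return alerts


if __name__ == "__main__":
    for alert in run_demo():
        print("ALERT", alert)
```

In the demo the third frame raises two alerts, one for the unsolicited reply and one for the gateway IP changing MAC; the first two frames are silent. Fed from a pcap reader or a raw socket, the same logic is what tools like arpwatch apply to a live segment, and static ARP entries for the gateway or Dynamic ARP Inspection on the switch are the usual mitigations for the poisoning it detects.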
ARPOISON – creates ARP Replies.
WinArpSpoofer – a program to manipulate the ARP table of another computer on a LAN. In particular, by changing the ARP table of a router, this program can in effect pull all packets on the local area network. After pulling and collecting all packets, it has a function that can forward them to the router (gateway). If you run this program together with any sniffer program, you can even get and see all user IDs/passwords on the switched network.
“Ettercap is a suite for man in the middle attacks on LAN. It features sniffing of live connections, content filtering on the fly and many other interesting tricks. It supports active and passive dissection of many protocols (even ciphered ones) and includes many features for network and host analysis.”
root@~]# ettercap -T -q -M arp /192.168.4-9/ -w output.packets
-T text mode
-q don’t print raw packet dumps
-M man in the middle (use ARP as opposed to ICMP redirection, so we specify the type)
/target/ of the form /220.127.116.11/ or /18.104.22.168-255/
-w output.packets write all data to a pcap file