
MAN-IN-THE-MIDDLE

ARP POISONING ATTACK

DATA PRIVACY AND SECURITY COURSE


A.A. 2023-2024
SIMONE GUARINO
GUARINOS@LUISS.IT
ARP PROTOCOL

Suppose that A wants to send a message to C. The message is encapsulated in a TCP segment (for
example) and then in an IP datagram with the destination 222.222.222.222.
Lastly, the datagram has to be encapsulated in a frame (in order to be written on the communication
cable): but what is the destination MAC address?
ARP PROTOCOL

• Every host has the so-called ARP table in its memory which contains mappings
of IP addresses to MAC addresses.

• But what happens if the ARP table is empty? → ARP protocol


• The sender uses the ARP protocol to resolve the address
ARP PROTOCOL
• The purpose of the ARP query packet is to query all the other hosts on the same
network to determine the MAC address corresponding to the IP address that has to
be resolved.
• Host A encapsulates an ARP query in a datalink frame sent to broadcast
(FF:FF:FF:FF:FF:FF). In this query A asks for the MAC address of the host which
has the IP address 222.222.222.222.
• C, which has that specific IP address, responds with an ARP reply providing its own
MAC address (49-BD-D2-C7-56-2A)
ARP POISONING

• It is a well-known cyber attack which corrupts the ARP tables of the two
victims. The attacker sends the victims ARP replies which associate the IP
addresses of the two victims with the MAC address of the attacker. In this way
the attacker can see all the traffic passing between the two victims (MAN IN
THE MIDDLE).
NORMAL CONDITION (BEFORE THE ATTACK)
BAD CONDITION (AFTER THE ATTACK)

Every packet exchanged between A and B will actually be sent to the attacker C, which can see all
the non-encrypted traffic (like passwords typed on an HTTP website) and possibly modify the
payload of the packets!
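A defensive check for the condition described above, as an added example that is not part of the original slides: it parses ARP frames and flags the two symptoms of a poisoned segment, an IP address moving to a different MAC and one MAC answering for several IPs. Only 222.222.222.222 and 49-BD-D2-C7-56-2A come from the slides; host A's addresses and the third host's MAC are constructed sample values.

```python
import struct
from collections import defaultdict

def mac(b): return "-".join(f"{x:02X}" for x in b)
def ip(b): return ".".join(str(x) for x in b)

def build_reply(sha, spa, tha, tpa):
    """Build an Ethernet + ARP reply frame (used only to construct sample input)."""
    eth = tha + sha + struct.pack("!H", 0x0806)
    return eth + struct.pack("!HHBBH", 1, 0x0800, 6, 4, 2) + sha + spa + tha + tpa

def parse_arp(frame):
    """Return (sender_mac, sender_ip) for an IPv4-over-Ethernet ARP frame, else None."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    htype, ptype, hlen, plen, _oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return mac(frame[22:28]), ip(frame[28:32])

def detect(frames):
    """Alert when an IP moves to a new MAC or one MAC answers for several IPs."""
    ip_to_mac, mac_to_ips, alerts = {}, defaultdict(set), []
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None:
            continue
        sha, spa = parsed
        old = ip_to_mac.get(spa)
        if old is not None and old != sha:
            alerts.append(("REBIND", spa, old, sha))
        ip_to_mac[spa] = sha
        mac_to_ips[sha].add(spa)
        if len(mac_to_ips[sha]) == 2:  # second IP seen for this MAC
            alerts.append(("MULTI_IP", sha, tuple(sorted(mac_to_ips[sha]))))
    return alerts

# Constructed sample traffic; only 222.222.222.222 / 49-BD-D2-C7-56-2A are from the slides.
A_MAC, A_IP = bytes.fromhex("1A23F9CD069B"), bytes([222, 222, 222, 220])
C_MAC, C_IP = bytes.fromhex("49BDD2C7562A"), bytes([222, 222, 222, 222])
X_MAC = bytes.fromhex("020000000066")  # third host on the segment
NORMAL = [build_reply(C_MAC, C_IP, A_MAC, A_IP), build_reply(A_MAC, A_IP, C_MAC, C_IP)]
POISONED = NORMAL + [build_reply(X_MAC, C_IP, A_MAC, A_IP),
                     build_reply(X_MAC, A_IP, C_MAC, C_IP)]

if __name__ == "__main__":
    for alert in detect(POISONED):
        print(alert)
```

The same two rules apply to the output of `arp -a` on a host: two IP addresses listed with the same MAC is the sign to look for.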
INSTALL MININET AND XTERM

• Open terminal
• Run: «sudo apt-get install mininet»
• Then, run: «sudo apt-get -y install openvswitch-testcontroller»
• Then, run: «sudo apt-get install xterm»
INSTALL MININET AND XTERM

• Run the Mininet Python code


• Open terminals with xterm
• ifconfig to print network information (IP address and MAC address)
• ping command to verify the connection and to fill the ARP table
• arp -a to show the ARP table
Open ettercap
Run ARP poisoning
During the ARP poisoning, all the ICMP packets between h1 and h3 pass through the hacker
