Understanding ARP Attacks: A Guide for Aspiring Cybersecurity Experts

Chapter 1: Introduction to Networking and ARP

Let's face it: many individuals venturing into this field find the networking component of penetration testing to be particularly dull and tiresome. Mastering the basics is essential, though. The hope is that articles like this can make the process a bit more engaging and perhaps even enjoyable.

In this piece, we’ll explore how data is transmitted across the internet and how to exploit this transmission method using readily available tools. Additional resources will also be provided for you to delve into at your convenience.

Feel free to reach out with any inquiries you might have, no matter how trivial you think they are. Just drop me a note, and I’ll respond as soon as possible.

Let's dive in!

Packets

The internet is fundamentally structured to facilitate the rapid transfer of information. Regardless of its complexity, all data is decomposed into packets.

That’s the crux of it: countless packets.

These packets can be intricate and tedious. For this discussion, we’ll focus solely on the key fields:

  • Destination MAC Address: This is the physical address of the Network Interface Card (NIC) the packet is addressed to. Note that a single machine can have multiple MAC addresses, both physical and virtual. MAC addresses only matter for locating a device within a Directly Connected Network, which is essentially your local network, where routers use MAC addresses to direct traffic.
  • Source MAC Address: This represents the NIC that created and dispatched the packet.
  • Destination IP Address: A numerical identifier (32 bits for IPv4 or 128 bits for IPv6) indicating the network of the target computer. Once the packet reaches that network, routers deliver it using the destination MAC address.
  • Source IP Address: This is the IP address of the machine that generated and sent the packet.
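As an added example (not code from the article), the following Python pulls those four fields out of a raw frame: it decodes the 14-byte Ethernet II header, and when the EtherType says IPv4, validates the header checksum before reading the two IP addresses. The sample frame and every address in it are constructed for the example.

```python
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional

# Constructed sample: an Ethernet II frame carrying a minimal IPv4 header (no options,
# no payload). All addresses are made up for illustration.
SAMPLE_FRAME = bytes.fromhex(
    "aabbccddeeff"  # destination MAC: the NIC this frame is addressed to
    "112233445566"  # source MAC: the NIC that emitted the frame
    "0800"          # EtherType 0x0800 = IPv4
    "4500"          # version 4, IHL 5 (20-byte header), TOS 0
    "0014"          # total length 20
    "0001" "0000"   # identification 1, flags/fragment offset 0
    "40" "06"       # TTL 64, protocol 6 (TCP)
    "aed6"          # header checksum (computed for this constructed header)
    "c0a80164"      # source IP 192.168.1.100
    "0a000001"      # destination IP 10.0.0.1
)


@dataclass
class FrameSummary:
    dst_mac: str
    src_mac: str
    ethertype: int
    src_ip: Optional[str]  # only set when the payload is IPv4
    dst_ip: Optional[str]


def mac_to_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ipv4_checksum_ok(header: bytes) -> bool:
    """One's-complement sum of all 16-bit header words (checksum included) must be 0xFFFF (RFC 791)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF


def parse_frame(frame: bytes) -> FrameSummary:
    """Extract the two MAC addresses and, for IPv4, the two IP addresses from a frame."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet II header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    src_ip = dst_ip = None
    if ethertype == 0x0800:
        if len(frame) < 34:
            raise ValueError("IPv4 header truncated")
        ihl = (frame[14] & 0x0F) * 4  # header length in bytes
        if frame[14] >> 4 != 4 or ihl < 20 or len(frame) < 14 + ihl:
            raise ValueError("malformed IPv4 header")
        header = frame[14:14 + ihl]
        if not ipv4_checksum_ok(header):
            raise ValueError("IPv4 header checksum mismatch")
        src_ip = str(ipaddress.IPv4Address(header[12:16]))
        dst_ip = str(ipaddress.IPv4Address(header[16:20]))
    return FrameSummary(mac_to_str(dst), mac_to_str(src), ethertype, src_ip, dst_ip)


if __name__ == "__main__":
    print(parse_frame(SAMPLE_FRAME))
```

The checksum step is the reason to parse rather than slice: a frame whose header checksum does not verify should be counted as malformed, not trusted for its addresses.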

For an in-depth understanding, the Internet Assigned Numbers Authority (IANA) allocates internet resources to five Regional Internet Registries (RIRs), which are responsible for different geographic areas. These RIRs further assign resources to Local Internet Registries (LIRs), commonly known as Internet Service Providers (ISPs), who in turn distribute them to businesses and individuals. More information can be found in RFC 7020.

ARP and ARP Tables

The Address Resolution Protocol (ARP) is the foundational protocol that lets devices on a local network find one another. ARP makes sure packets reach their intended destination when a host knows a neighbour's IP address but not yet the MAC address it must put in the frame.

Each host keeps a registry of the other hosts on its network, recording the current mapping of IP addresses to MAC addresses. This data structure is known as an ARP table or ARP cache.

The method by which ARP tables are populated is inherently vulnerable to a straightforward attack known as ARP Poisoning (also called ARP spoofing).

ARP Poisoning Methodology

I firmly believe in grasping the underlying methodology rather than merely following a strict set of commands that lack context. Therefore, I’ll share some current tools that could inspire you to devise alternative methods to achieve your objectives.

  • Access: First and foremost, you need access to the network. This doesn't have to be physical access; a shell on a machine that is directly connected to the target segment is enough.
  • Intelligence: With access secured, you’ll need extensive information about the network you’re targeting. Gather as much intelligence as possible; you can never have too much. A suggested approach is to start with quick tools to establish a working model, gather initial information, and begin manual enumeration on endpoints. Concurrently, you can run slower brute-force and fuzzing processes while you manually investigate. Always remember: speed equals noise.
  • ARP Poisoning Phase One: Begin broadcasting ARP messages or wait for requests to be sent. Your objective is to have the target machines' ARP caches map the router's IP address to your MAC address, so they treat your machine as the router. Useful tools include dsniff, Wireshark, ettercap, arpspoof, and Driftnet.
  • Chain Your Attacks: At this stage, stay focused on your goals. Whether you seek a shell for penetration testing or a bug bounty, your objectives should guide your methodology. If your activities fall within the scope of pentesting and phishing, monitor the sites accessed by specific machines to tailor your social engineering and spear-phishing strategies. If you're after bounties, adapt accordingly and ensure you get compensated. If you aim to simply collect packets, proceed as you wish. Tools like Wireshark, ettercap, mitmproxy, and urlsnarf can be beneficial here.
  • Clean Up: This phase is crucial. If you fail to restore valid values to the ARP tables after your activities, the poisoned machines will lose internet access. The worst-case scenario is losing your foothold in the network, raising suspicions with the IT team. Use your tools judiciously to exit gracefully. Arpspoof can assist with automatic cleanup.
  • Process Data: While beyond the scope of this article, I will mention that data can provide new and often unexpected insights.
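The flip side of the "ARP and ARP Tables" section and the "Phase One" step above is how a defender notices the poisoning. As an added example (not code from the article or from any tool it names), the following Python decodes ARP frames from the wire format and runs a small passive monitor, in the spirit of arpwatch, over a constructed three-frame exchange: a broadcast request, the gateway's legitimate reply, and an unsolicited reply from a third NIC claiming the gateway's IP. All addresses, frame contents and helper names are assumptions made up for the example.

```python
import ipaddress
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
# htype, ptype, hlen, plen, oper, sender MAC, sender IP, target MAC, target IP (28 bytes)
ARP_STRUCT = struct.Struct("!HHBBH6s4s6s4s")


@dataclass
class ArpPacket:
    opcode: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


def mac_to_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_arp_frame(frame: bytes) -> ArpPacket:
    """Decode an Ethernet II frame carrying Ethernet/IPv4 ARP; anything else is rejected."""
    if len(frame) < 14 + ARP_STRUCT.size:
        raise ValueError("frame too short for Ethernet + ARP")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_ARP:
        raise ValueError(f"not an ARP frame (EtherType 0x{ethertype:04x})")
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = ARP_STRUCT.unpack(frame[14:14 + ARP_STRUCT.size])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("only Ethernet/IPv4 ARP is handled here")
    return ArpPacket(oper, mac_to_str(sha), str(ipaddress.IPv4Address(spa)),
                     mac_to_str(tha), str(ipaddress.IPv4Address(tpa)))


class ArpMonitor:
    """Passive observer: keeps its own IP->MAC table and flags replies that look like poisoning."""

    def __init__(self) -> None:
        self.table: Dict[str, str] = {}             # first MAC seen for each IP
        self.pending: Set[Tuple[str, str]] = set()  # (asking IP, asked-about IP) from requests
        self.alerts: List[str] = []

    def observe(self, pkt: ArpPacket) -> List[str]:
        new_alerts: List[str] = []
        if pkt.opcode == ARP_REQUEST:
            self.pending.add((pkt.sender_ip, pkt.target_ip))
            return new_alerts
        if pkt.opcode != ARP_REPLY:
            return new_alerts
        # Rule 1: a reply that answers no outstanding request. Hosts accept such replies
        # anyway, which is exactly what makes cache poisoning work, so they deserve a look.
        key = (pkt.target_ip, pkt.sender_ip)
        if key in self.pending:
            self.pending.discard(key)
        else:
            new_alerts.append(f"unsolicited ARP reply: {pkt.sender_ip} is-at {pkt.sender_mac}")
        # Rule 2: the MAC claimed for a known IP differs from the binding seen first.
        known = self.table.get(pkt.sender_ip)
        if known is None:
            self.table[pkt.sender_ip] = pkt.sender_mac
        elif known != pkt.sender_mac:
            new_alerts.append(f"MAC change for {pkt.sender_ip}: {known} -> {pkt.sender_mac}")
        self.alerts.extend(new_alerts)
        return new_alerts


def build_arp_frame(opcode: int, sender_mac: str, sender_ip: str,
                    target_mac: str, target_ip: str, eth_dst: str) -> bytes:
    """Build a frame in memory; used only to create sample traffic for the monitor."""
    sha, tha, dst = (bytes.fromhex(m.replace(":", "")) for m in (sender_mac, target_mac, eth_dst))
    spa, tpa = ipaddress.IPv4Address(sender_ip).packed, ipaddress.IPv4Address(target_ip).packed
    return dst + sha + struct.pack("!H", ETHERTYPE_ARP) + ARP_STRUCT.pack(1, 0x0800, 6, 4, opcode, sha, spa, tha, tpa)


# Constructed addresses for the walk-through (not from any real network).
GATEWAY_IP, GATEWAY_MAC = "192.168.1.1", "00:11:22:33:44:55"
HOST_IP, HOST_MAC = "192.168.1.100", "aa:bb:cc:dd:ee:01"
ROGUE_MAC = "66:77:88:99:aa:bb"
BROADCAST, ZERO_MAC = "ff:ff:ff:ff:ff:ff", "00:00:00:00:00:00"

SAMPLE_FRAMES = [
    # 1. the host asks who has the gateway address (broadcast request)
    build_arp_frame(ARP_REQUEST, HOST_MAC, HOST_IP, ZERO_MAC, GATEWAY_IP, BROADCAST),
    # 2. the real gateway answers
    build_arp_frame(ARP_REPLY, GATEWAY_MAC, GATEWAY_IP, HOST_MAC, HOST_IP, HOST_MAC),
    # 3. a third NIC later claims the gateway IP without being asked
    build_arp_frame(ARP_REPLY, ROGUE_MAC, GATEWAY_IP, HOST_MAC, HOST_IP, HOST_MAC),
]


def run_sample(frames: Optional[List[bytes]] = None) -> List[str]:
    """Feed a frame list through a fresh monitor and return every alert it raised."""
    monitor = ArpMonitor()
    for frame in SAMPLE_FRAMES if frames is None else frames:
        monitor.observe(parse_arp_frame(frame))
    return monitor.alerts


if __name__ == "__main__":
    for line in run_sample():
        print(line)
```

The third frame trips both rules, which is the signature the "Clean Up" step is trying to erase: once the attacker stops, the gateway's own replies show up as a second "MAC change" back to the original binding. Gratuitous ARP from a host that rebooted or renewed its DHCP lease trips the same rules, so a production monitor pairs this logic with a list of known gateway MACs rather than alerting on every flip.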

A Brief Interlude

Before wrapping up, I want to share information about a Cloud Storage Provider called Sync. They offer exceptional plans, including unlimited cloud storage at competitive prices. If storage is a concern for your personal projects or business needs, consider exploring this affiliate link below. It helps me create higher-quality content while saving you time in your search for reliable cloud storage solutions.

Sync — Cloud Storage Done Right

Conclusion

ARP spoofing is a valuable introduction to some of the intricate mechanisms and protocols we must understand to gain access to networks and earn rewards. It’s essential to learn this material to improve your skills, and there’s no better time than now to start. However, remember that you don’t have to learn everything at once. If you can grasp it all within a few weeks, great; but many find it challenging due to its tedious nature.

Please Read Below

Content Creation / Opportunities — I, along with Digital Jailbreak, am available for commercial content creation requests. We would be thrilled to help you produce high-quality content at a reasonable price. Feel free to drop me a private note, and I will respond promptly.

A note to non-members: Medium is an incredible platform filled with valuable information for everyone. Consider subscribing; it supports content creators and benefits you significantly.

Sources:

This video explains how ARP poisoning works as a form of a Man-in-the-Middle attack, showcasing the vulnerabilities that can be exploited.

In this video, John Strand
