4 Steps to Prevent Man in the Middle Attack ARP Poisoning in LAN


As I said in my last tips and tricks post, I will write a simple tutorial: 4 steps to prevent man-in-the-middle attacks via ARP poisoning in a LAN.

What is a man-in-the-middle attack? According to Wikipedia:

In cryptography and computer security is a form of active eavesdropping in which the attacker makes independent connections with the victims and relays messages between them, making them believe that they are talking directly to each other over a private connection, when in fact the entire conversation is controlled by the attacker. The attacker must be able to intercept all messages going between the two victims and inject new ones, which is straightforward in many circumstances (for example, an attacker within reception range of an unencrypted Wi-Fi wireless access point, can insert himself as a man-in-the-middle).

And what is ARP poisoning or ARP spoofing? According to Wikipedia:

a technique whereby an attacker sends fake ("spoofed") Address Resolution Protocol (ARP) messages onto a Local Area Network. Generally, the aim is to associate the attacker's MAC address with the IP address of another host (such as the default gateway), causing any traffic meant for that IP address to be sent to the attacker instead.

The man-in-the-middle attack can happen because the attacker modifies the ARP table (ARP spoofing) and changes the ARP mapping to point to the attacker's computer. Here I try to describe it using a picture (courtesy of irongeek.com).

As humans we know who is Alan and who is Brian by recognizing their faces, but our computers depend on the ARP table network mapping (OSI layer 2 and layer 3).

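<table border="1" cellpadding="1" cellspacing="1" style="width: 500px;">
<tr><th>Name</th><th>IP Address</th><th>MAC Address</th></tr>
<tr><td>Alan</td><td>192.168.1.2</td><td>00-00-00-00-00-00-00-01</td></tr>
<tr><td>Brian</td><td>192.168.1.3</td><td>00-00-00-00-00-00-00-02</td></tr>
<tr><td>Cracker</td><td>192.168.1.88</td><td>00-00-00-00-00-00-00-03</td></tr>
</table>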

So if Alan wants to connect to Brian, the computer translates Brian's IP address (192.168.1.3) to its MAC address 00-00-00-00-00-00-00-02. That is how it should work, but an attacker doing ARP spoofing or ARP poisoning changes the ARP mapping. Once the network is poisoned, when Alan wants to send a packet to Brian, Alan's computer translates Brian's address (192.168.1.3) to MAC 00-00-00-00-00-00-00-03, and vice versa.

In this tutorial I will show you how ARP spoofing happens and how to prevent it on your own computer so you will not be the victim.

In today's scenario I will use Windows 7 as the victim and Kali Linux as the attacker.

4 Steps to Prevent Man in the Middle Attack ARP Poisoning in LAN:

Before starting, you can download the Static ARP Changer tool to change the ARP routing automatically (128% virus free guaranteed).

1. First I will show you my Windows 7 ARP table before it is poisoned by the attacker:

arp -a

The red box in the picture above marks the victim's router address; the router's MAC address is xx-xx-xx-5a-26-94. The victim's IP address is 192.168.8.100.

Here is the attacker's IP and MAC info:

2. When the attacker performs ARP spoofing against the victim using arpspoof:

arpspoof -i eth0 -t 192.168.8.100 -r 192.168.8.8

Description:

-i eth0 –> the attacker uses the eth0 interface to perform the attack.

-t 192.168.8.100 –> the attacker targets the IP address 192.168.8.100.

-r 192.168.8.8 –> the attacker intercepts the traffic between -t and -r, where -r is the remote host or the router.

3. When the victim runs the arp -a command again on his computer, the router's MAC address has changed to that of the attacker's computer.

That means all of the victim's traffic goes through the attacker's computer first and then on to the real router. We need to protect the ARP mapping table so the attacker cannot do this to us.

4. We need to run this command on our Windows PC:

arp -s 192.168.8.8 xx-xx-xx-5a-26-94

Description:

-s –> add a static ARP table entry

192.168.8.8 –> your router IP address

xx-xx-xx-5a-26-94 –> your router MAC address

Note: If you get the error "The ARP entry addition failed: Access is denied.", run this command to find your interface name:

netsh interface show interface

and then run this command to add the static ARP entry:

netsh interface ip add neighbors "Wireless Network Connection" "192.168.8.8" "xx-xx-xx-5a-26-94"

Now when we run the arp -a command again, our ARP table entry has changed to static,

and when the attacker runs ARP spoofing again, our ARP table won't change because we already made it static 🙂
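A check for the result of steps 3 and 4, as an added example that is not part of the original tutorial: it parses arp -a output and reports when the router's MAC differs from the one you recorded, when the entry is still dynamic, or when another IP shares the router's MAC. The sample tables, the MAC values and the 192.168.8.99 host are constructed for illustration, and the parser assumes the Windows column layout with a single interface section.

```python
import re
from collections import defaultdict

# One data row of Windows `arp -a` output: IP, MAC, entry type.
ROW = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+"
                 r"((?:[0-9a-f]{2}-){5}[0-9a-f]{2})\s+(static|dynamic)\s*$", re.I)

def parse_arp_table(text):
    """Return {ip: (mac, type)}; assumes a single 'Interface:' section."""
    table = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            table[m.group(1)] = (m.group(2).lower(), m.group(3).lower())
    return table

def check_gateway(text, gateway_ip, pinned_mac):
    """Return a list of findings; an empty list means nothing suspicious."""
    table = parse_arp_table(text)
    if gateway_ip not in table:
        return ["gateway %s is not in the ARP table" % gateway_ip]
    mac, kind = table[gateway_ip]
    findings = []
    if mac != pinned_mac.lower():
        findings.append("gateway MAC is %s, expected %s" % (mac, pinned_mac.lower()))
    if kind != "static":
        findings.append("gateway entry is dynamic, so ARP replies can overwrite it")
    # Two IPs resolving to one unicast MAC is what a poisoned table looks like.
    by_mac = defaultdict(list)
    for ip, (m, _) in table.items():
        if int(m[:2], 16) & 1 == 0:      # skip multicast/broadcast MACs
            by_mac[m].append(ip)
    others = [ip for ip in by_mac.get(mac, []) if ip != gateway_ip]
    if others:
        findings.append("MAC %s is also claimed by %s" % (mac, ", ".join(sorted(others))))
    return findings

# Constructed sample data (addresses and MACs are made up for this example).
PINNED = "02-00-00-00-00-01"
TEMPLATE = """Interface: 192.168.8.100 --- 0xb
  Internet Address      Physical Address      Type
  192.168.8.8           %s     %s
  192.168.8.99          02-00-00-00-00-99     dynamic
  192.168.8.255         ff-ff-ff-ff-ff-ff     static
"""
POISONED = TEMPLATE % ("02-00-00-00-00-99", "dynamic")   # table as in step 3
PROTECTED = TEMPLATE % (PINNED, "static")                # table after step 4

if __name__ == "__main__":
    for name, sample in (("poisoned", POISONED), ("protected", PROTECTED)):
        print(name, check_gateway(sample, "192.168.8.8", PINNED) or "OK")
```

Run it against saved arp -a output after a reboot or a network change to confirm the router entry is still static and still matches the MAC you recorded.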

Conclusions:

1. To prevent ARP spoofing and man-in-the-middle attacks in your local area network, you need to add a static ARP entry.

2. This trick becomes troublesome if your router changes frequently, so if you use this prevention method you need to delete the old entry and add the new one whenever it changes.

3. You can download and use my Static ARP routing changer to change your ARP static routing automatically.

Hope you found it useful 🙂

Blogger at hacking-tutorial.com. Love PHP, offensive security and web. Contact him at me[-at-]vishnuvalentino.com

Website: http://www.vishnuvalentino.com

  • Devashish

    I did all the steps as written. My gateway changes to static. However, after a couple of days I again checked it up and it was again showing as dynamic. I again repeated all the steps and it said entry already exists. However, my gateway again changed to static. Any pointers?

    • v4L

      #Devashish

      Hmm… I have never met this kind of problem… usually when you already make it static it will remain the same.

      If you have more than one network interface (e.g. LAN card, Wireless, USB Wireless, etc.), you need to make it static separately.

  • Eman

    How can I revert to default settings?

    • Eman

      And it works :)… Forgot to say thanks, Thank you so much for this tutorial…

    • Mohamed

      try rebooting
      it always works 🙂

  • Hosam

    Must the attacker be in the same network, or could he access from anywhere?