Like I already said on my last tips and trick that I will write simple tutorial 4 steps to prevent man in the middle attack ARP Poisoning in LAN.
What is man in the middle attack? according to wikipedia:
In cryptography and computer security is a form of active eavesdropping in which the attacker makes independent connections with the victims and relays messages between them, making them believe that they are talking directly to each other over a private connection, when in fact the entire conversation is controlled by the attacker. The attacker must be able to intercept all messages going between the two victims and inject new ones, which is straightforward in many circumstances (for example, an attacker within reception range of an unencrypted Wi-Fi wireless access point, can insert himself as a man-in-the-middle).
And what is ARP poisoning or ARP spoofing? according to wikipedia:
a technique whereby an attacker sends fake ("spoofed") Address Resolution Protocol (ARP) messages onto a Local Area Network. Generally, the aim is to associate the attacker's MAC address with the IP address of another host (such as the default gateway), causing any traffic meant for that IP address to be sent to the attacker instead.
The man in the middle attack can happen because the attacker modified the ARP table(ARP spoofing) and change the ARP mapping to malicious attacker computer. Here I try to describe using picture(courtesy of: irongeek.com).
If we as a human absolutely we will know who is Alan and who is Brian by recognizing them from their face, but for our computer they depend on the ARP table network mapping (OSI layer 2 and layer 3).
<table border="1" cellpadding="1" cellspacing="1" style="width: 500px;">
Name IP Address MAC Address Alan 192.168.1.2 00-00-00-00-00-00-00-01 Brian 192.168.1.3 00-00-00-00-00-00-00-02 Cracker 192.168.1.88 00-00-00-00-00-00-00-03
So if Alan want to connect to Brian, the computer will translate Brian IP address(192.168.1.3) to its MAC address 00-00-00-00-00-00-00-02. The correct way is should be like that, but because the attacker doing an ARP spoofing or ARP poisoning they will change the ARP mapping. If the network already poisoned, when Alan want to send packet to Brian, Alan will translate Brian(192.168.1.3) with MAC 00-00-00-00-00-00-00-03 and vice versa.
In this tutorial I will show you how the ARP spoofing can be happen and how to prevent it in your own computer so you will not be the victim.
The scenario for today tutorial I will use Windows 7 as victim and Kali Linux as attacker.
Before start, you can download the Static ARP changer tools to change the ARP routing automatically (128% virus free guaranteed)
1. First I will show you my Windows 7 ARP table before poisoned by the attacker
the red box in the picture above is victim router address and router MAC address is xx-xx-xx-5a-26-94. Victim IP address is 192.168.8.100.
Here is the attacker IP and MAC info:
2. When attacker doing ARP spoofing by using arpspoof and attacking the victim:
arpspoof -i eth0 -t 192.168.8.100 -r 192.168.8.8
-i eth0 –> attacker use the eth0 interface to perform the attack.
-t 192.168.8.100 –> attacker targeting the IP address 192.168.8.100.
-r 192.168.8.8 –> attacker will intercept the traffic between -t and -r where -r is the remote host or the router
3. When victim run the arp -a command again in his computer, the router MAC address was changed into the attacker computer.
that's mean every transaction the victim made will go through attacker computer first and then go to the real router. We need to protect the ARP mapping table to make the attacker cannot do this to us.
4. We need to run this command in our Windows PC
arp -s 192.168.8.8 xx-xx-xx-5a-26-94
-s –> add a static ARP table
192.168.8.8 –> your router IP address
xx-xx-xx-5a-26-94 –> your router MAC address
Note: If you get this error "The ARP entry addition failed: Access is denied."
try to run this command to know your interface name:
netsh interface show interface
and then run this command to add static ARP:
netsh interface ip add neighbors "Wireless Network Connection" "192.168.8.8" "xx-xx-xx-5a-26-94"
now when we run again the arp -a command, our ARP table changed to static
and when attacker run ARP spoofing again, our ARP table won't changed because we already make it static 🙂
1. To prevent ARP spoofing and man in the middle attack in your local area network you need to add a static ARP.
2. This trick become troublesome if your router changed frequently, so if you use this prevention method you need to delete the old one and add the new one if it changed
3. You can download and use my Static ARP routing changer to change your ARP static routing automatically
hope you found it useful 🙂