Answer: An attacker node sends ARP Reply to a victim with a fake identity and corrupts the victim's ARP cache. Next time, when the victim wants to send data to other nodes, packets are received by the attackermode. It can then copy or modify data and forward packet to the target nodes.
2. How does ARP Spoofing work?
Answer: It takes several steps. The key is attacker sending an ARP Reply with fake identity.
1) In a 3-node LAN, node A wants to send packets to node B, but does not know B's MAC. A sends a broadcast ARP Request to find B's MAC.
2) The attacker node C receives ARP Request and saves A's (IP, MAC) in its ARP cache.
3) When B wants to send a packet to A, it first sends a broadcasting ARP Request to find A's MAC.
4) Attacker receives this ARP Request and stores B's (IP, MAC) in its ARP cache.
5) Now the attacker knows both A and B's addresses. It sends an ARP Reply to B with fake identities: Source IP is IP_A, Source MAC is MAC_C. C is telling B: I am A, my MAC is MAC_C.
6) B trusts ARP Reply it received and changes its ARP cache entry (IP_A, MAC_A) to (IP_A, MAC_C).
7) When B wants to send packets to A, it encapsulates the packet.
A. Use IP_A for the network destination address.
B. Use MAC_C for its link destination MAC.
As a result, the packet is received by C, not A.
8) When the attacker receives packets, it can store data then send to A, or modify data before forwarding them to A. This change is transparent to A and B. They are unaware of what has been done by the attacker.
3. Why ARP Spoofing?
Answer: There is an advantage to learn or modify other people's data. For example, military spies, financial transactions. ARP is loosely managed protocol used in LAN, a broadcasting media. It is almost certain that someone soon figure out how to use AR to spoil data..
This article is the FAQ part of an interactive simulation. To play this simulation interactively, click external links listed below.
ARP Spoofing decoded (Listen to ARP Request, fool with ARP Reply, visualized by a simulation)
