Understanding ARP Vulnerabilities and Attack Scenarios: A Case Study on ARP Spoofing and Man-in-the-Middle Attacks

- On the left side is a virtual machine with IP address 192.168.2.21, and on the right side is the host machine with IP address 192.168.2.17.
- Initially, it does not reply to the ping command.
- We will configure the firewall rules to permit ICMP traffic, which ping requires, so that ICMP echo requests and replies are allowed through.
- After allowing it, we can see the ping reply.
The MAC address 08-00-27-f5-e7-df is the MAC address of our virtual machine, and if we check the ARP table of our guest machine, it is shown below.
- Now, we will look at a sample ARP packet capture in Wireshark.
- In the picture above, the sender 192.168.2.17 is asking who has the MAC address of 192.168.2.17 and tells 192.168.2.1.
So, how do we distinguish ARP packets during a packet capture?
- First, we apply an ARP display filter in Wireshark itself. It will show only the matching packets from the capture, and the output will be as below:
When a device wants to communicate with another device on the same LAN, it sends an ARP Request as a broadcast packet to all devices in the network. This request asks, 'Who has this IP address?' The device with the matching IP address then replies with an ARP Reply, which includes its MAC address. The requesting device stores the MAC address in its ARP cache (lookup table) for future communication.
To generate ARP requests from the virtual machine to the host machine, we will initiate an ICMP request by sending a ping command from the host to the virtual machine. This will trigger the virtual machine to send an ARP request in the network to resolve the MAC address corresponding to the IP address of the host machine.
It will first check if an ARP table entry exists for 192.168.2.21. If no entry is found, it will prompt the user to provide the MAC address for 192.168.2.21. Once the MAC address is obtained, it will be added to the ARP table for 192.168.2.1, as shown in the last two lines of the output. In the last line, we can observe the MAC address and IP address of my physical machine (the host machine).
We can also check the ARP entry on both of our machines; the first is shown in the first picture and the second in the second picture.
Every computer maintains an ARP table and uses this table to communicate on the network.
Why can ARP be vulnerable to attacks, given the above experience?
ARP (Address Resolution Protocol) is used to map an IP address to a MAC address within a local area network (LAN). The MAC address, also called the physical address, is used for direct communication between devices on the same network.
Initially, we saw the process of ARP broadcasts, ARP replies, and how they update the ARP table. However, ARP lacks a mechanism to verify the authenticity of the reply packets. This makes the ARP table vulnerable to spoofing attacks. An attacker can use a spoofing tool to intercept an ARP request from a target machine and send a fraudulent ARP reply with their own MAC address. As a result, the victim’s ARP table is updated to associate the target IP with the attacker's MAC address.
This allows the attacker to position themselves as a Man-in-the-Middle (MitM). From this vantage point, the attacker can intercept, read, or modify communication between devices. The attacker can also block or alter messages, leading to data theft or disruption in communication.
Additionally, the attacker can flood the network with a large number of ARP requests, causing network congestion and denial of service (DoS). This can degrade network performance and availability, further disrupting the target's operations.
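As an added example (not part of the original post), the ARP exchange described above replayed in Python against a model ARP cache: it builds and parses Ethernet/ARP frames for the post's two addresses and flags what a real cache silently accepts, an unsolicited reply that rebinds 192.168.2.21 to a different MAC. The VM MAC is the one shown in the post; the host MAC and the attacker MAC are constructed placeholders.

```python
import struct
# Ethernet II header and ARP packet layouts (RFC 826), network byte order.
ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, EtherType
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")  # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP, ARP_REQUEST, ARP_REPLY = 0x0806, 1, 2
BROADCAST = b"\xff" * 6
def mac(s): return bytes.fromhex(s.replace(":", "").replace("-", ""))
def ip(s): return bytes(int(o) for o in s.split("."))
def fmt_mac(b): return ":".join(f"{x:02x}" for x in b)
def fmt_ip(b): return ".".join(str(x) for x in b)
def build_arp(op, sha, spa, tha, tpa):
    """Build an Ethernet frame carrying one ARP packet; requests are broadcast."""
    dst = BROADCAST if op == ARP_REQUEST else mac(tha)
    arp = ARP_HDR.pack(1, 0x0800, 6, 4, op, mac(sha), ip(spa), mac(tha), ip(tpa))
    return ETH_HDR.pack(dst, mac(sha), ETHERTYPE_ARP) + arp
def parse_arp(frame):
    """Return (op, sender MAC, sender IP, target IP), or None for non-ARP frames."""
    _, _, ethertype = ETH_HDR.unpack_from(frame)
    if ethertype != ETHERTYPE_ARP:
        return None
    _, _, _, _, op, sha, spa, _, tpa = ARP_HDR.unpack_from(frame, ETH_HDR.size)
    return op, fmt_mac(sha), fmt_ip(spa), fmt_ip(tpa)
def detect_spoofing(frames):
    """Replay frames against a model ARP cache that, unlike a real host, keeps the
    first binding and reports unsolicited replies and IP-to-MAC changes."""
    cache, pending, alerts = {}, set(), []
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None:
            continue
        op, sender_mac, sender_ip, target_ip = parsed
        if op == ARP_REQUEST:
            pending.add(target_ip)  # a reply from target_ip is now expected
        elif op == ARP_REPLY:
            if sender_ip not in pending:
                alerts.append(f"unsolicited reply: {sender_ip} is-at {sender_mac}")
            pending.discard(sender_ip)
            if sender_ip in cache and cache[sender_ip] != sender_mac:
                alerts.append(f"binding change: {sender_ip} {cache[sender_ip]} -> {sender_mac}")
            cache.setdefault(sender_ip, sender_mac)
    return cache, alerts

# Constructed sample exchange using the post's IPs and VM MAC; HOST and ATTACKER MACs are placeholders.
HOST, VM, ATTACKER = "00:11:22:33:44:55", "08:00:27:f5:e7:df", "de:ad:be:ef:00:01"
SAMPLE = [
    build_arp(ARP_REQUEST, HOST, "192.168.2.17", "00:00:00:00:00:00", "192.168.2.21"),
    build_arp(ARP_REPLY, VM, "192.168.2.21", HOST, "192.168.2.17"),        # genuine reply
    build_arp(ARP_REPLY, ATTACKER, "192.168.2.21", HOST, "192.168.2.17"),  # spoofed reply
]
```

Running detect_spoofing(SAMPLE) returns the cache still bound to the VM's MAC plus two alerts for the third frame; a real host would instead overwrite the entry silently.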
Written by Saurav Chapagain