ARP Spoof

2010-08-23T00:00:00
ID SAINT:9EF6CF7E766B7418D0E48DB1040B6A8D
Type saint
Reporter SAINT Corporation
Modified 2010-08-23T00:00:00

Description

Added: 08/23/2010

Background

The Address Resolution Protocol (ARP) is used to resolve IP addresses into the hardware addresses which are used for delivering packets on a local network.

Problem

It is possible to send a computer a forged ARP reply, which is then stored in that computer's cache. This can allow legitimate traffic from that computer to be delivered to an attacker instead of the intended target. This attack is known as ARP Spoofing or ARP Poisoning.

This tool uses ARP Spoofing to conduct a man-in-the-middle attack and capture packets being sent to and from a target.

Resolution

Enable Port Security (also known as MAC Binding) on the network switch.

References

<http://www.rootsecure.net/content/downloads/pdf/arp_spoofing_intro.pdf>

Limitations

This exploit tool requires you to specify the destination host, which is the host you want to impersonate from the target's point of view. The destination host should be a host with which the target frequently communicates, such as its default gateway or its mail server.

Both the target and destination host must be on the same local network as SAINTexploit.

Caution! Incorrect use of this tool could lead to denial of service.

This tool is only supported in Linux, Mac OS, and FreeBSD versions of SAINTexploit.

This tool only captures what is sent over the network. No decryption or protocol analysis is done.

The target host may temporarily lose connectivity to the destination host when this tool is terminated.