Unmasking the Shadows: A Fictional Tale of ARP Spoofing

Safiullah Khan
4 min read, Feb 28, 2024


Attack Scenario:

SecurityWithBlue is a fictional cybersecurity company with thousands of employees. An attacker has gained unauthorized entry to its premises and has connected a laptop to an unused port on a switch, which gives them access to the company's internal network. On that network sits a central server holding critical proprietary data. The story unfolds as the SecurityWithBlue security team detects the unusual activity and launches an investigation. With the help of cybersecurity experts, they quickly identify the ARP spoofing (ARP cache poisoning) attack and implement countermeasures to protect the network.

How the SecurityWithBlue team analyzes the attack using Wireshark is given below.

What is MITM Attack and ARP Cache Poisoning?

A man-in-the-middle (MITM) attack is a form of cyberattack in which an attacker inserts themselves between two parties in a communication channel, so that traffic each party believes goes directly to the other is in fact relayed through the attacker, who can read or alter it. The position can be obtained by exploiting weak web-based protocols or, as in this story, by abusing a link-layer protocol such as ARP on the local network.

None of the parties sending email, texting, or talking on a video call is aware that an attacker has inserted themselves into the conversation and is stealing their data.

ARP Cache Poisoning

The Address Resolution Protocol (ARP) is used to discover the link-layer address, such as a media access control (MAC) address, associated with a given internet-layer address. ARP matters because it maps an Internet Protocol (IP) address to the MAC address that owns it on the local network; every frame a host sends to a neighbour or to its gateway depends on that mapping being right. ARP has no authentication: a host accepts whatever IP-to-MAC mapping a reply carries.

In this scheme, the victim's computer is fed false information by the attacker and tricked into thinking that the attacker's computer is the network gateway. From then on the victim's computer sends all of its traffic for other networks to the attacker's MAC address instead of to the real gateway. Typically the attacker poisons the gateway's cache in the same way, so that return traffic also passes through them, and forwards the packets on so that the victim notices nothing. The attacker then inspects the diverted traffic for anything of value, such as personally identifiable information (PII) submitted from the browser.
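
To make the mechanism concrete, here is an added example (not code from the article): a toy model of two hosts' ARP caches that processes the exchange described above, once with the usual behaviour of accepting any reply and once in a "strict" mode that stands in for a static entry or switch-side inspection. The hosts' IP and MAC addresses are constructed for the demo; the attacker MAC 08:00:27:10:b8:d0 is the one the article's capture shows.

```python
# Added example, not from the original article: a toy model of an ARP cache
# showing why one unsolicited reply is enough to redirect a victim's traffic,
# and what changes when a host refuses replies it never asked for.
# All IP and MAC addresses below are constructed for the demo.
from dataclasses import dataclass, field

REQUEST, REPLY = 1, 2


@dataclass
class ArpPacket:
    opcode: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


@dataclass
class Host:
    ip: str
    mac: str
    strict: bool = False                        # refuse replies that match no pending request
    cache: dict = field(default_factory=dict)   # ip -> mac, as "arp -a" would show it
    pending: set = field(default_factory=set)   # IPs this host has asked about
    alerts: list = field(default_factory=list)

    def resolve(self, ip):
        """Emit the broadcast request a host sends before first contacting ip."""
        self.pending.add(ip)
        return ArpPacket(REQUEST, self.mac, self.ip, "00:00:00:00:00:00", ip)

    def receive(self, pkt):
        """Process one ARP packet; return the reply to send, if any."""
        if pkt.opcode == REQUEST and pkt.target_ip == self.ip:
            # RFC 826 behaviour: learn the requester's mapping, then answer.
            self.cache[pkt.sender_ip] = pkt.sender_mac
            return ArpPacket(REPLY, self.mac, self.ip, pkt.sender_mac, pkt.sender_ip)
        if pkt.opcode == REPLY and pkt.target_mac == self.mac:
            if self.strict and pkt.sender_ip not in self.pending:
                self.alerts.append(f"ignored unsolicited claim {pkt.sender_ip} -> {pkt.sender_mac}")
                return None
            old = self.cache.get(pkt.sender_ip)
            if old is not None and old != pkt.sender_mac:
                self.alerts.append(f"{pkt.sender_ip} changed {old} -> {pkt.sender_mac}")
            # Plain ARP has no authentication: whoever replied last wins.
            self.cache[pkt.sender_ip] = pkt.sender_mac
            self.pending.discard(pkt.sender_ip)
        return None


def run_scenario(strict=False):
    """Victim resolves the gateway legitimately, then the attacker poisons both sides."""
    victim = Host("192.168.56.103", "08:00:27:03:03:03", strict)
    gateway = Host("192.168.56.1", "08:00:27:01:01:01", strict)
    attacker_mac = "08:00:27:10:b8:d0"

    # 1. Normal resolution: victim asks for the gateway, gateway answers.
    victim.receive(gateway.receive(victim.resolve(gateway.ip)))

    # 2. Poisoning: one unsolicited reply to each side, claiming the other
    #    side's IP for the attacker's own MAC.
    victim.receive(ArpPacket(REPLY, attacker_mac, gateway.ip, victim.mac, victim.ip))
    gateway.receive(ArpPacket(REPLY, attacker_mac, victim.ip, gateway.mac, gateway.ip))
    return victim, gateway


def next_hop(victim, gateway):
    """Where each side will now send frames meant for the other."""
    return victim.cache.get(gateway.ip), gateway.cache.get(victim.ip)


if __name__ == "__main__":
    for mode in (False, True):
        v, g = run_scenario(strict=mode)
        print("strict" if mode else "default", next_hop(v, g), v.alerts, g.alerts)
```

In the default mode both caches end up pointing at 08:00:27:10:b8:d0, so victim-to-gateway and gateway-to-victim frames both reach the attacker, who only has to forward them. The strict mode still trusts the sender fields of requests (the gateway learned the victim's MAC from the request), which is why real defences rely on static entries for critical hosts or on the switch validating IP/MAC pairs rather than on the host's own ARP logic; real operating systems also differ in exactly when they accept an unsolicited reply, and the model does not reproduce any particular one.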

Analyzing an ARP spoofing attack in Wireshark involves looking for unusual ARP patterns and mismatched ARP information: one IP address answered by two different MAC addresses, or a single host resolving far more addresses than it has any reason to talk to.

First we look at the ARP request packets using the display filter arp.opcode == 1. This filter acts like a sieve, letting only ARP requests through and excluding all other traffic in the capture.

With only requests shown, a single IP address, 192.168.56.111, is asking for the MAC addresses of every other IP on the subnet in turn. A normal host resolves only the few addresses it talks to, so a host sweeping the whole range like this is mapping the network before picking its targets, and we treat 192.168.56.111 as the attacker.

Next we filter for ARP replies with arp.opcode == 2, which shows only reply packets and excludes all other traffic, including ARP requests and other protocols.

The figure above shows only the replies, each answering a request for a MAC address. What to compare here is the MAC address each IP answers with: the same IP answering from two different MAC addresses at different points in the capture is the signature of poisoning.

Filter for ARP Replies with Different MAC Addresses:

The filter arp.opcode == 2 && eth.src != arp.src.hw_mac captures reply packets where the source MAC address in the Ethernet header differs from the sender MAC address in the ARP payload. This can be a sign of proxy ARP or of another manipulation of the source MAC address of the kind used in ARP spoofing attacks. Legitimate proxy ARP and some gateway or virtualization setups also produce such frames, so a hit here is a lead to verify against the rest of the capture, not proof on its own.

One more filter, the request-side counterpart of the previous one (arp.opcode == 1 && eth.src != arp.src.hw_mac), catches ARP requests whose sender MAC does not match the frame's source MAC, and is used to check whether there is any anomaly in the request traffic as well.

Identifying ARP requests targeting the broadcast address:

The filter arp.opcode == 1 && eth.dst == ff:ff:ff:ff:ff:ff captures ARP request packets sent to the broadcast MAC address. Ordinary requests are broadcast, so nearly every request matches; the useful signal is the rate per source. While not malicious in itself, a high frequency of such requests from one device might indicate a misconfiguration or an attempt to map the network.

IP masquerading:

A device on the network sends an ARP request asking “Who has 192.168.56.111?”; the target address shown is 192.168.56.111, and the request is broadcast to every device on the local segment. The attacker's host, which appears with IP 192.168.56.103 in this frame, responds to the request, saying “192.168.56.111 is at 08:00:27:10:b8:d0.”

The attacker is pretending to be the legitimate device at 192.168.56.111. This is classic ARP spoofing (ARP poisoning): the attacker misleads other devices on the network with false ARP replies. The check that confirms it is to compare the MAC address in this reply with the MAC address that 192.168.56.111 used earlier in the capture. Wireshark makes this comparison itself and marks the later frame with the expert-info warning “Duplicate IP address configured”; the filter arp.duplicate-address-detected lists every such frame.
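
As an added example that is not part of the original article or its captures, the following Python script applies the same checks to raw Ethernet/ARP frames: requests per source to spot a sweep, replies whose Ethernet source MAC differs from the ARP sender MAC, broadcast requests per source, and IP addresses claimed by more than one MAC. The capture it runs on is constructed inline: the attacker's MAC 08:00:27:10:b8:d0 and the addresses 192.168.56.1, .103 and .111 follow the article's scenario, while the other MACs, the sweep size and the forged-MAC reply are assumptions made for the demo.

```python
# Added example, not from the original article: the Wireshark checks described
# above, implemented over raw Ethernet/ARP frames. The capture is constructed
# in sample_capture(); no real pcap is read.
import struct
from collections import Counter, defaultdict

BROADCAST = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b):
    return ".".join(str(x) for x in b)


def mac_bytes(s):
    return bytes(int(x, 16) for x in s.split(":"))


def ip_bytes(s):
    return bytes(int(x) for x in s.split("."))


def build_arp(eth_src, eth_dst, opcode, sha, spa, tha, tpa):
    """Ethernet II frame (type 0x0806) carrying an IPv4-over-Ethernet ARP packet."""
    eth = mac_bytes(eth_dst) + mac_bytes(eth_src) + b"\x08\x06"
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)   # htype, ptype, hlen, plen, op
    arp += mac_bytes(sha) + ip_bytes(spa) + mac_bytes(tha) + ip_bytes(tpa)
    return eth + arp


def parse_arp(frame):
    """Return the fields Wireshark shows (eth.src, arp.src.hw_mac, ...) or None if not ARP."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {
        "eth_dst": mac_str(frame[0:6]), "eth_src": mac_str(frame[6:12]),
        "opcode": opcode,
        "sha": mac_str(frame[22:28]), "spa": ip_str(frame[28:32]),
        "tha": mac_str(frame[32:38]), "tpa": ip_str(frame[38:42]),
    }


def analyse(frames, sweep_threshold=10):
    pkts = [p for p in map(parse_arp, frames) if p]
    # arp.opcode == 1: who is asking, and for how many distinct targets (sweep)
    targets_per_requester = defaultdict(set)
    for p in pkts:
        if p["opcode"] == 1:
            targets_per_requester[p["spa"]].add(p["tpa"])
    sweepers = {ip: len(t) for ip, t in targets_per_requester.items() if len(t) >= sweep_threshold}
    # arp.opcode == 2 && eth.src != arp.src.hw_mac
    mismatched_replies = [p for p in pkts if p["opcode"] == 2 and p["eth_src"] != p["sha"]]
    # arp.opcode == 1 && eth.dst == ff:ff:ff:ff:ff:ff, counted per source
    broadcast_requests = Counter(p["spa"] for p in pkts
                                 if p["opcode"] == 1 and p["eth_dst"] == BROADCAST)
    # one IP claimed by more than one MAC: what Wireshark flags as a duplicate address
    macs_per_ip = defaultdict(set)
    for p in pkts:
        if p["spa"] != "0.0.0.0":            # ARP probes legitimately use 0.0.0.0 as sender
            macs_per_ip[p["spa"]].add(p["sha"])
    duplicates = {ip: sorted(m) for ip, m in macs_per_ip.items() if len(m) > 1}
    return {"sweepers": sweepers, "mismatched_replies": mismatched_replies,
            "broadcast_requests": broadcast_requests, "duplicates": duplicates}


# Constructed capture: attacker at .111 sweeps the subnet, then poisons .103 and .1.
ATTACKER_MAC, ATTACKER_IP = "08:00:27:10:b8:d0", "192.168.56.111"
GATEWAY_MAC, GATEWAY_IP = "08:00:27:01:01:01", "192.168.56.1"
VICTIM_MAC, VICTIM_IP = "08:00:27:03:03:03", "192.168.56.103"
FORGED_MAC = "de:ad:be:ef:00:01"


def sample_capture():
    frames = []
    for n in range(1, 21):   # sweep: one request per address
        frames.append(build_arp(ATTACKER_MAC, BROADCAST, 1, ATTACKER_MAC, ATTACKER_IP, ZERO_MAC, f"192.168.56.{n}"))
    # legitimate answers from the two hosts that exist
    frames.append(build_arp(GATEWAY_MAC, ATTACKER_MAC, 2, GATEWAY_MAC, GATEWAY_IP, ATTACKER_MAC, ATTACKER_IP))
    frames.append(build_arp(VICTIM_MAC, ATTACKER_MAC, 2, VICTIM_MAC, VICTIM_IP, ATTACKER_MAC, ATTACKER_IP))
    # the victim's own, normal resolution of the gateway
    frames.append(build_arp(VICTIM_MAC, BROADCAST, 1, VICTIM_MAC, VICTIM_IP, ZERO_MAC, GATEWAY_IP))
    frames.append(build_arp(GATEWAY_MAC, VICTIM_MAC, 2, GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP))
    # poisoning: unsolicited replies claiming the gateway's IP to the victim and vice versa
    frames.append(build_arp(ATTACKER_MAC, VICTIM_MAC, 2, ATTACKER_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP))
    frames.append(build_arp(ATTACKER_MAC, GATEWAY_MAC, 2, ATTACKER_MAC, VICTIM_IP, GATEWAY_MAC, GATEWAY_IP))
    # a reply whose ARP sender MAC was forged to differ from the frame's source MAC
    frames.append(build_arp(ATTACKER_MAC, VICTIM_MAC, 2, FORGED_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP))
    return frames


if __name__ == "__main__":
    for name, value in analyse(sample_capture()).items():
        print(name, value)
```

On this capture the sweep check names 192.168.56.111 as the only host that asked for ten or more different addresses, the duplicate check shows 192.168.56.1 and 192.168.56.103 each claimed by the attacker's MAC as well as their real one, and the mismatch check returns only the forged frame: the two "plain" poisoning replies pass it, which is why that filter alone is not enough and the per-IP MAC comparison is the decisive one. To run the same logic on a real trace, replace sample_capture() with frames read from a pcap.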

Conclusion:

As shown above, we analyzed an ARP spoofing (ARP poisoning) attack in Wireshark: the attacker at 192.168.56.111 was poisoning ARP caches, so traffic destined for other IP addresses was passing through the attacker's machine. The usual countermeasures are static ARP entries for critical hosts such as the gateway and the central server, Dynamic ARP Inspection on the switches so that ARP packets whose IP/MAC pairing does not match the DHCP snooping table are dropped, and port security or 802.1X so that an unused switch port does not grant network access in the first place.
