Hackers Next Door

Hackers Next Door session details for

December 14, 2019 from 8:00 PM to 8:45 PM

Presented by Anonymous Members

Performing and Detecting an ARP Cache Poisoning Attack

Solidify your understanding of the data-link layer (OSI Layer 2) at this hands-on workshop that will walk you through the process of performing a classic ARP spoofing attack, a fundamental NetSec technique that is still used in many real-life hacking scenarios today.

Before there was “The Internet,” there was Ethernet. First developed in the mid-1970s, Ethernet takes its name from the erroneous belief, first postulated in the late 19th century, that an omnipresent yet invisible material known as “ether” permeated everything and everyone. Today, in a kind of self-fulfilling prophecy, Ethernet is the near-ubiquitous link-layer networking technology that underpins almost every modern telecommunications network.

By examining Ethernet network frames, we will see how Internet communications, such as data sent to one IP address or another, are carried from one physical device to another, thus traversing “the ether.” This process is facilitated by the Address Resolution Protocol (ARP), a simple mechanism that maps IP addresses to hardware device addresses. But ARP has a fundamental flaw: its own messages cannot be authenticated.

This lack of authentication can be exploited for both legitimate and illegitimate purposes, allowing for increased resiliency, or enabling a malicious attacker to pretend to be someone that they are not. In this latter case, an attacker can perform network-based Denial-of-Service (DoS) or Machine-in-the-Middle (MITM) attacks regardless of whether or not some higher-level encryption (like Wi-Fi passwords) is used. By performing what is known as an ARP cache poisoning attack, attackers are able to masquerade as any other device on “the ethernet.” This session will demonstrate how this attack works and what you can do to detect, prevent, and remediate such attacks on your networks.
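One way to detect the cache poisoning described above, shown as an added example rather than material from the session: a passive check over captured ARP frames that flags an IP address whose claimed hardware address changes, or whose ARP sender address disagrees with the Ethernet source address. The frames, MAC addresses and IP addresses are constructed samples, and treating the first binding seen for an IP as trusted is an assumption.

```python
import struct

def parse_arp(frame):
    """Return ARP fields from a raw Ethernet frame, or None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":   # EtherType 0x0806 = ARP
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    fmt_mac = lambda b: ":".join(f"{x:02x}" for x in b)
    return {"eth_src": fmt_mac(frame[6:12]), "op": op,
            "sha": fmt_mac(sha), "spa": ".".join(map(str, spa))}

def detect(frames):
    """Flag ARP frames that contradict the first binding seen for an IP (assumed trusted)."""
    bindings, alerts = {}, []
    for n, raw in enumerate(frames):
        arp = parse_arp(raw)
        if arp is None:
            continue
        # The Ethernet source and the ARP sender hardware address should agree.
        if arp["eth_src"] != arp["sha"]:
            alerts.append((n, "sender-mismatch", arp["spa"], arp["sha"]))
        # ARP probes carry sender IP 0.0.0.0 and claim no binding.
        if arp["spa"] == "0.0.0.0":
            continue
        if bindings.setdefault(arp["spa"], arp["sha"]) != arp["sha"]:
            alerts.append((n, "binding-changed", arp["spa"], arp["sha"]))
    return alerts

def build(eth_src, op, sha, spa, tpa):
    """Construct a sample ARP frame as bytes (test input only; nothing is sent)."""
    m = lambda s: bytes.fromhex(s.replace(":", ""))
    a = lambda s: bytes(map(int, s.split(".")))
    return (b"\xff" * 6 + m(eth_src) + struct.pack("!HHHBBH", 0x0806, 1, 0x0800, 6, 4, op)
            + m(sha) + a(spa) + bytes(6) + a(tpa))

# Constructed sample capture: locally administered MACs, private IPs.
GW, HOST, ROGUE = "02:00:00:00:00:01", "02:00:00:00:00:10", "02:00:00:00:00:66"
SAMPLE = [
    build(GW, 2, GW, "192.168.1.1", "192.168.1.10"),      # gateway reply
    build(HOST, 1, HOST, "192.168.1.10", "192.168.1.1"),  # host request
    build(ROGUE, 2, ROGUE, "192.168.1.1", "192.168.1.10"),  # gateway IP, new MAC
    build(ROGUE, 2, HOST, "192.168.1.10", "192.168.1.1"),   # headers disagree
    build(HOST, 1, HOST, "0.0.0.0", "192.168.1.10"),      # ARP probe, ignored
]

if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(alert)
```

A legitimate failover or address reassignment also changes a binding, so each alert needs confirming against a known inventory of devices.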

Session Tools