Address resolution protocol:
•Address Resolution Protocol (ARP, RFC 826) is the protocol that lets a network translate an IPv4 address into a physical (MAC) address. It sits between the link and network layers: ARP packets are carried directly in Ethernet frames (EtherType 0x0806), not inside IP.
•A host wishing to obtain a physical address broadcasts an ARP request onto the local segment. The host that owns the IP address in the request replies with its hardware address, and the requester caches the mapping so it does not have to ask again for every packet.
•There is also Reverse ARP (RARP, RFC 903), which a host can use to discover its own IP address: the host broadcasts its physical address and a RARP server replies with the IP address assigned to that hardware address. RARP has largely been replaced by BOOTP and DHCP.
ARP Poisoning Attack:
•When one host using IP on a LAN wants to contact another, it needs the MAC address of the host it is trying to reach.
•It first looks in its ARP cache (on Windows, type "arp -a" at the command line to see yours; "arp -a" or "ip neigh" shows it on Linux) to see if it already has the MAC address. If not, it broadcasts an ARP request asking "Who has this IP address?" The host that owns that IP address responds with its own MAC address and the IP conversation can begin. Nothing in ARP authenticates that reply: the cache is updated on the strength of the reply alone.
•On a shared-medium network such as Ethernet over a hub, every frame is seen by every host, so any host whose NIC is in promiscuous mode can read all traffic. Things are a bit different on switched networks.
•A switch learns which MAC address sits behind each port and forwards a frame only to the port where its destination MAC address was learned. This speeds up the network by sending frames only where they need to go, and makes it harder to sniff passively, since a host normally sees only frames addressed to it or broadcast.
•There are ways around switches, though. Using a program like arpspoof (from dsniff), Ettercap or Cain we can send forged ARP replies to other machines on the local area network, telling them that our MAC address belongs to the IP they are looking for, thus funneling their traffic through us.
Example:
•Basically, the Cracker is telling A's box that the Cracker's MAC address corresponds to B's IP, and telling B's box that the same MAC corresponds to A's IP. Both hosts now address their frames for each other to the Cracker, who receives all network traffic going between A and B. The Cracker must enable IP forwarding and pass the traffic on, or the connection between A and B simply breaks, and must keep resending the forged replies because ARP cache entries expire. Once you have arpspoofed your way between two machines you can sniff the connection with whatever tool you like (tcpdump, Ethereal (now Wireshark), ngrep, etc.). By arpspoofing between a machine and the LAN's gateway you can see all the traffic it sends out to the Internet.
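To make the exchange above concrete, here is an added Python example (written for this page, not code from the original notes or from arpspoof, Ettercap or Cain). It builds ARP request and reply frames in their RFC 826 wire layout, models a host cache that merges whatever sender mapping reaches it, replays the legitimate A/B exchange followed by the Cracker's forged replies, and runs an arpwatch-style check that flags an IP whose advertised MAC changes. All MAC and IP addresses are constructed for the example, and frames are passed around in memory rather than sent on a wire (doing that for real needs a raw socket and root).

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional

# RFC 826 / Ethernet constants: ARP rides directly in an Ethernet frame.
ETHERTYPE_ARP, HTYPE_ETHERNET, PTYPE_IPV4 = 0x0806, 1, 0x0800
OP_REQUEST, OP_REPLY = 1, 2
BROADCAST, ZERO_MAC = "ff:ff:ff:ff:ff:ff", "00:00:00:00:00:00"


def mac_bytes(mac: str) -> bytes: return bytes.fromhex(mac.replace(":", ""))
def ip_bytes(ip: str) -> bytes: return bytes(int(o) for o in ip.split("."))
def mac_str(b: bytes) -> str: return ":".join(f"{x:02x}" for x in b)
def ip_str(b: bytes) -> str: return ".".join(str(x) for x in b)


@dataclass
class Arp:
    op: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


def build_arp(op: int, sender_mac: str, sender_ip: str, target_mac: str, target_ip: str) -> bytes:
    """42-byte Ethernet frame carrying an ARP packet. Requests are broadcast, replies unicast.
    A forged reply just puts the attacker's MAC in the sender-hardware field next to someone else's IP."""
    eth = mac_bytes(BROADCAST if op == OP_REQUEST else target_mac) + mac_bytes(sender_mac)
    eth += struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", HTYPE_ETHERNET, PTYPE_IPV4, 6, 4, op)
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip) + mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp


def parse_arp(frame: bytes) -> Optional[Arp]:
    """Parse an Ethernet/ARP frame; None for anything that is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (HTYPE_ETHERNET, PTYPE_IPV4, 6, 4):
        return None
    b = frame[22:42]
    return Arp(op, mac_str(b[0:6]), ip_str(b[6:10]), mac_str(b[10:16]), ip_str(b[16:20]))


class NaiveArpCache:
    """A host cache as RFC 826 describes it: the sender IP->MAC pair of any ARP packet that
    reaches the host is merged into the table, with no check that it was asked for."""
    def __init__(self) -> None:
        self.table: Dict[str, str] = {}

    def process(self, frame: bytes) -> None:
        a = parse_arp(frame)
        if a is not None:
            self.table[a.sender_ip] = a.sender_mac


class ArpMonitor:
    """arpwatch-style detector: remember the MAC each IP last advertised, alert when it changes."""
    def __init__(self) -> None:
        self.seen: Dict[str, str] = {}
        self.alerts: List[str] = []

    def observe(self, frame: bytes) -> None:
        a = parse_arp(frame)
        if a is None:
            return
        prev = self.seen.get(a.sender_ip)
        if prev is not None and prev != a.sender_mac:
            self.alerts.append(f"{a.sender_ip} moved from {prev} to {a.sender_mac} (op={a.op})")
        self.seen[a.sender_ip] = a.sender_mac


# Constructed addresses for the A / B / Cracker scenario (not real hosts).
A_MAC, A_IP = "00:11:22:33:44:01", "192.168.1.10"
B_MAC, B_IP = "00:11:22:33:44:02", "192.168.1.20"
CRACKER_MAC = "00:11:22:33:44:99"


def run_scenario() -> dict:
    """Replay the legitimate A<->B exchange, then the Cracker's two forged replies."""
    hosts = {A_MAC: NaiveArpCache(), B_MAC: NaiveArpCache()}
    monitor = ArpMonitor()
    frames = [
        build_arp(OP_REQUEST, A_MAC, A_IP, ZERO_MAC, B_IP),    # A asks: who has B_IP?
        build_arp(OP_REPLY, B_MAC, B_IP, A_MAC, A_IP),         # B answers: B_IP is at B_MAC
        build_arp(OP_REPLY, CRACKER_MAC, B_IP, A_MAC, A_IP),   # forged, to A: B_IP is at CRACKER_MAC
        build_arp(OP_REPLY, CRACKER_MAC, A_IP, B_MAC, B_IP),   # forged, to B: A_IP is at CRACKER_MAC
    ]
    for f in frames:
        monitor.observe(f)                  # the monitor sees a mirror of every frame
        dst, src = mac_str(f[0:6]), mac_str(f[6:12])
        for mac, cache in hosts.items():    # deliver the way a switch would
            if mac != src and dst in (BROADCAST, mac):
                cache.process(f)
    return {"A_cache": hosts[A_MAC].table, "B_cache": hosts[B_MAC].table, "alerts": monitor.alerts}


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(name, value)
```

After the replay, A's cache maps B's IP to the Cracker's MAC and B's cache maps A's IP to the same MAC, which is exactly the position arpspoof puts an attacker in, while the monitor reports both "moves". A real attacker has to repeat the forged replies every few seconds because cache entries age out; a real defender can pin critical mappings with static ARP entries or turn on Dynamic ARP Inspection on the switch, which drops replies that disagree with the DHCP snooping table.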