APR (ARP Poison Routing) is a main feature of the program. It enables sniffing on switched networks and the hijacking of IP traffic between hosts. The name "ARP Poison Routing" derives from the two steps needed to perform such unusual network sniffing: an ARP Poison Attack and routing packets to the correct destination.
This kind of attack is based on the manipulation of host's ARP caches. On an Ethernet/IP network when two hosts want to communicate to each other they must know each others MAC addresses. The source host looks at its ARP table to see if there is a MAC address corresponding to the destination host IP address. If not, it broadcasts an ARP Request to the entire network asking the MAC of the destination host. Because this packet is sent in broadcast it will reach every host in a subnet however only the host with the IP address specified in the request will reply its MAC to the source host. On the contrary if the ARP-IP entry for the destination host is already present in the ARP cache of the source host, that entry will be used without generating ARP traffic.
Q: Now what happens if the source host has in its ARP cache an incorrect MAC address associated to the IP address of the destination host ?
A: Simple, it will start the communication with the destination host using the incorrect MAC address in Ethernet frames.
Q: And what happens if that incorrect MAC address corresponds to the MAC address of our network sniffer ?
A: The traffic will reach our sniffer even if every host is connected to a network switch forwarding frames on port basis.
Q: How can someone change the addresses contained in host's ARP caches ?
A: The Address Resolution Protocol (ARP) is a stateless protocol that does not require authentication so a simple ARP Reply packet sent to an host can force an update in its ARP cache.
Q: Can I use this kind of attack on the Internet ?
A: No. ARP protocol does not cross routers or VLANs so ARP Poison attacks are useless outside Level2 "Broadcast Domains".
Manipulating ARP caches of two hosts, it is possible to change the normal direction of traffic between them. This kind of traffic hijacking is the result of an ARP Poison attack and also a prerequisite to achieve a "Man-in-the-Middle" condition between victim hosts. The term Main-in-the-Middle refers to the fact that the traffic between hosts follows an obligated path through something before reaching the desired destination.
Now suppose that you successfully setup an ARP Poison attack between two hosts to intercept their network traffic. To do so you had specified the sniffer MAC address in ARP Poison packets and now you are forcing the two hosts to communicate through your computer.
In this situation the sniffer receives packets that are directed to its MAC address but not to its IP address so the protocol stack discards these packets causing a Denial of Service between the hosts. To avoid such problems the sniffer must be able to re-route poisoned packets to the correct destination. (You can't capture any password if hosts cannot communicate)
In order to re-route poisoned packets to the correct destination, the program must know each IP-MAC association of victim hosts. This is why the user is asked to scan for MAC addresses first.
This feature needs the configuration of some parameters that can be set from the configuration dialog. It is possible to specify a spoofed MAC and IP addresses to be used in ARP Poison packets; this makes it very difficult to trace back to the origin of the attack because attacker's real addresses are never sent across the network. On switched networks, the attack is also a stealth one from a central point of view because Cain's APR uses Unicast Ethernet destination addresses in ARP Poison packets; these packets will be routed by switches accordingly to their CAM tables and never sent in broadcast.
Victim hosts can be selected from the APR Tab using the + button in the toolbar:
The meaning of this selection is: "I want to hijack all IP traffic that flows from host 192.168.0.1 and host 192.168.0.10 in each direction so that my workstation will be in a Man-in-the-Middle condition between them". In this way the program is configured to perform an ARP Poison attack directed to the selected hosts and at the same time the association needed to re-route poisoned packets is created. Cain's APR has been developed to handle attacks on multiple hosts at the same time so you can choose in the right list a pool of addresses.
The attack can now be enabled/disabled using the relative toolbar button; a separate thread will take care of sending ARP Poison packets at regular intervals as specified in the configuration dialog.
You can monitor the traffic activity from the two views under the APR sub TAB. The upper view (LAN View) shows the number of re-routed packets between poisoned hosts and also the routing direction of the packets. It can happen that for some reason (static ARP entries for example) the attack is successful for one host only; in this case you will see the number of re-routed packets rising for one direction only meaning that the sniffer is processing half of the traffic expected.
The lower view (WAN View) shows the number of re-routed packets directed to or coming from an IP address which is external to the current subnet. If one of the two hosts is a router it is possible that Cain's APR will process WAN traffic too; in this case the lower list will be automatically populated with associations for WAN traffic.
When poisoning a router the following considerations arise:
- If you setup APR to hijack IP traffic between an internal host and its default gateway you will automatically intercept traffic from that host and all other hosts present in external networks connected by that gateway.
- When APR receives a packet originated from an internal host and directed to an IP address which is external to the current subnet it must re-route that packet to the correct gateway which is unknown.
The destination IP address present in the packet is the one of an external host and the destination Ethernet address is our sniffer MAC address..... the question arises as to where to re-route this packet if there are multiple exit point (gateways) in our LAN ? The packet could be sent in broadcast but this works only with routers, I checked that Checkpoint Firewalls for example discards packets directed to Unicast IP addresses encapsulated in frames with broadcast MAC addresses. This problem has been mitigated in the current version in this way: when APR does not know where to re-route packets it will use the best route found in the local operating system's route table.
If your LAN uses asymmetric routing you can modify the local route table using the Route Table Manager to avoid the above problem.
- Poisoning the subnet's default gateway with all other hosts in the LAN can cause traffic bottlenecks because APR does not have the same performance of an high speed router.
- Default gateways addresses are usually virtual addresses generated by HSRP or VRRP routing protocols. Consider if you are poisoning a normal host and the default gateway virtual address...
In this case a packet originated outside the local network and directed to an internal host will reach the sniffer but this packet could contain the real MAC address of the active HSRP / VRRP host as Ethernet source address. Because this source MAC address is not the one you setup in the APR list, the packet will not be re-routed by APR causing DoS. When you want to poison HSRP / VRRP virtual addresses you have to poison also real addresses of HSRP/ VRRP members.
Each entry present in the WAN list can reach the following status:
- Broadcasting: This state means that APR received a packet from a host that resides on a different network and directed to an IP address of your broadcast domain. That packet must be routed by APR but the correct destination MAC address is not present in the host list. In this situation APR will broadcast that packet to all hosts in your LAN.
- Half-Routing: This state means that APR is routing the traffic correctly but only in one direction (ex: Client->Server or Server->Client). This can happen if one of the two hosts cannot be poisoned or if asymmetric routing is used on the LAN. In this state the sniffer looses all packets in an entire direction so it cannot grab authentications that use a challenge-response mechanism.
- Full-Routing: This state means that the IP traffic between two hosts has been completely hijacked and APR is working in FULL-DUPLEX. (e.g.: Server<->Client). The sniffer will grab authentication information accordingly to the filters set.
Where is the rest of the traffic if FULL-Routing is not reached ? Probably the immune host still uses the correct destination MAC address to reach the other host and its traffic does not flow through the sniffer machine. The same situation can happens if you are poisoning an HSRP Virtual address (usually a default gateway address) with a normal host in your LAN.