Get started Bring yourself up to speed with our introductory content.

Microsoft network security testing for ARP spoofing

Learn how to defend your network against address resolution protocol (ARP) spoofing attacks in this excerpt from Hacking for Dummies, 2nd edition.

Hacking for Dummies This excerpt is from Chapter 9 - Network Infrastructure in "Hacking for Dummies, 2nd edition" written by Kevin Beaver and published by Wiley Publishing.

Click here to purchase the entire book.

Attackers can use address resolution protocol (ARP) running on your network to make their systems appear to be either your system or another authorized host on your network.

ARP spoofing

An excessive number of ARP requests can be a sign of an ARP spoofing attack (also called ARP poisoning) on your network.

A client running a program such as the UNIX-based dsniff or the UNIX- and Windows-based Cain and Abel can change the ARP tables -- the tables that store IP addresses to media access control (MAC) address mappings -- on network hosts. This causes the victim computers to think they need to send traffic to the attacker's computer rather than to the true destination computer when communicating on the network. This is often referred to as a Man-in-the-middle (MITM) attack.

Spoofed ARP replies can be sent to a switch very quickly, which can crash an Ethernet switch or (hopefully) make it revert to broadcast mode, which essentially turns it into a hub. When this occurs, an attacker can sniff every packet going through the switch without bothering with ARP spoofing.

This security vulnerability is inherent in how TCP/IP communications are handled.

Here's a typical ARP spoofing attack with a hacker's computer (Hacky) and two legitimate network users' computers (Joe and Bob):

  1. Hacky poisons the ARP caches of victims Joe and Bob by using dsniff, ettercap or a utility he wrote.
  2. Joe associates Hacky's MAC address with Bob's IP address.
  3. Bob associates Hacky's MAC address with Joe's IP address.
  4. Joe's traffic and Bob's traffic are sent to Hacky's IP address first.
  5. Hacky's network analyzer captures Joe's and Bob's traffic.

If Hacky is configured to act like a router and forward packets, it forwards the traffic to its original destination. The original sender and receiver never know the difference!

Using Cain and Abel for ARP poisoning

You can perform ARP poisoning on your switched Ethernet network to test your IDS/IPS or to see how easy it is to turn a switch into a hub and capture anything and everything with a network analyzer.

ARP poisoning can be hazardous to your network's hardware and health, causing downtime and more. So be careful!

Perform the following security testing steps to use Cain and Abel for ARP poisoning and improve Microsoft network security:

  1. Load Cain and Abel and click the Sniffer tab at the top to get into the network analyzer mode. It defaults to the Hosts page.
  2. Click the Start/Stop ARP icon (the yellow and black circle). This starts the ARP poison routing (how Cain and Abel refers to ARP poisoning) process and also enables the built-in sniffer.
  3. If prompted, select the network adapter in the window that displays and click OK.
  4. Click the blue + icon to add hosts to perform ARP poisoning on.
  5. On the MAC Address Scanner window that comes up, ensure the All Hosts in My Subnet option is selected and click OK.
  6. Click the ARP tab (the one with the yellow and black circle icon) at the bottom to load the APR page.
  7. Click in the white space under the uppermost Status column heading (just under the Sniffer tab). This re-enables the blue + icon.
  8. Click the blue + icon, and the New ARP Poison Routing window comes up showing the hosts discovered in Step 3 above.
  9. Select your default route (in my case, This will then fill the right-hand column with all the remaining hosts, as shown in Figure 9-20.
  10. Ctrl+click all the hosts in the right column that you want to poison.
  11. Click OK, and the ARP poisoning process starts. This process can take anywhere from a few seconds to a few minutes depending on your network hardware and each hosts' local TCP/IP stack. The results of ARP poisoning on my test network are shown in Figure 9-21.

  12. Figure 9-20: Selecting your victim hosts for ARP poisoning in Cain and Abel.

    Figure 9-21: ARP poisoning end results in Cain and Abel.

  13. You can use Cain and Abel's built-in passwords feature to capture passwords traversing the network to and from various hosts simply by clicking the Passwords tab at the bottom of the screen.

The preceding steps show how easy it is to exploit a vulnerability and prove that Ethernet switches aren't all they're cracked up to be from a security perspective.

MAC address spoofing

MAC address spoofing tricks the switch into thinking your computer is something else. You simply change your computer's MAC address and masquerade as another user.

You can use this trick to test access control systems, like your IDS, firewall, and even operating system login controls that check for specific MAC addresses.


Microsoft network security testing for ARP spoofing
Network security assessment for network infrastructure
 Part 1: Use a network analyzer to sniff the network  Part 2:  Part 3:

Kevin Beaver is an independent information security consultant, speaker and expert witness with Atlanta-based Principle Logic LLC. He has nearly two decades of experience in IT and specializes in performing information security assessments regarding compliance and risk management. Kevin has authored/co-authored six books on information security including Hacking For Dummies and Hacking Wireless Networks For Dummies (Wiley) as well as The Practical Guide to HIPAA Privacy and Security Compliance (Auerbach). He's also the creator of the Security On Wheels information security audio programs providing security learning for IT professionals on the go. Kevin can be reached at [email protected].

Dig Deeper on Windows Server troubleshooting