Address Resolution Protocol (ARP)

introtolan wireshark

The Address Resolution Protocol (ARP) is used to find the MAC address that belongs to a given IPv4 address on the local network. Once found, the mapping is stored in the ARP cache.

🐊️ Port: N/A

➡️ Some systems have an ARP table on top of the ARP cache.

You can observe an ARP request with tcpdump by pinging a target that is not yet in the cache:

... request who-has <target_IP> tell <sender_IP> ...
... reply <target_IP> is-at <MAC_address> ...

⚠️ ARP packets are bound to their subnet and cannot leave it. If the target is not in the subnet, the packet is sent to the gateway instead. The gateway will most likely either resolve the address from its own cache or repeat the same process on the next subnet.

There are two kinds of messages:

ARP Request broadcast 🔎: a machine asks every machine on the network whether an IP address is theirs, using the broadcast MAC address.

  • Mac source (requester MAC address)
  • Mac destination (ff:ff:ff:ff:ff:ff)
  • IP source (requester IP)
  • IP destination (target IP)

ARP Reply/Response 🧑: if a machine finds its own IP in the request, it replies to the sender with its MAC.

  • Mac source (its MAC address)
  • Mac destination (requester MAC address)
  • IP source (target IP)
  • IP destination (requester IP)

ARP vulnerabilities

  • ARP cache poisoning

👉 An attacker sends its own MAC address to usurp the identity of a legitimate IP address. ➡️ You can use static ARP tables...

  • ARP spoofing

👉 Similar to ARP cache poisoning, but the attacker only eavesdrops on the traffic. ➡️ Use encryption/... to prevent unauthorized access to the network.
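Added example (not from the original notes): a small Python parser for the request/reply layout described above, plus the defender-side check a monitor would run against cache poisoning, i.e. one IP address being claimed by more than one MAC in replies. All MAC and IP values below are constructed sample data.

```python
import struct
from collections import defaultdict

ETH_P_ARP = 0x0806          # EtherType for ARP
ARP_REQUEST, ARP_REPLY = 1, 2

def mac_str(b): return ":".join(f"{x:02x}" for x in b)
def ip_str(b): return ".".join(str(x) for x in b)

def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II frame + ARP body (42 bytes). Requests go to ff:ff:ff:ff:ff:ff."""
    dst = target_mac if op == ARP_REPLY else b"\xff" * 6
    eth = dst + sender_mac + struct.pack("!H", ETH_P_ARP)
    # htype=1 (Ethernet), ptype=0x0800 (IPv4), hlen=6, plen=4, opcode
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    return eth + arp + sender_mac + sender_ip + target_mac + target_ip

def parse_arp(frame):
    """Return (op, sender_mac, sender_ip, target_mac, target_ip) or None if not Ethernet/IPv4 ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    b = frame[22:42]
    return (op, mac_str(b[0:6]), ip_str(b[6:10]), mac_str(b[10:16]), ip_str(b[16:20]))

def describe(parsed):
    """tcpdump-style one-liner, matching the 'who-has ... tell' / 'is-at' output above."""
    op, smac, sip, _tmac, tip = parsed
    if op == ARP_REQUEST:
        return f"request who-has {tip} tell {sip}"
    return f"reply {sip} is-at {smac}"

def detect_conflicts(frames):
    """Poisoning indicator: an IP advertised by more than one MAC across ARP replies."""
    seen = defaultdict(set)
    for f in frames:
        p = parse_arp(f)
        if p and p[0] == ARP_REPLY:
            seen[p[2]].add(p[1])
    return {ip: sorted(macs) for ip, macs in seen.items() if len(macs) > 1}

# Constructed sample traffic: host A resolves the gateway, then a second MAC claims the gateway IP.
MAC_A, IP_A = bytes.fromhex("aabbccddee01"), bytes([192, 168, 1, 10])
MAC_GW, IP_GW = bytes.fromhex("aabbccddee02"), bytes([192, 168, 1, 1])
MAC_OTHER = bytes.fromhex("aabbccddee99")
SAMPLE = [
    build_arp(ARP_REQUEST, MAC_A, IP_A, b"\x00" * 6, IP_GW),
    build_arp(ARP_REPLY, MAC_GW, IP_GW, MAC_A, IP_A),
    build_arp(ARP_REPLY, MAC_OTHER, IP_GW, MAC_A, IP_A),   # conflicting claim for the gateway IP
]
```

Running `detect_conflicts(SAMPLE)` reports the gateway IP with both MACs, which is exactly the condition a static ARP entry or a switch's dynamic ARP inspection would block.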

DHCP servers are used to assign an IP address to a host; they may also hand out the IP addresses of DNS servers, domain names, and additional information such as default gateways/...


👻 To-do 👻

Stuff that I found, but never read/used yet.

  • ARP snooping
  • ARP, no auth, poisoning