## Overview
Address Resolution Protocol (ARP) is a layer 2 protocol used to discover the link layer address (MAC address) associated with a given internet layer address (IPv4 address). It works in request-response mode.
### IPv6
In IPv6 networks the functionality of ARP is provided by the Neighbor Discovery Protocol (NDP).
## Packet Structure
### ARP Question
[Image Name 1]:https://secretnotes.space/articleimage?id=156
![Image Name 1]
First comes the Ethernet header, which is not ARP data:
<span style='width: 20px;height: 20px; background-color: #ffaec6;display:inline-block'></span> - DESTINATION MAC, 6 bytes. ARP questions are broadcast, so the DESTINATION MAC is FF FF FF FF FF FF.
<span style='width: 20px;height: 20px; background-color: #ff7e2b;display:inline-block'></span> - SOURCE MAC, 6 bytes.
<span style='width: 20px;height: 20px; background-color: #b5c61b;display:inline-block'></span> - TYPE, 2 bytes. In this case ARP: 08 06. If the Ethernet frame encapsulates IPv4 these 2 bytes are 08 00; for IPv6 they are 86 DD.
Next comes the ARP packet:
<span style='width: 20px;height: 20px; background-color: #c1c0e8;display:inline-block'></span> - HARDWARE TYPE, 2 bytes. In this case Ethernet: 00 01.
<span style='width: 20px;height: 20px; background-color: #b9795d;display:inline-block'></span> - PROTOCOL TYPE, 2 bytes. In this case IPv4: 08 00.
<span style='width: 20px;height: 20px; background-color: #a0d9ea;display:inline-block'></span> - HARDWARE SIZE, 1 byte. A MAC address is 6 bytes long, so the field is 06.
<span style='width: 20px;height: 20px; background-color: #fff200;display:inline-block'></span> - PROTOCOL SIZE, 1 byte. An IPv4 address is 4 bytes long, so the field is 04.
<span style='width: 20px;height: 20px; background-color: #c3c3c3;display:inline-block'></span> - OPCODE, 2 bytes. This is a question, so 00 01.
<span style='width: 20px;height: 20px; background-color: #ff7e2b;display:inline-block'></span> - SENDER MAC, 6 bytes: F4 28 55 64 C8 25.
<span style='width: 20px;height: 20px; background-color: #ed1a29;display:inline-block'></span> - SENDER IP, 4 bytes: 192.168.1.1, or C0 A8 01 01 in hex.
<span style='width: 20px;height: 20px; background-color: #4046c3;display:inline-block'></span> - TARGET MAC, 6 bytes. In this case 00 00 00 00 00 00 because it is a question.
<span style='width: 20px;height: 20px; background-color: #25af4f;display:inline-block'></span> - TARGET IP, 4 bytes. In this case 192.168.1.21, or C0 A8 01 15 in hex.
The zeros that follow are padding: the Ethernet header (14 bytes) plus the ARP packet (28 bytes) is padded up to the 60-byte minimum frame length. This message can be read as `who has 192.168.1.21? tell 192.168.1.1`.
### Gratuitous ARP
A gratuitous ARP is an ARP question in which a computer sets the TARGET IP to its own IP address (it asks for its own IP). There are usually 2 reasons for using it:
- to inform all other computers that it has obtained an IP address
- to check whether the same IP address is already in use in the local network
### ARP Answer
[Image Name 2]:https://secretnotes.space/articleimage?id=154
![Image Name 2]
Ethernet header:
<span style='width: 20px;height: 20px; background-color: #ffaec6;display:inline-block'></span> - DESTINATION MAC, 6 bytes.
<span style='width: 20px;height: 20px; background-color: #ff7e2b;display:inline-block'></span> - SOURCE MAC, 6 bytes.
<span style='width: 20px;height: 20px; background-color: #b5c61b;display:inline-block'></span> - TYPE, 2 bytes. In this case ARP: 08 06.
Next comes the ARP packet:
<span style='width: 20px;height: 20px; background-color: #c1c0e8;display:inline-block'></span> - HARDWARE TYPE, 2 bytes. In this case Ethernet: 00 01.
<span style='width: 20px;height: 20px; background-color: #b9795d;display:inline-block'></span> - PROTOCOL TYPE, 2 bytes. In this case IPv4: 08 00.
<span style='width: 20px;height: 20px; background-color: #a0d9ea;display:inline-block'></span> - HARDWARE SIZE, 1 byte. A MAC address is 6 bytes long, so the field is 06.
<span style='width: 20px;height: 20px; background-color: #fff200;display:inline-block'></span> - PROTOCOL SIZE, 1 byte. An IPv4 address is 4 bytes long, so the field is 04.
<span style='width: 20px;height: 20px; background-color: #c3c3c3;display:inline-block'></span> - OPCODE, 2 bytes. This is an answer, so 00 02.
<span style='width: 20px;height: 20px; background-color: #ff7e2b;display:inline-block'></span> - SENDER MAC, 6 bytes: E5 CB 45 D7 62 D5.
<span style='width: 20px;height: 20px; background-color: #ed1a29;display:inline-block'></span> - SENDER IP, 4 bytes: 192.168.1.21, or C0 A8 01 15 in hex.
<span style='width: 20px;height: 20px; background-color: #4046c3;display:inline-block'></span> - TARGET MAC, 6 bytes. In this case F4 28 55 64 C8 25 (the MAC of the asking computer) because it is an answer.
<span style='width: 20px;height: 20px; background-color: #25af4f;display:inline-block'></span> - TARGET IP, 4 bytes. In this case 192.168.1.1, or C0 A8 01 01 in hex.
This can be read as `192.168.1.21 is at E5 CB 45 D7 62 D5`.
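The question and answer described above rebuilt byte by byte from the field values given in the text and parsed back, as an added example (not code from the original article). Beyond those two frames it also rejects frames that are not Ethernet/IPv4 ARP and flags gratuitous ones (sender IP equal to target IP).

```python
# Added example: build and parse the Ethernet/ARP frames described above.
# Layout: 14-byte Ethernet header, 28-byte ARP packet, zero padding to 60 bytes.
import struct
from ipaddress import IPv4Address

ETHERTYPE_ARP = 0x0806
ARP_FMT = "!HHBBH6s4s6s4s"                   # htype ptype hlen plen op sha spa tha tpa
BROADCAST = bytes.fromhex("ffffffffffff")
ZERO_MAC = bytes(6)
GW_MAC = bytes.fromhex("f4285564c825")       # SENDER MAC of the question in the text
HOST_MAC = bytes.fromhex("e5cb45d762d5")     # SENDER MAC of the answer in the text

def fmt_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)

def build_arp(dst_mac, src_mac, opcode, sha, spa, tha, tpa):
    """Ethernet header + ARP packet, padded to the 60-byte minimum frame."""
    eth = struct.pack("!6s6sH", dst_mac, src_mac, ETHERTYPE_ARP)
    arp = struct.pack(ARP_FMT, 1, 0x0800, 6, 4, opcode,
                      sha, IPv4Address(spa).packed, tha, IPv4Address(tpa).packed)
    return (eth + arp).ljust(60, b"\x00")

def parse_arp(frame):
    """Return the ARP fields as a dict, or None if not an Ethernet/IPv4 ARP frame."""
    if len(frame) < 42:
        return None
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(ARP_FMT, frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None                          # only Ethernet/IPv4 ARP is handled here
    return {"dst": fmt_mac(dst), "src": fmt_mac(src), "opcode": op,
            "sender_mac": fmt_mac(sha), "sender_ip": str(IPv4Address(spa)),
            "target_mac": fmt_mac(tha), "target_ip": str(IPv4Address(tpa)),
            "gratuitous": spa == tpa}        # a host asking for its own IP

def describe(info):
    """Render the frame the way the article reads it."""
    if info["opcode"] == 1:
        return f"who has {info['target_ip']}? tell {info['sender_ip']}"
    if info["opcode"] == 2:
        return f"{info['sender_ip']} is at {info['sender_mac']}"
    return f"unknown opcode {info['opcode']}"

# The two frames from the text: broadcast question, then unicast answer.
REQUEST = build_arp(BROADCAST, GW_MAC, 1, GW_MAC, "192.168.1.1", ZERO_MAC, "192.168.1.21")
REPLY = build_arp(GW_MAC, HOST_MAC, 2, HOST_MAC, "192.168.1.21", GW_MAC, "192.168.1.1")
```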
## ARP Cache
After a computer gets the MAC address of another computer with the help of an ARP question it can save this information for future use. Next time, instead of making an ARP request, the computer takes the destination MAC from the cache. To see the ARP cache on Windows and Linux type
```
arp -a
```
There are 2 types of ARP records:
- Dynamic
- Static
Dynamic records are created by the operation of the ARP protocol. They have a limited time to live and are deleted once it has passed; the time to live differs between systems. The idea is to track changes in the network: fresh information is provided by the ARP protocol.
Static records are created manually, usually by system administrators. They are permanent and can only be changed manually.
### Linux
To add a static record to the ARP table on Linux
```
# arp -i [interface] -s [ip-address] [mac-address]
arp -i enp0s3 -s 192.168.1.197 00:55:DF:34:54:78
```
To remove a record from the ARP table
```
# arp -d [ip-address]
arp -d 192.168.1.197
```
After the system is rebooted this record is gone. One option is to add the static ARP record every time the interface comes up. For example, on Ubuntu create a file with any name (but no extension, otherwise run-parts skips it) in the directory `/etc/network/if-up.d/` (this hook directory belongs to the ifupdown package, so check that the interface is managed by it) and make the file executable.
```
sudo touch /etc/network/if-up.d/test
sudo chmod +x /etc/network/if-up.d/test
```
Contents of the file
```
#!/bin/bash
arp -i enp0s3 -s 192.168.1.197 00:55:DF:34:54:78
```
Now the ARP record will remain after the system reboots.
### Windows
Adding a static record to the ARP table on Windows is similar to the Linux way but has slightly different syntax
```
arp -s 192.168.1.197 00-55-DF-34-54-78
```
To create a record that survives a reboot we need to use PowerShell. First list the network interfaces (run PowerShell as administrator).
```
Get-NetAdapter
```
This shows each network interface's Name, Description, InterfaceIndex, MACAddress and LinkSpeed. Now add the static ARP record.
```
# New-NetNeighbor -InterfaceIndex [Index] -IPAddress [IPAddress] -LinkLayerAddress [MACAddress] -State Permanent
New-NetNeighbor -InterfaceIndex 3 -IPAddress '192.168.1.197' -LinkLayerAddress '00-55-DF-34-54-78' -State Permanent
```
We can check the result with
```
arp -a
```
To remove the permanent ARP record use PowerShell with admin rights
```
# Remove-NetNeighbor -IPAddress [IPAddress]
Remove-NetNeighbor -IPAddress 192.168.1.197
```
## ARP Vulnerabilities
### ARP Spoofing
ARP has no authentication: looking only at the ARP traffic, a system can't tell whether an ARP packet came from a trusted source. An attacker can use this for a man-in-the-middle attack, placing himself between the user's machine and the gateway. To the gateway the attacker sends an ARP packet claiming to be the client's machine, and to the client he sends an ARP packet claiming to be the gateway. Now traffic goes through the attacker's device: when the client makes a request, the traffic goes first to the attacker and then to the gateway, and the response goes through the attacker and then to the client.
A lot of high-level (layer 7) protocols use encryption, so even if the attacker can see all the traffic he can't decrypt it and gets no useful information from it. But some protocols work in plain text (HTTP, DNS, FTP...), and in that case it is dangerous.
### ARP DoS
ARP requests and responses can be broadcast. Some systems create dynamic ARP table records from the information in a request: the SENDER MAC and SENDER IP fields are written to the ARP table. So an attacker can send a broadcast request with the correct gateway IP address (usually 192.168.1.1 in home networks) but a wrong gateway MAC address, dropping the whole network off the gateway, or a broadcast response (destination address FF:FF:FF:FF:FF:FF in the Ethernet frame) containing the correct gateway IP and a wrong MAC.
Another thing that can work is a gratuitous ARP request with a wrong MAC address: devices in the network will receive this ARP request and update their cache.
### Countermeasures
To stop these attacks the following can be used:
- static ARP records
- software that monitors the ARP cache (ARP table)
Setting static ARP records helps against ARP spoofing and DoS (static records are not overwritten when the attacker sends ARP packets), but in big networks with frequently replaced hardware it may not be the best option.
Some antivirus products monitor the ARP table and, when the MAC address for an IP address changes, invalidate the record. There is also software dedicated to this monitoring, for example the program `arpwatch` for Linux.
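An arpwatch-style monitor over the cache model described in this article, as an added example (not arpwatch's own code and not from the original article): static records are never overwritten, dynamic records expire after a TTL, and a MAC change for a live dynamic record is reported and the record invalidated instead of being trusted. The input is a list of already-parsed ARP observations; the MAC addresses de:ad:be:ef:00:01/02 and the 60-second TTL are constructed values.

```python
# Added example: monitor ARP observations against static and dynamic records.
from dataclasses import dataclass, field

@dataclass
class ArpMonitor:
    static: dict = field(default_factory=dict)   # ip -> mac, set by hand, never overwritten
    dynamic: dict = field(default_factory=dict)  # ip -> (mac, expires_at)
    ttl: int = 60                                # seconds; the real value is OS dependent
    alerts: list = field(default_factory=list)

    def observe(self, now, opcode, sender_mac, sender_ip):
        """Process one ARP request (1) or reply (2); only the sender fields feed a cache."""
        sender_mac = sender_mac.lower()
        kind = "request" if opcode == 1 else "reply"
        if sender_ip in self.static:
            if self.static[sender_ip] != sender_mac:
                self.alerts.append(f"t={now}: {kind} claims {sender_ip} is at {sender_mac}, "
                                   f"static record says {self.static[sender_ip]}")
            return                                # static binding always wins
        entry = self.dynamic.get(sender_ip)
        if entry and entry[1] > now and entry[0] != sender_mac:
            self.alerts.append(f"t={now}: {kind} changes {sender_ip} "
                               f"from {entry[0]} to {sender_mac}")
            del self.dynamic[sender_ip]           # invalidate; do not trust the new MAC
            return
        self.dynamic[sender_ip] = (sender_mac, now + self.ttl)

    def lookup(self, now, ip):
        """MAC the cache would use for ip at time now, or None if unknown/expired."""
        if ip in self.static:
            return self.static[ip]
        entry = self.dynamic.get(ip)
        return entry[0] if entry and entry[1] > now else None

def demo():
    """Constructed sequence: gateway pinned statically, then conflicting claims."""
    mon = ArpMonitor(static={"192.168.1.1": "f4:28:55:64:c8:25"})
    mon.observe(0, 2, "E5:CB:45:D7:62:D5", "192.168.1.21")    # normal reply, learned
    mon.observe(5, 1, "de:ad:be:ef:00:01", "192.168.1.1")     # bogus MAC for the gateway
    mon.observe(10, 2, "de:ad:be:ef:00:02", "192.168.1.21")   # live record changes: invalidate
    mon.observe(200, 2, "de:ad:be:ef:00:02", "192.168.1.21")  # old record expired: learned
    return mon

if __name__ == "__main__":
    for line in demo().alerts:
        print(line)
```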