How Hackers Use Address Resolution Protocol to Penetrate Networks

By Kevin Beaver

Hackers can use ARP (Address Resolution Protocol) running on your network to make their systems appear as your system or another authorized host on your network. Keep this in mind while developing your security countermeasures.

ARP spoofing

An excessive number of ARP requests can be a sign of an ARP spoofing attack on your network.

A client running a program such as dsniff or Cain & Abel can change the ARP tables (the tables that store IP-address-to-media-access-control-address mappings) on network hosts. This causes the victim computers to send their traffic to the attacker's computer rather than to the true destination computer when communicating on the network.

Spoofed ARP replies can be sent to a switch, which reverts the switch to broadcast mode and essentially turns it into a hub. When this occurs, an attacker can sniff every packet going through the switch and capture anything and everything from the network.

Here’s a typical ARP spoofing attack with a hacker’s computer (Hacky) and two legitimate network users’ computers (Joe and Bob):

  1. Hacky poisons the ARP caches of victims Joe and Bob by using dsniff, ettercap, or a utility he wrote.

  2. Joe associates Hacky’s MAC address with Bob’s IP address.

  3. Bob associates Hacky’s MAC address with Joe’s IP address.

  4. Joe’s traffic and Bob’s traffic are sent to Hacky’s IP address first.

  5. Hacky’s network analyzer captures Joe’s and Bob’s traffic.

Cain & Abel for ARP poisoning

You can perform ARP poisoning on your switched Ethernet network to test your IPS or to see how easy it is to turn a switch into a hub and capture anything with a network analyzer.

Perform the following steps to use Cain & Abel for ARP poisoning:

  1. Load Cain & Abel and then click the Sniffer tab to enter the network analyzer mode.

  2. Click the Start/Stop APR icon.

    The ARP poison routing process starts and enables the built-in sniffer.

  3. If prompted, select the network adapter in the window that appears and then click OK.

  4. Click the blue + icon to add hosts to perform ARP poisoning on.

  5. In the MAC Address Scanner window that appears, ensure the All Hosts in my Subnet option is selected and then click OK.

  6. Click the APR tab to load the APR page.

  7. Click the white space under the uppermost Status column heading.

    This re-enables the blue + icon.

  8. Click the blue + icon and the New ARP Poison Routing window shows the hosts discovered in Step 3.

  9. Select your default route.

    The right-hand column fills with all the remaining hosts.


  10. Ctrl+click all the hosts in the right column that you want to poison.

  11. Click OK and the ARP poisoning process starts.

    This process can take anywhere from a few seconds to a few minutes depending on your network hardware and each host's local TCP/IP stack.


  12. You can use Cain & Abel’s built-in passwords feature to capture passwords traversing the network to and from various hosts simply by clicking the Passwords tab.

The preceding steps show how easy it is to exploit a vulnerability and prove that Ethernet switches aren’t all they’re cracked up to be.

MAC address spoofing

MAC address spoofing tricks the switch into thinking your computer is something else. You simply change your computer’s MAC address and masquerade as another user.

You can use this trick to test access control systems, such as your IPS/firewall, and even your operating system login controls that check for specific MAC addresses.

UNIX-based systems

In UNIX and Linux, you can spoof MAC addresses with the ifconfig utility. Follow these steps:

  1. While logged in as root, use ifconfig to enter a command that disables the network interface.

    Insert the network interface number that you want to disable into the command, like this:

    [root@localhost root]# ifconfig eth0 down

  2. Enter a command for the MAC address you want to use.

    Insert the fake MAC address and the network interface number (eth0) into the command again, like this:

    [root@localhost root]# ifconfig eth0 hw ether

You can use a more feature-rich utility called GNU MAC Changer for Linux systems.

Windows-based systems

You can use regedit to edit the Windows Registry, or you can use a neat Windows utility called SMAC, which makes MAC spoofing a simple process. Follow these steps to use SMAC:

  1. Load the program.

  2. Select the adapter for which you want to change the MAC address.

  3. Enter the new MAC address in the New Spoofed MAC Address fields and click the Update MAC button.

  4. Stop and restart the network card with these steps:

    • Right-click the network card in Network and Dialup Connections and then choose Disable.

    • Right-click again and then choose Enable for the change to take effect.

  5. Click the Refresh button in the SMAC interface.

To reverse Registry changes with SMAC, follow these steps:

  1. Select the adapter for which you want to change the MAC address.

  2. Click the Remove MAC button.

  3. Stop and restart the network card with these steps:

    • Right-click the network card in Network and Dialup Connections and then choose Disable.

    • Right-click again and then choose Enable for the change to take effect.

  4. Click the Refresh button in the SMAC interface.

    You should see your original MAC address again.

Countermeasures against ARP poisoning and MAC address spoofing attacks

A few countermeasures on your network can minimize the effects of an attack against ARP and MAC addresses:

  • Prevention: You can prevent MAC address spoofing if your switches support port security, which blocks automatic changes to the MAC address tables.

  • Detection: You can detect these two types of hacks through an IPS or a standalone MAC address–monitoring utility.

    Arpwatch is a Linux-based program that alerts you via e-mail when it detects changes in MAC addresses associated with specific IP addresses on the network.
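The following is an added example, not code from the article or from Arpwatch: a minimal Arpwatch-style detector that replays a constructed list of ARP replies and flags the two signatures from the Joe/Bob/Hacky scenario above, an IP whose MAC mapping suddenly changes and a single MAC that answers for several IP addresses. The IP and MAC values are made up for the example.

```python
# Added example (not from the article): an Arpwatch-style ARP cache watcher.
from collections import defaultdict

# Constructed sample: (timestamp in seconds, sender IP, sender MAC) taken from
# ARP replies seen on the segment. All addresses are invented for the example.
SAMPLE_ARP_REPLIES = [
    (0.0, "192.168.1.10", "aa:aa:aa:aa:aa:10"),   # Joe
    (0.5, "192.168.1.20", "bb:bb:bb:bb:bb:20"),   # Bob
    (1.0, "192.168.1.1", "cc:cc:cc:cc:cc:01"),    # default gateway
    (30.0, "192.168.1.10", "aa:aa:aa:aa:aa:10"),  # Joe again, unchanged
    (61.0, "192.168.1.10", "dd:dd:dd:dd:dd:66"),  # Hacky answers for Joe's IP
    (61.1, "192.168.1.20", "dd:dd:dd:dd:dd:66"),  # Hacky answers for Bob's IP
]


def detect_arp_spoofing(replies, max_ips_per_mac=1):
    """Return alert strings for suspicious events in a sequence of ARP replies.

    Two signatures are checked, in replay order:
      * "changed": the MAC recorded for a known IP flips to a different MAC
        (the classic cache-poisoning symptom Arpwatch mails you about).
      * "multi-ip": one MAC has now claimed more than max_ips_per_mac IPs
        (a single station answering for both victims, as Hacky does).
    """
    ip_to_mac = {}                 # last MAC seen for each IP
    mac_to_ips = defaultdict(set)  # every IP each MAC has claimed so far
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()
        previous = ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            alerts.append(f"{ts:.1f}s changed: {ip} was {previous}, now {mac}")
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) > max_ips_per_mac:
            owned = ", ".join(sorted(mac_to_ips[mac]))
            alerts.append(f"{ts:.1f}s multi-ip: {mac} now claims {owned}")
    return alerts


if __name__ == "__main__":
    for line in detect_arp_spoofing(SAMPLE_ARP_REPLIES):
        print(line)
```

Routers, virtual IPs and VM hosts legitimately answer for several IPs, so raise `max_ips_per_mac` or whitelist those MACs before treating a multi-ip alert as an incident.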