We can see an example in this Wireshark capture:
That packet puts an entry into the ARP cache like so:
To see what happens when we mix up the addresses, we can use scapy, the packet manipulation program. We can do this (at the scapy prompt):
To send this:
With only the Sender MAC inside the ARP protocol payload, we get this cache update:
So, as you can see, by changing the ARP payload, we can change which MAC is put in the cache. Also, the scapy payload was not sent in response to an ARP request, and the cache entry had not aged out, yet the cache was still updated. With some tuning, this technique could be used to accomplish ARP poisoning and a man-in-the-middle attack.
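From the monitoring side, the two behaviours described above (the cache trusting the Sender MAC in the ARP payload rather than the Ethernet source, and accepting a reply nobody asked for) are both visible in the raw frame. The following is an added example, not code from the original post: a small Python checker that parses Ethernet/ARP frames and flags those conditions. The class and function names, finding labels, and the sample addresses are assumptions constructed for illustration.

```python
# EtherType ARP, then htype=Ethernet, ptype=IPv4, hlen=6, plen=4
ARP_PREFIX = bytes.fromhex("0806 0001 0800 06 04")

def build_frame(eth_dst, eth_src, op, sha, spa, tha, tpa):
    """Constructed Ethernet + ARP frame, used only as sample input."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    ip = lambda a: bytes(int(x) for x in a.split("."))
    return (mac(eth_dst) + mac(eth_src) + ARP_PREFIX + op.to_bytes(2, "big")
            + mac(sha) + ip(spa) + mac(tha) + ip(tpa))

def parse_arp(frame):
    """Return the fields a cache update depends on, or None if not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or frame[12:20] != ARP_PREFIX:
        return None
    ip = lambda b: ".".join(map(str, b))
    return {"eth_src": frame[6:12].hex(":"), "op": int.from_bytes(frame[20:22], "big"),
            "sha": frame[22:28].hex(":"), "spa": ip(frame[28:32]), "tpa": ip(frame[38:42])}

class ArpMonitor:
    def __init__(self):
        self.bindings = {}      # sender IP -> MAC last claimed in the ARP payload
        self.requested = set()  # IPs with a request seen and not yet answered

    def inspect(self, frame):
        p = parse_arp(frame)
        if p is None:
            return []
        findings = []
        if p["eth_src"] != p["sha"]:
            findings.append("eth-src/arp-sender mismatch")
        if p["op"] == 1:
            self.requested.add(p["tpa"])
        elif p["spa"] in self.requested:
            self.requested.remove(p["spa"])  # this reply answers a pending request
        else:
            findings.append("unsolicited reply")
        if self.bindings.get(p["spa"], p["sha"]) != p["sha"]:
            findings.append("binding changed")
        self.bindings[p["spa"]] = p["sha"]
        return findings

def demo():
    """Constructed traffic: a request, its genuine reply, then an unrequested altered reply."""
    a, b, x = "02:00:00:00:00:0a", "02:00:00:00:00:0b", "02:00:00:00:00:99"
    m = ArpMonitor()
    return [m.inspect(f) for f in (
        build_frame("ff:ff:ff:ff:ff:ff", a, 1, a, "10.0.0.1", "00:00:00:00:00:00", "10.0.0.2"),
        build_frame(a, b, 2, b, "10.0.0.2", a, "10.0.0.1"),
        build_frame(a, b, 2, x, "10.0.0.2", a, "10.0.0.1"))]
```

The third constructed frame trips all three checks at once, which is the combination the experiment above produces; on a switched network the same mismatch check is what Dynamic ARP Inspection enforces against a trusted binding table.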