Network ARP cache poisoning

Attack tree

1 Craft a valid ARP reply in which any IP is mapped to any MAC address 
2 Broadcast this message. All the devices on network will accept this message and will update 
  their ARP table with new Information
3 Gain control of the communication from any host in the network.
    3.1 Send an ARP reply mapping an IP address on network with a wrong or non-existent 
        MAC address. For example, a fake ARP reply mapping the network router IP with a 
        non-existent MAC will bring down the whole network.
    3.2 Send an ARP reply to the router mapping a particular host IP to your attack machine 
        MAC address and another ARP reply to the host machine mapping the router IP to your 
        attack machine MAC address. 
    3.3 Flood switch and sniff.


All the devices that are connected to the layer 2 network have an ARP cache. This cache contains the mapping of all the MAC and IP address for the network devices that particular host has already communicated with.


Many network switches when overloaded can start acting like a hub and start broadcasting all the network traffic to all the hosts connected to the network. As a hub, the switch does not enable its port security feature, and now it broadcasts all the network traffic. Sniff.

ARP cache poisoning exploitability

Poisoning ARP cache remotely is at minimum a 2-step exploitation chain, as it requires either physical access to the network or control of one of the machines in the network.