This article was originally published in: Walker AI

A communication protocol is the set of rules and conventions that both communicating parties must follow to complete a communication or service, so that data is transmitted smoothly across the network to its destination. As a network communication model, the protocol family provides a complete set of network transmission protocols. TCP (Transmission Control Protocol) and IP (Internet Protocol) were the earliest standards adopted in this family, so the family is usually called the TCP/IP protocol family.

Because the protocols in a network are layered, and several layers work at the same time in a way that resembles the stack space in a computer, the family is also called the TCP/IP protocol stack.

1. How to communicate with each other?

1.1 Computer network architecture layer: OSI seven-layer model, TCP/IP conceptual layer model

1.2 Network Transmission Process Overview

2. What is ARP

The Address Resolution Protocol (ARP) works in Ethernet environments. On Ethernet, data is addressed by MAC address rather than by IP address; ARP translates a known IP address into the MAC address used for addressing.

ARP works at the data link layer, communicates with the hardware interface and provides services for upper-layer protocols. For example, when an IP packet is transmitted over Ethernet, the Ethernet device does not recognize the 32-bit IP address; it transmits the frame using a 48-bit Ethernet address (MAC address). ARP is therefore needed to resolve the IP address into a MAC address.

2.1 ARP Cache Table

Each host has an ARP cache table, which records the mapping between host IP addresses and MAC addresses in recent Ethernet interactions.

On Windows or Linux, run arp -a to view the local ARP cache table.

2.2 Dynamic ARP Mapping

With dynamic mapping, whenever a machine knows the LAN IP address of another host it needs to communicate with, it can use a protocol to find out the corresponding physical address. The dynamic mapping protocols are ARP and RARP.

  • ARP maps IP addresses to physical addresses.

  • RARP maps physical addresses to IP addresses; together they allow the ARP cache table to be populated dynamically.

2.3 ARP Request and Response Process

① When PC1 wants to send data to PC2, it first looks up the MAC address of PC2 in its local ARP cache table. To communicate on a LAN, a host must know both the IP address and the MAC address of its target.

② If PC1 does not find a MAC address for PC2 in the cache table, it broadcasts an ARP request frame to all hosts on the Ethernet. This frame contains the IP address and MAC address of PC1 and the IP address of PC2.

③ Every host on the Ethernet receives the broadcast ARP request and checks whether its own IP address is the requested IP address of PC2. If it does not match, the ARP request is ignored.

④ PC2 finds that the requested IP address matches its own and adds the IP address and MAC address of PC1 to its local ARP cache table.

⑤ PC2 sends an ARP reply packet containing its MAC address to PC1 as a unicast.

⑥ After receiving the ARP reply from PC2, PC1 adds the IP address and MAC address of PC2 to its local ARP cache table. PC1 can then communicate with PC2 normally.

Entries in the local ARP cache have a lifetime. The default ARP lifetime is 120s.

2.4 ARP Packet Analysis

  • Hardware type: the type of hardware address (1 indicates an Ethernet address; other values cover other media such as token ring)

  • Protocol type: the type of protocol address being mapped (0x0800 indicates an IP address)

  • Hardware address length: the length of the hardware address in the packet (6 in Ethernet ARP packets)

  • Protocol address length: the length of the protocol address in the packet (4 in ARP packets carrying IP addresses)

  • Op: operation field, with 4 values (1 = ARP request, 2 = ARP reply, 3 = RARP request, 4 = RARP reply)

  • Sender hardware address: hardware address of the sending device

  • Sender IP address: IP address of the sending device

  • Destination hardware address: hardware address of the receiving device

  • Destination IP address: IP address of the receiving device

2.5 ARP Packet Capture

Capture ARP packets on the Ethernet with the interface in promiscuous mode. According to the packet format analysis above, the selected packet is an ARP broadcast request sent by the host with MAC address 04:E6:76:68:59:EA to obtain the MAC address of the host with IP address 192.168.1.248.
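The following added example (not code from the article) packs and parses the 28-byte ARP packet described in section 2.4 and replays the six-step request/reply exchange of section 2.3 between simulated hosts that keep ARP caches. The sender MAC 04:e6:76:68:59:ea and the target 192.168.1.248 are taken from the capture above; the other IP and MAC addresses are constructed.

```python
import struct
# 28-byte Ethernet/IPv4 ARP layout from section 2.4: hw type(2) proto type(2) hw len(1)
# proto len(1) op(2) sender MAC(6) sender IP(4) target MAC(6) target IP(4)
ARP_FMT = "!HHBBH6s4s6s4s"
HW_ETHERNET, PROTO_IPV4, OP_REQUEST, OP_REPLY = 1, 0x0800, 1, 2
OP_NAMES = {1: "ARP request", 2: "ARP reply", 3: "RARP request", 4: "RARP reply"}
ZERO_MAC = "00:00:00:00:00:00"   # unknown target MAC in a request; the frame itself is broadcast

def mac_bytes(mac): return bytes.fromhex(mac.replace(":", ""))
def mac_str(b): return ":".join(f"{x:02x}" for x in b)
def ip_bytes(ip): return bytes(int(o) for o in ip.split("."))
def ip_str(b): return ".".join(str(x) for x in b)

def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    return struct.pack(ARP_FMT, HW_ETHERNET, PROTO_IPV4, 6, 4, op, mac_bytes(sender_mac),
                       ip_bytes(sender_ip), mac_bytes(target_mac), ip_bytes(target_ip))

def parse_arp(data):
    # Decode a raw ARP packet and reject anything that is not Ethernet/IPv4 ARP.
    if len(data) < 28:
        raise ValueError("truncated ARP packet")
    hw, proto, hlen, plen, op, smac, sip, tmac, tip = struct.unpack(ARP_FMT, data[:28])
    if (hw, proto, hlen, plen) != (HW_ETHERNET, PROTO_IPV4, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return {"op": OP_NAMES.get(op, f"unknown({op})"), "sender_mac": mac_str(smac),
            "sender_ip": ip_str(sip), "target_mac": mac_str(tmac), "target_ip": ip_str(tip)}

class Host:
    # A host with an ARP cache (ip -> mac), following the six steps of section 2.3.
    def __init__(self, ip, mac):
        self.ip, self.mac, self.cache = ip, mac, {}
    def receive(self, data):
        pkt = parse_arp(data)
        if pkt["target_ip"] != self.ip:       # step 3: the request is not for me, ignore it
            return None
        self.cache[pkt["sender_ip"]] = pkt["sender_mac"]   # steps 4 and 6: learn the sender
        if pkt["op"] == "ARP request":        # step 5: answer with a unicast reply
            return build_arp(OP_REPLY, self.mac, self.ip, pkt["sender_mac"], pkt["sender_ip"])
        return None

def resolve(pc1, lan, target_ip):
    # PC1 resolves target_ip on a LAN (list of other hosts); returns the learned MAC or None.
    if target_ip in pc1.cache:                 # step 1: cache hit, no request needed
        return pc1.cache[target_ip]
    request = build_arp(OP_REQUEST, pc1.mac, pc1.ip, ZERO_MAC, target_ip)   # step 2
    for host in lan:                           # broadcast: every host on the segment sees it
        reply = host.receive(request)
        if reply is not None:
            pc1.receive(reply)
    return pc1.cache.get(target_ip)
```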

3. Attack based on ARP

3.1 ARP Defects

ARP is based on trust among all nodes in the LAN: it is efficient, but not secure. As a stateless protocol, it does not check whether it previously sent a request or whether a reply is legitimate. As long as a host receives an ARP reply packet, or an ARP broadcast packet carrying its target MAC, it accepts and caches the mapping. This is what makes ARP spoofing possible: a malicious node can send forged ARP packets to disrupt communication between nodes on the network, or even mount a "man-in-the-middle" attack.

3.2 Common ARP Attacks

(1) ARP disconnection attack: forged ARP packets are sent to the LAN at a high rate and the victim's ARP cache table is forcibly tampered with. As a result, all of the victim's traffic is sent to the attacker or to a non-existent address, and its network requests never reach the public network.

(2) ARP man-in-the-middle attack: similar to the disconnection attack, except that the attacker enables traffic forwarding. The victim's traffic passes through the attacker before being forwarded to the public network, so the attacker can analyze the captured traffic or even tamper with it.

3.3 Analysis of ARP Attack Principle

① Forged ARP reply packets (unicast or broadcast) deliver a fake IP/MAC mapping to a single host or to multiple hosts.

② Forged ARP request packets (unicast or broadcast) likewise carry a fake IP/MAC mapping in their sender fields.

③ A man-in-the-middle enables packet forwarding and sends forged ARP replies to the hosts at both ends. Because of the ARP cache aging mechanism, the spoofing usually has to be repeated periodically.

3.4 Attack Process

Either Kali or CentOS can be used. Kali ships with many attack tools, so the setup is relatively simple; CentOS requires installing the tools separately. Kali is a Debian-based Linux distribution whose goal is to include as many penetration-testing and auditing tools as possible, so most open-source security testing tools are included: classic information gathering tools such as Nmap and Wireshark, as well as password cracking tools such as Hydra, Crunch, Hashcat and John the Ripper.

Note that Kali is not a system to be used casually; it can cause substantial harm if used improperly. If you use Kali, make use of its strengths reasonably and legally, otherwise it will bring irreparable trouble to yourself and harm to others.

① Before launching an intranet attack, you need to identify the target and obtain its IP address and the gateway address.

To list the live hosts on the same LAN: fping -asg 192.168.xxx.0/24

To decide which IP address is the one you want to attack, you can analyze the vendor of the MAC addresses in the ARP cache table, or resort to the legendary social engineering.

② After finding the online host to attack, the attack can be started with a very simple one-line command.

arpspoof -i eth0 -t 192.168.135.131 192.168.135.2

  • eth0: the network interface

  • First IP: the IP address of the victim

  • Second IP: the identity forged in the victim's ARP cache table (e.g. write the gateway IP here, and the victim will believe you are the gateway)

Once the command is issued, a continuous ARP bombardment keeps telling the victim: the gateway you are looking for is me, send all your packets to me. If traffic forwarding is not enabled, the victim is now cut off from the network.

3.5 Defense Methods

  • Run the arp command on the client to bind the real MAC address of the gateway: first arp -d * (delete the incorrect ARP entries), then arp -s 192.168.xxx.xxx xx-xx-xx-xx-xx-xx (statically specify the MAC address of the gateway).

  • Configure static port-to-MAC address mappings on the switch.

  • Statically bind IP addresses to MAC addresses on the router.

  • Use an ARP server to broadcast the correct IP-MAC mapping table for all hosts on the network segment at a fixed interval.

  • Most importantly, improve users' security awareness and build good security habits: install system patches promptly, set strong system passwords, install a firewall, install effective anti-virus software and keep its virus database up to date.

  • Do not actively engage in cyber attacks, and do not run untrusted software.
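As an added example that is not part of the original article, the passive ARP monitor below performs the checks ARP itself skips (section 3.1): it remembers which IPs were asked for so that unsolicited replies can be flagged, compares replies against a pinned gateway binding like the one set with arp -s, reports changed IP-to-MAC mappings, and counts the burst of replies produced by the continuous bombardment described in 3.4. The addresses 192.168.135.2 and 192.168.135.131 come from the article; the MAC addresses, timestamps and thresholds are constructed.

```python
from collections import deque

class ArpMonitor:
    # Passive detector for the traffic patterns of sections 3.1 to 3.4; input is decoded ARP packets.
    def __init__(self, pinned=None, flood_window=10.0, flood_threshold=20):
        self.pinned = dict(pinned or {})  # ip -> mac trusted by static binding (section 3.5)
        self.seen = {}                     # ip -> mac learned from traffic
        self.pending = {}                  # ip asked for in a request -> deadline for a reply
        self.recent = deque()              # timestamps of recent replies (bombardment check)
        self.window, self.threshold = flood_window, flood_threshold

    def observe(self, ts, op, sender_mac, sender_ip, target_ip):
        alerts = []
        if op == "request":                # remember who was asked for, which ARP itself never does
            self.pending[target_ip] = ts + 2.0
            return alerts
        deadline = self.pending.pop(sender_ip, None)
        if deadline is None or ts > deadline:       # a reply nobody asked for (3.1)
            alerts.append(f"unsolicited reply: {sender_ip} is-at {sender_mac}")
        if sender_ip in self.pinned and self.pinned[sender_ip] != sender_mac:   # gateway takeover (3.4)
            alerts.append(f"spoofed binding: {sender_ip} pinned to {self.pinned[sender_ip]}, claimed by {sender_mac}")
        elif self.seen.get(sender_ip, sender_mac) != sender_mac:               # mapping flipped
            alerts.append(f"mapping changed: {sender_ip} was {self.seen[sender_ip]}, now {sender_mac}")
        self.seen[sender_ip] = sender_mac
        self.recent.append(ts)             # reply rate: a continuous stream of replies is the bombardment
        while self.recent and self.recent[0] < ts - self.window:
            self.recent.popleft()
        if len(self.recent) > self.threshold:
            alerts.append(f"reply flood: {len(self.recent)} replies within {self.window:.0f}s")
        return alerts

# Constructed sample segment: the addresses of section 3.4 plus made-up MACs.
GATEWAY_IP, GATEWAY_MAC = "192.168.135.2", "00:50:56:aa:bb:cc"
VICTIM_IP, VICTIM_MAC = "192.168.135.131", "08:00:27:11:22:33"
ROGUE_MAC = "de:ad:be:ef:00:01"

def run_sample():
    mon = ArpMonitor(pinned={GATEWAY_IP: GATEWAY_MAC})
    events = [(0.0, "request", VICTIM_MAC, VICTIM_IP, GATEWAY_IP),   # legitimate exchange
              (0.1, "reply", GATEWAY_MAC, GATEWAY_IP, VICTIM_IP)]
    # What the bombardment of 3.4 looks like on the wire: the gateway IP repeatedly "is-at" another MAC.
    events += [(1.0 + i * 0.2, "reply", ROGUE_MAC, GATEWAY_IP, VICTIM_IP) for i in range(25)]
    alerts = []
    for ts, *pkt in events:
        alerts += [(ts, a) for a in mon.observe(ts, *pkt)]
    return alerts
```

Feeding the output of a packet parser into observe() on a live segment turns this into a simple ARP watch; the first spoofed-binding alert is what a pinned gateway entry protects the client against.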

Tips: do not casually test such attacks in any real environment; build a virtual environment to test them instead.


PS: for more hands-on technical content, follow the official account 【xingzhe_ai】 and discuss with Walker!