|=-----------------------------------------------------------------------=|
|=--------------------------=[ ARP Poisoning ]=--------------------------=|
|=-----------------------------------------------------------------------=|
|=-------------------------=[ An Introduction ]=-------------------------=|
|=-----------------------------------------------------------------------=|


---=[ OSI 7 Layer Model

    7. Application    DNS/FTP/HTTP/SMTP/DHCP/etc
    6. Presentation   MIME/SSL/etc
    5. Session        L2TP/PPTP/NetBIOS/etc
    4. Transport      TCP/UDP/etc
    3. Network        IP/ICMP/IPsec/IPX/AppleTalk/etc
    2. Data Link      ARP/Ethernet/Frame relay/PPP
    1. Physical       RS-232/V.34/Ethernet/USB/802.11x/etc

Each lower layer becomes a wrapper around the upper layers. For example,
HTTP traffic could be encrypted with SSL, then sent across a VPN using
PPTP on top of TCP, which is sent to a host at a particular IP address
over the Ethernet protocol using a MAC address on an 802.11g wireless
link.

For purposes of this discussion it is important to recognize that on the
data link layer, hosts are addressed using the MAC (hardware) address,
while on the network layer they are addressed using an IP address.


---=[ ARP

Address Resolution Protocol (ARP) is used to make a link between the
network layer address and the data link layer address of an individual
host. When the destination IP address is known but the destination MAC
address is unknown, the host broadcasts an ARP Request packet on the
network. This packet contains the IP and MAC address of the source as
well as the IP address of the intended destination. The host with the
matching IP address is expected to reply with an ARP Reply packet
containing its own IP and MAC address as well as the IP and MAC of the
requestor. The original host can then send the necessary packets over
Ethernet using the MAC address of the destination.

ARP does not use authentication, so it is possible for a different host
to respond to the ARP request and send a false response.
It is also possible for a host to send a reply when there was no
corresponding request.


---=[ Man-in-the-Middle Attack

By sending false ARP replies to hosts on a network, it is possible to
perform a man-in-the-middle attack. Basically, you tell host A that you
are 'B' and host B that you are 'A'. Then forward the packets that each
host sends you to the other.

    +------+                                            +------+
    |HOST-A| -------------------SWITCH------------------ |HOST-B|
    +------+ .................    |   ................. +------+
             :                    |                   :
             :                    |                   :
             :                    |                   :
             :                    |                   :
                             +--------+
       Hello [A], I am [B] > |ATTACKER| < Hello [B], I am [A]
                             +--------+
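The two properties described above (an ARP reply carries the sender's IP
and MAC, and nothing stops a host from sending a reply nobody asked for)
are exactly what a passive monitor on the segment can check. The following
is an added example, not code from the original article: it parses
Ethernet/IPv4 ARP packets into the fields the text names (sender and
target IP/MAC, operation), tracks outstanding requests, and flags replies
that match no request or that change an IP-to-MAC binding already learned.
It then replays the "Hello [A], I am [B]" / "Hello [B], I am [A]" exchange
from the diagram as constructed sample traffic (addresses from the
192.0.2.0/24 documentation range, made-up MACs) to show what such a
monitor reports. The ARP header layout follows RFC 826; only Ethernet
(htype 1) with IPv4 (ptype 0x0800) is handled.

```python
import struct
from dataclasses import dataclass

# RFC 826 ARP header for Ethernet/IPv4: htype, ptype, hlen, plen, oper,
# sender MAC, sender IP, target MAC, target IP (28 bytes total).
ARP_HEADER = struct.Struct("!HHBBH6s4s6s4s")
ARP_REQUEST = 1
ARP_REPLY = 2


@dataclass(frozen=True)
class ArpPacket:
    oper: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def mac_bytes(s: str) -> bytes:
    return bytes(int(x, 16) for x in s.split(":"))


def ip_bytes(s: str) -> bytes:
    return bytes(int(x) for x in s.split("."))


def build_arp(oper, sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """Serialize an Ethernet/IPv4 ARP packet (used here only to build sample input)."""
    return ARP_HEADER.pack(1, 0x0800, 6, 4, oper,
                           mac_bytes(sender_mac), ip_bytes(sender_ip),
                           mac_bytes(target_mac), ip_bytes(target_ip))


def parse_arp(data: bytes) -> ArpPacket:
    """Decode the ARP payload that follows the Ethernet header."""
    if len(data) < ARP_HEADER.size:
        raise ValueError("truncated ARP packet")
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = ARP_HEADER.unpack_from(data)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("only Ethernet/IPv4 ARP is supported")
    return ArpPacket(oper, mac_str(sha), ip_str(spa), mac_str(tha), ip_str(tpa))


class ArpMonitor:
    """Passive detector: flags replies nobody requested and changes to a
    learned IP->MAC binding. First-seen bindings are kept, not overwritten,
    so a spoofed reply shows up as a conflict rather than silently winning."""

    def __init__(self):
        self.pending = set()   # (requester_ip, requested_ip) of open requests
        self.bindings = {}     # ip -> mac learned from any ARP packet's sender fields

    def observe(self, data: bytes):
        pkt = parse_arp(data)
        alerts = []
        if pkt.oper == ARP_REQUEST:
            self.pending.add((pkt.sender_ip, pkt.target_ip))
        elif pkt.oper == ARP_REPLY:
            key = (pkt.target_ip, pkt.sender_ip)   # who asked, and for whom
            if key in self.pending:
                self.pending.discard(key)
            else:
                alerts.append(f"unsolicited reply: {pkt.sender_ip} is-at "
                              f"{pkt.sender_mac} sent to {pkt.target_ip}")
        known = self.bindings.get(pkt.sender_ip)
        if known is not None and known != pkt.sender_mac:
            alerts.append(f"binding change: {pkt.sender_ip} was {known}, "
                          f"now claimed by {pkt.sender_mac}")
        else:
            self.bindings.setdefault(pkt.sender_ip, pkt.sender_mac)
        return pkt, alerts


def demo():
    """Replay the diagram's exchange as constructed traffic; returns the alerts raised."""
    a_mac, a_ip = "02:00:00:00:00:0a", "192.0.2.10"     # HOST-A (constructed)
    b_mac, b_ip = "02:00:00:00:00:0b", "192.0.2.11"     # HOST-B (constructed)
    x_mac = "02:00:00:00:00:ee"                          # ATTACKER's NIC (constructed)
    unknown = "00:00:00:00:00:00"
    frames = [
        build_arp(ARP_REQUEST, a_mac, a_ip, unknown, b_ip),   # A: who has B?
        build_arp(ARP_REPLY, b_mac, b_ip, a_mac, a_ip),       # B's genuine answer
        build_arp(ARP_REPLY, x_mac, b_ip, a_mac, a_ip),       # "Hello [A], I am [B]"
        build_arp(ARP_REPLY, x_mac, a_ip, b_mac, b_ip),       # "Hello [B], I am [A]"
    ]
    monitor = ArpMonitor()
    alerts = []
    for frame in frames:
        _, new_alerts = monitor.observe(frame)
        alerts.extend(new_alerts)
    return alerts


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The first two frames are the normal request/reply pair and produce
nothing; each of the attacker's two replies trips both checks, since no
request preceded it and the IP it claims was already bound to another
MAC. On a real segment the same logic would be fed from a packet capture
(e.g. the ARP payload after the 14-byte Ethernet header); a host that
legitimately changes its NIC will also be reported as a binding change,
which is the expected trade-off for this kind of monitor.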