Today we will talk about one type of the network-level attacks in the OSI layer 2, the ARP Spoofing attack, one of the most common and dangerous attacks on the network that leads to the Man In The Middle attack.
What you have to know before:
Before any two connected devices start communicating, each one must read and recognize the physical address of the other, which is known by the Mac Adress. For that, a protocol was developed for this process called the ARP protocol, which is responsible for sending an ARP request to the network in the form of a broadcast message asking for the specific physical address of a particular IP that it wants to communicate with, and in turn spreading this broadcast to the entire network until it reaches its intended destination (IP) , and when it finds the target address the remote computer sends back its mac address in a form of ARP reply, in other words, the ARP protocol resolves the mac address from the IP address.
The Attack :
After the response arrives from the target device, it is stored in a table called the Arp Table, so it will be easier if you connect to the device again later by referencing to the table and not sending another ARP broadcast.
The hacker starts his attack. by simply sending a fake ARP reply to one of the devices on the network, telling it a Mac address for one of the IP addresses and as if he wants to contact him, as if the operation was done normally by asking the device and The ARP table will be modified and changes the physical address of an IP, which is usually the gateway of the network, so from this point the hacker starts to send its data and requests to the hacker as if it is the router (gateway), and then all that the hacker does is redirects this data to its real destination, so the hacked machine will start sending data to the attacker as if it’s the router, and thus the hacker will be able to convert his machine to MITM (the attack in the Man in the Middle) and will be able to see and read all packets sent from the machine to the router.