Overview
ARP poisoning, also known as ARP spoofing, is a link-layer attack technique that allows an adversary on the local network to intercept, modify, or redirect traffic between systems by manipulating ARP tables. This type of attack is commonly used to perform adversary-in-the-middle (AITM) operations, enabling the interception of sensitive data such as credentials or authentication exchanges.
Attack Walkthrough
In a standard ARP poisoning attack, an attacker on the local network sends forged ARP responses that associate their MAC address with the IP address of a legitimate host, such as the default gateway. This poisons the ARP caches of nearby hosts, so that traffic those hosts send to the impersonated IP address is delivered to the attacker instead, enabling interception, manipulation, or disruption of network communications.
This technique can be leveraged to intercept Kerberos authentication traffic between domain-joined computers and the domain controller. When a domain account initiates Kerberos authentication, an AS-REQ message is sent to the domain controller. This prompts an AS-REP message from the domain controller that contains encrypted authentication material that can be extracted and potentially cracked offline to recover the domain account's password.
Tools like ASRepCatcher are designed to intercept AS-REP messages as they are routed through the attacker's system. Once intercepted, the encrypted authentication material is displayed in a format suitable for offline hash cracking tools such as Hashcat. The screenshot below shows an example of this attack in action, where a domain user's AS-REP hash was intercepted during normal network authentication activity.
Security Impact and Risk
This attack technique enables an attacker to intercept encrypted domain credentials for any user authenticating on the network without requiring direct interaction with the domain controller or triggering alerts. Intercepted AS-REP messages can be cracked offline, allowing an attacker to recover valid domain credentials that may grant access to sensitive systems, applications, or information. The ability to obtain credentials in this manner poses serious risks:
- Initial Access or Privilege Escalation: A compromised user account can provide an entry point into internal systems or allow movement throughout the network. If the attacker shares a broadcast domain with a domain controller, the impact is significantly greater, since poisoning the domain controller's ARP cache allows the interception of AS-REP messages destined for hosts outside the attacker's own broadcast domain.
- Persistence: Compromised credentials may allow long-term persistence if domain account passwords are not periodically rotated.
- Low Likelihood of Detection: Because the attacker intercepts traffic in transit rather than interacting with the domain controller directly, the activity is difficult to detect with standard network monitoring tools.
Remediation and Hardening Recommendations
Mitigating the risk associated with this attack technique involves a combination of network-level protections, switch hardening, and continuous monitoring for suspicious ARP behavior. The following recommendations will strengthen your resilience against ARP poisoning attacks:
- Enable Dynamic ARP Inspection (DAI) on all VLANs and ensure DHCP Snooping is properly configured where applicable.
- Use static ARP entries for critical systems like domain controllers and default gateways.
- Harden switch port security by limiting ports to known MAC addresses and enabling 802.1x where possible.
- Restrict direct communication between clients using Private VLANs or VLAN ACLs to block peer-to-peer traffic and reduce lateral attack paths.
- Monitor for ARP spoofing activity using tools like arpwatch or IDS/IPS with ARP detection capabilities.
- Enforce strong password policies and ensure legacy encryption like RC4 is disabled in favor of stronger algorithms (e.g., AES) to increase hash cracking difficulty. Additionally, monitor for Kerberos authentication requests that use RC4, since such requests likely indicate malicious activity, especially if RC4 is disabled.
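An added example (not from the original page or from ASRepCatcher) of the arpwatch-style monitoring recommended above: it tracks the IP-to-MAC bindings seen in ARP replies and alerts when a protected address such as the gateway or a domain controller changes MAC, or when one MAC starts answering for several IPs, which is the signature of a forged-reply AITM. The sample replies, the addresses and the `protected` list are constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class ArpMonitor:
    """Track IP-to-MAC bindings seen in ARP replies and flag poisoning indicators."""
    # Hosts whose binding should never change (gateway, domain controllers);
    # constructed here, in practice taken from your network inventory.
    protected: set = field(default_factory=set)
    bindings: dict = field(default_factory=dict)  # ip -> last MAC seen
    ips_by_mac: dict = field(default_factory=lambda: defaultdict(set))

    def observe(self, reply: dict) -> list:
        """Feed one ARP reply ({'spa': sender IP, 'sha': sender MAC}); return alerts."""
        ip, mac = reply["spa"], reply["sha"].lower()
        alerts = []
        prev = self.bindings.get(ip)
        if prev is not None and prev != mac:
            # A binding flip is what a forged reply for the gateway or DC produces;
            # a NIC swap or DHCP churn can also cause it, so triage the alert.
            level = "CRITICAL" if ip in self.protected else "WARNING"
            alerts.append(f"{level}: {ip} moved from {prev} to {mac}")
            self.ips_by_mac[prev].discard(ip)
        self.bindings[ip] = mac
        if ip not in self.ips_by_mac[mac]:
            self.ips_by_mac[mac].add(ip)
            # One MAC answering for several IPs: the attacker has to claim both
            # the impersonated host (gateway/DC) and the victims to sit in the middle.
            if len(self.ips_by_mac[mac]) > 1:
                alerts.append(f"WARNING: {mac} now claims {sorted(self.ips_by_mac[mac])}")
        return alerts


# Constructed sample: legitimate replies for the gateway, a DC and a workstation,
# followed by forged replies in which one MAC takes over the gateway and the DC.
SAMPLE_REPLIES = [
    {"spa": "10.0.0.1", "sha": "aa:bb:cc:00:00:01"},
    {"spa": "10.0.0.10", "sha": "aa:bb:cc:00:00:10"},
    {"spa": "10.0.0.55", "sha": "aa:bb:cc:00:00:55"},
    {"spa": "10.0.0.1", "sha": "de:ad:be:ef:00:01"},   # forged: gateway rebound
    {"spa": "10.0.0.10", "sha": "de:ad:be:ef:00:01"},  # forged: DC rebound
]


def run_sample() -> list:
    """Run the monitor over the constructed replies and return all alerts raised."""
    mon = ArpMonitor(protected={"10.0.0.1", "10.0.0.10"})
    return [a for r in SAMPLE_REPLIES for a in mon.observe(r)]


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

In a real deployment the replies would come from a packet capture on a mirror port, and the alerts would be forwarded to the SIEM.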