Notice that in this example, our gateway computer added this new entry into its ARP cache upon the receipt of an ARP Reply packet. The ARP protocol is so simple — just asking who has the IP and replying "I have the IP" — that there is no provision for any sort of security or authentication of the replying computer. In other words, any computer on the LAN could claim to have the IP in question.
The implementation of the ARP protocol is so simple and straightforward that the receipt of an ARP reply at any time, even when there are no ARP requests outstanding, causes the receiving computer to add the newly received information to its ARP cache.
Consequently, if the gateway computer were to receive a SPOOFED ARP REPLY from an attacking computer claiming that it was assigned an IP that belonged to some other computer, the gateway would trustingly and blindly REPLACE its current correct entry with the maliciously misleading replacement!
If at the same time the malicious attacking computer were to send a similar ARP reply to the computer being hijacked, maliciously replacing the ARP cache entry for the gateway computer, then any subsequent traffic bound for the gateway would instead be sent to the attacking computer. If the attacker forwards any of the redirected traffic it receives onto the proper original computer — after inspecting and perhaps even modifying the data — neither of the intercepted computers will detect that all of their communications is now being relayed through an unknown and probably malicious intermediary computer.
By merely injecting two ARP reply packets into a totally trusting LAN, any malicious computer is able to receive all traffic going back and forth between any two computers on the LAN such as any target machine and the LAN's gateway.
What does this mean?
ARP Reply spoofing for the purpose of ARP Cache Poisoning allows any computer on the local area network to obtain one of the most dangerous and powerful attack postures in network security: the so-called "Man In The Middle" (MITM). The man in the middle is able to monitor, filter, modify and edit any and all traffic moving between the LAN's unsuspecting and inherently trusting computers. In fact, there is nothing to prevent it from filling every computer's ARP cache with entries pointing to it, thus allowing it to effectively become a master hub for all information moving throughout the network.
Internet "switches" offer no help
As you can see from the diagram above, the use of a standard Internet switch (as compared with a hub), which prevents passive monitoring and sniffing of the LAN's traffic by isolating the traffic of each computer from all others, is of no help in the face of active ARP cache poisoning since the LAN's traffic is being actively sent to the attacking computer.
Is the threat from ARP poisoning just theoretical, or can it be easily accomplished?
The intrinsic weakness of Ethernet LAN security is well known within the hacker community and many easy-to-use "point and click" tools have been developed and are in constant use by malicious hackers. Since many of these tools have recently migrated from the less common Linux and Unix platform to the ubiquitous Windows environment, their use is rapidly becoming more widespread.
Here's text from the introductory description of a well known Windows tool set known as Cain & Abel http://www.oxid.it/index.html
Ethernet Insecurity by
Description: Leo and Steve discuss the design, operation
http://aolradio.podcast.aol.com/sn/SN-029.mp3
ARP - Q&A
http://www.geocities.com/SiliconValley/ ... k/arp.html
and peoples placed some patch and setup files on their ftp so that net can run fine.