ARP spoofing principle and detection method in the Android environment

Posted by santillano at 2020-03-06

Test environment description

ARP working principle and spoofing principle

Data delivery within a LAN is based on MAC addresses, not on IP addresses.

Suppose host A wants to communicate with host B, and that both have just started up, or that their ARP cache tables are empty. To communicate, the data has to go through a process of encapsulation and de-encapsulation; ignoring the other layers, look only at the data link layer and the network layer. On A's side, as the data source, the outgoing data is first encapsulated at the network layer by adding an IP header. Its source IP and destination IP fields are both known, so this step succeeds. The packet is then handed to the data link layer to be encapsulated again, into a frame, and here the problem appears: of the source MAC and destination MAC fields in the frame header, the source MAC is of course A's own, but what is the destination MAC? A does not have it, that is, there is no actual address to put there. Can the encapsulation continue? Does the communication have to terminate?

In fact, before encapsulating, host A looks up its ARP cache table (on Windows it can be viewed manually via Start > Run > cmd and the command arp -a). If the cache already holds the MAC and IP information of the target host (host B), the frame can be formed directly. If not, A goes through an ARP resolution process: it sends out a broadcast request asking for the other party's MAC address. This exchange can be observed with a sniffer.

The ARP request carries a question of the form: "Hello, I am (A's IP address) and my MAC address is (A's MAC address); what is your MAC address?" All hosts in the network segment receive the broadcast, but only the host that owns the requested IP address (host B) responds. At the same time, the receiving host records the correspondence between A's IP address and MAC address in its own ARP cache. Through this process, A and B each hold the other's IP-to-MAC mapping, so layer 2 and layer 3 encapsulation can complete normally.

Now imagine that after A broadcasts, A receives B's reply, but at the same time a third party C is listening to the A-B conversation in some way and intercepts the ARP reply from B to A. C can change the MAC address field in that reply to another MAC address and then hand the modified frame to A. A has now received two replies: which one does it trust? The later one. Because the intercepted and modified reply arrives later, A caches the modified MAC. A then encapsulates its data frames with the wrong MAC, and the data is sent to a host that C controls.
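To make the exchange above concrete, the following Python block (an added example, not code from the original article) packs and parses the 28-byte ARP payload defined in RFC 826 and models the per-host ARP cache. It replays the article's scenario: A broadcasts a request for B, B's reply is learned, and a later reply for B's IP carrying a different MAC silently overwrites the entry. The three hosts' IP and MAC addresses are constructed sample values, not taken from the page. The "overwritten" verdict returned by the cache is exactly the host-side signal that the detection methods later in the article look for.

```python
import socket
import struct

# Wire format of the ARP payload (RFC 826): hardware type, protocol type,
# hardware address length, protocol address length, opcode, sender MAC,
# sender IP, target MAC, target IP. 28 bytes for Ethernet/IPv4.
ARP_FMT = "!HHBBH6s4s6s4s"
ARP_REQUEST, ARP_REPLY = 1, 2

# Constructed sample addresses for the article's three hosts (not from the page).
HOST_A = ("192.168.1.10", "aa:aa:aa:aa:aa:0a")
HOST_B = ("192.168.1.20", "bb:bb:bb:bb:bb:0b")
HOST_C = ("192.168.1.30", "cc:cc:cc:cc:cc:0c")


def mac_bytes(mac: str) -> bytes:
    return bytes(int(octet, 16) for octet in mac.split(":"))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_arp(opcode: int, sender: tuple, target_ip: str,
              target_mac: str = "00:00:00:00:00:00") -> bytes:
    """Build an ARP payload. A request leaves the target MAC zeroed (unknown);
    a reply fills it in with the requester's MAC."""
    sender_ip, sender_mac = sender
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, opcode,
                       mac_bytes(sender_mac), socket.inet_aton(sender_ip),
                       mac_bytes(target_mac), socket.inet_aton(target_ip))


def parse_arp(payload: bytes) -> dict:
    """Decode an ARP payload; rejects anything that is not Ethernet/IPv4 ARP."""
    htype, ptype, hlen, plen, op, smac, sip, tmac, tip = struct.unpack(ARP_FMT, payload[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP payload")
    return {"op": op,
            "sender_mac": mac_str(smac), "sender_ip": socket.inet_ntoa(sip),
            "target_mac": mac_str(tmac), "target_ip": socket.inet_ntoa(tip)}


class ArpCache:
    """The per-host cache the article describes: a reply's sender IP/MAC pair is
    stored, and a later reply for the same IP replaces the earlier entry."""

    def __init__(self):
        self.table = {}  # ip -> mac

    def learn(self, payload: bytes) -> str:
        arp = parse_arp(payload)
        if arp["op"] != ARP_REPLY:
            return "ignored"          # requests do not populate the cache here
        old = self.table.get(arp["sender_ip"])
        self.table[arp["sender_ip"]] = arp["sender_mac"]
        if old is None:
            return "learned"
        return "unchanged" if old == arp["sender_mac"] else "overwritten"

    def lookup(self, ip: str):
        return self.table.get(ip)


def replay_scenario() -> list:
    """Replay the article's A/B/C exchange against A's cache and return the
    verdict on each frame plus the MAC A finally uses for B's IP."""
    cache_a = ArpCache()
    events = []
    request = build_arp(ARP_REQUEST, HOST_A, HOST_B[0])        # A: "who has B?"
    events.append(("request", cache_a.learn(request)))
    genuine = build_arp(ARP_REPLY, HOST_B, HOST_A[0], HOST_A[1])
    events.append(("reply from B", cache_a.learn(genuine)))
    # The later reply: B's IP but C's MAC, the modified frame C hands to A.
    later = build_arp(ARP_REPLY, (HOST_B[0], HOST_C[1]), HOST_A[0], HOST_A[1])
    events.append(("later reply", cache_a.learn(later)))
    events.append(("A now frames B's traffic for", cache_a.lookup(HOST_B[0])))
    return events


if __name__ == "__main__":
    for event in replay_scenario():
        print(event)
```

Nothing is sent on the wire; the frames are only bytes fed to an in-memory cache. The point is that a plain cache has no way to tell the two replies apart, so any detection has to come from outside the protocol: watching for the "overwritten" event, or comparing the cached gateway MAC against an independent reference such as the WiFi BSSID, as the article does below.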

The following figures show the target's ARP table before and after ARP spoofing:

Normal ARP table

ARP table after attack

Routing table

In a computer network, the routing table (or routing information base) stores the path to a specific network address (in some cases route metrics are recorded as well). The routing table contains topology information about the surrounding network. In short, the routing table works at the network layer: according to its entries, the host sends outgoing IP packets from the specified network interface.

The following figure shows the routing table of the target:


Destination, gateway and mask are all shown in reversed (little-endian) hexadecimal. For example, 019614ac actually represents the bytes AC:14:96:01, and converting each byte to decimal (AC = 172, 14 = 20, 96 = 150, 01 = 1) gives the dotted address 172.20.150.1.

Destination is the target network segment of the route; it is combined with the mask to obtain the network segment. When the result is 00000000 the route matches all network segments. So the first record in the figure above says that traffic for all network segments goes to the listed gateway and is sent out through the wlan0 network card.

BSSID and SSID of WiFi:

SSID: Service Set Identifier. SSID technology divides a WLAN into several sub-networks that require separate authentication; each sub-network authenticates independently, and only authenticated users can enter the corresponding sub-network, which keeps unauthorized users out. In everyday terms, the SSID is the WiFi name.

BSSID: Basic Service Set Identifier. The BSSID is the MAC address of the WiFi access point.

The following figure shows the BSSID and SSID of the target:

As shown in the figure, the BSSID is 24:05:0f:0f:ce:53 and the SSID is private.

ARP spoofing detection principle in the Android environment

When users connect a mobile phone to WiFi, they usually search for the WiFi name, enter the password and then go online. Only rarely do they configure the gateway themselves, and their traffic is exchanged only with the gateway. The user's default gateway is therefore the WiFi access point, so the BSSID of the WiFi and the MAC of the user's gateway will be the same. Based on this, the following ARP detection principle is proposed:

Take MAC 1 as the BSSID of the connected WiFi and MAC 2 as the MAC address recorded in the ARP cache for the gateway IP found in the routing table. If MAC 1 and MAC 2 are the same, there is no ARP attack; if MAC 2 differs from MAC 1, an ARP attack is in progress.

Corollary: if the user has configured the gateway manually, the gateway IP recorded in the routing table has no relationship to the BSSID. Since ARP spoofing does not modify the gateway IP, one can instead continuously monitor whether the MAC corresponding to the gateway IP in the ARP cache changes; a change indicates that ARP spoofing has started or has just ended. Combined with other means, such as long-term statistics, the correct gateway IP and MAC can be established, and if the MAC for that IP in the ARP table changes, an ARP attack is detected.
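The following Python block is an added example (not code from the article or from the app it analyses) that implements both the routing-table decoding described earlier (little-endian hex fields of /proc/net/route) and the two detection rules just stated. It parses constructed samples of /proc/net/route and /proc/net/arp in the Linux text format Android uses, finds the default gateway, compares the gateway's ARP entry against the BSSID (rule 1), and keeps a baseline so that a change in the gateway's MAC between polls is reported (the corollary). The BSSID 24:05:0f:0f:ce:53 and the address 172.20.150.1 come from the page; the other hosts, MACs and the substituted gateway MAC in the "spoofed" sample are constructed values.

```python
import socket
import struct
from typing import Optional, Tuple

# Constructed sample of /proc/net/route as read on a Linux/Android host.
# Address fields are little-endian hex: 019614AC -> 172.20.150.1 (the page's example).
SAMPLE_ROUTE = """\
Iface\tDestination\tGateway \tFlags\tRefCnt\tUse\tMetric\tMask\t\tMTU\tWindow\tIRTT
wlan0\t00000000\t019614AC\t0003\t0\t0\t0\t00000000\t0\t0\t0
wlan0\t009614AC\t00000000\t0001\t0\t0\t0\t00FFFFFF\t0\t0\t0
"""

# Constructed samples of /proc/net/arp: healthy, and with the gateway entry replaced.
SAMPLE_ARP_CLEAN = """\
IP address       HW type     Flags       HW address            Mask     Device
172.20.150.1     0x1         0x2         24:05:0f:0f:ce:53     *        wlan0
172.20.150.23    0x1         0x2         02:00:00:00:00:17     *        wlan0
"""
SAMPLE_ARP_SPOOFED = """\
IP address       HW type     Flags       HW address            Mask     Device
172.20.150.1     0x1         0x2         02:00:00:00:00:99     *        wlan0
172.20.150.23    0x1         0x2         02:00:00:00:00:17     *        wlan0
"""


def hex_to_ip(little_endian_hex: str) -> str:
    """Decode a /proc/net/route address field: "019614AC" -> "172.20.150.1"."""
    return socket.inet_ntoa(struct.pack("<L", int(little_endian_hex, 16)))


def default_gateway(route_text: str) -> Optional[Tuple[str, str]]:
    """Return (interface, gateway_ip) of the default route: the row whose
    Destination and Mask are both 00000000, i.e. it matches every segment."""
    for line in route_text.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 8:
            continue
        iface, dest, gateway, mask = fields[0], fields[1], fields[2], fields[7]
        if dest == "00000000" and mask == "00000000":
            return iface, hex_to_ip(gateway)
    return None


def arp_lookup(arp_text: str, ip: str) -> Optional[str]:
    """Return the cached MAC (lower-case) for ip from /proc/net/arp text, or None."""
    for line in arp_text.splitlines()[1:]:
        fields = line.split()
        if len(fields) >= 4 and fields[0] == ip:
            return fields[3].lower()
    return None


def check_against_bssid(route_text: str, arp_text: str, bssid: str) -> str:
    """Rule 1: on a normally joined WiFi the default gateway is the access point,
    so the gateway's ARP entry (MAC 2) must equal the BSSID (MAC 1)."""
    gateway = default_gateway(route_text)
    if gateway is None:
        return "no-default-route"
    mac = arp_lookup(arp_text, gateway[1])
    if mac is None:
        return "gateway-not-in-arp-cache"
    return "ok" if mac == bssid.lower() else "arp-spoofing-suspected"


class GatewayMacMonitor:
    """Corollary, for manually configured gateways: the gateway IP does not change
    under ARP spoofing, so compare its MAC between polls (the app polls every 5 s)."""

    def __init__(self):
        self.gateway_ip = None
        self.last_mac = None

    def observe(self, route_text: str, arp_text: str) -> str:
        gateway = default_gateway(route_text)
        if gateway is None:
            return "no-default-route"
        mac = arp_lookup(arp_text, gateway[1])
        if mac is None:
            return "gateway-not-in-arp-cache"
        if self.gateway_ip != gateway[1]:              # first poll or new gateway
            self.gateway_ip, self.last_mac = gateway[1], mac
            return "baseline"
        if mac != self.last_mac:                       # spoofing started or ended
            self.last_mac = mac
            return "gateway-mac-changed"
        return "unchanged"


if __name__ == "__main__":
    print(check_against_bssid(SAMPLE_ROUTE, SAMPLE_ARP_CLEAN, "24:05:0f:0f:ce:53"))
    monitor = GatewayMacMonitor()
    for snapshot in (SAMPLE_ARP_CLEAN, SAMPLE_ARP_CLEAN, SAMPLE_ARP_SPOOFED):
        print(monitor.observe(SAMPLE_ROUTE, snapshot))
```

In an Android app the BSSID would come from WifiInfo.getBSSID() and the two tables from reading /proc/net/route and /proc/net/arp; note that since Android 10 ordinary apps can no longer read /proc/net, so this approach as the article describes it only works on older releases or with elevated privileges. The monitor deliberately re-baselines when the gateway IP itself changes (a new network), because only a MAC change for the same gateway IP is evidence of spoofing.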


Based on reverse analysis of the WiFi protection order app, this article concludes that WiFi protection order can accurately detect ARP spoofing. Some technical details of WiFi protection order are as follows:

1. Monitor changes in the routing table and the ARP cache on a 5-second cycle, and detect ARP spoofing by the principle described above.

2. Once ARP spoofing is detected, the user is prompted as follows:

Apk screenshot:


Apk Download:


[Author: difcareer. This article belongs to the FreeBuf (freebuf.com) hackers and geeks original article reward program; reprinting without permission is prohibited.]