Cross-network segment ARP spoofing attacks
Cross-network ARP spoofing is much more complex than ARP spoofing of the same network segment. It must combine ARP Spoofing with ICMP redirection attacks. Assume that A and B are in the same network segment, and C is in another network segment. For details, see table 2. Table 2: Table of IP addresses and MAC addresses of hosts in different CIDR blocks
User host |
IP address |
MAC address |
A |
10.10.100.1 |
00-e0-4c-11-11 |
B |
10.10.100.2 |
00-e0-4c-22-22-22 |
C |
10.10.200.3 |
00-e0-4c-33-33-33 |
First, the attacker C modifies the survival time of the IP package and extends it to enable sufficient broadcast. Then, as mentioned above, find the vulnerability of host B and attack this vulnerability, so that host B is temporarily unable to work. Then, attacker C sends an ARP packet from the IP address 10.10.100.2 with IP address B and MAC address 00-e0-4c-33-33-33 with MAC address C to. After receiving a response, a updates its ARP cache. In this way, the IP address B on host a corresponds to the MAC address of host C. However, when a sends a packet to B, it will still find the MAC address 10.10.100.2 in the LAN and will not send the packet to the router. In this case, ICMP redirection is required, the shortest path from host a to 10.10.100.2 is not a LAN, but a route. Redirect the route path to the host and send all the packets destined for 10.10.100.2 to the router. After receiving this reasonable ICMP redirection, host a modifies its route path and sends the packet destined for 10.10.100.2 to the router. In this way, attacker C can obtain data packets from the Intranet segment.