#1
ARP poison ? Educational purpose only!
Hello everyone, I am doing a paper on ARP poisoning, please help.
I have a router and a target computer. Do the router and target computer automatically update their ARP cache whenever I send the fake IP-MAC address (in an ARP reply) to them? Or do they just do it some time after they send out the ARP request? Will they update their cache (with my fake ARP reply) after they have already received the true ARP reply? By the way, do you know any good article on the subject? Please send me the link. Thanks

#2
Probably shouldn't post this, but go here for an introduction to ARP poisoning, and welcome to the world of Cain & Abel.
http://www.oxid.it/downloads/apr-intro.swf

#3
Quote:
Thanks, I've come to that site already, interesting knowledge, but I haven't got the answers to my questions.

#4
Been a couple of years since I saw that tutorial and I'm not gonna read it again; instead I'll just answer the question.
Quote:
Most operating systems will accept an ARP reply without sending an ARP request, therefore the answer is yes.
Quote:
ARP poisoning allows you to get around the functionality of switches so you can sniff other computers (basically). For the same effect, look into CAM poisoning or ARP table overflow attacks on switches: this is when you send hundreds of thousands of bad ARP entries to a switch; when its table gets full it will broadcast every packet out every port, basically turning a switch into a hub. Sniff away.
Last edited by juniperr : August 5th, 2005 at 09:36 AM.

#5
Just thought of something: since I gave info on how to do it, I'll give the info on how to mitigate it.
Any good switch will have a feature called "port security". USE IT! This maps a MAC address to a port. Cisco also has Dynamic ARP inspection as well as DHCP inspection (IP source guard).

#6
Thanks so much for your help.
I guess you know some defense strategies. Please tip me some.

#7
Quote:
Port security allows you to go to each port on a switch and statically put in a MAC address that corresponds to the PC or device attached to that port. This way no other device can plug into this port; as well, if you try to ARP poison from a port that is set, the switch will shut down your port since you are advertising someone else's MAC. You can also use dynamic port security; this is where you say only a certain number of MAC addresses can be on a port (so peeps can't connect more switches etc.). On a Cisco switch (I like Cisco hehe) you can rate limit ARP advertisements using this command, "ip arp inspection limit", eliminating the CAM overflow attack. As well, Cisco has dynamic ARP inspection, which ensures that only valid ARP requests and responses are relayed. The switch does the following...
• Intercepts all ARP requests and responses on untrusted ports
• Verifies that each of these intercepted packets has a valid IP-to-MAC address binding before updating the local ARP cache or before forwarding the packet to the appropriate destination
• Drops invalid ARP packets
This is why I have a problem answering the question "how to become a haxxor", since you need to know the switches, routers, firewalls, server hardware, as well as the OS you are attacking (can't attack a server if you can't get to it). Also, if a moderator would like, you can remove the link above since it will take you to a tool that will do ARP poisoning.
Last edited by juniperr : August 5th, 2005 at 01:11 PM.

#8
There's also a tool for Unix systems to detect ARP spoofing: arpwatch 1, 2
Quote:
M.
__________________
-- Manuel Hirsch - Linux, FreeBSD, programming, administration articles, tutorials and more.

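The checks described in posts #7 and #8 (validating each ARP packet's IP-to-MAC binding, and watching for an IP that suddenly maps to a different MAC), as an added example that is not part of the original thread and is not code from arpwatch or Cisco. The class, function and alert names and every address are constructed for illustration; the `trusted` table stands in for whatever known-good binding source a network has.

```python
import struct

def _mac(b): return ":".join(f"{x:02x}" for x in b)
def _ip(b): return ".".join(map(str, b))

def make_frame(op, sha, spa, tpa, dst="ff:ff:ff:ff:ff:ff"):
    """Constructed Ethernet+ARP frame, used only as offline sample input."""
    h = lambda m: bytes.fromhex(m.replace(":", ""))
    i = lambda a: bytes(map(int, a.split(".")))
    return (h(dst) + h(sha) + b"\x08\x06\x00\x01\x08\x00\x06\x04" + struct.pack("!H", op)
            + h(sha) + i(spa) + h(dst if op == 2 else "00:00:00:00:00:00") + i(tpa))

def parse_arp(frame):
    """Return ARP fields of an Ethernet II frame, or None if it is not IPv4 ARP."""
    # Bytes 12-19: EtherType 0x0806, htype 1, ptype 0x0800, hlen 6, plen 4.
    if len(frame) < 42 or frame[12:20] != b"\x08\x06\x00\x01\x08\x00\x06\x04":
        return None
    op, sha, spa, _tha, tpa = struct.unpack("!H6s4s6s4s", frame[20:42])
    return {"eth_src": _mac(frame[6:12]), "op": op, "sha": _mac(sha), "spa": _ip(spa), "tpa": _ip(tpa)}

class ArpMonitor:
    def __init__(self, trusted):
        self.trusted = dict(trusted)            # known-good IP -> MAC bindings (assumed input)
        self.learned, self.pending = {}, set()  # first-seen bindings; (asker_ip, asked_ip) requests

    def inspect(self, frame):
        """Return alert names for one frame; an empty list means nothing suspicious."""
        p = parse_arp(frame)
        if p is None:
            return []
        alerts = []
        if p["eth_src"] != p["sha"]:                # Ethernet source disagrees with ARP sender
            alerts.append("src-mac-mismatch")
        if p["op"] == 1:                            # request: remember who asked for whom
            self.pending.add((p["spa"], p["tpa"]))
        elif (p["tpa"], p["spa"]) in self.pending:  # reply that answers a request we saw
            self.pending.discard((p["tpa"], p["spa"]))
        else:
            alerts.append("unsolicited-reply")      # reply nobody asked for
        known = self.trusted.get(p["spa"]) or self.learned.setdefault(p["spa"], p["sha"])
        if known != p["sha"]:                       # IP now claimed by a different MAC
            alerts.append("binding-changed")
        return alerts

def run_sample():
    router, host, other = "00:11:22:33:44:55", "aa:bb:cc:00:00:10", "de:ad:be:ef:00:01"  # constructed
    mon = ArpMonitor({"192.168.1.1": router})
    frames = [make_frame(1, host, "192.168.1.10", "192.168.1.1"),          # host asks for router
              make_frame(2, router, "192.168.1.1", "192.168.1.10", host),  # router answers
              make_frame(2, other, "192.168.1.1", "192.168.1.10", host)]   # unrequested, wrong MAC
    return [mon.inspect(f) for f in frames]
```

Legitimate gratuitous ARP announcements also show up as `unsolicited-reply`, so that alert is a signal to correlate with `binding-changed` rather than a verdict on its own.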
#9
Good call, M. Hirsch. I have mixed emotions on alarm-type IDS systems: the problem here is if no one watches the alarm it does nothing, yet if they are, they can track it down to a specific user without them knowing you are on to them, so you can watch what they are trying to do. By the way, I see you have Debian; isn't SuSE the big *nix flavor in Germany? Out of curiosity, that is.

#10
>> the problem here is if no one watches the alarm
Well, I think I don't need to comment on that
Quote:
It used to be SuSE. But since the 8.x versions, it's no good anymore IMO. And since Novell bought them, they are becoming more like "Microsoft Linux". Although maybe this changed the other day when they decided to make it open source again. Let's see what comes now. I guess I won't like OpenSuSE. I didn't like Fedora or CentOS either. Sometimes I wish I was a BSD hacker and that I could fix all those damn bugs within reasonable time. But I can't wait for stable support of WiFi and ACPI. Today is today.... Debian is the way to go if you choose Linux. The best distro I met so far. Other than that, I'd rather compile from source myself. (which I can do and am still doing with Debian)
...my $0.02...
M.

#11
From my experience Debian and BSD are the supreme choice for hardcore nix users. I like that Novell is porting its apps over to Linux; it will make it a corporate alternative way quicker. I installed GroupWise on SuSE for a lab when I started studying for Novell Certified Linux Engineer; went very well. I dropped that and am finishing CCNP.

Viewing: Dev Shed Forums > System Administration > Security and Cryptography > ARP poison ? Educational purpose only!