This article assumes that you have a basic idea of what ARP spoofing is. If you're completely clueless, please read the first part here: http://en.wikipedia.org/wiki/ARP_spoofing
Now that you know the basic theory, let's try the attack.
First, you'll need the victim's, the gateway's and your own MAC and IP addresses. You can get these in many ways; I'll use nmap for the victim and the gateway:
#-nmap <IP_address>
and of course #-ifconfig for my own.
It’s a good idea to keep these in front of you since you’ll use them often :
-ATK : 192.168.1.4 at 00:1E:33:98:EA:E9
-Gateway:192.168.1.2 at 08:00:27:66:1B:6E
-Victim:192.168.1.41 at 08:00:27:50:C1:6F
The last thing you need is an ARP packet, which you'll use as a template for your customized ones, so you'll need a sniffer -I'll be using wireshark-. Open the sniffer and trigger an ARP query, just ping something!
#-ping <ip_address>
Now export the bytes of the ARP reply packet into a file -I saved it as arp- and stop the sniffer.
Now it's time to make some customized packets, actually just two: one for the victim and one for the gateway.
1-The Victim's Packet: this is sent to the victim to fool it into believing that the attacker's MAC address belongs to the gateway's IP, so let's edit the raw ARP reply packet we have.
#-hexedit <file_name>
Don't freak out now, it's really just a matter of matching places. If you've noticed, I'm highlighting the Destination in the packet's details and wireshark automatically highlights it for me in the raw packet. I pointed to the parts we'll be editing in this attack; the ones circled in red are actually the core of the attack. Here's what happened:
-The Destination MAC: where the packet is headed, the victim.
-Sender MAC: the attacker's, of course.
-ARP Sender MAC: the attacker's again.
-ARP Sender IP: the gateway's IP, yes, that's the spoofing part.
-Finally the Target MAC and IP: the victim's.
Now that you're done, press CTRL+X to save it -I'll save it as arpVictim-.
= = = = = = = = = =
2-The Gateway Packet: re-edit the raw packet and save it as "arpGw":
-Destination MAC: the gateway's MAC.
-Sender MAC : The attacker’s MAC.
-ARP Sender MAC: the attacker’s.
-ARP Sender IP: the victim's IP -spoofing-.
-Target IP and MAC : the gateway’s.
But you're not done yet. Let's make a little bash script that will send these two packets through a tool named file2cable and repeat every two seconds so that the ARP caches don't recover. Note that for this attack to work (i.e. for the victim's traffic to still reach the gateway through you), you need to enable IPv4 forwarding:
#-echo 1 >/proc/sys/net/ipv4/ip_forward
#!/bin/bash
# resend both crafted ARP replies every two seconds
while true; do
    file2cable -i eth0 -f arpVictim
    file2cable -i eth0 -f arpGw
    sleep 2
done
Now run the script...
Look at what happens to the victim's ARP table:
before the attack:
after the attack:
Now if you run a sniffer you'll see that all the victim's packets are sent to you first and then forwarded to the gateway.
Of course there are a lot of easier tools to launch an ARP-spoofing attack; all you have to do is pick the target and the gateway and click a button. Try exploring them, especially ettercap.
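From the defender's side, the very fields edited above (Ethernet source, ARP sender MAC and ARP sender IP) are what an ARP monitor inspects. The following is an added example, not code from the original post: it parses the same 42-byte Ethernet+ARP frame layout, checks each frame against a trusted IP-to-MAC table seeded with the post's gateway address (assumed static for this lab), and flags a reply that claims the gateway's IP with a different MAC. The two sample frames are constructed here from the addresses listed in the post.

```python
import socket
import struct

ETH = struct.Struct("!6s6sH")           # dst MAC, src MAC, EtherType
ARP = struct.Struct("!HHBBH6s4s6s4s")   # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa
ETHERTYPE_ARP, ARP_REPLY = 0x0806, 2

def mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))

def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def build_arp(dst, src, oper, sha, spa, tha, tpa) -> bytes:
    """Pack a 42-byte Ethernet+ARP frame: the same layout the post edits in hexedit."""
    return ETH.pack(mac(dst), mac(src), ETHERTYPE_ARP) + ARP.pack(
        1, 0x0800, 6, 4, oper, mac(sha), socket.inet_aton(spa), mac(tha), socket.inet_aton(tpa))

def parse_arp(frame: bytes):
    """Return (eth_src, oper, sender_mac, sender_ip, target_ip), or None if not IPv4-over-Ethernet ARP."""
    if len(frame) < ETH.size + ARP.size:
        return None
    _dst, src, etype = ETH.unpack_from(frame, 0)
    htype, ptype, hlen, plen, oper, sha, spa, _tha, tpa = ARP.unpack_from(frame, ETH.size)
    if etype != ETHERTYPE_ARP or (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return mac_str(src), oper, mac_str(sha), socket.inet_ntoa(spa), socket.inet_ntoa(tpa)

# Known-good bindings a monitor is seeded with (the post's gateway); assumed static for the lab.
TRUSTED = {"192.168.1.2": "08:00:27:66:1b:6e"}

def check_frame(frame: bytes, trusted=TRUSTED) -> list:
    """Alert when the ARP sender fields contradict the trusted table or the Ethernet header."""
    parsed = parse_arp(frame)
    if parsed is None:
        return []
    src, oper, sender_mac, sender_ip, target_ip = parsed
    alerts, expected = [], trusted.get(sender_ip)
    if expected is not None and expected != sender_mac:
        kind = "reply" if oper == ARP_REPLY else "request"
        alerts.append(f"ARP {kind} claims {sender_ip} is at {sender_mac}, expected {expected} (to {target_ip})")
    if src != sender_mac:   # classic monitor heuristic: the two sender fields should agree
        alerts.append(f"Ethernet source {src} differs from ARP sender MAC {sender_mac}")
    return alerts

# Constructed sample frames using the post's addresses (attacker 00:1e:33:98:ea:e9, victim 08:00:27:50:c1:6f).
GENUINE = build_arp("08:00:27:50:c1:6f", "08:00:27:66:1b:6e", ARP_REPLY,
                    "08:00:27:66:1b:6e", "192.168.1.2", "08:00:27:50:c1:6f", "192.168.1.41")
SPOOFED = build_arp("08:00:27:50:c1:6f", "00:1e:33:98:ea:e9", ARP_REPLY,
                    "00:1e:33:98:ea:e9", "192.168.1.2", "08:00:27:50:c1:6f", "192.168.1.41")
```

Running check_frame over frames read from a capture (or a raw socket) is all a minimal watcher needs; tools like arpwatch apply the same idea with a learned table instead of a hard-coded one.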
Note : This topic is for educational purposes and I’m not responsible for any evil acts 😛